Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 22, 2021, 6:39 p.m.	March 22, 2021, 6:53 p.m.

Size	9.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4f062d156ec2be43c44a610702e49eb9`
SHA256	`e786d07582576bc3b4c243e481182ba594d67cc052c25bb918363c73c9e4093d`
CRC32	`6A06E616`
ssdeep	`192:lBZRT7uWWtTqLGCaGMSsCaDesyiv0bQFKKBS:3ZNKHZvCaLSsFeo7/`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

a8ojAHyWHoBa8hMZ3OIGGUW1.exe "C:\Users\test22\AppData\Local\Temp\a8ojAHyWHoBa8hMZ3OIGGUW1.exe"
2616
- hEy8l0Ocek947fXN8CnVolnr.exe "C:\Users\test22\Documents\hEy8l0Ocek947fXN8CnVolnr.exe"
  1812
- 0ox04i91pFvffgfPVlGF73Oi.exe "C:\Users\test22\Documents\0ox04i91pFvffgfPVlGF73Oi.exe"
  3456
- XXbpTsiY4TdfZ7ndzt1wbwFj.exe "C:\Users\test22\Documents\XXbpTsiY4TdfZ7ndzt1wbwFj.exe"
  5572
- R1jG4jSARjAeuxQLgRnH6hMd.exe "C:\Users\test22\Documents\R1jG4jSARjAeuxQLgRnH6hMd.exe"
  3080
  - R1jG4jSARjAeuxQLgRnH6hMd.exe "C:\Users\test22\Documents\R1jG4jSARjAeuxQLgRnH6hMd.exe"
    7096
- RAP5DibOOw8cCvk7OSJbNID1.exe "C:\Users\test22\Documents\RAP5DibOOw8cCvk7OSJbNID1.exe"
  6652
- 7YnZlLu2X9SqH8UQ0sEtYdF8.exe "C:\Users\test22\Documents\7YnZlLu2X9SqH8UQ0sEtYdF8.exe"
  1432
- oFu4xlqNzIyHP4GZmDFGSa18.exe "C:\Users\test22\Documents\oFu4xlqNzIyHP4GZmDFGSa18.exe"
  8156
- uK5q1v0bG98JXoIiEmJvONNA.exe "C:\Users\test22\Documents\uK5q1v0bG98JXoIiEmJvONNA.exe"
  5704
  - uK5q1v0bG98JXoIiEmJvONNA.exe "C:\Users\test22\Documents\uK5q1v0bG98JXoIiEmJvONNA.exe"
    5012
- R12EntAmQQxV0PH80UWKXXHX.exe "C:\Users\test22\Documents\R12EntAmQQxV0PH80UWKXXHX.exe"
  5176

Name	Response	Post-Analysis Lookup
aretywer.xyz	A 45.144.30.78	45.144.30.78
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.99.190
www.investinae.com	CNAME investinae.com A 108.167.143.77	108.167.143.77
iplogger.org	A 88.99.66.31	88.99.66.31
msiamericas.com	A 141.136.39.190	141.136.39.190
d0wnl0ads.online
file.ekkggr3.com	A 104.21.66.169 A 172.67.162.110	172.67.162.110
digitalassets.ams3.digitaloceanspaces.com	A 5.101.110.225	5.101.110.225
whatitis.site	A 91.200.41.57 A 92.63.99.163	91.200.41.57
mytoolsprivacy.site	A 179.43.158.179	179.43.158.179
jg3.3uag.pw

IP Address	Status	Action
103.124.106.203	Active	Moloch
104.23.98.190	Active	Moloch
108.167.143.77	Active	Moloch
141.136.39.190	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.162.110	Active	Moloch
179.43.158.179	Active	Moloch
188.93.233.223	Active	Moloch
45.144.30.78	Active	Moloch
5.101.110.225	Active	Moloch
88.99.66.31	Active	Moloch
91.200.41.57	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49808 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49818 -> 141.136.39.190:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49818 -> 141.136.39.190:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49818 -> 141.136.39.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49809 -> 104.23.98.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:62461 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 91.200.41.57:80 -> 192.168.56.102:49810	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49813 -> 188.93.233.223:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 188.93.233.223:80 -> 192.168.56.102:49813	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49819 -> 108.167.143.77:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.200.41.57:80 -> 192.168.56.102:49810	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 91.200.41.57:80 -> 192.168.56.102:49810	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 188.93.233.223:80 -> 192.168.56.102:49813	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 188.93.233.223:80 -> 192.168.56.102:49813	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49812 -> 103.124.106.203:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49814 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49816 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.144.30.78:80 -> 192.168.56.102:49817	2014819	ET INFO Packed Executable Download	Misc activity
TCP 103.124.106.203:80 -> 192.168.56.102:49812	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.124.106.203:80 -> 192.168.56.102:49812	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 45.144.30.78:80 -> 192.168.56.102:49817	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 179.43.158.179:80 -> 192.168.56.102:49820	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49835 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 141.136.39.190:443 -> 192.168.56.102:49818	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.136.39.190:443 -> 192.168.56.102:49818	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49808 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49809 104.23.98.190:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	ce:69:3b:0c:23:1f:bf:e1:a4:87:d2:44:26:54:a5:e4:bd:26:2f:7a
TLSv1 192.168.56.102:49835 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (24 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:39 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:39 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:40 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:40 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 22, 2021, 6:39 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 22, 2021, 6:40 p.m.	stacktrace: 0x2cd211f 0x23d0a05 0x23d02b6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 68 64 b9 65 fc e8 bb 1b 01 00 8b 44 25 00 86 d2 exception.instruction: push 0xfc65b964 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x2d36108 registers.esp: 1637704 registers.edi: 4294967294 registers.eax: 1637736 registers.ebp: 1637816 registers.edx: 0 registers.ebx: 1 registers.esi: 15671376 registers.ecx: 1637816	1	0	0
__exception__ March 22, 2021, 6:40 p.m.	stacktrace: 0x2ca211f 0x23a0a05 0x23a02b6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 68 64 b9 65 fc e8 bb 1b 01 00 8b 44 25 00 86 d2 exception.instruction: push 0xfc65b964 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x2d06108 registers.esp: 1637704 registers.edi: 4294967294 registers.eax: 1637736 registers.ebp: 1637816 registers.edx: 0 registers.ebx: 1 registers.esi: 12197968 registers.ecx: 1637816	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://whatitis.site/dlc/mixinte
suspicious_features	Connection to IP address	suspicious_request	GET http://103.124.106.203/cof4/inst.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://188.93.233.223/proxy1.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1ixtu7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/mH2EJxkv
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1lp5k

Performs some HTTP requests (10 events)

request	GET http://whatitis.site/dlc/mixinte
request	GET http://103.124.106.203/cof4/inst.exe
request	GET http://188.93.233.223/proxy1.exe
request	GET http://file.ekkggr3.com/iuww/jvppp.exe
request	GET http://aretywer.xyz/Corepad092.exe
request	GET http://mytoolsprivacy.site/downloads/privacytools3.exe
request	GET https://iplogger.org/1ixtu7
request	GET https://pastebin.com/raw/mH2EJxkv
request	GET https://iplogger.org/1hVa87
request	GET https://iplogger.org/1lp5k

Allocates read-write-execute memory (usually to unpack itself) (50 out of 52 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00981000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00982000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00983000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 1812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0099b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:39 p.m.	process_identifier: 1812 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 3456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 393216 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009cb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 3456 region_size: 614400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 327680 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c9b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5572 region_size: 593920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 3080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008cb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 3080 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 6652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 393216 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0094b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 6652 region_size: 614400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 1432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 327680 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0096b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 1432 region_size: 593920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 8156 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 8156 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 8156 region_size: 9498624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 8156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 8156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 663552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cde000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0090b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5704 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5176 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5176 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5176 region_size: 9498624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

a8ojAHyWHoBa8hMZ3OIGGUW1.exe tried to sleep 161 seconds, actually delayed analysis time by 161 seconds

Creates executable files on the filesystem (50 out of 9099 events)

file	C:\Users\test22\Documents\AaZB2O3InRqcgfiNFy1s6QHh.exe
file	C:\Users\test22\Documents\SpbianNZnZ3hacsjQNDCKP1F.exe
file	C:\Users\test22\Documents\uXQnGdDvmWUZpBzeuqioGVNm.exe
file	C:\Users\test22\Documents\9bYYQKepBy0Aiuwb3ccWMaFQ.exe
file	C:\Users\test22\Documents\EupWdWq9MJm6VdwuEsIF9vWq.exe
file	C:\Users\test22\Documents\u8zreqdDBlvbmAnkbwPQ9ibY.exe
file	C:\Users\test22\Documents\vTQdAtNF80g8So5k0WDPtIfQ.exe
file	C:\Users\test22\Documents\axNb5jmh33OLP4SZC2AGuA4J.exe
file	C:\Users\test22\Documents\Ps3wHJ9WEw77A28Zx5QlqE5E.exe
file	C:\Users\test22\Documents\HGP8Foje6wtHvJsCk5uaPGKc.exe
file	C:\Users\test22\Documents\O91IeqZNtqpUuzKOJrMPqTyt.exe
file	C:\Users\test22\Documents\5aHY5l5IsX3YpE8y9dZ428lg.exe
file	C:\Users\test22\Documents\s2o4Dnc4AXz9ORoIf5rqJpKI.exe
file	C:\Users\test22\Documents\a3PyEr5JbjNivwHX4rL1A6ab.exe
file	C:\Users\test22\Documents\Z391N85EetE8FSVgJgTlFYq7.exe
file	C:\Users\test22\Documents\AGHvtOPbOXDaAmqdqoAjBlBM.exe
file	C:\Users\test22\Documents\pTDQMdg4Ri9SPsy4OMLsrwg0.exe
file	C:\Users\test22\Documents\vDnXCyx4ueyGYTYYETWtSHZl.exe
file	C:\Users\test22\Documents\kZI6VLugYT8Lf2yF2Eq5ddJK.exe
file	C:\Users\test22\Documents\alQHc76sdtotnnuwIppNxRKa.exe
file	C:\Users\test22\Documents\yEBi4446sYPjuRfjjW4TVPK9.exe
file	C:\Users\test22\Documents\YjU5i5CrwjBElgfWXC6jwTZ8.exe
file	C:\Users\test22\Documents\sdxVKyOrOskOGb9vqOTS3NJf.exe
file	C:\Users\test22\Documents\VmDMG6X0tGcaVHbWGmTLK2Wi.exe
file	C:\Users\test22\Documents\SS2gWWH86NLsdMWyGHxGTKa0.exe
file	C:\Users\test22\Documents\YRiCpOuS3sXi1jDtnNzDX35x.exe
file	C:\Users\test22\Documents\XvbHi2gBJzw5OnppDgzV9323.exe
file	C:\Users\test22\Documents\YFJElg0HyjaskuhWk2cFMaOn.exe
file	C:\Users\test22\Documents\VF0SFHTTZleniFCDpDmYJcQj.exe
file	C:\Users\test22\Documents\KT36bJnAzbM8WYQTOfqzKQyl.exe
file	C:\Users\test22\Documents\9INvY6u8RCeC4qYAAsoLRDD6.exe
file	C:\Users\test22\Documents\sa6DTARPfgwQfSREMPeGrWkg.exe
file	C:\Users\test22\Documents\QXQcI3FhijdkHoKxJapNSHTj.exe
file	C:\Users\test22\Documents\qfqkSZYWdK4awh3uPuoym4F0.exe
file	C:\Users\test22\Documents\3j7B4YXiZkjElQ1fUuWg9cyI.exe
file	C:\Users\test22\Documents\T1IS8Ba4LuRL8WDVsxCpHTj3.exe
file	C:\Users\test22\Documents\jrN7hsELiNIkp5HZyIXfCEAB.exe
file	C:\Users\test22\Documents\rkNcwBco5NrmP3sBAEvkjZhS.exe
file	C:\Users\test22\Documents\Pdu0TdY8fAQuUg2iBrkwWpjQ.exe
file	C:\Users\test22\Documents\G038fb2FXvM1Ns1uREVnR3oJ.exe
file	C:\Users\test22\Documents\UxATeqtAGbXnYb2GIRKnsyt9.exe
file	C:\Users\test22\Documents\ytHXI8DnUujoy45gIKDuhtEL.exe
file	C:\Users\test22\Documents\69LY3PhN8ksi81cO3FZqdfjF.exe
file	C:\Users\test22\Documents\0nKaTpwC4a6Y5cL5YIyA8BHo.exe
file	C:\Users\test22\Documents\KAd6K9ALNx69nLxU9eMjdP1n.exe
file	C:\Users\test22\Documents\3qjRN79CziS5v4vp5fiNPmcE.exe
file	C:\Users\test22\Documents\HUhmlIGyTDtaDcVtkNhO6Wdh.exe
file	C:\Users\test22\Documents\VPwNnmdFvIWAljDqc3zARm5E.exe
file	C:\Users\test22\Documents\FfVLHempeHupf2Z9a6fHu1I7.exe
file	C:\Users\test22\Documents\KcDP1BrNOxMgA8ERY1pewHjg.exe

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile March 22, 2021, 6:40 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004a8 filepath: C:\Users\Public\Desktop\c52DE20K05QI.sys desired_access: 0x10100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_ALL) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\Public\Desktop\c52DE20K05QI.sys create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0
NtCreateFile March 22, 2021, 6:40 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000012c filepath: C:\Users\Public\Documents\76R9Qqi6nJ9a6q.sys desired_access: 0x10100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_ALL) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\Public\Documents\76R9Qqi6nJ9a6q.sys create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0

Creates a suspicious process (1 event)

cmdline

C:\Users\test22\Documents\VGOca5th3t6GymA2tYHhVCMd.exe

Drops a binary and executes it (6 events)

file	C:\Users\test22\Documents\hEy8l0Ocek947fXN8CnVolnr.exe
file	C:\Users\test22\Documents\0ox04i91pFvffgfPVlGF73Oi.exe
file	C:\Users\test22\Documents\7YnZlLu2X9SqH8UQ0sEtYdF8.exe
file	C:\Users\test22\Documents\uK5q1v0bG98JXoIiEmJvONNA.exe
file	C:\Users\test22\Documents\R12EntAmQQxV0PH80UWKXXHX.exe
file	C:\Users\test22\Documents\H0MbiFYxmpqkaYE6bQP3uMHx.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\4DD3.tmp

Executes one or more WMI queries (1 event)

wmi	SELECT Caption FROM Win32_OperatingSystem

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 22, 2021, 6:39 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 22, 2021, 6:40 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:40 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:40 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:40 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:40 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:40 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1

Yara rule detected in process memory (14 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (22 events)

cmdline	C:\Users\test22\Documents\DqZddDn0ctEchFUKnG6fKTsc.exe
cmdline	C:\Users\test22\Documents\kH2oIFRtXrJFpkfKctrIL7AT.exe
cmdline	C:\Users\test22\Documents\mqEELzXJfYgLKtyAykvfd8sc.exe
cmdline	C:\Users\test22\Documents\n7L4PG9VpRIshv1dEDAeNxSC.exe
cmdline	C:\Users\test22\Documents\8GqhbNlxxhppu288sT1v2AaT.exe
cmdline	C:\Users\test22\Documents\YNoS93vo7hxtbkIxzKFaqLsC.exe
cmdline	C:\Users\test22\Documents\xkBpqIg5Z5Zo4Oy65nXDgsSc.exe
cmdline	C:\Users\test22\Documents\uOA3IxS7BVC1ghVdhhAlgNet.exe
cmdline	C:\Users\test22\Documents\Pi4KsMN9NP9SzzApxCK2zBSc.exe
cmdline	C:\Users\test22\Documents\l15l5BmDagqlIqXOtLs77eSC.exe
cmdline	C:\Users\test22\Documents\SBskcnoLxT1AvLVNth62xoAT.exe
cmdline	C:\Users\test22\Documents\jBHuczzilnIVBtobGpKOZAsC.exe
cmdline	C:\Users\test22\Documents\SnneikTjLeDMsVmfUfKxz9sc.exe
cmdline	C:\Users\test22\Documents\xd0T5gHAz1zNJIgZfSBVsNEt.exe
cmdline	C:\Users\test22\Documents\GKzTRdmj7LnI5OJGaY3umUAT.exe
cmdline	C:\Users\test22\Documents\Z6BTGHlYo4qX635gJeYOCrsC.exe
cmdline	C:\Users\test22\Documents\PDA8R2JLQgexjDppPggmKDiR.exe
cmdline	C:\Users\test22\Documents\uCd6dGvsipXTCGtZ1Jj9sKAT.exe
cmdline	C:\Users\test22\Documents\y8ESbsc7wC63vmhcy9v9eLSc.exe
cmdline	C:\Users\test22\Documents\aA73NEFrcsykxWb3sEQvNCsC.exe
cmdline	C:\Users\test22\Documents\asGrDkPAdldwOtKqTTXKHsSC.exe
cmdline	C:\Users\test22\Documents\ofk9xBA2Bpo7ZLIwyuKqY9sC.exe

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: c05e46ecab236464613fa897b57bffa29e661e52
buffer	Buffer with sha1: f4b90461575f862f28dbc1d91fb2ac91d68e3716

Communicates with host for which no DNS query was performed (3 events)

host	103.124.106.203
host	172.217.25.14
host	188.93.233.223

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 7096 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0
NtAllocateVirtualMemory March 22, 2021, 6:40 p.m.	process_identifier: 5012 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Attempts to identify installed AV products by registry key (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\avPFWDKcxGzm648DeqkS7yQIXos5U44e

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 22, 2021, 6:39 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (50 out of 9105 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ibVgwQmnzPBMn5qA7CzDbClrs5WEn7j6	reg_value	C:\Users\test22\Documents\hEy8l0Ocek947fXN8CnVolnr.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VTrAi7K125T15zTZWNCXZDh0IJQKdKh6	reg_value	C:\Users\test22\Documents\bHaJfsqN7WEsdKjCWnYmvjPf.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ZPfk08Ts43nkMoTgSrsu10IRw12ZrAYs	reg_value	C:\Users\test22\Documents\0ox04i91pFvffgfPVlGF73Oi.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GNy9G3B3e5MzNnMjIU0hWn1yOYj7JmQk	reg_value	C:\Users\test22\Documents\XXbpTsiY4TdfZ7ndzt1wbwFj.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\V9vrTEu2pmiVEGpjC0PwmXEaIYa18Jot	reg_value	C:\Users\test22\Documents\R1jG4jSARjAeuxQLgRnH6hMd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ro6QdWZ9KVomm8caWdtkwSYYa9PQxt9I	reg_value	C:\Users\test22\Documents\oFu4xlqNzIyHP4GZmDFGSa18.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ToKDVQvOx1VmTG5x43BhQS8gRXzHtIwF	reg_value	C:\Users\test22\Documents\RAP5DibOOw8cCvk7OSJbNID1.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PizdHIMbVfoOVCyLs1NwAsQco9ZEoQue	reg_value	C:\Users\test22\Documents\5Ui5n23g8yr8WuvbJB6ei6KN.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qnv8bnfpEP1ILO5ICjaRTyJmORDH8B0h	reg_value	C:\Users\test22\Documents\uK5q1v0bG98JXoIiEmJvONNA.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\65AO92AdeTFHxAXzqBspw6q1dJtJjYrC	reg_value	C:\Users\test22\Documents\7YnZlLu2X9SqH8UQ0sEtYdF8.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OJu0I03GmCseyHl82hGzKpHbUfPV7utN	reg_value	C:\Users\test22\Documents\ZTLPOrIKi7wAtCyO4Na6TLu9.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BTfnkhI2Te4mGgBkfYvdSbGAEcteq8Io	reg_value	C:\Users\test22\Documents\jLBE7SCsDqXqUUaxmcDvE4zj.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MeiIxnLVVQQoeWwGQP4wERkQvoDMscf9	reg_value	C:\Users\test22\Documents\WcCoxYHgifWzZyrFbdPqIWQk.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\4RXJk8m3uRcB4eQSgAcCwbtrC9fjCmhq	reg_value	C:\Users\test22\Documents\LccS08s4UBeJhDlEqIZ3beg4.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ipGkdD0ItwFXGsq7qHoMDcHd0Tr5PFoc	reg_value	C:\Users\test22\Documents\6hYiliUVYkYQkjJM2HWbCdIc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\intJV53nHm8Ksvf6PSbx5T8ENhf0Vtnd	reg_value	C:\Users\test22\Documents\Z595ct1VuPgyevFKaYu4z5ZG.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\op5yZCSX9fpyXq6gTmaCmHRTE07gEH93	reg_value	C:\Users\test22\Documents\f3Xy9s9zW2q1x4cp2ypgemKO.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\YmujEvS2gvFOgluJNGcTP8Dbivp64Hsl	reg_value	C:\Users\test22\Documents\sIKUwKZUjT2SPnRM1IM1LHmh.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iSASGW8YDes3pjsX0pTPMj4gGZi0cn6N	reg_value	C:\Users\test22\Documents\gn6KazPxA9wdhCpPYDoEoSRZ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\YeLryI5aieiI8kj37pNyJ1MUzteMZ6NS	reg_value	C:\Users\test22\Documents\VhlIy7rnBXZCTvkyVQN99CM9.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\3ueF43d6xNC4HuQs91h7ne3cMDdeApI3	reg_value	C:\Users\test22\Documents\UmtUv9z3b9dyNb0urUBUyXzg.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\teK3O4rXw1inMN0GEoKg0KtZ0C30a95H	reg_value	C:\Users\test22\Documents\R12EntAmQQxV0PH80UWKXXHX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vvDMB16w5bjDCNgrKGWp96ejw4mDijnb	reg_value	C:\Users\test22\Documents\EILnjWdEJKKw5QP8NXaWemDi.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\QdZGO3OWxH8ZVsX3CEblFA2k8mMzXPLr	reg_value	C:\Users\test22\Documents\Fm1yTRDSOX0erL6A0tLYQYiy.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kyIlqY8i5RVRLgCFAGclUSXa7FdG39uH	reg_value	C:\Users\test22\Documents\DDh017EUJeqjNhpHWRVL66sQ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\brol52p5hO54RAPhdrFMocPjIo0mx3mO	reg_value	C:\Users\test22\Documents\VRPCzcnugHo5LX6zPQL0eG6R.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\bEdRBDHnlrjTYHub1bu6ERIGFllJhzMl	reg_value	C:\Users\test22\Documents\V7lIxBzncsY7bCiPBoWxBtn9.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\6XLZb8Gwe78wbB3TyUVT6Xm0vrPl3mln	reg_value	C:\Users\test22\Documents\UmqsiimZkuVudP03455k9r4K.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\uUotse22WUF5Or7lXtpWHHkqQWjRz7SF	reg_value	C:\Users\test22\Documents\rfwLWM7mojQfQEb2ClwoVlOi.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\u7dV4kCZC9nBQ5DKzfpt7nrusPnpppJa	reg_value	C:\Users\test22\Documents\RNbBiN3JrXJ69goUoKRm61bm.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ptnp6XtXzNPcpdaRQiYNur1FL4ii1tOE	reg_value	C:\Users\test22\Documents\wyQktiOGVu3A2mDsHHxaMrpG.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\1hdCzKfF9KSfIaWrYaLOhMsj142Vjkvr	reg_value	C:\Users\test22\Documents\JJUA4jJ7BgKpXlDnqgJnSbWi.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\y4K5RJgYZlrWS8lRSUNcgfRSYmLHV3bq	reg_value	C:\Users\test22\Documents\xwIXFHI1AEqMSifQKcO2QHBp.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\n2gp8YCfKBlzZaUFvW3PskbQo9RYUfwM	reg_value	C:\Users\test22\Documents\vciL6Nj0iRxr1I7L07j53iIT.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\bQB9HoLpPYfK1QY2et9aDksfN0u0VPha	reg_value	C:\Users\test22\Documents\UPiEq32KPRg0hIwandKgo3kC.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\hgwR3VT91EfVn8AlrYVM9k2lRXuCNnge	reg_value	C:\Users\test22\Documents\ofma13ClF1lInljXFSC43K90.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nK9fkQwNhBz0Eoe5qloYTTfEnnvwZBpt	reg_value	C:\Users\test22\Documents\gw3VHvrthlRiGNuHRaNfyw06.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\p526f9ygVG5I7iJecYjPRarulI1HMcld	reg_value	C:\Users\test22\Documents\56r6vMIQzDBEX3Cm5RyNIcnU.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OIVXIqT3fbzkSTKQntAwrawsce92s1k4	reg_value	C:\Users\test22\Documents\SXQ0TLuzPfsQ73pXIUut2YCP.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Vn4nqaLo15PRq8aQCck1oQoXZKtOvbhE	reg_value	C:\Users\test22\Documents\UBmL0XriMzvgDFEzJdGIXPix.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\8hOfr62ZYLy1IMx9kyMhlghlChL4VlZw	reg_value	C:\Users\test22\Documents\cy0NcD1voHoIzxILD0G5pqIF.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9ndJv7EwvBLX72KOueTWw3lveU2NQiTE	reg_value	C:\Users\test22\Documents\puO5yVEsOPto9QC0CHV0dlec.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BsobF0gNsHHL68WzhCLzAmqzarQJbUwH	reg_value	C:\Users\test22\Documents\Qw5L247QK628Fp3K6GG8SIpG.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CyAXjWvXU9FHzMiB11YUWsRtdSZK3gKP	reg_value	C:\Users\test22\Documents\GzJJQfLUapQ7hrO8uRbP70GY.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\gQ3Q7kexyzYEFHfEGUaeFtHXJ0cdIFy6	reg_value	C:\Users\test22\Documents\suHbfxuE42nimGJisZYFbwCT.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\JgGGIBotAcVSMRKnNGGP9UpFY1kyGrkK	reg_value	C:\Users\test22\Documents\sx4O3dHTXztwrEck3T8HViOx.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\1BsQbznT1LtFLyQM4tF9iZWNd7quxUsj	reg_value	C:\Users\test22\Documents\iHFWWALWKAwPsKXmIV3Pb8xz.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pewdJ2ggdKv6T648xvmFCzxLhVpG99qg	reg_value	C:\Users\test22\Documents\TPfUS55UWcXhaSaUErVs3xRb.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qk6yMZhddP8PRGzVkIJKvhpDUgTmFiVw	reg_value	C:\Users\test22\Documents\7DoxJcKe61DQgdBIwW4IKLZ0.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\43dqG4Y53Mkd9QzO1n1MvYhipnFgAUta	reg_value	C:\Users\test22\Documents\oyGifWRgTjwQfw1qhihBCOEJ.exe

Loads a driver (6 events)

Time & API	Arguments	Return
NtLoadDriver March 22, 2021, 6:40 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\T185N	3221225473
NtLoadDriver March 22, 2021, 6:40 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\PMV68RD	3221225473
NtLoadDriver March 22, 2021, 6:40 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\6Mf6CS8i0	3221225473
NtLoadDriver March 22, 2021, 6:40 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\n27s32	3221225473
NtLoadDriver March 22, 2021, 6:40 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\GrPFx4	3221225473
NtLoadDriver March 22, 2021, 6:40 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\36Hn955Y	3221225473

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 22, 2021, 6:40 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 7096 process_handle: 0x00000080	1	1	0
WriteProcessMemory March 22, 2021, 6:40 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 5012 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3080 called NtSetContextThread to modify thread in remote process 7096
Process injection	Process 5704 called NtSetContextThread to modify thread in remote process 5012
NtSetContextThread March 22, 2021, 6:40 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4205112 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 7096	1	0	0
NtSetContextThread March 22, 2021, 6:40 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4205112 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 5012	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3080 resumed a thread in remote process 7096
Process injection	Process 5704 resumed a thread in remote process 5012
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 7096	1	0	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 5012	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (16 events)

cmdline	C:\Users\test22\Documents\allup6eHHwkvtFb1KO2YoERu.exe
cmdline	C:\Users\test22\Documents\qLUFMJjuvJA2gm2q5fiPzlRu.exe
cmdline	C:\Users\test22\Documents\lQiGPfAxGaF7lprr0TnZobrU.exe
cmdline	C:\Users\test22\Documents\FOdyVa2uEJEsdckdVh2ktCrU.exe
cmdline	C:\Users\test22\Documents\WnJQ24bhdRFf3lHnNld1SZdU.exe
cmdline	C:\Users\test22\Documents\AMsQ4wmnac9m5uztX3e1tFRU.exe
cmdline	C:\Users\test22\Documents\qwlscXpX1077NZ801tFzxDdU.exe
cmdline	C:\Users\test22\Documents\ETv2WHDuRXIspLTr6mxlBODU.exe
cmdline	C:\Users\test22\Documents\wjivyZcTYeXp9LWL9GQgjwRu.exe
cmdline	C:\Users\test22\Documents\tKaXkwwOJD5glsMA4QhDb5Ru.exe
cmdline	C:\Users\test22\Documents\syO410wQvD6s3lbMenrfZ6Du.exe
cmdline	C:\Users\test22\Documents\UQYiVvv20T4DS3SRswot0YRu.exe
cmdline	C:\Users\test22\Documents\FPWM6Ppyot7CJD66VC813gdu.exe
cmdline	C:\Users\test22\Documents\HVRCJF3r7Wx6ADWx3wn22ADU.exe
cmdline	C:\Users\test22\Documents\Lvex8WARW94owmumEuowlEdU.exe
cmdline	C:\Users\test22\Documents\Q7OWMFYcWf8MFv3t0i4PtYRu.exe

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (50 out of 18237 events)

Time & API	Arguments	Status	Return
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000594 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000005a8 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000005bc suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000005e8 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000005fc suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000618 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000063c suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000658 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000674 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000006ac suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000006f8 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000073c suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000007dc suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000089c suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x00000914 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x0000077c suspend_count: 1 process_identifier: 2616	1	0
CreateProcessInternalW March 22, 2021, 6:39 p.m.	thread_identifier: 7444 thread_handle: 0x000009cc process_identifier: 1812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\hEy8l0Ocek947fXN8CnVolnr.exe track: 1 command_line: "C:\Users\test22\Documents\hEy8l0Ocek947fXN8CnVolnr.exe" filepath_r: C:\Users\test22\Documents\hEy8l0Ocek947fXN8CnVolnr.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000009d4	1	1
NtResumeThread March 22, 2021, 6:39 p.m.	thread_handle: 0x000007f8 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x000007f8 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000904 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000854 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000760 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000794 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000788 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000077c suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000066c suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x000005c8 suspend_count: 1 process_identifier: 2616	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\bHaJfsqN7WEsdKjCWnYmvjPf.exe track: 0 command_line: "C:\Users\test22\Documents\bHaJfsqN7WEsdKjCWnYmvjPf.exe" filepath_r: C:\Users\test22\Documents\bHaJfsqN7WEsdKjCWnYmvjPf.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 3980 thread_handle: 0x0000072c process_identifier: 3456 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\0ox04i91pFvffgfPVlGF73Oi.exe track: 1 command_line: "C:\Users\test22\Documents\0ox04i91pFvffgfPVlGF73Oi.exe" filepath_r: C:\Users\test22\Documents\0ox04i91pFvffgfPVlGF73Oi.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000073c	1	1
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 6564 thread_handle: 0x000006f8 process_identifier: 5572 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\XXbpTsiY4TdfZ7ndzt1wbwFj.exe track: 1 command_line: "C:\Users\test22\Documents\XXbpTsiY4TdfZ7ndzt1wbwFj.exe" filepath_r: C:\Users\test22\Documents\XXbpTsiY4TdfZ7ndzt1wbwFj.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000064c	1	1
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000650 suspend_count: 1 process_identifier: 2616	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 5352 thread_handle: 0x000005fc process_identifier: 3080 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\R1jG4jSARjAeuxQLgRnH6hMd.exe track: 1 command_line: "C:\Users\test22\Documents\R1jG4jSARjAeuxQLgRnH6hMd.exe" filepath_r: C:\Users\test22\Documents\R1jG4jSARjAeuxQLgRnH6hMd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000062c	1	1
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000594 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x0000073c suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000738 suspend_count: 1 process_identifier: 2616	1	0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x000006f4 suspend_count: 1 process_identifier: 2616	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\5Ui5n23g8yr8WuvbJB6ei6KN.exe track: 0 command_line: "C:\Users\test22\Documents\5Ui5n23g8yr8WuvbJB6ei6KN.exe" filepath_r: C:\Users\test22\Documents\5Ui5n23g8yr8WuvbJB6ei6KN.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x000006e8 suspend_count: 1 process_identifier: 2616	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\ZTLPOrIKi7wAtCyO4Na6TLu9.exe track: 0 command_line: "C:\Users\test22\Documents\ZTLPOrIKi7wAtCyO4Na6TLu9.exe" filepath_r: C:\Users\test22\Documents\ZTLPOrIKi7wAtCyO4Na6TLu9.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 2616	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\jLBE7SCsDqXqUUaxmcDvE4zj.exe track: 0 command_line: "C:\Users\test22\Documents\jLBE7SCsDqXqUUaxmcDvE4zj.exe" filepath_r: C:\Users\test22\Documents\jLBE7SCsDqXqUUaxmcDvE4zj.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x000009e4 suspend_count: 1 process_identifier: 2616	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\WcCoxYHgifWzZyrFbdPqIWQk.exe track: 0 command_line: "C:\Users\test22\Documents\WcCoxYHgifWzZyrFbdPqIWQk.exe" filepath_r: C:\Users\test22\Documents\WcCoxYHgifWzZyrFbdPqIWQk.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x000009fc suspend_count: 1 process_identifier: 2616	1	0
CreateProcessInternalW March 22, 2021, 6:40 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\LccS08s4UBeJhDlEqIZ3beg4.exe track: 0 command_line: "C:\Users\test22\Documents\LccS08s4UBeJhDlEqIZ3beg4.exe" filepath_r: C:\Users\test22\Documents\LccS08s4UBeJhDlEqIZ3beg4.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:40 p.m.	thread_handle: 0x00000a14 suspend_count: 1 process_identifier: 2616	1	0

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36541837
FireEye	Generic.mg.4f062d156ec2be43
ALYac	Trojan.GenericKD.36541837
Cylance	Unsafe
AegisLab	Trojan.MSIL.Stealer.l!c
Sangfor	Trojan.Win32.Save.a
BitDefender	Trojan.GenericKD.36541837
K7GW	Trojan-Downloader ( 005796b91 )
Cybereason	malicious.369223
BitDefenderTheta	Gen:NN.ZemsilF.34628.am0@aKCURqp
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba	TrojanSpy:MSIL/Stealer.7dd40801
Tencent	Msil.Trojan-spy.Stealer.Pdmk
Ad-Aware	Trojan.GenericKD.36541837
Sophos	Mal/Generic-S
DrWeb	Trojan.Siggen12.47234
McAfee-GW-Edition	RDN/Generic PWS.y
Emsisoft	Trojan.GenericKD.36541837 (B)
Ikarus	Trojan-Downloader.MSIL.Small
Avira	TR/Dldr.Small.qtras
MAX	malware (ai score=88)
Microsoft	Backdoor:Win32/Bladabindi!ml
GData	Trojan.GenericKD.36541837
Cynet	Malicious (score: 100)
McAfee	RDN/Generic PWS.y
Malwarebytes	Trojan.Downloader
Panda	Trj/GdSda.A
ESET-NOD32	a variant of MSIL/TrojanDownloader.Small.CLF
Rising	Trojan.IPLogger!1.B69D (CLOUD)
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Small.CLF!tr.dldr
AVG	Win32:DropperX-gen [Drp]
Avast	Win32:DropperX-gen [Drp]
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/TrojanDownloader.Small.HgIASRIA

Stops Windows services (6 events)

service	6Mf6CS8i0 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\6Mf6CS8i0\Start)
service	PMV68RD (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PMV68RD\Start)
service	36Hn955Y (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\36Hn955Y\Start)
service	n27s32 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\n27s32\Start)
service	GrPFx4 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GrPFx4\Start)
service	T185N (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\T185N\Start)

a8ojAHyWHoBa8hMZ3OIGGUW1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All