Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 22, 2021, 6:55 p.m.	March 22, 2021, 7:01 p.m.

Size	9.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4c5c17827dee5404f8277ec293e24f61`
SHA256	`862e41d1ddfa72722af62eb35aac11970ed21b6a7f01c78f715be65f5d72724c`
CRC32	`7B792405`
ssdeep	`192:IBZRT7uWWtPqfGCaGMSsRDesyGv0bQFJS:SZNKHJnCaLSsdec7J`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

KG5pc5F7jZu3r0hr7kiig97u.exe "C:\Users\test22\AppData\Local\Temp\KG5pc5F7jZu3r0hr7kiig97u.exe"
812
- 2gRgCSRWhUUA0rwPknZ0YhVG.exe "C:\Users\test22\Documents\2gRgCSRWhUUA0rwPknZ0YhVG.exe"
  8572
- P3HUHaXIIiLdOaEwuuyiwRng.exe "C:\Users\test22\Documents\P3HUHaXIIiLdOaEwuuyiwRng.exe"
  4764
- AsNehvmNhGVkie8HshVsHLRU.exe "C:\Users\test22\Documents\AsNehvmNhGVkie8HshVsHLRU.exe"
  4440
- AMvgFsk0Ptjjy516sXCEMCgD.exe "C:\Users\test22\Documents\AMvgFsk0Ptjjy516sXCEMCgD.exe"
  6460
  - AMvgFsk0Ptjjy516sXCEMCgD.exe "C:\Users\test22\Documents\AMvgFsk0Ptjjy516sXCEMCgD.exe"
    5512
- bR5BXqjHr6efjMHZEzZOv4H3.exe "C:\Users\test22\Documents\bR5BXqjHr6efjMHZEzZOv4H3.exe"
  2700
- t5ZLHfH08kEVTqLjlwkkl5gT.exe "C:\Users\test22\Documents\t5ZLHfH08kEVTqLjlwkkl5gT.exe"
  3064
- oE0nJiOSXCnIWlMy2P2qBFaX.exe "C:\Users\test22\Documents\oE0nJiOSXCnIWlMy2P2qBFaX.exe"
  3012
- 6BeRHHihv22CEo6SSjxeNG3i.exe "C:\Users\test22\Documents\6BeRHHihv22CEo6SSjxeNG3i.exe"
  5760
  - 6BeRHHihv22CEo6SSjxeNG3i.exe "C:\Users\test22\Documents\6BeRHHihv22CEo6SSjxeNG3i.exe"
    5116
- Ze9XdDa0NAR8UpAujSDfMtH5.exe "C:\Users\test22\Documents\Ze9XdDa0NAR8UpAujSDfMtH5.exe"
  3468

Name	Response	Post-Analysis Lookup
digitalassets.ams3.digitaloceanspaces.com	A 5.101.110.225	5.101.110.225
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.99.190
www.investinae.com	CNAME investinae.com A 108.167.143.77	108.167.143.77
iplogger.org	A 88.99.66.31	88.99.66.31
msiamericas.com	A 141.136.39.190	141.136.39.190
d0wnl0ads.online
file.ekkggr3.com	A 104.21.66.169 A 172.67.162.110	104.21.66.169
aretywer.xyz	A 45.144.30.78	45.144.30.78
whatitis.site	A 91.200.41.57 A 92.63.99.163	91.200.41.57
mytoolsprivacy.site	A 179.43.158.179	179.43.158.179
jg3.3uag.pw

IP Address	Status	Action
172.67.176.78	Active	Moloch
103.124.106.203	Active	Moloch
104.23.98.190	Active	Moloch
108.167.143.77	Active	Moloch
141.136.39.190	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.162.110	Active	Moloch
179.43.158.179	Active	Moloch
188.93.233.223	Active	Moloch
45.144.30.78	Active	Moloch
5.101.110.225	Active	Moloch
88.99.66.31	Active	Moloch
91.200.41.57	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49807 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49809 -> 104.23.98.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:61998 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49816 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.200.41.57:80 -> 192.168.56.102:49810	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49813 -> 188.93.233.223:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 91.200.41.57:80 -> 192.168.56.102:49810	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.102:49812 -> 103.124.106.203:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49814 -> 108.167.143.77:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 188.93.233.223:80 -> 192.168.56.102:49813	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 188.93.233.223:80 -> 192.168.56.102:49813	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 103.124.106.203:80 -> 192.168.56.102:49812	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.124.106.203:80 -> 192.168.56.102:49812	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49815 -> 5.101.110.225:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49819 -> 141.136.39.190:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49819 -> 141.136.39.190:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49819 -> 141.136.39.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 179.43.158.179:80 -> 192.168.56.102:49818	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.144.30.78:80 -> 192.168.56.102:49820	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49828 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 141.136.39.190:443 -> 192.168.56.102:49819	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 141.136.39.190:443 -> 192.168.56.102:49819	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49807 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49809 104.23.98.190:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	ce:69:3b:0c:23:1f:bf:e1:a4:87:d2:44:26:54:a5:e4:bd:26:2f:7a
TLSv1 192.168.56.102:49828 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (24 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 22, 2021, 6:55 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 22, 2021, 6:55 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:55 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:55 p.m.			0	0
IsDebuggerPresent March 22, 2021, 6:55 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 22, 2021, 6:55 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 22, 2021, 6:55 p.m.	stacktrace: 0x2cf211f 0x23f0a05 0x23f02b6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 68 64 b9 65 fc e8 bb 1b 01 00 8b 44 25 00 86 d2 exception.instruction: push 0xfc65b964 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x2d56108 registers.esp: 1637704 registers.edi: 4294967294 registers.eax: 1637736 registers.ebp: 1637816 registers.edx: 0 registers.ebx: 1 registers.esi: 12066896 registers.ecx: 1637816	1	0	0
__exception__ March 22, 2021, 6:55 p.m.	stacktrace: 0x2e8211f 0x2580a05 0x25802b6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 68 64 b9 65 fc e8 bb 1b 01 00 8b 44 25 00 86 d2 exception.instruction: push 0xfc65b964 exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x2ee6108 registers.esp: 1637704 registers.edi: 4294967294 registers.eax: 1637736 registers.ebp: 1637816 registers.edx: 0 registers.ebx: 1 registers.esi: 15409232 registers.ecx: 1637816	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (6 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://whatitis.site/dlc/mixinte
suspicious_features	Connection to IP address	suspicious_request	GET http://103.124.106.203/cof4/inst.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://188.93.233.223/proxy1.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1ixtu7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/mH2EJxkv
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1lx5k

Performs some HTTP requests (10 events)

request	GET http://whatitis.site/dlc/mixinte
request	GET http://103.124.106.203/cof4/inst.exe
request	GET http://188.93.233.223/proxy1.exe
request	GET http://file.ekkggr3.com/iuww/jvppp.exe
request	GET http://mytoolsprivacy.site/downloads/privacytools3.exe
request	GET http://aretywer.xyz/Corepad092.exe
request	GET https://iplogger.org/1ixtu7
request	GET https://pastebin.com/raw/mH2EJxkv
request	GET https://iplogger.org/1hVa87
request	GET https://iplogger.org/1lx5k

Allocates read-write-execute memory (usually to unpack itself) (50 out of 52 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00905000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0090b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00907000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 8572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0092b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 8572 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 4764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 327680 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c7b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 4764 region_size: 593920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 4440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 327680 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0098b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 4440 region_size: 593920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 6460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002db000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 6460 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 2700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 393216 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009fb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 2700 region_size: 614400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 3064 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 3064 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 3064 region_size: 9498624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 3064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 663552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cfe000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 393216 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009fb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 3012 region_size: 614400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 5760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fb000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 5760 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 3468 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 3468 region_size: 4677632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 3468 region_size: 9498624 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

KG5pc5F7jZu3r0hr7kiig97u.exe tried to sleep 161 seconds, actually delayed analysis time by 161 seconds

Creates executable files on the filesystem (50 out of 9338 events)

file	C:\Users\test22\Documents\24GFEnbvd8zo5xAaGvGrAPux.exe
file	C:\Users\test22\Documents\aTqD5MckxTcds7WOdUbeq9l0.exe
file	C:\Users\test22\Documents\NErTCfYpyW5zv7UJHEqZdQsj.exe
file	C:\Users\test22\Documents\gj2Ru1eNRUyEXMhtC9vsQCbW.exe
file	C:\Users\test22\Documents\NEj7mBepBHTVUbzwFBZjuW4p.exe
file	C:\Users\test22\Documents\4Io8nFkcURJ9ztyxTawKQ40m.exe
file	C:\Users\test22\Documents\zHNw4XFlVPp2lsyMfeITNBWt.exe
file	C:\Users\test22\Documents\vK3uYNu5EPAN0EvFvZAMvhmE.exe
file	C:\Users\test22\Documents\LKidb1JefOzoU5Qb5yqgm09E.exe
file	C:\Users\test22\Documents\OKn2jP7ZJXJkt0sjhyB7yZxU.exe
file	C:\Users\test22\Documents\JpCAEPszdzGe4ILNRS81NFyP.exe
file	C:\Users\test22\Documents\Bo7y0wkzeVX4Z7jFSIGyQkHu.exe
file	C:\Users\test22\Documents\8Vbj2msPsNdvmgwcEOpcktzP.exe
file	C:\Users\test22\Documents\RAqZ2EXPIwcG99OUVBuFnrFL.exe
file	C:\Users\test22\Documents\mdFYij3INyazyekI3Unq5ONN.exe
file	C:\Users\test22\Documents\mNYa3rkvccvy756OAeTkKVRb.exe
file	C:\Users\test22\Documents\I5srYmLjpxqjDQexRcIa2sGQ.exe
file	C:\Users\test22\Documents\RiFSUDV8OVuK35r37hPlnSdf.exe
file	C:\Users\test22\Documents\tk72FoMu6dUrUSBP1HZPZRrc.exe
file	C:\Users\test22\Documents\u51i5WLLfkJGgeQIm5wQePzg.exe
file	C:\Users\test22\Documents\4nn0SyQltdLOxQOB5oNXeFz7.exe
file	C:\Users\test22\Documents\GmHg8q1FnJhED8Xm3ccCtPsX.exe
file	C:\Users\test22\Documents\HKkCZHSoBLXOcHQXZUZHfBSa.exe
file	C:\Users\test22\Documents\kuhK3DgbJzK9596we1IXt3Df.exe
file	C:\Users\test22\Documents\nCsz0tFq62zlxDkt4Ga2CwmT.exe
file	C:\Users\test22\Documents\cI8xNruL3SMyTHzEtwkhYqff.exe
file	C:\Users\test22\Documents\7Rz6oGQZbEFD9PgrrCtVkara.exe
file	C:\Users\test22\Documents\pP7W940roBaZtxBbEwKG66iX.exe
file	C:\Users\test22\Documents\ZZeiVSQAXPoxXopPqrDF2ms4.exe
file	C:\Users\test22\Documents\S5rgBxokDIqS7CC8VlqJCClt.exe
file	C:\Users\test22\Documents\JcFhpcdIFBKKZ2YmerRWbyPG.exe
file	C:\Users\test22\Documents\MadlHEslLTVyY9JVVmaBy2ZH.exe
file	C:\Users\test22\Documents\YI4MdSYq9LxKa74NacXzAQXE.exe
file	C:\Users\test22\Documents\cpkPZPGZiUeh7Kp1KNcA3tT3.exe
file	C:\Users\test22\Documents\HMeooL6WRj7FXB3SRqxL46lB.exe
file	C:\Users\test22\Documents\8gfwJ2Pv1LUmZfKM2YKeR7PP.exe
file	C:\Users\test22\Documents\pfKbFy0hO0gvKb9HA9Byvot7.exe
file	C:\Users\test22\Documents\w43QShtLO3y3E1ZZubOJDtLn.exe
file	C:\Users\test22\Documents\02ugaeyL54aiUMqNrEK1rIEE.exe
file	C:\Users\test22\Documents\orQ7NT8oNCFjT8vjnJMLaKwk.exe
file	C:\Users\test22\Documents\JYCzQGDvZRWBWNrVex6q7Uxs.exe
file	C:\Users\test22\Documents\7qfRkLRitsPFzn7hZMfRJFSC.exe
file	C:\Users\test22\Documents\rulUPNq2ZkmPP1r1ihU5DFaC.exe
file	C:\Users\test22\Documents\MReIfITAJGG9omQMyiHP7k7R.exe
file	C:\Users\test22\Documents\hbqwyz8phiyTEbRGddyrNBQ0.exe
file	C:\Users\test22\Documents\NeqqCQEJAjalZJZyPBXyFFQG.exe
file	C:\Users\test22\Documents\FxngQgXJ41w615zJxlkmCqjf.exe
file	C:\Users\test22\Documents\WSc5scXp5J2iYtrJtig6IiXl.exe
file	C:\Users\test22\Documents\9XXLo8JywQDl4lrlZYeLI7ph.exe
file	C:\Users\test22\Documents\Eor0y7vuNNgIaqcr5edUzrMs.exe

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile March 22, 2021, 6:55 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004ac filepath: C:\Users\test22\Documents\MNFl8lWCayON2l.sys desired_access: 0x10100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_ALL) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\Documents\MNFl8lWCayON2l.sys create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0
NtCreateFile March 22, 2021, 6:55 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000000d4 filepath: C:\ProgramData\Microsoft\Windows\Start Menu\5ivBBQ.sys desired_access: 0x10100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_ALL) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\ProgramData\Microsoft\Windows\Start Menu\5ivBBQ.sys create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0

Creates a suspicious process (1 event)

cmdline

C:\Users\test22\Documents\cUsX9AUueO1UD6wMIcQtcsyB.exe

Drops a binary and executes it (6 events)

file	C:\Users\test22\Documents\2gRgCSRWhUUA0rwPknZ0YhVG.exe
file	C:\Users\test22\Documents\P3HUHaXIIiLdOaEwuuyiwRng.exe
file	C:\Users\test22\Documents\AMvgFsk0Ptjjy516sXCEMCgD.exe
file	C:\Users\test22\Documents\oE0nJiOSXCnIWlMy2P2qBFaX.exe
file	C:\Users\test22\Documents\Ze9XdDa0NAR8UpAujSDfMtH5.exe
file	C:\Users\test22\Documents\GkgIuNKmQgJLWGz5Q5ydssYr.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\4DD3.tmp

Executes one or more WMI queries (1 event)

wmi	SELECT Caption FROM Win32_OperatingSystem

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 22, 2021, 6:55 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 22, 2021, 6:55 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:55 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:55 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:55 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:55 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2021, 6:55 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1

Yara rule detected in process memory (14 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (31 events)

cmdline	C:\Users\test22\Documents\7qfRkLRitsPFzn7hZMfRJFSC.exe
cmdline	C:\Users\test22\Documents\zk0OjKFARTZq7i6RJXu0rGAt.exe
cmdline	C:\Users\test22\Documents\6L72UrRtSuwlX6UClC5MR2At.exe
cmdline	C:\Users\test22\Documents\kwuOprkqb0BE9HArfmF8LHAt.exe
cmdline	C:\Users\test22\Documents\IjU0bX91mvxxuRJC5nUpPxSC.exe
cmdline	C:\Users\test22\Documents\DUboD5D8LFYJEYGdsrVcFmAt.exe
cmdline	C:\Users\test22\Documents\ffs4tjVdY7grAdZx6cWYyjat.exe
cmdline	C:\Users\test22\Documents\tww9SBz3Bj7Q37NQBZCImfat.exe
cmdline	C:\Users\test22\Documents\Su4u2e6DlSSEwIkfFW5xeBaT.exe
cmdline	C:\Users\test22\Documents\DC6YHhE2GQkhkfNXQd2McuaT.exe
cmdline	C:\Users\test22\Documents\GTP4XzdgSGln7DSmj1z33aAt.exe
cmdline	C:\Users\test22\Documents\xJqSneu4z4QvM4XUPfMoCpAt.exe
cmdline	C:\Users\test22\Documents\9y30pnzNFWvKDAiS89656Jat.exe
cmdline	C:\Users\test22\Documents\bcIbDl4xJxzo0spWDL4aULaT.exe
cmdline	C:\Users\test22\Documents\CoRqCsIlCWRjk8JURQG04MAT.exe
cmdline	C:\Users\test22\Documents\NyjfXMpyIlUtKWyefbS0vSAt.exe
cmdline	C:\Users\test22\Documents\cUsX9AUueO1UD6wMIcQtcsyB.exe
cmdline	C:\Users\test22\Documents\VwKW2J0prQ63g3GPDQlM4IAt.exe
cmdline	C:\Users\test22\Documents\nQGYOEpXM1qnMINr4spILFAT.exe
cmdline	C:\Users\test22\Documents\tPA5Pbwup7NMpT62ZSV9yYsC.exe
cmdline	C:\Users\test22\Documents\PKand6sg8HPzsYqIyabb6OSc.exe
cmdline	C:\Users\test22\Documents\wjxsgUH1cvbgyKjC6DuRSdIr.exe
cmdline	C:\Users\test22\Documents\tMiqhvz5ODttIqYuIm52JhSC.exe
cmdline	C:\Users\test22\Documents\nZTcjyU3lRUqtP21DOOVSVSC.exe
cmdline	C:\Users\test22\Documents\KJZEIwk5r5y1mdKjdWQcgrSC.exe
cmdline	C:\Users\test22\Documents\qg0bxynNEoOY9coRP0ddDhAT.exe
cmdline	C:\Users\test22\Documents\RP262uRSTW2kdblGCzFI2ySc.exe
cmdline	C:\Users\test22\Documents\HOZQu4CqJGcZmuJ2EXH5PBsc.exe
cmdline	C:\Users\test22\Documents\QBIsWtP31rXE5c5WgqyHX5AT.exe
cmdline	C:\Users\test22\Documents\r0ChcJPvf4WMPBMjJ0SFdoaT.exe
cmdline	C:\Users\test22\Documents\BuFgFL89C6JGBrVYg5sg7HAt.exe

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: c05e46ecab236464613fa897b57bffa29e661e52
buffer	Buffer with sha1: f4b90461575f862f28dbc1d91fb2ac91d68e3716

Communicates with host for which no DNS query was performed (4 events)

host	172.67.176.78
host	103.124.106.203
host	172.217.25.14
host	188.93.233.223

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 5512 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0
NtAllocateVirtualMemory March 22, 2021, 6:55 p.m.	process_identifier: 5116 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Attempts to identify installed AV products by registry key (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AvpNsGr6b0MldRi241jka83yO4z2gDC3

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 22, 2021, 6:55 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (50 out of 9344 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\rSMPtIkNmN6PgJaRmPMUr9iRzhAEGwOV	reg_value	C:\Users\test22\Documents\2gRgCSRWhUUA0rwPknZ0YhVG.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\zj18hEAKxHALmbRO9hnKcXHh6phiaxGy	reg_value	C:\Users\test22\Documents\LLzuGCnZuGXmvgsbNHOJUAYs.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ZGWioJS4k3iMpA6KfVlDRV0cbTB2gcu9	reg_value	C:\Users\test22\Documents\t5ZLHfH08kEVTqLjlwkkl5gT.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\bEJJZpw8qsQLlPszWaaQtXsRSPUbN7Q8	reg_value	C:\Users\test22\Documents\AMvgFsk0Ptjjy516sXCEMCgD.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Qk2CQOtdwNxgK3LfB9MW1XxEW10JVUus	reg_value	C:\Users\test22\Documents\P3HUHaXIIiLdOaEwuuyiwRng.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xyqYYjHbcFE28JIVaEo42ReKuaEg5g6h	reg_value	C:\Users\test22\Documents\bR5BXqjHr6efjMHZEzZOv4H3.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ugn7elf6Ihr66jVPVhFzO9Ce9Kz0sPR7	reg_value	C:\Users\test22\Documents\KBNiAKtHzDCeIPb4qExqPMAf.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\eJ8UvoN2Pt6NV1sj41SIob6eLsIK4jzz	reg_value	C:\Users\test22\Documents\AsNehvmNhGVkie8HshVsHLRU.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NdJDgC8q3Gwc1UvmYZPLFH6a6QVIvi6R	reg_value	C:\Users\test22\Documents\a3AXxSc22cVyiuv1zvxQ3JqC.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\gtHQr04UKfP3KbdADZraNecmP1IjrcXr	reg_value	C:\Users\test22\Documents\M7KUIYV0ep4b8TAe9L1d3f6F.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\QeAzrUnsHi3EnDt7QDpnN9jIgj1zB33e	reg_value	C:\Users\test22\Documents\AFyZRFJnujQdDGUis1aeyg2B.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\51TIdyqNpZ103626GPrpnD5RnLrjoHn8	reg_value	C:\Users\test22\Documents\NwJwFT6a6iWfNP5pIcOv0OxR.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\UVS8VJnzI51mILDrcCzEX88miC55CXWq	reg_value	C:\Users\test22\Documents\6BeRHHihv22CEo6SSjxeNG3i.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iLPEJ67Ahvr6JjxKZhqrULwTfquDCMzo	reg_value	C:\Users\test22\Documents\811NAy7H2I0yYFvMkRokhIo1.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\XDCHuceDWbzZyYmXOVDK4DhVXqaSOsxu	reg_value	C:\Users\test22\Documents\Ze9XdDa0NAR8UpAujSDfMtH5.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Y5icL38V5CSEsKB1TYTRin64d6LwTJmi	reg_value	C:\Users\test22\Documents\oE0nJiOSXCnIWlMy2P2qBFaX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9n8PsLCwauaQ6y1hRzMPanlV0dhSw8vf	reg_value	C:\Users\test22\Documents\ocON9vGeESMTTIFsOBWnwIzv.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CnZPouAb85mdkguaDTAAtCnBrHI6myjD	reg_value	C:\Users\test22\Documents\ncOVw0v3Pa3irzvaJzW76jVW.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9YhglDyJViWsMl9gEekRb1yYQf2r47ev	reg_value	C:\Users\test22\Documents\G1TJbgPfZbkwMS0nE54mjVm9.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kIPFLHPYElc2b6hWjOpBaKcIFYvgZZA4	reg_value	C:\Users\test22\Documents\PTJD9s4Vmaan5Iad5XhFvUhI.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pHAxVs9pkhGZdr3uEKzYkIdgVwrO3dPP	reg_value	C:\Users\test22\Documents\wBc0czKfLCjUpiC9zLfgpgrZ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\odbjBuvHS0Fagi5rAXVqXVFsRi6IBuiA	reg_value	C:\Users\test22\Documents\UDKVyWJcC4uHbmfIRucfqTyh.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\YsSdxmFhREM41kvb6DiufeLM6OUQQPCG	reg_value	C:\Users\test22\Documents\OmrV5jbSInzkhElsyueT7HJT.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\hGgjSzRCBGbdoiJ8jCNMLsTPWGRN2IgD	reg_value	C:\Users\test22\Documents\cY6NR8efhSSd2r1N9DX4jYx3.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wQNMhDK3jX3l28gpzeL5QhA8g1Tdx929	reg_value	C:\Users\test22\Documents\kCpLb4NsBQbwPYja3YVgLksy.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\QOqquqGjf3QBkU8yTOysUIdhTYkGSLkh	reg_value	C:\Users\test22\Documents\U1YLqAK7GiN2e8h42qrqZxhP.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vIWVF9QUTtsaZfdzAZQqv2zyEDYZyYie	reg_value	C:\Users\test22\Documents\TJ5cUeNZcnWlsfUhs3XL8z5I.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TiQCk1g4KOMmyRrIFxTtkzBK4M9QO959	reg_value	C:\Users\test22\Documents\OxrLI2TcWCS9x3IMZhKjiOW2.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\hGIX2QpKSNLAZHhy5yNMBcdYz1ZMfLEx	reg_value	C:\Users\test22\Documents\ay2jlR2efXyirgXH0Bdu4mSd.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nthA1coHIYfBEDpZM8eWM9EdJps0V8YY	reg_value	C:\Users\test22\Documents\fYCeJfmProQdUWstepzGZGcE.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pE1MuyvK9GFFLPckkPXDoHmc9Rz6E7w0	reg_value	C:\Users\test22\Documents\581Z7lYP9JU61rpbAZ3amF2n.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cZMc8zFBUP98gj1YuLpeK10ZCE8vHZHQ	reg_value	C:\Users\test22\Documents\FNt2tMeLXK6ulkPu7S0Wsz8h.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\jxa30U44HttUJhYs9HaPbeyv0lUpxlGv	reg_value	C:\Users\test22\Documents\PLaT9CMiE4aVkROXbcmgJdXk.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\8pDP9OHgm7fTwMHqZqP5Q7N5WZm3EErr	reg_value	C:\Users\test22\Documents\yzuLlTruAfO1h4O4D3hCDHJE.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cH2jmOciQxnG9La65dhisngcSvGNbUzc	reg_value	C:\Users\test22\Documents\qqN5PcuwYrOjZ4H0w0nX1NyB.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lZR0IOG57LOxrSVvTYTBT5LQ5ewu3bwm	reg_value	C:\Users\test22\Documents\2MdHkKJJPqTlQB0laqbYpPSz.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OB5ncWBgYl3DvK29WTb4RFd1koZNVfrn	reg_value	C:\Users\test22\Documents\4ogL2TBAjYnFxD3HVpFR5Qfq.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\hDCx6xL34P54NAk8uOhJYRquSOaOkEyg	reg_value	C:\Users\test22\Documents\I071YYiNXHrLK0WKxG5mylYI.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\XSesX6TzaYdYqQm977Nj9vz1RntmNOcM	reg_value	C:\Users\test22\Documents\byUUVuQj6yR55b7wf71kEPuP.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cnatNqmL5QTmTitZuNEhQS2rhdSVmVK4	reg_value	C:\Users\test22\Documents\EE7DQiM9fceg8jGPU1mGBKQm.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\usMtXQjkFYx87GRRaPq7rLbCggNZ9WzF	reg_value	C:\Users\test22\Documents\yUkmHcwz0SkrQe6vINWyFsVJ.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RKM1CKktjs9gO2BXxGNrjkWisMd598Ck	reg_value	C:\Users\test22\Documents\8a2YQDbktAl1q8yB5EX0CYcj.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\yoJ0qpulpZh5u5gNjoRqSYjaYa285HaN	reg_value	C:\Users\test22\Documents\8THG0khja2S88RxDCAD5KvAq.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\EsbQwvpi8TmTnUw3vghlF9qgHvfFv4t8	reg_value	C:\Users\test22\Documents\SaSMaq2uIrSjt2SHdzWfdTYa.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\C5JBPkxEknRvMEoJiJjVZRQIRWBRKwMO	reg_value	C:\Users\test22\Documents\C2IsOm8XBukZP9dIDdu7wxUE.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oBt2if4xaCNIXVrlBIY3bnajaCdjWkAi	reg_value	C:\Users\test22\Documents\hDqTc6Ib7gzmrs69ykZmO9pv.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lJbfBUb0CpucrPXvO6RZbuFmaAqi947m	reg_value	C:\Users\test22\Documents\Y5obNP3blBMpexld3xkFkwTA.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\EzFBo20HrI1EZT71gAyGHPjSOCIKDTHr	reg_value	C:\Users\test22\Documents\ln0ExXaQkVnzDIvnay0oe4j0.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PwwltqDXAK9ZT9jHYGlmHoBhyBTELnll	reg_value	C:\Users\test22\Documents\E998SYmsefI4QrOG19HdFcsy.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vPwrX9MXiYIJPEgWHxKXu4zAPboLhmuL	reg_value	C:\Users\test22\Documents\RKtflB9ybu4Gryw2ZAF91Grk.exe

Loads a driver (6 events)

Time & API	Arguments	Return
NtLoadDriver March 22, 2021, 6:55 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\JI57x7hPAj	3221225473
NtLoadDriver March 22, 2021, 6:55 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\4juPS8e4lm0U	3221225473
NtLoadDriver March 22, 2021, 6:55 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\mEMj9FwKv	3221225473
NtLoadDriver March 22, 2021, 6:55 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\U6rxla9A1YIcH	3221225473
NtLoadDriver March 22, 2021, 6:55 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\JI57x7hPAj	3221225525
NtLoadDriver March 22, 2021, 6:55 p.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\q3btMf	3221225473

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 22, 2021, 6:55 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 5512 process_handle: 0x00000080	1	1	0
WriteProcessMemory March 22, 2021, 6:55 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 5116 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 6460 called NtSetContextThread to modify thread in remote process 5512
Process injection	Process 5760 called NtSetContextThread to modify thread in remote process 5116
NtSetContextThread March 22, 2021, 6:55 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4205112 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 5512	1	0	0
NtSetContextThread March 22, 2021, 6:55 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4205112 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 5116	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 6460 resumed a thread in remote process 5512
Process injection	Process 5760 resumed a thread in remote process 5116
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 5512	1	0	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 5116	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (14 events)

cmdline	C:\Users\test22\Documents\3Os2yTo9gVMWYGe5f0v0DiRu.exe
cmdline	C:\Users\test22\Documents\fNfViBtQhXHJoVITIqJPFWdU.exe
cmdline	C:\Users\test22\Documents\OZbj5T43NcfV2DU9dHgOTrRu.exe
cmdline	C:\Users\test22\Documents\T9XL29YE3i4H2uXB7WiBuuRu.exe
cmdline	C:\Users\test22\Documents\NTEdaQLIYbABkovaZMhaiLDU.exe
cmdline	C:\Users\test22\Documents\94ENPCrA3KvPoUFfiQrmj4ru.exe
cmdline	C:\Users\test22\Documents\AsNehvmNhGVkie8HshVsHLRU.exe
cmdline	C:\Users\test22\Documents\U8NlZLqg8IW6BBfwDH2UcQdu.exe
cmdline	C:\Users\test22\Documents\E3cQyzrQTdf3g0mbQbUszKru.exe
cmdline	"C:\Users\test22\Documents\AsNehvmNhGVkie8HshVsHLRU.exe"
cmdline	C:\Users\test22\Documents\FpSQYX7ylgj2XDIZnOsTZHRU.exe
cmdline	C:\Users\test22\Documents\tHS27oAIJxtbo8zyvmMApDQk.exe
cmdline	C:\Users\test22\Documents\yemmYXm0BUmX2Q9EpWYEAlru.exe
cmdline	C:\Users\test22\Documents\We0Lo8DviHUPfv5WY5ZoNjdu.exe

Executed a process and injected code into it, probably while unpacking (50 out of 18715 events)

Time & API	Arguments	Status	Return
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000594 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x000005b8 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x000005c8 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x000005ec suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000610 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000648 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000664 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000688 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x000006ac suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000700 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x000007c4 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000768 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x0000081c suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x000008d8 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000928 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x000007f4 suspend_count: 1 process_identifier: 812	1	0
CreateProcessInternalW March 22, 2021, 6:55 p.m.	thread_identifier: 5260 thread_handle: 0x00000a2c process_identifier: 8572 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\2gRgCSRWhUUA0rwPknZ0YhVG.exe track: 1 command_line: "C:\Users\test22\Documents\2gRgCSRWhUUA0rwPknZ0YhVG.exe" filepath_r: C:\Users\test22\Documents\2gRgCSRWhUUA0rwPknZ0YhVG.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000a34	1	1
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000868 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000868 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000918 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000878 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000834 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000720 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x000008a8 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000854 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000894 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x0000080c suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x000007c4 suspend_count: 1 process_identifier: 812	1	0
CreateProcessInternalW March 22, 2021, 6:55 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\LLzuGCnZuGXmvgsbNHOJUAYs.exe track: 0 command_line: "C:\Users\test22\Documents\LLzuGCnZuGXmvgsbNHOJUAYs.exe" filepath_r: C:\Users\test22\Documents\LLzuGCnZuGXmvgsbNHOJUAYs.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 6:55 p.m.	thread_identifier: 6324 thread_handle: 0x0000036c process_identifier: 4764 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\P3HUHaXIIiLdOaEwuuyiwRng.exe track: 1 command_line: "C:\Users\test22\Documents\P3HUHaXIIiLdOaEwuuyiwRng.exe" filepath_r: C:\Users\test22\Documents\P3HUHaXIIiLdOaEwuuyiwRng.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000588	1	1
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000688 suspend_count: 1 process_identifier: 812	1	0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x000007e4 suspend_count: 1 process_identifier: 812	1	0
CreateProcessInternalW March 22, 2021, 6:55 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\KBNiAKtHzDCeIPb4qExqPMAf.exe track: 0 command_line: "C:\Users\test22\Documents\KBNiAKtHzDCeIPb4qExqPMAf.exe" filepath_r: C:\Users\test22\Documents\KBNiAKtHzDCeIPb4qExqPMAf.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x000008dc suspend_count: 1 process_identifier: 812	1	0
CreateProcessInternalW March 22, 2021, 6:55 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\a3AXxSc22cVyiuv1zvxQ3JqC.exe track: 0 command_line: "C:\Users\test22\Documents\a3AXxSc22cVyiuv1zvxQ3JqC.exe" filepath_r: C:\Users\test22\Documents\a3AXxSc22cVyiuv1zvxQ3JqC.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 6:55 p.m.	thread_identifier: 7312 thread_handle: 0x00000224 process_identifier: 4440 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\AsNehvmNhGVkie8HshVsHLRU.exe track: 1 command_line: "C:\Users\test22\Documents\AsNehvmNhGVkie8HshVsHLRU.exe" filepath_r: C:\Users\test22\Documents\AsNehvmNhGVkie8HshVsHLRU.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000208	1	1
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 812	1	0
CreateProcessInternalW March 22, 2021, 6:55 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\M7KUIYV0ep4b8TAe9L1d3f6F.exe track: 0 command_line: "C:\Users\test22\Documents\M7KUIYV0ep4b8TAe9L1d3f6F.exe" filepath_r: C:\Users\test22\Documents\M7KUIYV0ep4b8TAe9L1d3f6F.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 812	1	0
CreateProcessInternalW March 22, 2021, 6:55 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\AFyZRFJnujQdDGUis1aeyg2B.exe track: 0 command_line: "C:\Users\test22\Documents\AFyZRFJnujQdDGUis1aeyg2B.exe" filepath_r: C:\Users\test22\Documents\AFyZRFJnujQdDGUis1aeyg2B.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 812	1	0
CreateProcessInternalW March 22, 2021, 6:55 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\NwJwFT6a6iWfNP5pIcOv0OxR.exe track: 0 command_line: "C:\Users\test22\Documents\NwJwFT6a6iWfNP5pIcOv0OxR.exe" filepath_r: C:\Users\test22\Documents\NwJwFT6a6iWfNP5pIcOv0OxR.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW March 22, 2021, 6:55 p.m.	thread_identifier: 7000 thread_handle: 0x00000830 process_identifier: 6460 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\AMvgFsk0Ptjjy516sXCEMCgD.exe track: 1 command_line: "C:\Users\test22\Documents\AMvgFsk0Ptjjy516sXCEMCgD.exe" filepath_r: C:\Users\test22\Documents\AMvgFsk0Ptjjy516sXCEMCgD.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000008fc	1	1
CreateProcessInternalW March 22, 2021, 6:55 p.m.	thread_identifier: 2728 thread_handle: 0x00000824 process_identifier: 3064 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\t5ZLHfH08kEVTqLjlwkkl5gT.exe track: 1 command_line: "C:\Users\test22\Documents\t5ZLHfH08kEVTqLjlwkkl5gT.exe" filepath_r: C:\Users\test22\Documents\t5ZLHfH08kEVTqLjlwkkl5gT.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000820	1	1
CreateProcessInternalW March 22, 2021, 6:55 p.m.	thread_identifier: 6304 thread_handle: 0x000008f8 process_identifier: 2700 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Documents\bR5BXqjHr6efjMHZEzZOv4H3.exe track: 1 command_line: "C:\Users\test22\Documents\bR5BXqjHr6efjMHZEzZOv4H3.exe" filepath_r: C:\Users\test22\Documents\bR5BXqjHr6efjMHZEzZOv4H3.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000008f4	1	1
NtResumeThread March 22, 2021, 6:55 p.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 812	1	0

Stops Windows services (5 events)

service	4juPS8e4lm0U (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\4juPS8e4lm0U\Start)
service	mEMj9FwKv (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mEMj9FwKv\Start)
service	JI57x7hPAj (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\JI57x7hPAj\Start)
service	q3btMf (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\q3btMf\Start)
service	U6rxla9A1YIcH (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\U6rxla9A1YIcH\Start)

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36541954
FireEye	Generic.mg.4c5c17827dee5404
ALYac	Trojan.GenericKD.36541954
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanSpy:MSIL/Stealer.972d11b7
K7GW	Trojan-Downloader ( 005796b91 )
Cybereason	malicious.fc73e6
Arcabit	Trojan.Generic.D22D9602
BitDefenderTheta	Gen:NN.ZemsilF.34628.am0@a0rZ!Hp
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Small.CLF
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
BitDefender	Trojan.GenericKD.36541954
Paloalto	generic.ml
Ad-Aware	Trojan.GenericKD.36541954
Emsisoft	Trojan.GenericKD.36541954 (B)
DrWeb	Trojan.Siggen12.47234
McAfee-GW-Edition	RDN/Generic PWS.y
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	TR/Dldr.Small.zmiqq
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Backdoor:Win32/Bladabindi!ml
AegisLab	Trojan.MSIL.Stealer.l!c
GData	Trojan.GenericKD.36541954
Cynet	Malicious (score: 100)
McAfee	RDN/Generic PWS.y
MAX	malware (ai score=88)
Malwarebytes	Trojan.Downloader
Rising	Trojan.IPLogger!1.B69D (CLOUD)
Ikarus	Trojan-Downloader.MSIL.Small
eGambit	Unsafe.AI_Score_65%
Fortinet	W32/Stealer.CLF!tr
AVG	Win32:DropperX-gen [Drp]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/TrojanSpy.Generic.HgIASRIA

KG5pc5F7jZu3r0hr7kiig97u.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All