Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 21, 2021, 10:08 a.m.	May 21, 2021, 10:10 a.m.

Size	276.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`e57416e1935a33a9f173da150d8daa05`
SHA256	`4176f2c029ae72c4bf087aa6fe76adff915ad75a41c1b9a8d28b71835052c87a`
CRC32	`087AF25E`
ssdeep	`6144:/QqaV8iAxOQmDIqpV5LBZJveaCzlH8KQALPsL2lJbZJ:QVyxOpdpVZJ/CzPQAA2ltZJ`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

run.exe "C:\Users\test22\AppData\Local\Temp\run.exe"
2208
- Sec.exe "C:\Windows\temp\Sec.exe"
  6988
  - 8908.exe 8908.exe
    6764
- Sel.exe "C:\Windows\temp\Sel.exe"
  5720
- Seh.exe "C:\Windows\temp\Seh.exe"
  7204
  - NVIDIA.exe "C:\Windows\NVIDIA.exe"
    8340
    - Picture.exe "C:\Picture.exe"
      2508
- Ser.exe "C:\Windows\temp\Ser.exe"
  3172

Name	Response	Post-Analysis Lookup
users.qzone.qq.com	A 58.250.136.113	58.250.136.113
ocsp.dcocsp.cn	CNAME ocsp.dcocsp.cn.w.kunlunar.com A 47.246.59.227 A 47.246.59.229 A 47.246.59.228 A 47.246.59.230 A 47.246.59.231 A 47.246.59.226 A 47.246.59.232 A 47.246.59.233	163.181.22.230

IP Address	Status	Action
139.155.178.173	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
43.129.230.36	Active	Moloch
47.246.59.231	Active	Moloch
58.250.136.113	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49808 -> 43.129.230.36:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49808 -> 43.129.230.36:80	2008974	ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))	Possibly Unwanted Program Detected
TCP 192.168.56.102:49813 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.102:49813 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.102:49813 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 43.129.230.36:80 -> 192.168.56.102:49808	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 43.129.230.36:80 -> 192.168.56.102:49808	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 192.168.56.102:49811 -> 139.155.178.173:888	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 43.129.230.36:80 -> 192.168.56.102:49808	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 43.129.230.36:80 -> 192.168.56.102:49808	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49817 -> 139.155.178.173:888	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 139.155.178.173:888 -> 192.168.56.102:49817	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 139.155.178.173:888 -> 192.168.56.102:49817	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 139.155.178.173:888 -> 192.168.56.102:49817	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 139.155.178.173:888 -> 192.168.56.102:49817	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49875 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.102:49875 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.102:49875 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.102:49925 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.102:49925 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.102:49925 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.102:49808 -> 43.129.230.36:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49808 -> 43.129.230.36:80	2008974	ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))	Possibly Unwanted Program Detected
TCP 192.168.56.102:49974 -> 139.155.178.173:19060	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.102:49974 -> 139.155.178.173:19060	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.102:49974 -> 139.155.178.173:19060	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49870 58.250.136.113:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Secure Site CA G2	C=CN, ST=Guangdong Province, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, OU=R&D, CN=*.qzone.qq.com	89:39:26:02:eb:fd:36:ce:7d:93:4f:b3:e5:16:96:06:0f:b6:9a:5b

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 21, 2021, 10:08 a.m.			0	0
IsDebuggerPresent May 21, 2021, 10:08 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 21, 2021, 10:08 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 21, 2021, 10:08 a.m.	stacktrace: Host+0x14c @ 0x10002bfc exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b eb 24 8b 45 ec exception.exception_code: 0xc000001d exception.symbol: Host-0x1307 exception.address: 0x100017a9 registers.esp: 1637528 registers.edi: 0 registers.eax: 1 registers.ebp: 1637580 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1970484437 registers.ecx: 7724	1	0	0
__exception__ May 21, 2021, 10:08 a.m.	stacktrace: Host+0x155 @ 0x10002c05 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Host-0x1268 exception.address: 0x10001848 registers.esp: 1637528 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 1637580 registers.edx: 22104 registers.ebx: 0 registers.esi: 1970484437 registers.ecx: 10	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://43.129.230.36/8908.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://43.129.230.36/System1.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
suspicious_features	GET method with no useragent header	suspicious_request	GET https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

Performs some HTTP requests (6 events)

request	GET http://43.129.230.36/8908.exe
request	GET http://43.129.230.36/System1.dll
request	GET http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
request	GET http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAh%2BGPuPqpJ%2B6HYKDYmC9RI%3D
request	GET http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHv1Dj%2BciPJEWH5JNtwL5Y07mRqwQUxBF%2BiECGwkG%2FZfMa4bRTQKOr7H0CEArIzKqFYmE3jrS4gQrE3QI%3D
request	GET https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

Allocates read-write-execute memory (usually to unpack itself) (50 out of 491 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 6988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dca1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 6988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 6988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 6988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73861000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 6988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 6988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 6988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66a91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 6988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x673a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 6988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 942080 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 6988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 217088 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x100e7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73861000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75431000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

Ser.exe tried to sleep 252 seconds, actually delayed analysis time by 252 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 21, 2021, 10:08 a.m.	total_number_of_free_bytes: 13274988544 free_bytes_available: 13274988544 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW May 21, 2021, 10:10 a.m.	total_number_of_free_bytes: 13272264704 free_bytes_available: 13272264704 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (8 events)

file	C:\Windows\Temp\Seh.exe
file	C:\Windows\Temp\Sec.exe
file	C:\Windows\Temp\8908.exe
file	C:\Windows\Temp\Ser.exe
file	C:\Program Files\AppPatch\NetSyst96.dll
file	C:\Program Files\Cacrk\Cacrk.dll
file	C:\Picture.exe
file	C:\Windows\Temp\Sel.exe

Creates a service (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA May 21, 2021, 10:08 a.m.	service_start_name: start_type: 2 password: display_name: Internet Connection Sharing (ICS) filepath: C:\Program Files (x86)\Arrange\NULL.jpg service_name: SharedAccess filepath_r: C:\Program Files (x86)\Arrange\NULL.jpg desired_access: 983551 service_handle: 0x00000000 error_control: 0 service_type: 272 service_manager_handle: 0x0086ccc0		0	0
CreateServiceA May 21, 2021, 10:08 a.m.	service_start_name: start_type: 2 password: display_name: SuperProServer filepath: C:\Windows\NVIDIA.exe service_name: NVIDIA filepath_r: C:\Windows\NVIDIA.exe desired_access: 983551 service_handle: 0x005ee710 error_control: 0 service_type: 272 service_manager_handle: 0x00611718	1	6219536	0

Drops a binary and executes it (4 events)

file	C:\Windows\Temp\Sec.exe
file	C:\Windows\Temp\Ser.exe
file	C:\Windows\Temp\Seh.exe
file	C:\Picture.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\3118bdb.tmp
file	C:\Users\test22\AppData\Local\Temp\3118bbb.tmp
file	C:\Users\test22\AppData\Local\Temp\3118bec.tmp

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (44 events)

Time & API	Arguments	Status	Return
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: mobsync.exe process_identifier: 7308	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: pw.exe process_identifier: 6108	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: taskhost.exe process_identifier: 2808	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: cmd.exe process_identifier: 2240	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: conhost.exe process_identifier: 2504	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: pw.exe process_identifier: 3324	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: slui.exe process_identifier: 1836	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: Sec.exe process_identifier: 6988	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: Ser.exe process_identifier: 3172	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: Sel.exe process_identifier: 5720	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: NVIDIA.exe process_identifier: 8340	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 6764	1	1
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: NVIDIA.exe process_identifier: 3320	1	1
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: cmd.exe process_identifier: 2856	1	1
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: conhost.exe process_identifier: 5424	1	1
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 6872	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x00000290 process_name: Seh.exe process_identifier: 7204	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x00000e54 process_name: cmd.exe process_identifier: 5272	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x00000e54 process_name: conhost.exe process_identifier: 7552	1	1
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x00000e54 process_name: pw.exe process_identifier: 6844	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x0000195c process_name: cmd.exe process_identifier: 4744	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x0000195c process_name: conhost.exe process_identifier: 6440	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x0000195c process_name: pw.exe process_identifier: 2424	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x00002464 process_name: cmd.exe process_identifier: 3468	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x00002464 process_name: conhost.exe process_identifier: 3716	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x00002464 process_name: pw.exe process_identifier: 7656	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x00002f0c process_name: cmd.exe process_identifier: 5264	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x00002f18 process_name: conhost.exe process_identifier: 884	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x00002f68 process_name: pw.exe process_identifier: 4468	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x00003950 process_name: cmd.exe process_identifier: 2564	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x00003950 process_name: conhost.exe process_identifier: 5116	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x00003950 process_name: pw.exe process_identifier: 500	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x00004470 process_name: cmd.exe process_identifier: 8812	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x00004478 process_name: conhost.exe process_identifier: 8968	1	1
Process32NextW May 21, 2021, 10:09 a.m.	snapshot_handle: 0x000044e4 process_name: pw.exe process_identifier: 4428	1	1
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00004f54 process_name: cmd.exe process_identifier: 8832	1	1
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00004f54 process_name: conhost.exe process_identifier: 6300	1	1
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00004f54 process_name: pw.exe process_identifier: 7684	1	1
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x000064c8 process_name: cmd.exe process_identifier: 4464	1	1
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x000064c8 process_name: conhost.exe process_identifier: 4724	1	1
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x000064c8 process_name: pw.exe process_identifier: 5052	1	1
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00006fc0 process_name: cmd.exe process_identifier: 2404	1	1
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00006fc0 process_name: conhost.exe process_identifier: 556	1	1
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00006fc0 process_name: pw.exe process_identifier: 5652	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 21, 2021, 10:08 a.m.	process_identifier: 5720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 36864 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the processes sec.exe, nvidia.exe (4 events)

Time & API	Arguments	Status	Return
InternetReadFile May 21, 2021, 10:08 a.m.	buffer: MZÿÿ¸@(º´ Í!¸LÍ!This program cannot be run in DOS mode. $LNáî ²î ²î ²sò,² î ²gñ+²î ²gñ²î ²ò.²$î ²>È²Âî ²>È+²Tî ²^ñ3²$î ²jñ3²î ²î!²¤ì ²æ}²î ²ôÎ2² î ²àñ+²iî ²àñ*²î ²î ²Sî ²Ïè&² î ²Richî ²PELrN`à` ÀBz_p @P\|K, Oh_p T.textâS ` `.rdataR3Ap @Ap @@.dataJè°K °K@À.rsrch_ O`ÐL@@ request_handle: 0x00cc000c	1	1
InternetReadFile May 21, 2021, 10:08 a.m.	buffer: Processú¦Ï©ÅoïÉ[©Á~¿ÍfC±NtZwuser32.dllgdi32.dll ÷×_ÒÖ¯ÆfCÁ¾/ÎCÃ6G¥ÏWçÅïÉ[©Á~¿ÍfC±@ãð7«Å[ïÉ[©Á~¿ÍfC±D@#\EAPA×fAgA jAirAýrAóuAÎxA%yAyAA{AßAA AAA¾A¸¾AèA@A'AAgA»AAæA½AAûA0A"AAÝA¹AA\|An A`¡AR¢AD£A:¤A¥Aæ¥AÜ¦A)¨A©Aò©A¯Aà¯A¹°A±Ar²AM³A>¶Al·A¸AºAöºAÑ»A³¼A½AöB÷B?¿A¨ßAÐéAÛøAÒBu5Bí5BB®BÝBBBªBeB5B}%B ;B;B¨8B@À?MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $yÌ³Þ=Ý=Ý=Ý¾±ÓÝ×ÝÖkÝF±Ñ>Ýk²ÎÝ_²Î(Ý=Ür¯ÝÕ²ÖwÝÕ²×$Ý=Ý"Ýú«Û<ÝÂÙ<ÝRich=ÝPELw ^à!ð@ÛQ°J t\|ð} request_handle: 0x00cc000c	1	1
InternetReadFile May 21, 2021, 10:08 a.m.	buffer: MZÿÿ¸@(º´ Í!¸LÍ!This program cannot be run in DOS mode. $LNáî ²î ²î ²sò,² î ²gñ+²î ²gñ²î ²ò.²$î ²>È²Âî ²>È+²Tî ²^ñ3²$î ²jñ3²î ²î!²¤ì ²æ}²î ²ôÎ2² î ²àñ+²iî ²àñ*²î ²î ²Sî ²Ïè&² î ²Richî ²PEL¡@v`à` ÀBap @Pè\|K, Oh_p T.textU ` `.rdata¢3Ap @Ap @@.dataJè°K °K@À.rsrch_ O`ÐL@@ request_handle: 0x00cc000c	1	1
InternetReadFile May 21, 2021, 10:08 a.m.	buffer: kernel32IsWow64Processú¦Ï©ÅoïÉ[©Á~¿ÍfC±NtZwuser32.dllgdi32.dll ÷×_ÒÖ¯ÆfCÁ¾/ÎCÃ6G¥ÏWçÅïÉ[©Á~¿ÍfC±@ãð7«Å[ïÉ[©Á~¿ÍfC±D@#\Software\Valve\Steam\RememberPasswordêAõA\|hA4iAÅkAtA¢tAwAszAÊzA'{Aæ\|AA&A¯A8A·A'ÀA]ÀAAåAÌA¿AA`A´AAbA-A AÕAÇA¹AA^A/ A!¡A¢A£A÷£Aé¤Aß¥A¶¦A§A¨AÎ©AÄªA«AÃ°A±A^²AB³A´Aò´Aã·A¹A8ºAÀ»A¼Av½AX¾A<¿ABBäÀAMáAuëAúAwB7B7B´BSBB±BºBOB BÚB"'B@®<B¹<BM:BÀ?MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $yÌ³Þ=Ý=Ý=Ý¾±ÓÝ×ÝÖkÝF±Ñ>Ýk²ÎÝ_²Î(Ý=Ür¯ÝÕ²ÖwÝÕ²×$Ý=Ý"Ýú«Û<ÝÂÙ<ÝRich=ÝPELw ^à!ð@ÛQ request_handle: 0x00cc000c	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 21, 2021, 10:08 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 21, 2021, 10:08 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 7092 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 7536688		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 3014768		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 7274573		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 5046390		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 6815859		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 6881397		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 7602277		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 6619235		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 4456552		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 7536758		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 6684769		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 4390992		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: process_identifier: 5439572		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 6619182		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 6553715		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 5046338		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 6619246		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 6750273		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 7471220		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 7733331		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 4980808		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 6619251		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 7864421		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 3342387		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 3014722		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: process_identifier: 7733362		0	0
Process32NextW May 21, 2021, 10:08 a.m.	snapshot_handle: 0x000003a4 process_name: 8908.exe process_identifier: 6553705		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 7602224		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 7536688		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 3014768		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 7274573		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 5046390		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 6815859		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 6881397		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 7602277		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 6619235		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 4456552		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 7536758		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 6684769		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 4390992		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: process_identifier: 5439572		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 6619182		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 6553715		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 5046338		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 6619246		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 6750273		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 7471220		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 7733331		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 4980808		0	0
Process32NextW May 21, 2021, 10:10 a.m.	snapshot_handle: 0x00000334 process_name: pw.exe process_identifier: 6619251		0	0

Communicates with host for which no DNS query was performed (3 events)

host	139.155.178.173
host	172.217.25.14
host	43.129.230.36

Installs itself for autorun at Windows startup (3 events)

service_name	SharedAccess	service_path	C:\Program Files (x86)\Arrange\NULL.jpg
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX5B07E7D0	reg_value	C:\Windows\XXXXXX5B07E7D0\svchsot.exe
service_name	NVIDIA	service_path	C:\Windows\NVIDIA.exe

Expresses interest in specific running processes (3 events)

process	ser.exe
process	sel.exe
process: potential process injection target	explorer.exe

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 21, 2021, 10:08 a.m.	stacktrace: Host+0x155 @ 0x10002c05 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Host-0x1268 exception.address: 0x10001848 registers.esp: 1637528 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 1637580 registers.edx: 22104 registers.ebx: 0 registers.esi: 1970484437 registers.ecx: 10	1	0	0

Creates known Zegost files, registry changes and/or mutexes (1 event)

mutex

AAAAAArrCmva6ysr2utKe9rrSwqa6mr7Wvnw==

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

MicroWorld-eScan	MemScan:Trojan.GenericKDZ.41799
FireEye	MemScan:Trojan.GenericKDZ.41799
CAT-QuickHeal	Trojan.Magania.18692
McAfee	GenericRXGZ-NM!4B19377ADE95
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 0055e3da1 )
K7GW	Trojan-Downloader ( 0055e3da1 )
Cybereason	malicious.1935a3
Arcabit	Trojan.Generic.DA347
Baidu	Multi.Threats.InArchive
Cyren	W32/Trojan.IM.gen!Eldorado
Symantec	Backdoor.Trojan
ESET-NOD32	multiple detections
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Trojan.Farfli-9811912-0
Kaspersky	Trojan-Downloader.Win32.Dupzom.blr
BitDefender	MemScan:Trojan.GenericKDZ.41799
NANO-Antivirus	Trojan.Win32.Dwn.eahibw
Tencent	Win32.Trojan-downloader.Dupzom.Ajuy
Ad-Aware	MemScan:Trojan.GenericKDZ.41799
Sophos	Troj/AutoG-JE
Comodo	TrojWare.Win32.Agent.PDSB@4q3i1w
DrWeb	Trojan.DownLoader19.23899
TrendMicro	BKDR_ZEGOST.SM50
McAfee-GW-Edition	BackDoor-EMA.gen.e
Emsisoft	MemScan:Trojan.GenericKDZ.41799 (B)
Ikarus	Trojan-Downloader.Win32.Agent
Jiangmin	Trojan/Dialer.mgr
Avira	HEUR/AGEN.1124319
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Dorv.A
ZoneAlarm	HEUR:Trojan.Win32.Agent.gen
GData	Win32.Trojan-Downloader.Agent.WC
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.R419237
BitDefenderTheta	Gen:NN.ZexaF.34690.cq0@aqF6coeb
ALYac	MemScan:Trojan.GenericKDZ.41799
MAX	malware (ai score=80)
VBA32	BScope.Trojan.Downloader
Malwarebytes	Malware.AI.4016639641
Zoner	Trojan.Win32.83819
TrendMicro-HouseCall	BKDR_ZEGOST.SM50
Rising	Backdoor.Farfli!8.B4 (RDMK:cmRtazojdhNbzDwVnpD4AxNBfQpf)
Yandex	Trojan.GenAsa!puNbw774luA
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Agent.BVS!tr
AVG	Win32:Malware-gen

run.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All