Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 8, 2023, 5:30 p.m.	Nov. 8, 2023, 5:37 p.m.

Size	4.7MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`90427a600ba896346dca58a43f4cc77f`
SHA256	`a8a172e5e99b940b86720dfffa4a822a486b4a7334c420cdefae80fca5ce2638`
CRC32	`09A80354`
ssdeep	`98304:KEjAuvLZidHg42wcN3zhgDsZvIkZXiCIc42sLFhaRhZ:KzYWHg4FcN3zBZvbIc42Esh`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) mzp_file_format - MZP(Delphi) file format

bet365.exe "C:\Users\test22\AppData\Local\Temp\bet365.exe"
1280
- cmd.exe cmd /k cmd < Irs & exit
  2188
  - cmd.exe cmd
    2300
    - findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      2500
    - tasklist.exe tasklist
      2460
    - tasklist.exe tasklist
      2608
    - findstr.exe findstr /I "wrsa.exe"
      2644
    - cmd.exe cmd /c mkdir 12922
      2732
    - cmd.exe cmd /c copy /b Plants + Ai + Entertaining + Mozilla + Artistic 12922\Publication.pif
      2808
    - cmd.exe cmd /c copy /b Bradley + Observation + Tribune + Tribes + Latinas + Troubleshooting + Shoppingcom + Peak + Canadian + Peterson + Institute + Carrying + Map + Persian + Snow 12922\a
      2852
    - Publication.pif 12922\Publication.pif 12922\a
      2904
    - PING.EXE ping -n 5 localhost
      2940
Publication.pif C:\Users\test22\AppData\Local\Temp\59843\12922\Publication.pif
2088

Name	Response	Post-Analysis Lookup
UGimJTaULZqJErlriNlsHPaO.UGimJTaULZqJErlriNlsHPaO

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 8, 2023, 5:30 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Nov. 8, 2023, 5:30 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 8, 2023, 5:23 p.m.			0	0

Command line console output was observed (50 out of 470 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: Set ifPQcOpjFMSywDpMHEutDufItvxCjG=e console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: zbvYgiwbwYITFEjYtt=VmcnqqiLYxHqYyvLEul console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'zbvYgiwbwYITFEjYtt' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: mDJeEbcrAlvbooLVYYc=iverxYKNoTHSUGZsQaUCEtkOYpRQz console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'mDJeEbcrAlvbooLVYYc' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: NGKkdrAFIFNHUGCEDBpz=FrSxelgykuTx console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'NGKkdrAFIFNHUGCEDBpz' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: uwiIdVRlKgPWpEkxFdHZco=RQhSjAbmUhhABvVkhCUUO console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'uwiIdVRlKgPWpEkxFdHZco' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: nTFeKFQkxkX=fRerEKjPVIVtKXKyxvB console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'nTFeKFQkxkX' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: OOazjpPRIITwCei=opXlIYoPXBa console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'OOazjpPRIITwCei' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: VKRXKKKBnIQcUxijPTBHQGXln=EPFDvKQeVXRVsRaG console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'VKRXKKKBnIQcUxijPTBHQGXln' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: maCdhRWZrqKXfNGnzyUVV=uERnpcUCJflebS console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'maCdhRWZrqKXfNGnzyUVV' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: Set qsXJDaKuyGllvXMbKIjjXnOIAyBscMhfOCzOXkaUvnMSZlbF=a console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: mzkFZBCfobRzKazUvUDXAndaQn=WJdIWzEhUtoCRjIeUrrOzntO console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'mzkFZBCfobRzKazUvUDXAndaQn' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: wZdqeSPAOFFSPVZuymQhs=LScvfNKznEByUxhjRkzeeGel console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'wZdqeSPAOFFSPVZuymQhs' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: irHgYgBkfgn=FDePciqdJqFTTHETgJtQk console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'irHgYgBkfgn' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: iJrymdqTFuOHjHsj=mwTcinOxsJHWFpIzhvaMdH console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'iJrymdqTFuOHjHsj' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: dPxmtkcWBweFOaWZlgKoGzXq=ugYkYAdSdDFNZKpVMyUDDTqsvonG console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'dPxmtkcWBweFOaWZlgKoGzXq' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: tWSxCXXvLDBLNbPsjlE=jThevahhGOQeKzjGMzbM console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: 'tWSxCXXvLDBLNbPsjlE' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\59843> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 8, 2023, 5:30 p.m.	buffer: nwCaRQvkqlXTyk=IPXpKJPWMmqzkp console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 8, 2023, 5:30 p.m.	process_identifier: 1280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Nov. 8, 2023, 5:23 p.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\59843\12922\Publication.pif

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\bet365.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 8, 2023, 5:23 p.m.	snapshot_handle: 0x0000000000000120 process_name: mobsync.exe process_identifier: 1668	1	1
Process32NextW Nov. 8, 2023, 5:23 p.m.	snapshot_handle: 0x0000000000000120 process_name: SearchProtocolHost.exe process_identifier: 156	1	1
Process32NextW Nov. 8, 2023, 5:23 p.m.	snapshot_handle: 0x0000000000000120 process_name: cmd.exe process_identifier: 496	1	1
Process32NextW Nov. 8, 2023, 5:23 p.m.	snapshot_handle: 0x0000000000000120 process_name: bet365.exe process_identifier: 1280	1	1
Process32NextW Nov. 8, 2023, 5:23 p.m.	snapshot_handle: 0x0000000000000120 process_name: svchost.exe process_identifier: 2352	1	1
Process32NextW Nov. 8, 2023, 5:23 p.m.	snapshot_handle: 0x0000000000000120 process_name: mscorsvw.exe process_identifier: 2420	1	1
Process32NextW Nov. 8, 2023, 5:23 p.m.	snapshot_handle: 0x0000000000000120 process_name: WmiPrvSE.exe process_identifier: 2568	1	1
Process32NextW Nov. 8, 2023, 5:23 p.m.	snapshot_handle: 0x0000000000000120 process_name: sppsvc.exe process_identifier: 2720	1	1
Process32NextW Nov. 8, 2023, 5:23 p.m.	snapshot_handle: 0x0000000000000120 process_name: PING.EXE process_identifier: 2940	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0042a600', u'virtual_address': u'0x00085000', u'entropy': 7.375919367589938, u'name': u'.rsrc', u'virtual_size': u'0x0042a600'}

entropy

7.37591936759

description

A section with a high entropy has been found

entropy

0.895643044619

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 8, 2023, 5:30 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 8, 2023, 5:30 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://docs.rs/getrandom
url	https://P

Yara rule detected in process memory (19 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Run a KeyLogger	rule	KeyLogger

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Nov. 8, 2023, 5:23 p.m.	status_code: 0x00000000 process_identifier: 1280 process_handle: 0x0000000000000120		0	0
NtTerminateProcess Nov. 8, 2023, 5:23 p.m.	status_code: 0x00000000 process_identifier: 1280 process_handle: 0x0000000000000120	1	0	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	tasklist
cmdline	cmd /c mkdir 12922
cmdline	ping -n 5 localhost

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 7873b06c6e9b39da003324b4757f24ba071f7439
buffer	Buffer with sha1: 38540c359055505ff38cdfe801f722cd6ea83c01

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 8, 2023, 5:23 p.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4489216 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000610000 process_handle: 0x0000000000000204	1	0	0

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2904 manipulating memory of non-child process 2088
NtAllocateVirtualMemory Nov. 8, 2023, 5:23 p.m.	process_identifier: 2088 region_size: 4489216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000000610000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000204	1	0	0
NtProtectVirtualMemory Nov. 8, 2023, 5:23 p.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4489216 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000610000 process_handle: 0x0000000000000204	1	0	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2904 called NtSetContextThread to modify thread in remote process 2088
NtSetContextThread Nov. 8, 2023, 5:23 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 9428856 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 6356120 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 2003748096 registers.rdx: 8796092866560 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x0000000000000200 process_identifier: 2088	1	0	0

Expresses interest in specific running processes (4 events)

process: potential process injection target	explorer.exe
process	cmd.exe
process	publication.pif
process	bet365.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2904 resumed a thread in remote process 2088
NtResumeThread Nov. 8, 2023, 5:23 p.m.	thread_handle: 0x0000000000000200 suspend_count: 1 process_identifier: 2088	1	0	0

Executed a process and injected code into it, probably while unpacking (16 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 8, 2023, 5:30 p.m.	thread_identifier: 2192 thread_handle: 0x00000108 process_identifier: 2188 current_directory: C:\Users\test22\AppData\Local\Temp\59843 filepath: track: 1 command_line: cmd /k cmd < Irs & exit filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000010c	1	1
CreateProcessInternalW Nov. 8, 2023, 5:30 p.m.	thread_identifier: 2304 thread_handle: 0x00000088 process_identifier: 2300 current_directory: C:\Users\test22\AppData\Local\Temp\59843 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Nov. 8, 2023, 5:30 p.m.	thread_identifier: 2464 thread_handle: 0x00000090 process_identifier: 2460 current_directory: C:\Users\test22\AppData\Local\Temp\59843 filepath: C:\Windows\System32\tasklist.exe track: 1 command_line: tasklist filepath_r: C:\Windows\system32\tasklist.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000098	1	1
CreateProcessInternalW Nov. 8, 2023, 5:30 p.m.	thread_identifier: 2504 thread_handle: 0x00000090 process_identifier: 2500 current_directory: C:\Users\test22\AppData\Local\Temp\59843 filepath: C:\Windows\System32\findstr.exe track: 1 command_line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" filepath_r: C:\Windows\system32\findstr.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a0	1	1
CreateProcessInternalW Nov. 8, 2023, 5:30 p.m.	thread_identifier: 2612 thread_handle: 0x00000098 process_identifier: 2608 current_directory: C:\Users\test22\AppData\Local\Temp\59843 filepath: C:\Windows\System32\tasklist.exe track: 1 command_line: tasklist filepath_r: C:\Windows\system32\tasklist.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Nov. 8, 2023, 5:30 p.m.	thread_identifier: 2648 thread_handle: 0x00000098 process_identifier: 2644 current_directory: C:\Users\test22\AppData\Local\Temp\59843 filepath: C:\Windows\System32\findstr.exe track: 1 command_line: findstr /I "wrsa.exe" filepath_r: C:\Windows\system32\findstr.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a4	1	1
CreateProcessInternalW Nov. 8, 2023, 5:30 p.m.	thread_identifier: 2736 thread_handle: 0x000000a4 process_identifier: 2732 current_directory: C:\Users\test22\AppData\Local\Temp\59843 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c mkdir 12922 filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Nov. 8, 2023, 5:30 p.m.	thread_identifier: 2812 thread_handle: 0x0000008c process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp\59843 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c copy /b Plants + Ai + Entertaining + Mozilla + Artistic 12922\Publication.pif filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a4	1	1
CreateProcessInternalW Nov. 8, 2023, 5:30 p.m.	thread_identifier: 2856 thread_handle: 0x000000a4 process_identifier: 2852 current_directory: C:\Users\test22\AppData\Local\Temp\59843 filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c copy /b Bradley + Observation + Tribune + Tribes + Latinas + Troubleshooting + Shoppingcom + Peak + Canadian + Peterson + Institute + Carrying + Map + Persian + Snow 12922\a filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Nov. 8, 2023, 5:30 p.m.	thread_identifier: 2908 thread_handle: 0x0000008c process_identifier: 2904 current_directory: C:\Users\test22\AppData\Local\Temp\59843 filepath: C:\Users\test22\AppData\Local\Temp\59843\12922\Publication.pif track: 1 command_line: 12922\Publication.pif 12922\a filepath_r: C:\Users\test22\AppData\Local\Temp\59843\12922\Publication.pif stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000a4	1	1
CreateProcessInternalW Nov. 8, 2023, 5:30 p.m.	thread_identifier: 2944 thread_handle: 0x000000a4 process_identifier: 2940 current_directory: C:\Users\test22\AppData\Local\Temp\59843 filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping -n 5 localhost filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW Nov. 8, 2023, 5:23 p.m.	thread_identifier: 2084 thread_handle: 0x0000000000000200 process_identifier: 2088 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\59843\12922\Publication.pif filepath_r: stack_pivoted: 0 creation_flags: 134742020 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000204	1	1
NtGetContextThread Nov. 8, 2023, 5:23 p.m.	thread_handle: 0x0000000000000200	1	0
NtAllocateVirtualMemory Nov. 8, 2023, 5:23 p.m.	process_identifier: 2088 region_size: 4489216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000000610000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000204	1	0
NtSetContextThread Nov. 8, 2023, 5:23 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 9428856 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 6356120 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 2003748096 registers.rdx: 8796092866560 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x0000000000000200 process_identifier: 2088	1	0
NtResumeThread Nov. 8, 2023, 5:23 p.m.	thread_handle: 0x0000000000000200 suspend_count: 1 process_identifier: 2088	1	0

bet365.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All