Revert to a VM snapshot with no malware on it. For this lab I used Wireshark, Procmon + Noriben, and API Monitor (32-bit).
TL;DR: the sample makes copies of itself, adds them to autoruns, and deletes the original.
Check C:\Temp\ for readme.pdf, C:\Windows\ for writer.exe, and C:\Windows\Temp\ for a fake svchost.exe (protip: they all have the same hash, so they are byte-identical copies of the sample; the real svchost.exe lives in C:\Windows\System32\, not C:\Windows\Temp\).
It spawns notepad.exe and cmd.exe; the cmd.exe spawns ping.exe and then deletes findme.exe (the original sample). ping.exe in front of a del is usually just a sleep so the original process has exited before the file is removed; check the cmd.exe command line in Procmon to confirm.
The persistence is a Run-key value named AH under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (per-user, so no admin rights were needed to set it).
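Added example (my own triage script, not part of the original lab notes): after the sample has run, this checks the three dropped copies listed above, confirms they share one hash and are not the real svchost.exe, and reads the AH value under the HKCU Run key. The paths, the value name AH and the name findme.exe come from the notes; the location of findme.exe (C:\Temp\) is an assumption.

```powershell
# Added example, not from the original lab notes. Run in the infected VM
# after the sample has finished, before reverting the snapshot.
$dropped = @(
    'C:\Temp\readme.pdf',
    'C:\Windows\writer.exe',
    'C:\Windows\Temp\svchost.exe'
)

# Hash every copy that still exists; the notes say all three share one hash.
$hashes = foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) {
        Get-FileHash -LiteralPath $p -Algorithm SHA256
    } else {
        Write-Warning "missing: $p"
    }
}
$hashes | Format-Table Hash, Path -AutoSize

$unique = $hashes.Hash | Sort-Object -Unique
if ($hashes.Count -eq $dropped.Count -and $unique.Count -eq 1) {
    "all $($dropped.Count) copies are identical (SHA256 $unique)"
} else {
    Write-Warning 'copies differ or some are missing; compare each against the original sample hash'
}

# The dropped svchost.exe is outside System32; make sure it is not the real one.
$real = Get-FileHash -LiteralPath "$env:SystemRoot\System32\svchost.exe" -Algorithm SHA256
if ($real.Hash -in $unique) { Write-Warning 'dropped svchost.exe has the same hash as the real one?!' }

# Persistence: a value named AH under the per-user Run key.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ah = Get-ItemProperty -Path $runKey -Name AH -ErrorAction SilentlyContinue
if ($ah) { "Run\AH -> $($ah.AH)" } else { 'no AH value under HKCU Run' }

# The original should be gone after cmd.exe's delete.
$orig = 'C:\Temp\findme.exe'   # assumed location of the original sample
"findme.exe still present: $(Test-Path -LiteralPath $orig)"
```

The Run\AH line tells you which of the three copies actually gets launched at logon; that is the path to submit with the hash in your write-up.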
API Monitor shows the above plus WinHTTP calls to Ali's GitHub (binaryz0ne), and you get his API auth token :) but he disabled that one for me :( no fun.
Wireshark just shows the WinHTTP traffic. The IP for me was 140.82.114.5, but that just depends on which GitHub server IP you get from DNS.
If you need help with this, check the labs from the beginning of the semester.
After you run the malware and save your logs, restart your VM :)