Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 8, 2021, 11:43 a.m.	June 8, 2021, 11:45 a.m.

Size	91.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`8b3db2945a73ca4d3ffc48166eaf8d6b`
SHA256	`cab2aafba47661454577b0f6755a7482928050a1e4219a2e78d4c25c382adfd4`
CRC32	`77A263A6`
ssdeep	`1536:v8Wf5WEOATEQMG8Ft6pjMwslzEnWB2HtG82LrRzpTrM4eh2DaWNCOSEcj1qZYPR:EWf5zOoCGYt6yR6nVerdpTrM4eoDaOCT`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

ayowa.exe "C:\Users\test22\AppData\Local\Temp\ayowa.exe"
4656

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch
51.222.195.7	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 8, 2021, 11:44 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 8, 2021, 11:43 a.m.			0	0
IsDebuggerPresent June 8, 2021, 11:43 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 8, 2021, 11:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00612a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 8, 2021, 11:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00612c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 8, 2021, 11:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00612c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 8, 2021, 11:43 a.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ June 8, 2021, 11:44 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 mscorlib+0x36dd51 @ 0x6ef4dd51 mscorlib+0x32fea6 @ 0x6ef0fea6 mscorlib+0x30ab40 @ 0x6eeeab40 0x4d059c0 0x4d0bb27 0x4d0b7ba 0x4d0b11d 0x4d0b6ab 0x4d04a8c 0x7f224e system+0x1cbc3d @ 0x645cbc3d 0x4d00ea7 0x4d0013b system+0x202915 @ 0x653f2915 system+0x1f9adf @ 0x653e9adf mscorlib+0x3022a6 @ 0x6eee22a6 mscorlib+0x302261 @ 0x6eee2261 system+0x1f2e47 @ 0x653e2e47 system+0x202886 @ 0x653f2886 system+0x1f2c38 @ 0x653e2c38 mscorlib+0x34bb1e @ 0x6ef2bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x6fbb9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x6fcd90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6fc17d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6fc17dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6fc17e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6fbac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x6fcd91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x6fcd91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x6fd171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6fcba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 83424244 registers.edi: 0 registers.eax: 83424244 registers.ebp: 83424324 registers.edx: 0 registers.ebx: 6275888 registers.esi: 6565920 registers.ecx: 277009652	1
__exception__ June 8, 2021, 11:44 a.m.	stacktrace: 0x4d04aa9 0x7f224e system+0x1cbc3d @ 0x645cbc3d 0x4d00ea7 0x4d0013b system+0x202915 @ 0x653f2915 system+0x1f9adf @ 0x653e9adf mscorlib+0x3022a6 @ 0x6eee22a6 mscorlib+0x302261 @ 0x6eee2261 system+0x1f2e47 @ 0x653e2e47 system+0x202886 @ 0x653f2886 system+0x1f2c38 @ 0x653e2c38 mscorlib+0x34bb1e @ 0x6ef2bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x6fbb9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x6fcd90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6fc17d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6fc17dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6fc17e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6fbac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x6fcd91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x6fcd91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x6fd171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6fcba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 40 04 48 89 45 d8 eb e1 b9 cd d6 0e 25 e8 a0 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d0c3b5 registers.esp: 83424872 registers.edi: 37722272 registers.eax: 0 registers.ebp: 83424924 registers.edx: 37723384 registers.ebx: 1683956052 registers.esi: 37721372 registers.ecx: 37721372	1
__exception__ June 8, 2021, 11:44 a.m.	stacktrace: 0x4d04b3a 0x7f224e system+0x1cbc3d @ 0x645cbc3d 0x4d00ea7 0x4d0013b system+0x202915 @ 0x653f2915 system+0x1f9adf @ 0x653e9adf mscorlib+0x3022a6 @ 0x6eee22a6 mscorlib+0x302261 @ 0x6eee2261 system+0x1f2e47 @ 0x653e2e47 system+0x202886 @ 0x653f2886 system+0x1f2c38 @ 0x653e2c38 mscorlib+0x34bb1e @ 0x6ef2bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x6fbb9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x6fcd90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6fc17d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6fc17dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6fc17e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6fbac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x6fcd91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x6fcd91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x6fd171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6fcba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 3f 31 14 6a 8b c8 8b 01 8b 40 28 ff 10 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d0d9f2 registers.esp: 83424856 registers.edi: 83424908 registers.eax: 0 registers.ebp: 83424924 registers.edx: 37425704 registers.ebx: 1683956052 registers.esi: 37770216 registers.ecx: 0	1
__exception__ June 8, 2021, 11:44 a.m.	stacktrace: 0x4d04b74 0x7f224e system+0x1cbc3d @ 0x645cbc3d 0x4d00ea7 0x4d0013b system+0x202915 @ 0x653f2915 system+0x1f9adf @ 0x653e9adf mscorlib+0x3022a6 @ 0x6eee22a6 mscorlib+0x302261 @ 0x6eee2261 system+0x1f2e47 @ 0x653e2e47 system+0x202886 @ 0x653f2886 system+0x1f2c38 @ 0x653e2c38 mscorlib+0x34bb1e @ 0x6ef2bb1e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x6fbb9dd2 DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x6fcd90ec LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6fc17d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6fc17dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6fc17e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6fbac3bf DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x6fcd91a8 DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x6fcd91f1 GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x6fd171e9 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6fcba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 c8 25 14 6a 8b f8 eb 41 e9 2b 01 00 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d0e569 registers.esp: 83424872 registers.edi: 37770160 registers.eax: 38020736 registers.ebp: 83424924 registers.edx: 38020736 registers.ebx: 1683956052 registers.esi: 38020244 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 64 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00435000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00721000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00723000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00724000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00728000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00729000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:43 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 8, 2021, 11:44 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (12 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Login Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Login Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00013800', u'virtual_address': u'0x00002000', u'entropy': 7.841541569808069, u'name': u'.text', u'virtual_size': u'0x000137a4'}

entropy

7.84154156981

description

A section with a high entropy has been found

entropy

0.861878453039

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	51.222.195.7

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 8, 2021, 11:44 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

ayowa.exe tried to sleep 8184735 seconds, actually delayed analysis time by 8184735 seconds

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Harvests credentials from local email clients (3 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\IMAP Password2
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\HTTPMail Password
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\IMAP Password2

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Elastic	malicious (high confidence)
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
ESET-NOD32	MSIL/TrojanDownloader.Agent.IAJ
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Backdoor.MSIL.Badernet.gen
Alibaba	Backdoor:MSIL/Badernet.90cd40e8
Avast	Win32:CrypterX-gen [Trj]
Tencent	Msil.Backdoor.Badernet.Eaxh
F-Secure	Trojan.TR/Dropper.MSIL.Gen
McAfee-GW-Edition	BehavesLike.Win32.Generic.nc
FireEye	Generic.mg.8b3db2945a73ca4d
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
GData	Win32.Trojan.Agent.I0T9IW
Avira	TR/Dropper.MSIL.Gen
Kingsoft	Win32.Hack.Undef.(kcloud)
AegisLab	Trojan.MSIL.Badernet.m!c
ZoneAlarm	HEUR:Backdoor.MSIL.Badernet.gen
Microsoft	Trojan:Win32/Wacatac.B!ml
McAfee	RDN/Generic BackDoor
Cylance	Unsafe
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_88%
BitDefenderTheta	Gen:NN.ZemsilF.34722.fm0@aSKKQmp
AVG	Win32:CrypterX-gen [Trj]
Cybereason	malicious.1e8956
MaxSecure	Trojan.Malware.300983.susgen

ayowa.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All