Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 20, 2022, 1:16 p.m.	May 20, 2022, 1:34 p.m.

Size	100.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`c7a310982da68b10360854f9cd78e718`
SHA256	`df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731`
CRC32	`A3FDE6F8`
ssdeep	`3072:BEO/Q7F376cPoWq8EYByWZmaRO4KVppjp:OOQFLbKYUWEa04wj`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

asdf.EXE "C:\Users\test22\AppData\Local\Temp\asdf.EXE"
2776
- MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  3068
  - azne.exe "C:\Users\test22\AppData\Roaming\azne.exe"
    2428
    - azne.exe C:\Users\test22\AppData\Roaming\azne.exe
      2824
  - pm.exe "C:\Users\test22\AppData\Roaming\pm.exe"
    2628
  - cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & exit
    2560
    - timeout.exe timeout /t 5
      756

Name	Response	Post-Analysis Lookup
rockrock.ug	A 185.215.113.89	185.215.113.89
rockphil.ac.ug	A 185.215.113.89	185.215.113.89

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.89	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.89:80 -> 192.168.56.101:49163	2400020	ET DROP Spamhaus DROP Listed Traffic Inbound group 21	Misc Attack
TCP 192.168.56.101:49163 -> 185.215.113.89:80	2030384	ET HUNTING Suspicious Terse Request for .bmp	Potentially Bad Traffic
TCP 185.215.113.89:80 -> 192.168.56.101:49166	2035884	ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 185.215.113.89:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 185.215.113.89:80 -> 192.168.56.101:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.89:80 -> 192.168.56.101:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.89:80 -> 192.168.56.101:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 185.215.113.89:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 185.215.113.89:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 185.215.113.89:80 -> 192.168.56.101:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.89:80 -> 192.168.56.101:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 185.215.113.89:80	2033163	ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 185.215.113.89:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 185.215.113.89:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 20, 2022, 1:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 20, 2022, 1:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 20, 2022, 1:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 1:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 1:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 1:17 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 20, 2022, 1:16 p.m.			0	0
IsDebuggerPresent May 20, 2022, 1:16 p.m.			0	0
IsDebuggerPresent May 20, 2022, 1:17 p.m.			0	0
IsDebuggerPresent May 20, 2022, 1:17 p.m.			0	0
IsDebuggerPresent May 20, 2022, 1:10 p.m.			0	0
IsDebuggerPresent May 20, 2022, 1:10 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 20, 2022, 1:17 p.m.	buffer: Waiting for 5 console_handle: 0x00000007	1	1	0
WriteConsoleW May 20, 2022, 1:17 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 20, 2022, 1:16 p.m.		1	1	0

One or more processes crashed (9 events)

Time & API	Arguments	Status
__exception__ May 20, 2022, 1:17 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x61e3dcd 0x61e3d42 0x61e11ff 0x61e08f3 0x61e07ea 0x61e0733 0x61de4ed 0x61de40b 0x51c7d9d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x5051e9 0x50512c system+0x1f9799 @ 0x70ac9799 system+0x1f92c8 @ 0x70ac92c8 system+0x1eca74 @ 0x70abca74 system+0x1ec868 @ 0x70abc868 system+0x1f82b8 @ 0x70ac82b8 system+0x1ee54d @ 0x70abe54d system+0x1f70ea @ 0x70ac70ea system+0x1e56c0 @ 0x70ab56c0 system+0x1f8215 @ 0x70ac8215 system+0x1f6f75 @ 0x70ac6f75 system+0x1ee251 @ 0x70abe251 system+0x1ee229 @ 0x70abe229 system+0x1ee170 @ 0x70abe170 0x2ca08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x76be6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x76be6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7765011a system+0x1ebc85 @ 0x70abbc85 system+0x1f683b @ 0x70ac683b system+0x1a5e44 @ 0x70a75e44 system+0x1fd8a0 @ 0x70acd8a0 system+0x1fd792 @ 0x70acd792 system+0x1a14bd @ 0x70a714bd 0x500084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 4120684 registers.edi: 1980555208 registers.eax: 16777216 registers.ebp: 4120888 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ May 20, 2022, 1:17 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x61e3dcd 0x61e3d42 0x61e11ff 0x61e08f3 0x61e07ea 0x61e0733 0x61de4ed 0x61de40b 0x51c7d9d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x5051e9 0x50512c system+0x1f9799 @ 0x70ac9799 system+0x1f92c8 @ 0x70ac92c8 system+0x1eca74 @ 0x70abca74 system+0x1ec868 @ 0x70abc868 system+0x1f82b8 @ 0x70ac82b8 system+0x1ee54d @ 0x70abe54d system+0x1f70ea @ 0x70ac70ea system+0x1e56c0 @ 0x70ab56c0 system+0x1f8215 @ 0x70ac8215 system+0x1f6f75 @ 0x70ac6f75 system+0x1ee251 @ 0x70abe251 system+0x1ee229 @ 0x70abe229 system+0x1ee170 @ 0x70abe170 0x2ca08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x76be6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x76be6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7765011a system+0x1ebc85 @ 0x70abbc85 system+0x1f683b @ 0x70ac683b system+0x1a5e44 @ 0x70a75e44 system+0x1fd8a0 @ 0x70acd8a0 system+0x1fd792 @ 0x70acd792 system+0x1a14bd @ 0x70a714bd 0x500084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 4120684 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 4120888 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ May 20, 2022, 1:17 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x61e3dcd 0x61e3d42 0x61e11ff 0x61e08f3 0x61e07ea 0x61e0733 0x61de4ed 0x61de40b 0x51c7d9d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x5051e9 0x50512c system+0x1f9799 @ 0x70ac9799 system+0x1f92c8 @ 0x70ac92c8 system+0x1eca74 @ 0x70abca74 system+0x1ec868 @ 0x70abc868 system+0x1f82b8 @ 0x70ac82b8 system+0x1ee54d @ 0x70abe54d system+0x1f70ea @ 0x70ac70ea system+0x1e56c0 @ 0x70ab56c0 system+0x1f8215 @ 0x70ac8215 system+0x1f6f75 @ 0x70ac6f75 system+0x1ee251 @ 0x70abe251 system+0x1ee229 @ 0x70abe229 system+0x1ee170 @ 0x70abe170 0x2ca08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x76be6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x76be6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7765011a system+0x1ebc85 @ 0x70abbc85 system+0x1f683b @ 0x70ac683b system+0x1a5e44 @ 0x70a75e44 system+0x1fd8a0 @ 0x70acd8a0 system+0x1fd792 @ 0x70acd792 system+0x1a14bd @ 0x70a714bd 0x500084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 4120684 registers.edi: 1980555208 registers.eax: 16711680 registers.ebp: 4120888 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ May 20, 2022, 1:17 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x61e3dcd 0x61e3d42 0x61e11ff 0x61e08f3 0x61e07ea 0x61e0733 0x61de4ed 0x61de40b 0x51c7d9d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x5051e9 0x50512c system+0x1f9799 @ 0x70ac9799 system+0x1f92c8 @ 0x70ac92c8 system+0x1eca74 @ 0x70abca74 system+0x1ec868 @ 0x70abc868 system+0x1f82b8 @ 0x70ac82b8 system+0x1ee54d @ 0x70abe54d system+0x1f70ea @ 0x70ac70ea system+0x1e56c0 @ 0x70ab56c0 system+0x1f8215 @ 0x70ac8215 system+0x1f6f75 @ 0x70ac6f75 system+0x1ee251 @ 0x70abe251 system+0x1ee229 @ 0x70abe229 system+0x1ee170 @ 0x70abe170 0x2ca08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x76be6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x76be6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7765011a system+0x1ebc85 @ 0x70abbc85 system+0x1f683b @ 0x70ac683b system+0x1a5e44 @ 0x70a75e44 system+0x1fd8a0 @ 0x70acd8a0 system+0x1fd792 @ 0x70acd792 system+0x1a14bd @ 0x70a714bd 0x500084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 4120684 registers.edi: 1980555208 registers.eax: 16777216 registers.ebp: 4120888 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ May 20, 2022, 1:17 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x61e3dcd 0x61e3d42 0x61e11ff 0x61e08f3 0x61e07ea 0x61e0733 0x61de4ed 0x61de40b 0x51c7d9d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x5051e9 0x50512c system+0x1f9799 @ 0x70ac9799 system+0x1f92c8 @ 0x70ac92c8 system+0x1eca74 @ 0x70abca74 system+0x1ec868 @ 0x70abc868 system+0x1f82b8 @ 0x70ac82b8 system+0x1ee54d @ 0x70abe54d system+0x1f70ea @ 0x70ac70ea system+0x1e56c0 @ 0x70ab56c0 system+0x1f8215 @ 0x70ac8215 system+0x1f6f75 @ 0x70ac6f75 system+0x1ee251 @ 0x70abe251 system+0x1ee229 @ 0x70abe229 system+0x1ee170 @ 0x70abe170 0x2ca08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x76be6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x76be6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7765011a system+0x1ebc85 @ 0x70abbc85 system+0x1f683b @ 0x70ac683b system+0x1a5e44 @ 0x70a75e44 system+0x1fd8a0 @ 0x70acd8a0 system+0x1fd792 @ 0x70acd792 system+0x1a14bd @ 0x70a714bd 0x500084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 4120684 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 4120888 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ May 20, 2022, 1:17 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x61e3dcd 0x61e3d42 0x61e11ff 0x61e08f3 0x61e07ea 0x61e0733 0x61de4ed 0x61de40b 0x51c7d9d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x5051e9 0x50512c system+0x1f9799 @ 0x70ac9799 system+0x1f92c8 @ 0x70ac92c8 system+0x1eca74 @ 0x70abca74 system+0x1ec868 @ 0x70abc868 system+0x1f82b8 @ 0x70ac82b8 system+0x1ee54d @ 0x70abe54d system+0x1f70ea @ 0x70ac70ea system+0x1e56c0 @ 0x70ab56c0 system+0x1f8215 @ 0x70ac8215 system+0x1f6f75 @ 0x70ac6f75 system+0x1ee251 @ 0x70abe251 system+0x1ee229 @ 0x70abe229 system+0x1ee170 @ 0x70abe170 0x2ca08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x76be6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x76be6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7765011a system+0x1ebc85 @ 0x70abbc85 system+0x1f683b @ 0x70ac683b system+0x1a5e44 @ 0x70a75e44 system+0x1fd8a0 @ 0x70acd8a0 system+0x1fd792 @ 0x70acd792 system+0x1a14bd @ 0x70a714bd 0x500084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 4120684 registers.edi: 1980555208 registers.eax: 16711680 registers.ebp: 4120888 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ May 20, 2022, 1:17 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x655a015 0x6559f8a 0x65572b7 0x6556353 0x65561b6 0x655613b 0x655349e 0x655333b 0x4f7d2f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x728d264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72941838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72941737 mscorlib+0x2d3711 @ 0x71af3711 mscorlib+0x308f2d @ 0x71b28f2d 0x5d5191 0x5d50d4 system+0x1f9799 @ 0x70269799 system+0x1f92c8 @ 0x702692c8 system+0x1eca74 @ 0x7025ca74 system+0x1ec868 @ 0x7025c868 system+0x1f82b8 @ 0x702682b8 system+0x1ee54d @ 0x7025e54d system+0x1f70ea @ 0x702670ea system+0x1e56c0 @ 0x702556c0 system+0x1f8215 @ 0x70268215 system+0x1f6f75 @ 0x70266f75 system+0x1ee251 @ 0x7025e251 system+0x1ee229 @ 0x7025e229 system+0x1ee170 @ 0x7025e170 0x41a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x76be6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x76be6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7765011a system+0x1ebc85 @ 0x7025bc85 system+0x1f683b @ 0x7026683b system+0x1a5e44 @ 0x70215e44 system+0x1fd8a0 @ 0x7026d8a0 system+0x1fd792 @ 0x7026d792 system+0x1a14bd @ 0x702114bd 0x5d0084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x728d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x728d2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72987610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72f6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72fe7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72fe4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 4252652 registers.edi: 1980555208 registers.eax: 16777216 registers.ebp: 4252856 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ May 20, 2022, 1:17 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x655a015 0x6559f8a 0x65572b7 0x6556353 0x65561b6 0x655613b 0x655349e 0x655333b 0x4f7d2f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x728d264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72941838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72941737 mscorlib+0x2d3711 @ 0x71af3711 mscorlib+0x308f2d @ 0x71b28f2d 0x5d5191 0x5d50d4 system+0x1f9799 @ 0x70269799 system+0x1f92c8 @ 0x702692c8 system+0x1eca74 @ 0x7025ca74 system+0x1ec868 @ 0x7025c868 system+0x1f82b8 @ 0x702682b8 system+0x1ee54d @ 0x7025e54d system+0x1f70ea @ 0x702670ea system+0x1e56c0 @ 0x702556c0 system+0x1f8215 @ 0x70268215 system+0x1f6f75 @ 0x70266f75 system+0x1ee251 @ 0x7025e251 system+0x1ee229 @ 0x7025e229 system+0x1ee170 @ 0x7025e170 0x41a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x76be6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x76be6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7765011a system+0x1ebc85 @ 0x7025bc85 system+0x1f683b @ 0x7026683b system+0x1a5e44 @ 0x70215e44 system+0x1fd8a0 @ 0x7026d8a0 system+0x1fd792 @ 0x7026d792 system+0x1a14bd @ 0x702114bd 0x5d0084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x728d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x728d2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72987610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72f6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72fe7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72fe4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 4252652 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 4252856 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ May 20, 2022, 1:17 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x655a015 0x6559f8a 0x65572b7 0x6556353 0x65561b6 0x655613b 0x655349e 0x655333b 0x4f7d2f3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x728d264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72941838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72941737 mscorlib+0x2d3711 @ 0x71af3711 mscorlib+0x308f2d @ 0x71b28f2d 0x5d5191 0x5d50d4 system+0x1f9799 @ 0x70269799 system+0x1f92c8 @ 0x702692c8 system+0x1eca74 @ 0x7025ca74 system+0x1ec868 @ 0x7025c868 system+0x1f82b8 @ 0x702682b8 system+0x1ee54d @ 0x7025e54d system+0x1f70ea @ 0x702670ea system+0x1e56c0 @ 0x702556c0 system+0x1f8215 @ 0x70268215 system+0x1f6f75 @ 0x70266f75 system+0x1ee251 @ 0x7025e251 system+0x1ee229 @ 0x7025e229 system+0x1ee170 @ 0x7025e170 0x41a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x76be6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x76be6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7765011a system+0x1ebc85 @ 0x7025bc85 system+0x1f683b @ 0x7026683b system+0x1a5e44 @ 0x70215e44 system+0x1fd8a0 @ 0x7026d8a0 system+0x1fd792 @ 0x7026d792 system+0x1a14bd @ 0x702114bd 0x5d0084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x728c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x728d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x728d2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72987610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72a11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72a11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72a11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72a1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72f6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72fe7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72fe4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 4252652 registers.edi: 1980555208 registers.eax: 2359296 registers.ebp: 4252856 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.89/dl/0414/net_Gzhsuovx.bmp
suspicious_features	GET method with no useragent header	suspicious_request	GET http://rockrock.ug/gggate.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://rockrock.ug/request
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://rockrock.ug/gggate.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.89/azne.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.89/pm.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.89/cc.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.89/dl/0414/azne_Tauzqofu.png
suspicious_features	POST method with no referer header	suspicious_request	POST http://rockphil.ac.ug/index.php

Performs some HTTP requests (9 events)

request	GET http://185.215.113.89/dl/0414/net_Gzhsuovx.bmp
request	GET http://rockrock.ug/gggate.php
request	GET http://rockrock.ug/request
request	POST http://rockrock.ug/gggate.php
request	GET http://185.215.113.89/azne.exe
request	GET http://185.215.113.89/pm.exe
request	GET http://185.215.113.89/cc.exe
request	GET http://185.215.113.89/dl/0414/azne_Tauzqofu.png
request	POST http://rockphil.ac.ug/index.php

Sends data using the HTTP POST Method (2 events)

request	POST http://rockrock.ug/gggate.php
request	POST http://rockphil.ac.ug/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 387 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00501000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:16 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x09610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x09611000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0961e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0961f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (50 out of 9077 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\IndexedDB\chrome-extension_flpiciilemghbmfalicajoolhkkenfel_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies\IndexedDB\chrome-extension_hcflpincpppdclinealmandijcmnkbgn_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\IndexedDB\chrome-extension_fihkakfobkmkjojpchpfgcmhfjnmnfpi_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run\Sync Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\IndexedDB\chrome-extension_bhhhlbepdkbapadjdnnojkbgioiodbic_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\IndexedDB\chrome-extension_nphplpgoakhhjchkkhmiggakijnkhfnd_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jccapkebeeiajkkdemacblkjhhhboiek\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\pnlfjmlcjdjgkddecgincndfgegkecke\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Local Extension Settings\fgkaeeikaoeiiggggbgdcjchmdfmamla\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\fr\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Sync Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\IndexedDB\chrome-extension_dlcobpjiigpikoobohmabehhmhfoodbb_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\IndexedDB\chrome-extension_hpglfhgfnhbgpjdenjgmdgoeiappafln_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\IndexedDB\chrome-extension_ehibhohmlpipbaogcknmpmiibbllplph_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Current Tabs\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\topbar_floating_button_close.png\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\manifest.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\nlgnepoeokdfodgjkjiblkadkjbdfmgd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run\IndexedDB\chrome-extension_jbdaocneiiinmjbjlgalhcelgbejmnid_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\Sync Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\Local Extension Settings\pgojdfajgcjjpjnbpfaelnpnjocakldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies\IndexedDB\chrome-extension_bcopgchhojmggmffilplmbdicgaihlkp_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\IndexedDB\chrome-extension_nknhiehlklippafakaeklbeglecifhad_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\bofddndhbegljegmpmnlbhcejofmjgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies\Local Extension Settings\fgkaeeikaoeiiggggbgdcjchmdfmamla\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\IndexedDB\chrome-extension_fhilaheimglignddkjgofkcbgekhenbh_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt\IndexedDB\chrome-extension_ellkdbaphhldpeajbepobaecooaoafpg_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ellkdbaphhldpeajbepobaecooaoafpg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\agkfnefiabmfpanochlcakggnkdfmmjd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\te\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\dklmlehijiaepdijfnbbhncfpcoeeljf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\hpbgcgmiemanfelegbndmhieiigkackl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies\Local Extension Settings\jccapkebeeiajkkdemacblkjhhhboiek\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State\IndexedDB\chrome-extension_aiifbnbfobpmeekipheeijimdpnlpgpp_0.indexeddb.leveldb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ppdadbejkmjnefldpcdjhnkpbjkikoip\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\IndexedDB\chrome-extension_fkhebcilafocjhnlcngogekljmllgdhd_0.indexeddb.leveldb\CURRENT

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\pm.exe
file	C:\Users\test22\AppData\Roaming\azne.exe

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & exit
cmdline	C:\Windows\System32\cmd.exe /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & exit

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Roaming\azne.exe
file	C:\Users\test22\AppData\Roaming\pm.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Roaming\pm.exe
file	C:\Users\test22\AppData\Roaming\azne.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 20, 2022, 1:17 p.m.	show_type: 0 filepath_r: C:\Windows\System32\cmd.exe parameters: /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & exit filepath: C:\Windows\System32\cmd.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 20, 2022, 1:17 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process msbuild.exe (3 events)

Time & API	Arguments	Status	Return
InternetReadFile May 20, 2022, 1:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL)Xbàö>¹ @ à@ð¸KÀôÀ H.textD `.rsrcôÀô@@.relocÀ@B ¹H\|t/D8æ,++-&+( +&+õ,++- &+}+ß(+0 s&Þ&,++-&Þ( +÷0e+E++-{þ+,++-+,++&+ö++-+ +é{o +,¼+·,++-&&+( +*0´,++:8W"0A"ÀAs ,++:m&8,++:a&8æ Ø s ( +[<a +E8a+Da@XE $1D( +Ü6XE!N+ÂC( request_handle: 0x00cc000c	1	1
InternetReadFile May 20, 2022, 1:17 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL-Xbà.ö®9 @ `@`9K@ô@ H.text´ `.rsrcô@ô@@.reloc@@B9H D/Ü@æ,++-&+( +&+õ,++- &+}+ß(+0 s&Þ&,++-&Þ( +÷0e+E++-{þ+,++-+,++&+ö++-+ +é{o +,¼+·,++-&&+( +*0º,++:8r"0A"ÀAs ,++:s&87,++:g&8 Ø s ( 8Ka ++La+Va]XE 1_(+Ü[(ó+ÏIXE4 request_handle: 0x00cc000c	1	1
InternetReadFile May 20, 2022, 1:17 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL ^BàÊü'0@p@n)púàÔÐÌx.textãä `.itext\(è `.data0 @À.bss¸7P2À.idatan)*2@À.tls4À\À.rdataÐ\@@.relocÔà^@B.rsrcúpúâ@@pÜ@@ request_handle: 0x00cc000c	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 20, 2022, 1:17 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 20, 2022, 1:17 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://ip-api.com/json
url	https://dotbit.me/a/

Yara rule detected in process memory (48 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Run a KeyLogger	rule	KeyLogger
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000324 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA May 20, 2022, 1:17 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000320 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess May 20, 2022, 1:17 p.m.	status_code: 0xffffffff process_identifier: 3032 process_handle: 0x000002b0		0	0
NtTerminateProcess May 20, 2022, 1:17 p.m.	status_code: 0xffffffff process_identifier: 3032 process_handle: 0x000002b0	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & exit
cmdline	C:\Windows\System32\cmd.exe /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & exit

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 3032 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003dc		3221225496
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 3068 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000029c	1	0
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2824 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000039c	1	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets\

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 manipulating memory of non-child process 3032
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 3032 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003dc		3221225496	0

Potential code injection by writing to the memory of another process (8 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Õè½ÏÓÓÓþÿMÓÄüÒÓÒÓþÿ\|ÓþÿNÓRichÓPELB;8bà ÈÄ²Àà@Ð@e(ä#à.textÐÈ à.rdataàÌ@@.data pR@À.reloc%&T@B`Àzà base_address: 0x00400000 process_identifier: 3068 process_handle: 0x0000029c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: BÄôK A³ÝJpMÛ(TÍ<¨K¢`Ý;U base_address: 0x00427000 process_identifier: 3068 process_handle: 0x0000029c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: RQSUT$ L$\$l$¶9Àtdk1ic21-=1s09Àt [pasdl0qwi[R9ëuë 9ÊuÍ][YZÃ`d¡0@@xè^k RQSUèÿÿÿÄ´y¿k RQSUèYÿÿÿÄsaÃUíuû]d¡0@@xè^Èsk RQSUèÿÿÿÄ0ÿà^D[VLWjhfogu45096u4509jfgogdf5645u790jhfogu45096u4509jfgogdf5645u790jhfogu45096u4509jfgogdf5645u790jhfogu45096u4509jfgo BRg867967tjgh56787ohuklvbnm678hjkg867967tjgh56787ohuklvbnm678hjkg867967tjgh56787ohuklvbnm678hjkg867967tjgh56787ohuklgdf5645u790jhfogu45096u4509jfgovbnm678hjkg867967tjgh56787ohuklcvb56jkh34ikjghtue9sroygihdfgyo base_address: 0x0043c000 process_identifier: 3068 process_handle: 0x0000029c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3068 process_handle: 0x0000029c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 2824 process_handle: 0x0000039c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿàO@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØáveÛe3ôs>v÷E±Yêá)VûAr5d2'òÂØMY pê5ù©ñÌ-þ+~R¶ÖæÐvMºoß3 v§·5vÅÞ¸`6©¤á þáx.¢Wï)b!ò²jíïz´Ì·\|X¸q/Õæ?dEzãîs£3Ãhp>4Æ7èËJ\|úðØèëá¾iAò¡úèÌ3áHþíG\rgã@À¥[\ë¸?áRÃénSÑÒ-´¼;ÐÍñ[MQ¶SEvr]`U¥Ýê(èúmü'~àÖ.ÚÅÂÅÃ3Â%G°j°Uî½S:Ì¦æä[½V¿vz½åÁL}¸<ÿ,9ÞýV_:Â9 ç½WùÙÔÛoSûËÛ`Qé6ñ¡àwËm¥Anm'o-°aÃÐµ1ä¨5[þ'Çè©Ð¦¿q¤ÞÆ +ºê$gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ<Aæ>5²+X2`ÿ0e¢÷¼Aâ@PD%ÌÐÒ:¨»efk®Z¨ÃÌPÒÕcÕéN{»¨¤¦b«?O±óÝ0ZRÔèÌÚÃOË©¤×`TwR\ÀàÄËÃÐÃsS¦@O±j¹}¢ì Jg_ÍYÇò @'¸PÂZ°)zãp>cXgÇ¼\|½\ÏODná)ü7Lôû8a³Ô´:3ªÆôë¥øGgPnº1½·ÕÔ^)õ/2{Û¸<T¾i#©È7ný_Fû^înB!ôëäRÛc-dèmàÇ«>WÆÄNä¨«$há:_p$Öd^}QÏ kï8áeÏÌË%V¿âFNØ\ðøG;æ1Èy¤SÇ,°!#fñÄþ j®Þ Ø\|íälçÇ+ÆÚ EÅÅ$Ü¶Dë Í!kù,ú"dlQ(°ÇMIÎ,p#°)]ÕÙ9i-0àl&®ª!YÑoPÝ+¾9}\±¡©Ù.¿4#D.§×è¼R I±£ç 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ_h:÷Ù æÄ £8 c+-û2_ö0ýcQò¸dtµ+ûÞ¸¦åð#t êqêR(PY» ïÀ(¢#ÓÏÆÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆAÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°AÇAÇAÇA(ÈA\ÇAüÆA4ÇA\|ÆAÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°AÆAÇAÇAÇAÆA ÆA8ÇA¬ÆAPÇA¬ÇAÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇAÇAÇAÈÆAÆAÇAÆA0ÇAhÆAHÇA´ÇArockphil.ac.ug base_address: 0x0041b000 process_identifier: 2824 process_handle: 0x0000039c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 2824 process_handle: 0x0000039c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2824 process_handle: 0x0000039c	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Õè½ÏÓÓÓþÿMÓÄüÒÓÒÓþÿ\|ÓþÿNÓRichÓPELB;8bà ÈÄ²Àà@Ð@e(ä#à.textÐÈ à.rdataàÌ@@.data pR@À.reloc%&T@B`Àzà base_address: 0x00400000 process_identifier: 3068 process_handle: 0x0000029c	1	1	0
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 2824 process_handle: 0x0000039c	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA May 20, 2022, 1:17 p.m.	key_handle: 0x00000320 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini

Network activity contains more than one unique useragent (2 events)

process	MSBuild.exe				useragent
process	azne.exe				useragent	Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 called NtSetContextThread to modify thread in remote process 3068
Process injection	Process 2428 called NtSetContextThread to modify thread in remote process 2824
NtSetContextThread May 20, 2022, 1:17 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4440242 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b0 process_identifier: 3068	1	0	0
NtSetContextThread May 20, 2022, 1:17 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000294 process_identifier: 2824	1	0	0

Creates a slightly modified copy of itself (1 event)

description

Possibly a polymorphic version of itself

file

{u'size': 102912, u'yara': [{u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'RW52aXJvbm1lbnQ=', u'U3lzdGVtLk5ldA==', u'djQuMC4zMDMxOQ=='], u'meta': {u'date': u'2021-04-27', u'description': u'Win Backdoor AsyncRAT', u'author': u'r0d'}, u'name': u'Win_Backdoor_AsyncRAT_Zero', u'offsets': {u's2': [[35960L, 1]], u'o1': [[27532L, 2]], u's4': [[36056L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'Is_DotNET_EXE', u'offsets': {}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}], u'sha1': u'e8bdd864c2610495850bf525cd1529c66c0b0b53', u'name': u'26f35270f7140657_azne.exe', u'filepath': u'C:\\Users\\test22\\AppData\\Roaming\\azne.exe', u'sha512': u'5e85802a49875fadfff9bd2d1e4f04bb3e391709813757e14364b99f674e3e7fea757f861c2d811e9882035737d122ebfd4aa17039fdc08dc16f73028159e389', u'urls': [], u'crc32': u'0511B825', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/26900/files/26f35270f7140657_azne.exe', u'ssdeep': u'3072:kiQpXFDYuJGJWq8EYByWZmaRO4KVppjU:MFeDYUWEa04wj', u'sha256': u'26f35270f714065705474f3a330a9b7676c2d7e30b9cb9de57d726930768fe29', u'type': u'PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows', u'pids': [3068], u'md5': u'683600b61a32d3eb2cd44cb34fdf7ab3', u'virustotal': {u'scan_id': u'26f35270f714065705474f3a330a9b7676c2d7e30b9cb9de57d726930768fe29-1652881778', u'sha1': u'e8bdd864c2610495850bf525cd1529c66c0b0b53', u'resource': u'683600b61a32d3eb2cd44cb34fdf7ab3', u'verbose_msg': u'Scan finished, information embedded', u'response_code': 1, u'scan_date': u'2022-05-18 13:49:38', u'permalink': u'https://www.virustotal.com/gui/file/26f35270f714065705474f3a330a9b7676c2d7e30b9cb9de57d726930768fe29/detection/f-26f35270f714065705474f3a330a9b7676c2d7e30b9cb9de57d726930768fe29-1652881778', u'summary': {u'positives': 53, u'permalink': u'https://www.virustotal.com/gui/file/26f35270f714065705474f3a330a9b7676c2d7e30b9cb9de57d726930768fe29/detection/f-26f35270f714065705474f3a330a9b7676c2d7e30b9cb9de57d726930768fe29-1652881778', u'scan_date': u'2022-05-18 13:49:38'}, u'total': 69, u'positives': 53, u'sha256': u'26f35270f714065705474f3a330a9b7676c2d7e30b9cb9de57d726930768fe29', u'md5': u'683600b61a32d3eb2cd44cb34fdf7ab3', u'scans': {u'Bkav': {u'detected': True, u'version': u'1.3.0.9899', u'result': u'W32.AIDetectNet.01', u'update': u'20220518'}, u'Lionic': {u'detected': True, u'version': u'7.5', u'result': u'Trojan.MSIL.Injects.4!c', u'update': u'20220518'}, u'tehtris': {u'detected': False, u'version': u'v0.1.2', u'result': None, u'update': u'20220518'}, u'MicroWorld-eScan': {u'detected': True, u'version': u'14.0.409.0', u'result': u'Trojan.GenericKD.48871806', u'update': u'20220518'}, u'CMC': {u'detected': False, u'version': u'2.10.2019.1', u'result': None, u'update': u'20211026'}, u'CAT-QuickHeal': {u'detected': True, u'version': u'14.00', u'result': u'Trojanpws.Msil', u'update': u'20220518'}, u'ALYac': {u'detected': True, u'version': u'1.1.3.1', u'result': u'Spyware.Infostealer.Azorult', u'update': u'20220518'}, u'Cylance': {u'detected': True, u'version': u'2.3.1.101', u'result': u'Unsafe', u'update': u'20220518'}, u'Sangfor': {u'detected': True, u'version': u'2.14.0.0', u'result': u'Suspicious.Win32.Save.a', u'update': u'20220517'}, u'K7AntiVirus': {u'detected': True, u'version': u'12.12.42394', u'result': u'Trojan-Downloader ( 0059195b1 )', u'update': u'20220518'}, u'Alibaba': {u'detected': True, u'version': u'0.3.0.5', u'result': u'Trojan:MSIL/Injects.0d0840e9', u'update': u'20190527'}, u'K7GW': {u'detected': True, u'version': u'12.12.42393', u'result': u'Trojan-Downloader ( 0059195b1 )', u'update': u'20220518'}, u'Cybereason': {u'detected': False, u'version': u'1.2.449', u'result': None, u'update': u'20210330'}, u'Baidu': {u'detected': False, u'version': u'1.0.0.2', u'result': None, u'update': u'20190318'}, u'VirIT': {u'detected': False, u'version': u'9.5.198', u'result': None, u'update': u'20220518'}, u'Cyren': {u'detected': True, u'version': u'6.5.1.2', u'result': u'W32/MSIL_Kryptik.FSG.gen!Eldorado', u'update': u'20220518'}, u'Symantec': {u'detected': True, u'version': u'1.17.0.0', u'result': u'Trojan Horse', u'update': u'20220518'}, u'Elastic': {u'detected': True, u'version': u'4.0.36', u'result': u'malicious (high confidence)', u'update': u'20220503'}, u'ESET-NOD32': {u'detected': True, u'version': u'25287', u'result': u'a variant of MSIL/TrojanDownloader.Agent.LLQ', u'update': u'20220518'}, u'APEX': {u'detected': True, u'version': u'6.292', u'result': u'Malicious', u'update': u'20220516'}, u'Paloalto': {u'detected': True, u'version': u'0.9.0.1003', u'result': u'generic.ml', u'update': u'20220518'}, u'ClamAV': {u'detected': False, u'version': u'0.105.0.0', u'result': None, u'update': u'20220518'}, u'Kaspersky': {u'detected': True, u'version': u'21.0.1.45', u'result': u'HEUR:Trojan.MSIL.Injects.gen', u'update': u'20220518'}, u'BitDefender': {u'detected': True, u'version': u'7.2', u'result': u'Trojan.GenericKD.48871806', u'update': u'20220518'}, u'NANO-Antivirus': {u'detected': False, u'version': u'1.0.146.25588', u'result': None, u'update': u'20220518'}, u'SUPERAntiSpyware': {u'detected': True, u'version': u'5.6.0.1032', u'result': u'Trojan.Agent/Gen-Downloader', u'update': u'20220514'}, u'Avast': {u'detected': True, u'version': u'21.1.5827.0', u'result': u'Win32:PWSX-gen [Trj]', u'update': u'20220518'}, u'Tencent': {u'detected': True, u'version': u'1.0.0.1', u'result': u'Malware.Win32.Gencirc.11f0f480', u'update': u'20220518'}, u'Ad-Aware': {u'detected': True, u'version': u'3.0.21.193', u'result': u'Trojan.GenericKD.48871806', u'update': u'20220518'}, u'Sophos': {u'detected': True, u'version': u'1.4.1.0', u'result': u'Mal/Generic-S', u'update': u'20220518'}, u'Comodo': {u'detected': True, u'version': u'34631', u'result': u'Malware@#193emry83fmys', u'update': u'20220518'}, u'F-Secure': {u'detected': False, u'version': u'18.10.978.51', u'result': None, u'update': u'20220518'}, u'DrWeb': {u'detected': True, u'version': u'7.0.56.4040', u'result': u'Trojan.Siggen17.39782', u'update': u'20220518'}, u'Zillya': {u'detected': True, u'version': u'2.0.0.4634', u'result': u'Trojan.Agent.Win32.2765286', u'update': u'20220518'}, u'TrendMicro': {u'detected': True, u'version': u'11.0.0.1006', u'result': u'TrojanSpy.Win32.AZORULT.YXCDQZ', u'update': u'20220518'}, u'McAfee-GW-Edition': {u'detected': True, u'version': u'v2019.1.2+3728', u'result': u'RDN/Generic.rp', u'update': u'20220518'}, u'FireEye': {u'detected': True, u'version': u'35.24.1.0', u'result': u'Generic.mg.683600b61a32d3eb', u'update': u'20220518'}, u'Emsisoft': {u'detected': True, u'version': u'2021.5.0.7597', u'result': u'Trojan.GenericKD.48871806 (B)', u'update': u'20220518'}, u'SentinelOne': {u'detected': True, u'version': u'22.2.1.2', u'result': u'Static AI - Malicious PE', u'update': u'20220330'}, u'GData': {u'detected': True, u'version': u'A:25.33062B:27.27397', u'result': u'Trojan.GenericKD.48871806', u'update': u'20220518'}, u'Jiangmin': {u'detected': True, u'version': u'16.0.100', u'result': u'Trojan.MSIL.ampef', u'update': u'20220517'}, u'Webroot': {u'detected': False, u'version': u'1.0.0.403', u'result': None, u'update': u'20220518'}, u'Avira': {u'detected': True, u'version': u'8.3.3.14', u'result': u'TR/Agent_AGen.fptlf', u'update': u'20220518'}, u'MAX': {u'detected': True, u'version': u'2019.9.16.1', u'result': u'malware (ai score=89)', u'update': u'20220518'}, u'Antiy-AVL': {u'detected': False, u'version': u'3.0', u'result': None, u'update': u'20220518'}, u'Kingsoft': {u'detected': True, u'version': u'2017.9.26.565', u'result': u'Win32.Troj.Undef.(kcloud)', u'update': u'20220518'}, u'Gridinsoft': {u'detected': True, u'version': u'1.0.78.174', u'result': u'Ransom.Win32.Sabsik.sa', u'update': u'20220518'}, u'Arcabit': {u'detected': True, u'version': u'1.0.0.889', u'result': u'Trojan.Generic.D2E9B97E', u'update': u'20220518'}, u'ViRobot': {u'detected': False, u'version': u'2014.3.20.0', u'result': None, u'update': u'20220518'}, u'ZoneAlarm': {u'detected': True, u'version': u'1.0', u'result': u'HEUR:Trojan.MSIL.Injects.gen', u'update': u'20220518'}, u'Microsoft': {u'detected': True, u'version': u'1.1.19200.6', u'result': u'TrojanDownloader:MSIL/Tnega.RPA!MTB', u'update': u'20220518'}, u'Cynet': {u'detected': True, u'version': u'4.0.0.27', u'result': u'Malicious (score: 100)', u'update': u'20220518'}, u'AhnLab-V3': {u'detected': True, u'version': u'3.21.3.10230', u'result': u'Trojan/Win.Wacatac.C5095748', u'update': u'20220518'}, u'Acronis': {u'detected': False, u'version': u'1.2.0.108', u'result': None, u'update': u'20220426'}, u'McAfee': {u'detected': True, u'version': u'6.0.6.653', u'result': u'RDN/Generic.rp', u'update': u'20220518'}, u'TACHYON': {u'detected': False, u'version': u'2022-05-18.02', u'result': None, u'update': u'20220518'}, u'VBA32': {u'detected': True, u'version': u'5.0.0', u'result': u'TScope.Trojan.MSIL', u'update': u'20220518'}, u'Malwarebytes': {u'detected': True, u'version': u'4.2.2.27', u'result': u'Trojan.Downloader', u'update': u'20220518'}, u'Zoner': {u'detected': False, u'version': u'2.2.2.0', u'result': None, u'update': u'20220518'}, u'TrendMicro-HouseCall': {u'detected': True, u'version': u'10.0.0.1040', u'result': u'TrojanSpy.Win32.AZORULT.YXCDQZ', u'update': u'20220518'}, u'Rising': {u'detected': False, u'version': u'25.0.0.27', u'result': None, u'update': u'20220518'}, u'Yandex': {u'detected': True, u'version': u'5.5.2.24', u'result': u'Trojan.DL.Agent_AGen!pHahAF/Ds3k', u'update': u'20220428'}, u'Ikarus': {u'detected': True, u'version': u'6.0.24.0', u'result': u'Trojan-Downloader.MSIL.Agent', u'update': u'20220518'}, u'MaxSecure': {u'detected': True, u'version': u'1.0.0.1', u'result': u'Trojan.Malware.74363616.susgen', u'update': u'20220517'}, u'Fortinet': {u'detected': True, u'version': u'6.2.142.0', u'result': u'W32/Malicious_Behavior.VEX', u'update': u'20220518'}, u'BitDefenderTheta': {u'detected': True, u'version': u'7.2.37796.0', u'result': u'Gen:NN.ZemsilF.34682.gm0@a41PpPl', u'update': u'20220518'}, u'AVG': {u'detected': True, u'version': u'21.1.5827.0', u'result': u'Win32:PWSX-gen [Trj]', u'update': u'20220518'}, u'Panda': {u'detected': False, u'version': u'4.6.4.2', u'result': None, u'update': u'20220518'}, u'CrowdStrike': {u'detected': True, u'version': u'1.0', u'result': u'win/malicious_confidence_100% (W)', u'update': u'20220418'}}}}

Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 resumed a thread in remote process 3068
Process injection	Process 3068 resumed a thread in remote process 2428
Process injection	Process 3068 resumed a thread in remote process 2628
Process injection	Process 3068 resumed a thread in remote process 2560
Process injection	Process 2428 resumed a thread in remote process 2824
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 3068	1	0	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 2428	1	0	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x00000404 suspend_count: 1 process_identifier: 2628	1	0	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x0000040c suspend_count: 1 process_identifier: 2560	1	0	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2824	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (50 events)

Time & API	Arguments	Status	Return
NtResumeThread May 20, 2022, 1:16 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread May 20, 2022, 1:16 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread May 20, 2022, 1:16 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 2776	1	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2776	1	0
NtGetContextThread May 20, 2022, 1:17 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread May 20, 2022, 1:17 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2776	1	0
CreateProcessInternalW May 20, 2022, 1:17 p.m.	thread_identifier: 3036 thread_handle: 0x00000278 process_identifier: 3032 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003dc	1	1
NtGetContextThread May 20, 2022, 1:17 p.m.	thread_handle: 0x00000278	1	0
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 3032 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003dc		3221225496
CreateProcessInternalW May 20, 2022, 1:17 p.m.	thread_identifier: 2064 thread_handle: 0x000002b0 process_identifier: 3068 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000029c	1	1
NtGetContextThread May 20, 2022, 1:17 p.m.	thread_handle: 0x000002b0	1	0
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 3068 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000029c	1	0
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Õè½ÏÓÓÓþÿMÓÄüÒÓÒÓþÿ\|ÓþÿNÓRichÓPELB;8bà ÈÄ²Àà@Ð@e(ä#à.textÐÈ à.rdataàÌ@@.data pR@À.reloc%&T@B`Àzà base_address: 0x00400000 process_identifier: 3068 process_handle: 0x0000029c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: base_address: 0x00401000 process_identifier: 3068 process_handle: 0x0000029c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: base_address: 0x0041e000 process_identifier: 3068 process_handle: 0x0000029c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: BÄôK A³ÝJpMÛ(TÍ<¨K¢`Ý;U base_address: 0x00427000 process_identifier: 3068 process_handle: 0x0000029c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: base_address: 0x00439000 process_identifier: 3068 process_handle: 0x0000029c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: RQSUT$ L$\$l$¶9Àtdk1ic21-=1s09Àt [pasdl0qwi[R9ëuë 9ÊuÍ][YZÃ`d¡0@@xè^k RQSUèÿÿÿÄ´y¿k RQSUèYÿÿÿÄsaÃUíuû]d¡0@@xè^Èsk RQSUèÿÿÿÄ0ÿà^D[VLWjhfogu45096u4509jfgogdf5645u790jhfogu45096u4509jfgogdf5645u790jhfogu45096u4509jfgogdf5645u790jhfogu45096u4509jfgo BRg867967tjgh56787ohuklvbnm678hjkg867967tjgh56787ohuklvbnm678hjkg867967tjgh56787ohuklvbnm678hjkg867967tjgh56787ohuklgdf5645u790jhfogu45096u4509jfgovbnm678hjkg867967tjgh56787ohuklcvb56jkh34ikjghtue9sroygihdfgyo base_address: 0x0043c000 process_identifier: 3068 process_handle: 0x0000029c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3068 process_handle: 0x0000029c	1	1
NtSetContextThread May 20, 2022, 1:17 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4440242 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b0 process_identifier: 3068	1	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 3068	1	0
CreateProcessInternalW May 20, 2022, 1:17 p.m.	thread_identifier: 192 thread_handle: 0x000002b8 process_identifier: 2428 current_directory: C:\ProgramData filepath: C:\Users\test22\AppData\Roaming\azne.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\azne.exe" filepath_r: C:\Users\test22\AppData\Roaming\azne.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 2428	1	0
CreateProcessInternalW May 20, 2022, 1:17 p.m.	thread_identifier: 2620 thread_handle: 0x00000404 process_identifier: 2628 current_directory: C:\ProgramData filepath: C:\Users\test22\AppData\Roaming\pm.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\pm.exe" filepath_r: C:\Users\test22\AppData\Roaming\pm.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000434	1	1
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x00000404 suspend_count: 1 process_identifier: 2628	1	0
CreateProcessInternalW May 20, 2022, 1:17 p.m.	thread_identifier: 2580 thread_handle: 0x0000040c process_identifier: 2560 current_directory: C:\ProgramData filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & exit filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000404	1	1
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x0000040c suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x000003b4 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 2428	1	0
CreateProcessInternalW May 20, 2022, 1:17 p.m.	thread_identifier: 3008 thread_handle: 0x00000294 process_identifier: 2824 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Roaming\azne.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000039c	1	1
NtGetContextThread May 20, 2022, 1:17 p.m.	thread_handle: 0x00000294	1	0
NtAllocateVirtualMemory May 20, 2022, 1:17 p.m.	process_identifier: 2824 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000039c	1	0
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 2824 process_handle: 0x0000039c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: base_address: 0x00401000 process_identifier: 2824 process_handle: 0x0000039c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿàO@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØáveÛe3ôs>v÷E±Yêá)VûAr5d2'òÂØMY pê5ù©ñÌ-þ+~R¶ÖæÐvMºoß3 v§·5vÅÞ¸`6©¤á þáx.¢Wï)b!ò²jíïz´Ì·\|X¸q/Õæ?dEzãîs£3Ãhp>4Æ7èËJ\|úðØèëá¾iAò¡úèÌ3áHþíG\rgã@À¥[\ë¸?áRÃénSÑÒ-´¼;ÐÍñ[MQ¶SEvr]`U¥Ýê(èúmü'~àÖ.ÚÅÂÅÃ3Â%G°j°Uî½S:Ì¦æä[½V¿vz½åÁL}¸<ÿ,9ÞýV_:Â9 ç½WùÙÔÛoSûËÛ`Qé6ñ¡àwËm¥Anm'o-°aÃÐµ1ä¨5[þ'Çè©Ð¦¿q¤ÞÆ +ºê$gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ<Aæ>5²+X2`ÿ0e¢÷¼Aâ@PD%ÌÐÒ:¨»efk®Z¨ÃÌPÒÕcÕéN{»¨¤¦b«?O±óÝ0ZRÔèÌÚÃOË©¤×`TwR\ÀàÄËÃÐÃsS¦@O±j¹}¢ì Jg_ÍYÇò @'¸PÂZ°)zãp>cXgÇ¼\|½\ÏODná)ü7Lôû8a³Ô´:3ªÆôë¥øGgPnº1½·ÕÔ^)õ/2{Û¸<T¾i#©È7ný_Fû^înB!ôëäRÛc-dèmàÇ«>WÆÄNä¨«$há:_p$Öd^}QÏ kï8áeÏÌË%V¿âFNØ\ðøG;æ1Èy¤SÇ,°!#fñÄþ j®Þ Ø\|íälçÇ+ÆÚ EÅÅ$Ü¶Dë Í!kù,ú"dlQ(°ÇMIÎ,p#°)]ÕÙ9i-0àl&®ª!YÑoPÝ+¾9}\±¡©Ù.¿4#D.§×è¼R I±£ç 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ_h:÷Ù æÄ £8 c+-û2_ö0ýcQò¸dtµ+ûÞ¸¦åð#t êqêR(PY» ïÀ(¢#ÓÏÆÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆAÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°AÇAÇAÇA(ÈA\ÇAüÆA4ÇA\|ÆAÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°AÆAÇAÇAÇAÆA ÆA8ÇA¬ÆAPÇA¬ÇAÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇAÇAÇAÈÆAÆAÇAÆA0ÇAhÆAHÇA´ÇArockphil.ac.ug base_address: 0x0041b000 process_identifier: 2824 process_handle: 0x0000039c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 2824 process_handle: 0x0000039c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: base_address: 0x0041e000 process_identifier: 2824 process_handle: 0x0000039c	1	1
WriteProcessMemory May 20, 2022, 1:17 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2824 process_handle: 0x0000039c	1	1
NtSetContextThread May 20, 2022, 1:17 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000294 process_identifier: 2824	1	0
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2824	1	0
NtResumeThread May 20, 2022, 1:10 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2628	1	0
NtResumeThread May 20, 2022, 1:10 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 2628	1	0
NtResumeThread May 20, 2022, 1:10 p.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 2628	1	0
CreateProcessInternalW May 20, 2022, 1:17 p.m.	thread_identifier: 720 thread_handle: 0x00000084 process_identifier: 756 current_directory: C:\ProgramData filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout /t 5 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread May 20, 2022, 1:17 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2824	1	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectNet.01
DrWeb	Trojan.DownLoader44.51162
MicroWorld-eScan	Trojan.GenericKD.39506499
FireEye	Generic.mg.c7a310982da68b10
CAT-QuickHeal	Trojan.MSIL
McAfee	RDN/AZORult
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 0059195b1 )
Alibaba	Trojan:MSIL/Injects.ce6797d9
K7GW	Trojan-Downloader ( 0059195b1 )
BitDefenderTheta	Gen:NN.ZemsilF.34682.gm0@aOrK@Cp
Cyren	W32/MSIL_Kryptik.FSG.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.LLQ
TrendMicro-HouseCall	TrojanSpy.Win32.AZORULT.YXCDQZ
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Injects.gen
BitDefender	Trojan.GenericKD.39506499
SUPERAntiSpyware	Trojan.Agent/Gen-Downloader
Avast	Win32:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.11f0b007
Ad-Aware	Trojan.GenericKD.39506499
Emsisoft	Trojan.GenericKD.39506499 (B)
Comodo	Malware@#1xaxq2iepyhky
Zillya	Trojan.Agent.Win32.2771557
TrendMicro	TrojanSpy.Win32.AZORULT.YXCDQZ
McAfee-GW-Edition	RDN/AZORult
SentinelOne	Static AI - Malicious PE
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.MSIL.Agent
GData	Trojan.GenericKD.39506499
Jiangmin	Trojan.MSIL.ampap
Webroot	W32.Trojan.Gen
Avira	TR/Agent_AGen.yteen
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.cl
Arcabit	Trojan.Generic.D25AD243
Microsoft	TrojanDownloader:MSIL/Tnega.RPA!MTB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MSILZilla.C5083510
VBA32	TScope.Trojan.MSIL
ALYac	Spyware.Infostealer.Azorult
Malwarebytes	Trojan.Downloader.MSIL.Generic
APEX	Malicious
Yandex	Trojan.DL.Agent!k8fWudtP2Qo
MAX	malware (ai score=85)
MaxSecure	Trojan.Malware.74363616.susgen
Fortinet	PossibleThreat

asdf.EXE

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All