Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 14, 2021, 9:45 a.m.	May 14, 2021, 9:49 a.m.

Size	351.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`8860fecf9a64e193bfde8808889f7e48`
SHA256	`972a19b0dc047f482972e513446d3735ea7d41aadaa57e0201a5f0f9a93fedbb`
CRC32	`BDF2CAED`
ssdeep	`6144:Y0hNLAQF57b5LAWUkV62/sFiv6BtgZHbGYXwE08A:ZMKHzUb2/ssG2ZyYXs`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

OctodadSetup.exe "C:\Users\test22\AppData\Local\Temp\OctodadSetup.exe"
7092
- cmd.exe "C:\Windows\system32\cmd.exe" /C wmic computersystem get model /format:list
  7768
  - WMIC.exe wmic computersystem get model /format:list
    8088
- iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  8400
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:8400 CREDAT:145409
    3360
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
www.demtxr.com	A 64.111.117.81	64.111.117.81
bat.bing.com	CNAME dual-a-0001.a-msedge.net CNAME bat-bing-com.a-0001.a-msedge.net A 204.79.197.200 A 13.107.21.200	13.107.21.200
ge.tt
www.freegamer.info	A 107.154.230.90 CNAME uhcva.x.incapdns.net	107.154.230.90
s.yimg.com	A 119.161.14.17 A 119.161.14.18 CNAME edge.gycpi.b.yahoodns.net A 119.161.16.11 A 119.161.16.12	119.161.5.252

IP Address	Status	Action
107.154.230.90	Active	Moloch
117.18.232.200	Active	Moloch
119.161.14.18	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
204.79.197.200	Active	Moloch
64.111.117.81	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49811 -> 64.111.117.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49842 -> 64.111.117.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49812 -> 64.111.117.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49816 -> 64.111.117.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 107.154.230.90:80 -> 192.168.56.102:49827	2221017	SURICATA HTTP invalid response field folding	Generic Protocol Command Decode
TCP 107.154.230.90:80 -> 192.168.56.102:49827	2221021	SURICATA HTTP response header invalid	Generic Protocol Command Decode
TCP 192.168.56.102:49838 -> 64.111.117.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 64.111.117.81:443 -> 192.168.56.102:49813	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49815 -> 64.111.117.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 64.111.117.81:443 -> 192.168.56.102:49817	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49831 -> 119.161.14.18:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49830 -> 119.161.14.18:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49837 -> 64.111.117.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 64.111.117.81:443 -> 192.168.56.102:49839	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49841 -> 64.111.117.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 64.111.117.81:443 -> 192.168.56.102:49843	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49832 -> 204.79.197.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49830 119.161.14.18:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Sunnyvale, O=Oath Inc, CN=*.yahoo.com	b0:29:79:7d:77:15:cc:13:0d:dc:50:5d:a0:cd:44:a5:79:df:61:f3
TLSv1 192.168.56.102:49831 119.161.14.18:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Sunnyvale, O=Oath Inc, CN=*.yahoo.com	b0:29:79:7d:77:15:cc:13:0d:dc:50:5d:a0:cd:44:a5:79:df:61:f3
TLSv1 192.168.56.102:49832 204.79.197.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=www.bing.com	29:b4:ed:e7:1f:1c:1b:12:99:6c:9b:1e:27:75:ac:01:25:15:77:1f

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 14, 2021, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2021, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2021, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2021, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2021, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2021, 9:45 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 14, 2021, 9:45 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 14, 2021, 9:45 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ May 14, 2021, 9:45 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 47575444 registers.edi: 3274956 registers.eax: 47575444 registers.ebp: 47575524 registers.edx: 53 registers.ebx: 47575808 registers.esi: 2147746133 registers.ecx: 3040648	1
__exception__ May 14, 2021, 9:45 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74f8c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x74f58926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x74f5d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74f8c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x74f5d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x74f5d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x74f5d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x74f5991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x74f58d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x721c6f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x721c6e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x721c27a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x721c2652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x721c253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x721c2411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x721c25ab wmic+0x39c80 @ 0x1009c80 wmic+0x3b06a @ 0x100b06a wmic+0x3b1f8 @ 0x100b1f8 wmic+0x36fcd @ 0x1006fcd wmic+0x3d6e9 @ 0x100d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 976920 registers.edi: 1957755408 registers.eax: 976920 registers.ebp: 977000 registers.edx: 1 registers.ebx: 3010308 registers.esi: 2147746133 registers.ecx: 1633798200	1
__exception__ May 14, 2021, 9:46 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 105050220 registers.edi: 5004212 registers.eax: 105050220 registers.ebp: 105050300 registers.edx: 229 registers.ebx: 105050584 registers.esi: 2147746133 registers.ecx: 5400320	1
__exception__ May 14, 2021, 9:46 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x74f5ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x74f5ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755b7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x74f8516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x74f850ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x74f8530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x74f857a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6efc540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6efc52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6f0a0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77407e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x773e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 69131520 registers.edi: 1957755408 registers.eax: 69131520 registers.ebp: 69131600 registers.edx: 1 registers.ebx: 5406396 registers.esi: 2147746133 registers.ecx: 1635662561	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (8 events)

request	GET http://www.freegamer.info/join/
request	GET http://www.freegamer.info/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=1&cb=1751958704
request	GET http://bat.bing.com/bat.js
request	GET http://www.freegamer.info/_Incapsula_Resource?SWKMTFSR=1&e=0.16526160572090975
request	GET http://www.freegamer.info/favicon.ico
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://bat.bing.com/p/action/4022064
request	GET https://s.yimg.com/wi/ytc.js

Allocates read-write-execute memory (usually to unpack itself) (50 out of 209 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 7092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 7092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03164000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 region_size: 11669504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755fc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755fc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fd7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76809000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:46 a.m.	process_identifier: 8400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 region_size: 4591616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755fc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755fc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fd7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76809000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755df000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75733000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773fd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75737000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755bd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74ac6000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 14, 2021, 9:45 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13294608384 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 8400 crashed
__exception__ May 14, 2021, 9:46 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 105050220 registers.edi: 5004212 registers.eax: 105050220 registers.ebp: 105050300 registers.edx: 229 registers.ebx: 105050584 registers.esi: 2147746133 registers.ecx: 5400320	1	0	0
__exception__ May 14, 2021, 9:46 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x74f5ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x74f5ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755b7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x74f8516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x74f850ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x74f8530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x74f857a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6efc540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6efc52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6f0a0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77407e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x773e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 69131520 registers.edi: 1957755408 registers.eax: 69131520 registers.ebp: 69131600 registers.edx: 1 registers.ebx: 5406396 registers.esi: 2147746133 registers.ecx: 1635662561	1	0	0

Application Crash

Process iexplore.exe with pid 8400 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

May 14, 2021, 9:46 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 105050220
registers.edi: 5004212
registers.eax: 105050220
registers.ebp: 105050300
registers.edx: 229
registers.ebx: 105050584
registers.esi: 2147746133
registers.ecx: 5400320

__exception__

May 14, 2021, 9:46 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x74f5ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x74f5ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755b7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x74f8516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x74f850ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x74f8530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x74f857a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6efc540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6efc52ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6f0a0ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77407e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x773e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 69131520
registers.edi: 1957755408
registers.eax: 69131520
registers.ebp: 69131600
registers.edx: 1
registers.ebx: 5406396
registers.esi: 2147746133
registers.ecx: 1635662561

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\bat[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\ytc[1].js
file	C:\Users\test22\AppData\Local\Temp\nsu823.tmp\NotifyIcon.dll
file	C:\Users\test22\AppData\Local\Temp\nsu823.tmp\inetc.dll
file	C:\Users\test22\AppData\Local\Temp\nsu823.tmp\nsExec.dll
file	C:\Users\test22\AppData\Local\Temp\nsu823.tmp\ButtonEvent.dll
file	C:\Users\test22\AppData\Local\Temp\nsu823.tmp\nsDialogs.dll
file	C:\Users\test22\AppData\Local\Temp\nsu823.tmp\System.dll

Creates a shortcut to an executable file (1 event)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk

Creates a suspicious process (2 events)

cmdline	wmic computersystem get model /format:list
cmdline	"C:\Windows\system32\cmd.exe" /C wmic computersystem get model /format:list

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\nsu823.tmp\nsExec.dll
file	C:\Users\test22\AppData\Local\Temp\nsu823.tmp\nsDialogs.dll
file	C:\Users\test22\AppData\Local\Temp\nsu823.tmp\inetc.dll
file	C:\Users\test22\AppData\Local\Temp\nsu823.tmp\ButtonEvent.dll
file	C:\Users\test22\AppData\Local\Temp\nsu823.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsu823.tmp\NotifyIcon.dll

Executes one or more WMI queries (1 event)

wmi	SELECT Model FROM Win32_ComputerSystem

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 14, 2021, 9:45 a.m.	process_identifier: 3360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x02d20000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	wmic computersystem get model /format:list
cmdline	"C:\Windows\system32\cmd.exe" /C wmic computersystem get model /format:list
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:8400 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT Model FROM Win32_ComputerSystem

Communicates with host for which no DNS query was performed (2 events)

host	117.18.232.200
host	172.217.25.14

Network activity contains more than one unique useragent (3 events)

process	OctodadSetup.exe	useragent	NSIS_Inetc (Mozilla)
process	OctodadSetup.exe	useragent	Mozilla/5.0
process	iexplore.exe	useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8400 resumed a thread in remote process 3360
NtResumeThread May 14, 2021, 9:45 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 3360	1	0	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

DrWeb	Adware.Downware.16961
MicroWorld-eScan	Adware.GenericKD.30613374
FireEye	Generic.mg.8860fecf9a64e193
CAT-QuickHeal	Trojan.Agent
McAfee	Artemis!8860FECF9A64
Cylance	Unsafe
Zillya	Adware.Downware.Win32.169
SUPERAntiSpyware	PUP.Downware/Variant
K7AntiVirus	Adware ( 004df08d1 )
Alibaba	AdWare:Win32/DownWare.ba7a771e
K7GW	Adware ( 004df08d1 )
Cybereason	malicious.f9a64e
Arcabit	Adware.Generic.D1D31F7E
Symantec	Trojan Horse
APEX	Malicious
ClamAV	Win.Malware.Score-6931191-0
Kaspersky	not-a-virus:HEUR:AdWare.Win32.Downware.gen
BitDefender	Adware.GenericKD.30613374
NANO-Antivirus	Trojan.Win32.StartPage.esqoia
AegisLab	Adware.Win32.Downware.2!c
Ad-Aware	Adware.GenericKD.30613374
Sophos	DownWare (PUA)
Comodo	ApplicUnwnt@#avud7zvby13y
F-Secure	Heuristic.HEUR/AGEN.1117529
VIPRE	DownloadShield (fs)
TrendMicro	TROJ_GEN.R002C0OA321
McAfee-GW-Edition	Artemis!PUP
Emsisoft	Application.InstallAd (A)
Jiangmin	AdWare.Downware.g
Webroot	Pua.Downloadshield
Avira	HEUR/AGEN.1117529
MAX	malware (ai score=97)
Antiy-AVL	RiskWare[Downloader]/Win32.AGeneric
Gridinsoft	Adware.DownWare.vl!c
Microsoft	PUA:Win32/Vittalia
ZoneAlarm	not-a-virus:HEUR:AdWare.Win32.Downware.gen
GData	Adware.GenericKD.30613374
Cynet	Malicious (score: 85)
AhnLab-V3	PUP/Win32.Downware.R182412
VBA32	Adware.OpenDownloadManager
ALYac	Adware.GenericKD.30613374
Malwarebytes	PUP.Optional.DownWare
Panda	Trj/Genetic.gen
ESET-NOD32	Win32/DownWare.AR potentially unwanted
TrendMicro-HouseCall	TROJ_GEN.R002C0OA321
Tencent	Win32.Adware.Downware.Eawu
Ikarus	PUA.DownWare
Fortinet	Adware/Downware
AVG	FileRepMalware
Avast	FileRepMalware

OctodadSetup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All