popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

relese.exe

NPKI AsyncRAT MSOffice File AntiDebug .NET DLL PNG Format PE File DLL OS Processor Check PE32 PE64 .NET EXE JPEG Format AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 May 27, 2021, 5:38 p.m. May 27, 2021, 5:40 p.m.
Size 3.5MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 67c0f9f7a63db607929cfbae83442911
SHA256 22d99292c5e01bfa28fed4347dcd4633d30ec309b780730e0c1d802600b66e20
CRC32 664ACD3E
ssdeep 49152:8bA3l3rsrnd/itIi2FDOHPl6sFpsYaboV9u3fAkCNrA17KiFpP6sXsdCVwqZbjZ5:8bKrctGDl/ps53PAkC5o+i3PdcdB2jwu
PDB Path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
cacerts.digicert.com
A 104.18.10.39
A 104.18.11.39
CNAME cdn.digicertcdn.com
104.18.10.39
dotnet.microsoft.com
CNAME dual.part-0021.t-0009.t-msedge.net
CNAME part-0021.t-0009.t-msedge.net
A 13.107.246.49
CNAME firstparty-azurefd-prod.trafficmanager.net
CNAME dotnetwebsite.azurefd.net
A 13.107.213.49
13.107.213.49
IP Address Status Action
104.18.10.39 Active Moloch
104.18.11.39 Active Moloch
117.18.232.200 Active Moloch
13.107.246.49 Active Moloch
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49842 -> 13.107.246.49:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49838 -> 23.197.161.201:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49841 -> 13.107.246.49:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49842
13.107.246.49:443 		C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=dotnet.microsoft.com 84:70:00:ee:f5:ad:e7:a8:ba:80:02:e9:4b:27:5e:77:75:3b:31:d8
TLSv1
192.168.56.102:49838
23.197.161.201:443 		C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=go.microsoft.com 88:c7:2f:7b:17:dd:89:49:46:0b:a2:3f:1b:26:80:82:24:cf:0b:58
TLSv1
192.168.56.102:49841
13.107.246.49:443 		C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=dotnet.microsoft.com 84:70:00:ee:f5:ad:e7:a8:ba:80:02:e9:4b:27:5e:77:75:3b:31:d8

pdb_path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
section .didat
resource name PNG
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 110948004
registers.edi: 80934740
registers.eax: 110948004
registers.ebp: 110948084
registers.edx: 127
registers.ebx: 110948368
registers.esi: 2147746133
registers.ecx: 7697792
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x74f5ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x74f5ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755b7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x74f8516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x74f850ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x74f8530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x74f857a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6efc540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6efc52ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6f0a0ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77407e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x773e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 75292008
registers.edi: 1957755408
registers.eax: 75292008
registers.ebp: 75292088
registers.edx: 1
registers.ebx: 7218228
registers.esi: 2147746133
registers.ecx: 2768421057
1 0 0
request GET http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.6.1&processName=Svc_host.exe&platform=0009&osver=5&isServer=0
request GET http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
request GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request GET https://go.microsoft.com/fwlink/?linkid=850289&tfm=.NETFramework,Version=v4.6.1&processName=Svc_host.exe&platform=0009&osver=5&isServer=0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 8564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 7636
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000800000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 7636
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000009a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3752
region_size: 13701120
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02e40000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3752
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03b50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7560f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7560f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7560f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7560f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755dc000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755fc000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755dc000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755fc000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f33000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fd7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76809000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756b2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755c2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7560f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7560f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7560f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3752
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x032d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x745d1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4408
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02600000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4408
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02600000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7560f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7560f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7560f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7560f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755dc000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755fc000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755dc000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755fc000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f33000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fd7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76809000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756b2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755c2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755c7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755df000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755c6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75733000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773fd000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75737000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755b8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755bd000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773e2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74ac6000
process_handle: 0xffffffff
1 0 0
Application Crash Process iexplore.exe with pid 3752 crashed
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 110948004
registers.edi: 80934740
registers.eax: 110948004
registers.ebp: 110948084
registers.edx: 127
registers.ebx: 110948368
registers.esi: 2147746133
registers.ecx: 7697792
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x74f5ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x74f5ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755b7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x74f8516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x74f850ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x74f8530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x74f857a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6efc540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6efc52ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6f0a0ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77407e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x773e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 75292008
registers.edi: 1957755408
registers.eax: 75292008
registers.ebp: 75292088
registers.edx: 1
registers.ebx: 7218228
registers.esi: 2147746133
registers.ecx: 2768421057
1 0 0
file C:\Users\test22\AppData\Local\Temp\RarSFX0\Svc_host.exe
file C:\Users\test22\AppData\Local\Temp\RarSFX0\System.Runtime.CompilerServices.Unsafe.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\x86\SQLite.Interop.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\BouncyCastle.Crypto.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\x64\SQLite.Interop.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\System.Buffers.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\System.Memory.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\Newtonsoft.Json.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\System.Data.SQLite.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\System.IO.Compression.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\System.Numerics.Vectors.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\Svc_host.exe
file C:\Users\test22\AppData\Local\Temp\RarSFX0\System.Data.SQLite.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\System.Runtime.CompilerServices.Unsafe.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\Svc_host.exe
file C:\Users\test22\AppData\Local\Temp\RarSFX0\System.Memory.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\Newtonsoft.Json.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\System.Buffers.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\System.Numerics.Vectors.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\BouncyCastle.Crypto.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\x86\SQLite.Interop.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\System.IO.Compression.dll
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 4408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 16 (PAGE_EXECUTE)
base_address: 0x07e50000
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x0000e200', u'virtual_address': u'0x00063000', u'entropy': 6.802679828750322, u'name': u'.rsrc', u'virtual_size': u'0x0000e038'} entropy 6.80267982875 description A section with a high entropy has been found
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3752 CREDAT:145409
cmdline "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
host 117.18.232.200
host 172.217.25.14
Process injection Process 3752 resumed a thread in remote process 4408
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000338
suspend_count: 1
process_identifier: 4408
1 0 0
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
DrWeb Trojan.PWS.StealerNET.99
FireEye Generic.mg.67c0f9f7a63db607
CAT-QuickHeal Trojanpws.Msil
McAfee Artemis!67C0F9F7A63D
Cylance Unsafe
Zillya Trojan.ScriptKD.JS.10
Sangfor Trojan.Win32.Save.a
K7AntiVirus Spyware ( 004bf53c1 )
Alibaba TrojanPSW:MSIL/Browsstl.e170a589
K7GW Spyware ( 004bf53c1 )
Cybereason malicious.7a63db
BitDefenderTheta Gen:NN.ZemsilF.34692.em0@aqs!Dan
Cyren W32/MSIL_Mintluks.A.gen!Eldorado
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of MSIL/Spy.Agent.AES
APEX Malicious
Avast Win32:Trojan-gen
Cynet Malicious (score: 100)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.46315273
Paloalto generic.ml
MicroWorld-eScan Trojan.GenericKD.46315273
Ad-Aware Trojan.GenericKD.46315273
Emsisoft Trojan.GenericKD.46315273 (B)
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0DEI21
McAfee-GW-Edition BehavesLike.Win32.Generic.wc
Sophos Generic ML PUA (PUA)
Avira TR/Spy.Agent.zooiw
Microsoft PWS:MSIL/RedLine.GG!MTB
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Trojan-PSW.MSIL.Stealer.gen
GData Trojan.GenericKD.46315273
VBA32 TrojanPSW.StealerNET
ALYac Trojan.GenericKD.46315273
MAX malware (ai score=82)
Malwarebytes Malware.AI.1256039792
TrendMicro-HouseCall TROJ_GEN.R002C0DEI21
Rising Stealer.Agent!1.B723 (CLOUD)
Yandex TrojanSpy.Agent!Tg6u1jk023k
MaxSecure Trojan.Malware.1728101.susgen
Fortinet W32/Stealer.AES!tr.pws
Webroot W32.Trojan.Gen
AVG Win32:Trojan-gen
Panda Trj/CI.A
CrowdStrike win/malicious_confidence_100% (W)