Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 11, 2021, 10:51 a.m.	June 11, 2021, 11:03 a.m.

Size	8.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`55a8f69da427110755203118b875f9a0`
SHA256	`640a626ae3f4d33a3cdc1d5b15343c880078058aac21a961b5fc561ce03d6424`
CRC32	`1AF81A3B`
ssdeep	`196608:Y8UXPD5lt5gQbzW7WJuVQV4DLf9JAVYdy8AAunhu:/UXVzAgqD9u38AA4`
PDB Path	C:\Users\HP\Desktop\Word Troll Malware\obj\Debug\Word Troll Malware.pdb
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

Document1 - Microsoft Word.docx.exe "C:\Users\test22\AppData\Local\Temp\Document1 - Microsoft Word.docx.exe"
2952
- iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  3916
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3916 CREDAT:145409
    5168
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3916 CREDAT:79875
    1904
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
accounts.google.com	A 142.250.204.109	172.217.161.77
fonts.gstatic.com	A 142.250.204.99 CNAME gstaticadssl.l.google.com	172.217.26.3
ssl.gstatic.com	A 142.250.199.67	172.217.27.67
r8---sn-3u-bh2el.googlevideo.com	CNAME r8.sn-3u-bh2el.googlevideo.com A 59.18.49.83	59.18.49.83
r2---sn-3u-bh2le.googlevideo.com	A 59.18.35.205 CNAME r2.sn-3u-bh2le.googlevideo.com	59.18.35.205
i.ytimg.com	A 172.217.31.246 A 142.250.66.54 A 142.250.207.86 A 172.217.174.214 A 172.217.26.150 A 172.217.161.150 A 142.250.66.118 A 142.250.199.86 A 142.250.66.150 A 172.217.163.246 A 142.250.66.86 A 172.217.24.86 A 142.250.204.86 A 216.58.200.86 A 142.250.204.54 A 172.217.161.182	172.217.25.118
fonts.googleapis.com	A 172.217.174.202	216.58.220.138
r6---sn-3u-bh2lr.googlevideo.com	A 59.18.30.209 CNAME r6.sn-3u-bh2lr.googlevideo.com	59.18.30.209
www.youtube.com	A 172.217.31.238 CNAME youtube-ui.l.google.com A 172.217.174.206 A 142.250.204.110 A 172.217.26.142 A 172.217.163.238 A 142.250.66.142 A 142.250.199.78 A 142.250.204.46 A 142.250.204.78 A 142.250.66.46 A 172.217.24.78 A 142.250.66.110 A 216.58.220.206 A 172.217.161.142 A 142.250.204.142 A 142.250.66.78	172.217.25.110

IP Address	Status	Action
117.18.232.200	Active	Moloch
142.250.199.67	Active	Moloch
142.250.204.109	Active	Moloch
142.250.204.99	Active	Moloch
164.124.101.2	Active	Moloch
172.217.161.182	Active	Moloch
172.217.174.202	Active	Moloch
172.217.25.14	Active	Moloch
216.58.220.206	Active	Moloch
59.18.30.209	Active	Moloch
59.18.35.205	Active	Moloch
59.18.49.83	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49825 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49824 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49828 -> 172.217.161.182:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49829 -> 172.217.161.182:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49831 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49832 -> 172.217.174.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49833 -> 172.217.174.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49826 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49827 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49830 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49834 -> 142.250.204.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49835 -> 142.250.204.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49841 -> 59.18.35.205:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49840 -> 59.18.35.205:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49836 -> 142.250.204.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49838 -> 142.250.204.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49844 -> 142.250.204.109:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49839 -> 59.18.35.205:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49846 -> 142.250.199.67:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49837 -> 142.250.204.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49845 -> 142.250.204.109:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49860 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49857 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49861 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49863 -> 172.217.161.182:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49862 -> 172.217.161.182:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49865 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49874 -> 59.18.30.209:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49866 -> 172.217.174.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49867 -> 172.217.174.202:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49870 -> 142.250.204.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49873 -> 59.18.30.209:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49876 -> 142.250.204.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49880 -> 142.250.204.109:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49879 -> 142.250.204.109:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49887 -> 142.250.199.67:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49872 -> 142.250.204.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49871 -> 142.250.204.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49893 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49895 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49897 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49894 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49858 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49864 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49898 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49875 -> 59.18.30.209:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49877 -> 142.250.204.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49892 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49900 -> 59.18.49.83:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49904 -> 142.250.204.109:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49906 -> 142.250.199.67:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49901 -> 59.18.49.83:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49916 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49917 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49919 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49918 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49921 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49927 -> 142.250.204.109:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49922 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49924 -> 59.18.35.205:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49902 -> 59.18.49.83:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49903 -> 142.250.204.109:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49930 -> 142.250.199.67:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49928 -> 142.250.204.109:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49937 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49936 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49938 -> 216.58.220.206:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49923 -> 59.18.35.205:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49925 -> 59.18.35.205:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49825 216.58.220.206:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com	9d:69:c5:54:30:b2:d0:84:13:b8:4f:65:af:db:c3:18:4f:35:2b:5a
TLSv1 192.168.56.102:49824 216.58.220.206:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com	9d:69:c5:54:30:b2:d0:84:13:b8:4f:65:af:db:c3:18:4f:35:2b:5a
TLSv1 192.168.56.102:49828 172.217.161.182:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=edgestatic.com	92:9f:7b:0c:6f:d8:c6:f4:a4:45:65:7f:d6:38:24:88:79:dd:ae:14
TLSv1 192.168.56.102:49829 172.217.161.182:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=edgestatic.com	92:9f:7b:0c:6f:d8:c6:f4:a4:45:65:7f:d6:38:24:88:79:dd:ae:14
TLSv1 192.168.56.102:49831 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49832 172.217.174.202:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	0c:b8:82:34:93:46:2b:86:b2:28:eb:7c:42:37:d1:9c:24:93:05:62
TLSv1 192.168.56.102:49833 172.217.174.202:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	0c:b8:82:34:93:46:2b:86:b2:28:eb:7c:42:37:d1:9c:24:93:05:62
TLSv1 192.168.56.102:49826 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49827 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49830 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49834 142.250.204.99:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	8e:1d:aa:2d:91:c8:61:04:77:65:7f:07:fe:a3:24:81:05:31:84:87
TLSv1 192.168.56.102:49835 142.250.204.99:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	8e:1d:aa:2d:91:c8:61:04:77:65:7f:07:fe:a3:24:81:05:31:84:87
TLSv1 192.168.56.102:49841 59.18.35.205:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googlevideo.com	e1:e2:fb:51:dd:6e:50:1d:f8:3a:fb:9e:57:b8:93:fa:dd:5f:41:2e
TLSv1 192.168.56.102:49840 59.18.35.205:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googlevideo.com	e1:e2:fb:51:dd:6e:50:1d:f8:3a:fb:9e:57:b8:93:fa:dd:5f:41:2e
TLSv1 192.168.56.102:49836 142.250.204.99:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	8e:1d:aa:2d:91:c8:61:04:77:65:7f:07:fe:a3:24:81:05:31:84:87
TLSv1 192.168.56.102:49838 142.250.204.99:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	8e:1d:aa:2d:91:c8:61:04:77:65:7f:07:fe:a3:24:81:05:31:84:87
TLSv1 192.168.56.102:49844 142.250.204.109:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=accounts.google.com	82:f2:63:96:17:cb:b0:24:89:aa:8d:14:32:53:98:6e:a1:2b:17:97
TLSv1 192.168.56.102:49839 59.18.35.205:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googlevideo.com	e1:e2:fb:51:dd:6e:50:1d:f8:3a:fb:9e:57:b8:93:fa:dd:5f:41:2e
TLSv1 192.168.56.102:49846 142.250.199.67:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	54:06:19:45:ff:99:47:3c:1d:59:41:96:a7:e7:ac:d0:e0:ee:10:8a
TLSv1 192.168.56.102:49837 142.250.204.99:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	8e:1d:aa:2d:91:c8:61:04:77:65:7f:07:fe:a3:24:81:05:31:84:87
TLSv1 192.168.56.102:49845 142.250.204.109:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=accounts.google.com	82:f2:63:96:17:cb:b0:24:89:aa:8d:14:32:53:98:6e:a1:2b:17:97
TLSv1 192.168.56.102:49857 216.58.220.206:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com	9d:69:c5:54:30:b2:d0:84:13:b8:4f:65:af:db:c3:18:4f:35:2b:5a
TLSv1 192.168.56.102:49860 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49861 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49863 172.217.161.182:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=edgestatic.com	92:9f:7b:0c:6f:d8:c6:f4:a4:45:65:7f:d6:38:24:88:79:dd:ae:14
TLSv1 192.168.56.102:49862 172.217.161.182:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=edgestatic.com	92:9f:7b:0c:6f:d8:c6:f4:a4:45:65:7f:d6:38:24:88:79:dd:ae:14
TLSv1 192.168.56.102:49874 59.18.30.209:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googlevideo.com	e1:e2:fb:51:dd:6e:50:1d:f8:3a:fb:9e:57:b8:93:fa:dd:5f:41:2e
TLSv1 192.168.56.102:49865 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49866 172.217.174.202:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	0c:b8:82:34:93:46:2b:86:b2:28:eb:7c:42:37:d1:9c:24:93:05:62
TLSv1 192.168.56.102:49867 172.217.174.202:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	0c:b8:82:34:93:46:2b:86:b2:28:eb:7c:42:37:d1:9c:24:93:05:62
TLSv1 192.168.56.102:49870 142.250.204.99:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	8e:1d:aa:2d:91:c8:61:04:77:65:7f:07:fe:a3:24:81:05:31:84:87
TLSv1 192.168.56.102:49873 59.18.30.209:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googlevideo.com	e1:e2:fb:51:dd:6e:50:1d:f8:3a:fb:9e:57:b8:93:fa:dd:5f:41:2e
TLSv1 192.168.56.102:49876 142.250.204.99:443	None	None	None
TLSv1 192.168.56.102:49880 142.250.204.109:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=accounts.google.com	82:f2:63:96:17:cb:b0:24:89:aa:8d:14:32:53:98:6e:a1:2b:17:97
TLSv1 192.168.56.102:49879 142.250.204.109:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=accounts.google.com	82:f2:63:96:17:cb:b0:24:89:aa:8d:14:32:53:98:6e:a1:2b:17:97
TLSv1 192.168.56.102:49887 142.250.199.67:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	54:06:19:45:ff:99:47:3c:1d:59:41:96:a7:e7:ac:d0:e0:ee:10:8a
TLSv1 192.168.56.102:49872 142.250.204.99:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	8e:1d:aa:2d:91:c8:61:04:77:65:7f:07:fe:a3:24:81:05:31:84:87
TLSv1 192.168.56.102:49871 142.250.204.99:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com	8e:1d:aa:2d:91:c8:61:04:77:65:7f:07:fe:a3:24:81:05:31:84:87
TLSv1 192.168.56.102:49893 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49895 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49897 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49894 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49858 216.58.220.206:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com	9d:69:c5:54:30:b2:d0:84:13:b8:4f:65:af:db:c3:18:4f:35:2b:5a
TLSv1 192.168.56.102:49864 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49875 59.18.30.209:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googlevideo.com	e1:e2:fb:51:dd:6e:50:1d:f8:3a:fb:9e:57:b8:93:fa:dd:5f:41:2e
TLSv1 192.168.56.102:49898 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49877 142.250.204.99:443	None	None	None
TLSv1 192.168.56.102:49892 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49900 59.18.49.83:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googlevideo.com	e1:e2:fb:51:dd:6e:50:1d:f8:3a:fb:9e:57:b8:93:fa:dd:5f:41:2e
TLSv1 192.168.56.102:49904 142.250.204.109:443	None	None	None
TLSv1 192.168.56.102:49901 59.18.49.83:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googlevideo.com	e1:e2:fb:51:dd:6e:50:1d:f8:3a:fb:9e:57:b8:93:fa:dd:5f:41:2e
TLSv1 192.168.56.102:49917 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49916 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49919 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49918 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49927 142.250.204.109:443	None	None	None
TLSv1 192.168.56.102:49921 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49922 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49924 59.18.35.205:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googlevideo.com	e1:e2:fb:51:dd:6e:50:1d:f8:3a:fb:9e:57:b8:93:fa:dd:5f:41:2e
TLSv1 192.168.56.102:49902 59.18.49.83:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googlevideo.com	e1:e2:fb:51:dd:6e:50:1d:f8:3a:fb:9e:57:b8:93:fa:dd:5f:41:2e
TLSv1 192.168.56.102:49903 142.250.204.109:443	None	None	None
TLSv1 192.168.56.102:49906 142.250.199.67:443	None	None	None
TLSv1 192.168.56.102:49936 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49938 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49937 216.58.220.206:443	None	None	None
TLSv1 192.168.56.102:49923 59.18.35.205:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googlevideo.com	e1:e2:fb:51:dd:6e:50:1d:f8:3a:fb:9e:57:b8:93:fa:dd:5f:41:2e
TLSv1 192.168.56.102:49925 59.18.35.205:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.googlevideo.com	e1:e2:fb:51:dd:6e:50:1d:f8:3a:fb:9e:57:b8:93:fa:dd:5f:41:2e
TLSv1 192.168.56.102:49930 142.250.199.67:443	None	None	None
TLSv1 192.168.56.102:49928 142.250.204.109:443	None	None	None

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 11, 2021, 10:51 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 11, 2021, 10:51 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 11, 2021, 10:51 a.m.			0	0
IsDebuggerPresent June 11, 2021, 10:51 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 11, 2021, 10:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ba610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 11, 2021, 10:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ba850 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 11, 2021, 10:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ba850 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\HP\Desktop\Word Troll Malware\obj\Debug\Word Troll Malware.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 11, 2021, 10:51 a.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ June 11, 2021, 10:52 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1 mscorlib+0x2f0dd9 @ 0x6eed0dd9 mscorlib+0x2ebefa @ 0x6eecbefa mscorlib+0x2ebe3d @ 0x6eecbe3d mscorlib+0x2d4b22 @ 0x6eeb4b22 mscorlib+0x35d2d4 @ 0x6ef3d2d4 mscorlib+0x363385 @ 0x6ef43385 mscorlib+0x35fae1 @ 0x6ef3fae1 mscorlib+0x35f721 @ 0x6ef3f721 mscorlib+0x35f4f3 @ 0x6ef3f4f3 mscorlib+0x35ccf0 @ 0x6ef3ccf0 mscorlib+0x2d53d5 @ 0x6eeb53d5 mscorlib+0x2d522c @ 0x6eeb522c mscorlib+0x2d51f6 @ 0x6eeb51f6 mscorlib+0x2d9242 @ 0x6eeb9242 mscorlib+0x2d51cd @ 0x6eeb51cd mscorlib+0x36990b @ 0x6ef4990b 0x12b37d6 system+0x1e5c55 @ 0x647b5c55 system+0x1ee170 @ 0x647be170 0x3aa08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a system+0x2093cc @ 0x647d93cc system+0x1fdca1 @ 0x647cdca1 system+0x1fd921 @ 0x647cd921 system+0x1fd792 @ 0x647cd792 system+0x1a14bd @ 0x647714bd 0x12b0093 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 2614336 registers.edi: 0 registers.eax: 2614336 registers.ebp: 2614416 registers.edx: 0 registers.ebx: 105416176 registers.esi: 6576720 registers.ecx: 960442324	1
__exception__ June 11, 2021, 10:52 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 104199244 registers.edi: 84842108 registers.eax: 104199244 registers.ebp: 104199324 registers.edx: 424751298 registers.ebx: 104199608 registers.esi: 2147746133 registers.ecx: 84625152	1
__exception__ June 11, 2021, 10:52 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x74f5ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x74f5ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755b7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x74f8516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x74f850ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x74f8530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x74f857a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x62ca540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x62ca52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x62d80ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77407e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x773e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 99474160 registers.edi: 1957755408 registers.eax: 99474160 registers.ebp: 99474240 registers.edx: 1 registers.ebx: 8103716 registers.esi: 2147746133 registers.ecx: 1593391676	1

Time & API

Arguments

Status

Return

Repeated

__exception__

June 11, 2021, 10:52 a.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x6fd51194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x6fc22ba1
mscorlib+0x2f0dd9 @ 0x6eed0dd9
mscorlib+0x2ebefa @ 0x6eecbefa
mscorlib+0x2ebe3d @ 0x6eecbe3d
mscorlib+0x2d4b22 @ 0x6eeb4b22
mscorlib+0x35d2d4 @ 0x6ef3d2d4
mscorlib+0x363385 @ 0x6ef43385
mscorlib+0x35fae1 @ 0x6ef3fae1
mscorlib+0x35f721 @ 0x6ef3f721
mscorlib+0x35f4f3 @ 0x6ef3f4f3
mscorlib+0x35ccf0 @ 0x6ef3ccf0
mscorlib+0x2d53d5 @ 0x6eeb53d5
mscorlib+0x2d522c @ 0x6eeb522c
mscorlib+0x2d51f6 @ 0x6eeb51f6
mscorlib+0x2d9242 @ 0x6eeb9242
mscorlib+0x2d51cd @ 0x6eeb51cd
mscorlib+0x36990b @ 0x6ef4990b
0x12b37d6
system+0x1e5c55 @ 0x647b5c55
system+0x1ee170 @ 0x647be170
0x3aa08e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a
system+0x2093cc @ 0x647d93cc
system+0x1fdca1 @ 0x647cdca1
system+0x1fd921 @ 0x647cd921
system+0x1fd792 @ 0x647cd792
system+0x1a14bd @ 0x647714bd
0x12b0093
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 2614336
registers.edi: 0
registers.eax: 2614336
registers.ebp: 2614416
registers.edx: 0
registers.ebx: 105416176
registers.esi: 6576720
registers.ecx: 960442324

__exception__

June 11, 2021, 10:52 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 104199244
registers.edi: 84842108
registers.eax: 104199244
registers.ebp: 104199324
registers.edx: 424751298
registers.ebx: 104199608
registers.esi: 2147746133
registers.ecx: 84625152

__exception__

June 11, 2021, 10:52 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x74f5ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x74f5ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755b7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x74f8516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x74f850ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x74f8530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x74f857a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x62ca540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x62ca52ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x62d80ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77407e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x773e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 99474160
registers.edi: 1957755408
registers.eax: 99474160
registers.ebp: 99474240
registers.edx: 1
registers.ebx: 8103716
registers.esi: 2147746133
registers.ecx: 1593391676

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (34 events)

request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://www.youtube.com/watch?v=Ml5L20bWCts
request	GET https://www.youtube.com/s/desktop/8cab6c66/jsbin/web-animations-next-lite.min.vflset/web-animations-next-lite.min.js
request	GET https://www.youtube.com/s/desktop/8cab6c66/jsbin/fetch-polyfill.vflset/fetch-polyfill.js
request	GET https://www.youtube.com/error_204?t=jserror&level=ERROR&client.name=1&client.version=2.20210609.00.00&msg=%EA%B0%9C%EC%B2%B4%EA%B0%80%20%ED%95%84%EC%9A%94%ED%95%A9%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fs%2Fdesktop%2F8cab6c66%2Fjsbin%2Fweb-animations-next-lite.min.vflset%2Fweb-animations-next-lite.min.js&line=68
request	GET https://i.ytimg.com/generate_204
request	GET https://www.youtube.com/error_204?t=jserror&level=ERROR&client.name=1&client.version=2.20210609.00.00&msg='MutationObserver'%EC%9D%B4(%EA%B0%80)%20%EC%A0%95%EC%9D%98%EB%90%98%EC%A7%80%20%EC%95%8A%EC%95%98%EC%8A%B5%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fs%2Fdesktop%2F8cab6c66%2Fjsbin%2Fwebcomponents-all-noPatch.vflset%2Fwebcomponents-all-noPatch.js&line=67
request	GET https://www.youtube.com/s/desktop/8cab6c66/jsbin/webcomponents-all-noPatch.vflset/webcomponents-all-noPatch.js
request	GET https://www.youtube.com/s/player/a0094ae9/www-player.css
request	GET https://www.youtube.com/s/desktop/8cab6c66/cssbin/www-main-desktop-watch-page-skeleton.css
request	GET https://www.youtube.com/s/desktop/8cab6c66/cssbin/www-main-desktop-player-skeleton.css
request	GET https://www.youtube.com/s/desktop/8cab6c66/jsbin/www-i18n-constants-ko_KR.vflset/www-i18n-constants.js
request	GET https://www.youtube.com/s/player/a0094ae9/player_ias.vflset/ko_KR/base.js
request	GET https://www.youtube.com/s/desktop/8cab6c66/cssbin/www-onepick.css
request	GET https://fonts.googleapis.com/css?family=Roboto:500,300,700,400\|YouTube+Sans:400,500,700
request	GET https://r2---sn-3u-bh2le.googlevideo.com/generate_204?conn2
request	GET https://r2---sn-3u-bh2le.googlevideo.com/generate_204
request	GET https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff
request	GET https://www.youtube.com/error_204?t=jserror&level=ERROR&client.name=1&client.version=2.20210609.00.00&msg='Uint8Array'%EC%9D%B4(%EA%B0%80)%20%EC%A0%95%EC%9D%98%EB%90%98%EC%A7%80%20%EC%95%8A%EC%95%98%EC%8A%B5%EB%8B%88%EB%8B%A4.&type=Error&client.params=unhandled%20window%20error&file=https%3A%2F%2Fwww.youtube.com%2Fs%2Fplayer%2Fa0094ae9%2Fplayer_ias.vflset%2Fko_KR%2Fbase.js&line=5663
request	GET https://www.youtube.com/s/desktop/8cab6c66/jsbin/spf.vflset/spf.js
request	GET https://www.youtube.com/s/desktop/8cab6c66/jsbin/network.vflset/network.js
request	GET https://www.youtube.com/s/desktop/8cab6c66/jsbin/desktop_polymer_legacy_browsers.vflset/desktop_polymer_legacy_browsers.js
request	GET https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3D%252Fsignin_passive%26feature%3Dpassive&hl=ko
request	GET https://www.youtube.com/s/desktop/8cab6c66/img/favicon.ico
request	GET https://www.youtube.com/watch?v=ZO2GU7cRrA8
request	GET https://www.youtube.com/s/desktop/8cab6c66/jsbin/scheduler.vflset/scheduler.js
request	GET https://r6---sn-3u-bh2lr.googlevideo.com/generate_204?conn2
request	GET https://r6---sn-3u-bh2lr.googlevideo.com/generate_204
request	GET https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmSU5fBBc-.woff
request	GET https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmEU9fBBc-.woff
request	GET https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff
request	GET https://www.youtube.com/watch?v=Z1nufRLDQMU
request	GET https://r8---sn-3u-bh2el.googlevideo.com/generate_204?conn2
request	GET https://r8---sn-3u-bh2el.googlevideo.com/generate_204

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1265 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01411000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0528f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05280000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01426000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 region_size: 4067328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755fc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755dc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755fc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fd7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76809000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7560f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 10:52 a.m.	process_identifier: 3916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (10 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW June 11, 2021, 10:51 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13280092160 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 11, 2021, 10:51 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13279952896 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 11, 2021, 10:51 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13279952896 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 11, 2021, 10:51 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13278904320 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 11, 2021, 10:51 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13270335488 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 11, 2021, 10:52 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13226098688 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 11, 2021, 10:52 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13226098688 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 11, 2021, 10:52 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13226098688 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 11, 2021, 10:52 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13225975808 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 11, 2021, 10:52 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13217107968 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 3916 crashed
__exception__ June 11, 2021, 10:52 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 104199244 registers.edi: 84842108 registers.eax: 104199244 registers.ebp: 104199324 registers.edx: 424751298 registers.ebx: 104199608 registers.esi: 2147746133 registers.ecx: 84625152	1	0	0
__exception__ June 11, 2021, 10:52 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x74f5ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x74f5ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755b7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x74f8516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x74f850ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x74f8530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x74f857a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x62ca540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x62ca52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x62d80ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77407e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x773e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 99474160 registers.edi: 1957755408 registers.eax: 99474160 registers.ebp: 99474240 registers.edx: 1 registers.ebx: 8103716 registers.esi: 2147746133 registers.ecx: 1593391676	1	0	0

Application Crash

Process iexplore.exe with pid 3916 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

June 11, 2021, 10:52 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 104199244
registers.edi: 84842108
registers.eax: 104199244
registers.ebp: 104199324
registers.edx: 424751298
registers.ebx: 104199608
registers.esi: 2147746133
registers.ecx: 84625152

__exception__

June 11, 2021, 10:52 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x74f5ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x74f5ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755b7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x74f8516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x74f850ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x74f8530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x74f857a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x62ca540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x62ca52ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x62d80ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77407e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x773e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 99474160
registers.edi: 1957755408
registers.eax: 99474160
registers.ebp: 99474240
registers.edx: 1
registers.ebx: 8103716
registers.esi: 2147746133
registers.ecx: 1593391676

Creates executable files on the filesystem (10 events)

file	C:\Users\test22\Documents\Da Click Aquí (6).bat
file	C:\Users\test22\Desktop\Anti-Virus (10).bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordMalware.lnk
file	C:\Users\test22\Documents\Da Click Aquí (14).bat
file	C:\Users\test22\Desktop\Infección (3).VBS
file	C:\Users\test22\Desktop\Anti-Virus (2).bat
file	C:\Users\test22\Pictures\Captura7.bat
file	C:\Users\test22\Documents\HELP (13).VBS
file	C:\Users\test22\Desktop\Infección (11).VBS
file	C:\Users\test22\Documents\HELP (5).VBS

Creates a shortcut to an executable file (3 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WordMalware.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordMalware.lnk

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 11, 2021, 10:51 a.m.	process_identifier: 5168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x082a0000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00812000', u'virtual_address': u'0x00002000', u'entropy': 7.820027838681018, u'name': u'.text', u'virtual_size': u'0x00811f80'}

entropy

7.82002783868

description

A section with a high entropy has been found

entropy

0.99476376768

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 11, 2021, 10:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3916 CREDAT:79875
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3916 CREDAT:145409

Communicates with host for which no DNS query was performed (2 events)

host	117.18.232.200
host	172.217.25.14

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordMalware.lnk

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3916 resumed a thread in remote process 5168
Process injection	Process 3916 resumed a thread in remote process 1904
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 5168	1	0	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x00000564 suspend_count: 1 process_identifier: 1904	1	0	0

Executed a process and injected code into it, probably while unpacking (38 events)

Time & API	Arguments	Status	Return
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x00000500 suspend_count: 1 process_identifier: 2952	1	0
NtGetContextThread June 11, 2021, 10:51 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 11, 2021, 10:51 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2952	1	0
CreateProcessInternalW June 11, 2021, 10:51 a.m.	thread_identifier: 4772 thread_handle: 0x000004f4 process_identifier: 3916 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000550	1	1
NtGetContextThread June 11, 2021, 10:52 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 11, 2021, 10:52 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 11, 2021, 10:52 a.m.	thread_handle: 0x000000e0	1	0
NtSetContextThread June 11, 2021, 10:52 a.m.	registers.eip: 1874996100 registers.esp: 2614544 registers.edi: 0 registers.eax: -664050023 registers.ebp: 2614548 registers.edx: 13852228 registers.ebx: 0 registers.esi: 2383005 registers.ecx: 72495096 thread_handle: 0x000000e0 process_identifier: 2952	1	0
NtResumeThread June 11, 2021, 10:52 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2952	1	0
NtGetContextThread June 11, 2021, 10:52 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 11, 2021, 10:52 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread June 11, 2021, 10:52 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 3916	1	0
CreateProcessInternalW June 11, 2021, 10:51 a.m.	thread_identifier: 8408 thread_handle: 0x00000340 process_identifier: 5168 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3916 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000344	1	1
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 5168	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x00000428 suspend_count: 1 process_identifier: 3916	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 3916	1	0
CreateProcessInternalW June 11, 2021, 10:51 a.m.	thread_identifier: 2000 thread_handle: 0x00000564 process_identifier: 1904 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3916 CREDAT:79875 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000568	1	1
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x00000564 suspend_count: 1 process_identifier: 1904	1	0
NtGetContextThread June 11, 2021, 10:52 a.m.	thread_handle: 0x00000614	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 5168	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 5168	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 5168	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x000007cc suspend_count: 1 process_identifier: 5168	1	0
NtResumeThread June 11, 2021, 10:52 a.m.	thread_handle: 0x00000874 suspend_count: 1 process_identifier: 5168	1	0
NtResumeThread June 11, 2021, 10:52 a.m.	thread_handle: 0x00000954 suspend_count: 1 process_identifier: 5168	1	0
NtResumeThread June 11, 2021, 10:53 a.m.	thread_handle: 0x000008c4 suspend_count: 1 process_identifier: 5168	1	0
NtResumeThread June 11, 2021, 10:53 a.m.	thread_handle: 0x000009bc suspend_count: 1 process_identifier: 5168	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread June 11, 2021, 10:51 a.m.	thread_handle: 0x000007ac suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread June 11, 2021, 10:52 a.m.	thread_handle: 0x00000794 suspend_count: 1 process_identifier: 1904	1	0
NtResumeThread June 11, 2021, 10:52 a.m.	thread_handle: 0x00000940 suspend_count: 1 process_identifier: 1904	1	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

McAfee	Artemis!55A8F69DA427
Sangfor	Malware
CrowdStrike	win/malicious_confidence_60% (W)
Alibaba	Trojan:MSIL/Kladun.3a99d7ca
K7GW	Trojan ( 004b234c1 )
K7AntiVirus	Trojan ( 004b234c1 )
Cyren	W32/Trojan.AFPP-9106
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 85)
Kaspersky	HEUR:Trojan.MSIL.Kladun.gen
BitDefender	Gen:Variant.Razy.746665
NANO-Antivirus	Trojan.Win32.Kladun.hxxxck
MicroWorld-eScan	Gen:Variant.Razy.746665
Avast	Win32:Malware-gen
Tencent	Msil.Trojan.Kladun.Swlc
Ad-Aware	Gen:Variant.Razy.746665
Emsisoft	Gen:Variant.Razy.746665 (B)
F-Secure	Worm.WORM/Agent.odago
DrWeb	Trojan.MulDrop15.61336
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0WI320
McAfee-GW-Edition	Artemis!Trojan
FireEye	Gen:Variant.Razy.746665
Sophos	Mal/Generic-S
Ikarus	Worm.MSIL.Agent
GData	Gen:Variant.Razy.746665
Jiangmin	Trojan.MSIL.qlul
Avira	WORM/Agent.odago
Arcabit	Trojan.Razy.DB64A9
AegisLab	Trojan.MSIL.Kladun.4!c
ZoneAlarm	HEUR:Trojan.MSIL.Kladun.gen
Microsoft	Trojan:MSIL/Shaosmine.aj!rfn
ALYac	Gen:Variant.Razy.746665
MAX	malware (ai score=85)
Cylance	Unsafe
ESET-NOD32	a variant of MSIL/Agent.VX
TrendMicro-HouseCall	TROJ_GEN.R002C0WI320
Yandex	Trojan.Kladun!24+odmxq0Ic
Fortinet	W32/Kladun.VX!tr
BitDefenderTheta	Gen:NN.ZemsilCO.34700.@p0@aGr!qEk
AVG	Win32:Malware-gen
Cybereason	malicious.da4271
Panda	Trj/GdSda.A
Qihoo-360	Generic/Trojan.48d

Document1 - Microsoft Word.docx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All