Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 11, 2021, 4:14 p.m.	June 11, 2021, 4:17 p.m.

Size	54.8KB
Type	data
MD5	`be8764f2800cc28a19b745fd6f81dba9`
SHA256	`d17ba0b35521a2be5072d21dc19bd9b86560127902d4ddf28febf8e47df00ed7`
CRC32	`0D2CB868`
ssdeep	`1536:4vmYge6SnE6vM9OY7YSdgo1eHqnkYDG+adBig97teP1WkmCyL3LE2Vk87BcYoEcL:4Dge6Sne57YSao1GYy+8c`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\index2.html
2076
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2076 CREDAT:145409
  2276

Name	Response	Post-Analysis Lookup
tootirrruahapowsadassa.com	A 172.67.218.104 A 104.21.94.22	104.21.94.22
login.live.com	A 20.190.163.20 CNAME www.a.lg.prod.aadmsa.akadns.net A 20.190.163.21 A 40.126.35.129 CNAME default.a.lg.prod.aadmsa.akadns.net A 40.126.35.144 CNAME www.tm.a.prd.aadg.trafficmanager.net CNAME login.msa.msidentity.com A 20.190.163.19 A 40.126.35.86 A 20.190.163.18 CNAME sin.current.a.prd.aadg.trafficmanager.net CNAME prda.aadg.msidentity.com CNAME www.tm.lg.prod.aadmsa.akadns.net A 40.126.35.87	40.126.37.6
www2.bing.com	CNAME www2-bing-com.dual-a-0001.a-msedge.net CNAME dual-a-0001.a-msedge.net A 204.79.197.200 A 13.107.21.200	13.107.21.200
login.microsoftonline.com	CNAME a.privatelink.msidentity.com A 40.126.52.0 A 40.126.52.1 A 40.126.52.147 CNAME krc.current.a.prd.aadg.trafficmanager.net A 40.126.52.146 A 40.126.52.3 CNAME www.tm.a.prd.aadg.trafficmanager.net A 40.126.52.150 A 20.190.144.140 CNAME prda.aadg.msidentity.com A 40.126.16.160	40.126.52.148

IP Address	Status	Action
104.21.94.22	Active	Moloch
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch
20.190.163.18	Active	Moloch
40.126.52.3	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49204 -> 104.21.94.22:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 204.79.197.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 104.21.94.22:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49207 -> 204.79.197.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 204.79.197.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 204.79.197.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 204.79.197.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49216 -> 40.126.52.3:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49218 -> 204.79.197.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49225 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.101:49226	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49219 -> 204.79.197.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49221 -> 20.190.163.18:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 204.79.197.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 204.79.197.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49217 -> 40.126.52.3:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49220 -> 20.190.163.18:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49204 104.21.94.22:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	7c:d3:63:d6:73:77:09:13:7a:43:c3:09:90:c4:66:17:64:41:3d:7e
TLSv1 192.168.56.101:49203 104.21.94.22:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	7c:d3:63:d6:73:77:09:13:7a:43:c3:09:90:c4:66:17:64:41:3d:7e
TLSv1 192.168.56.101:49207 204.79.197.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=www.bing.com	29:b4:ed:e7:1f:1c:1b:12:99:6c:9b:1e:27:75:ac:01:25:15:77:1f
TLSv1 192.168.56.101:49215 204.79.197.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=www.bing.com	29:b4:ed:e7:1f:1c:1b:12:99:6c:9b:1e:27:75:ac:01:25:15:77:1f
TLSv1 192.168.56.101:49206 204.79.197.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=www.bing.com	29:b4:ed:e7:1f:1c:1b:12:99:6c:9b:1e:27:75:ac:01:25:15:77:1f
TLSv1 192.168.56.101:49210 204.79.197.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=www.bing.com	29:b4:ed:e7:1f:1c:1b:12:99:6c:9b:1e:27:75:ac:01:25:15:77:1f
TLSv1 192.168.56.101:49209 204.79.197.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=www.bing.com	29:b4:ed:e7:1f:1c:1b:12:99:6c:9b:1e:27:75:ac:01:25:15:77:1f
TLSv1 192.168.56.101:49216 40.126.52.3:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=stamp2.login.microsoftonline.com	de:dd:3b:3d:85:a0:f1:06:e2:75:76:3c:8d:12:93:4c:ef:32:50:22
TLSv1 192.168.56.101:49218 204.79.197.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=www.bing.com	29:b4:ed:e7:1f:1c:1b:12:99:6c:9b:1e:27:75:ac:01:25:15:77:1f
TLSv1 192.168.56.101:49219 204.79.197.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=www.bing.com	29:b4:ed:e7:1f:1c:1b:12:99:6c:9b:1e:27:75:ac:01:25:15:77:1f
TLSv1 192.168.56.101:49221 20.190.163.18:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net	3a:72:af:8b:75:8e:65:e6:76:63:b2:c8:42:cd:8b:1b:fd:2e:02:51
TLSv1 192.168.56.101:49214 204.79.197.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=www.bing.com	29:b4:ed:e7:1f:1c:1b:12:99:6c:9b:1e:27:75:ac:01:25:15:77:1f
TLSv1 192.168.56.101:49213 204.79.197.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=www.bing.com	29:b4:ed:e7:1f:1c:1b:12:99:6c:9b:1e:27:75:ac:01:25:15:77:1f
TLSv1 192.168.56.101:49217 40.126.52.3:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=stamp2.login.microsoftonline.com	de:dd:3b:3d:85:a0:f1:06:e2:75:76:3c:8d:12:93:4c:ef:32:50:22
TLSv1 192.168.56.101:49220 20.190.163.18:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net	3a:72:af:8b:75:8e:65:e6:76:63:b2:c8:42:cd:8b:1b:fd:2e:02:51

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 11, 2021, 4:15 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd6da49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff1673c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff2c43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff185295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff182799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff22af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff22b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff1848d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff3f0883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff3f0ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff3f0c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff2aa4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff2bd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff3f347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff3f122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff3f3542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff2bd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff2bd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x770d9bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x770d98da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff2bd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff3e3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff290106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff290182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefd6da49d registers.r14: 0 registers.r15: 0 registers.rcx: 113698016 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 113703968 registers.r11: 113699776 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1910585790 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 11, 2021, 4:15 p.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd6da49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff1673c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff2c43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff185295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff182799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff22af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff22b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff1848d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff3f0883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff3f0ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff3f0c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff2aa4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff2bd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff3f347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff3f122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff3f3542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff2bd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff2bd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x770d9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x770d98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff2bd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff3e3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff290106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff290182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefd6da49d
registers.r14: 0
registers.r15: 0
registers.rcx: 113698016
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 113703968
registers.r11: 113699776
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1910585790
registers.r13: 0

Performs some HTTP requests (35 events)

request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://tootirrruahapowsadassa.com/
request	GET https://www.bing.com/
request	GET https://www.bing.com/rp/MDr1f9aJs4rBVf1F5DAtlALvweY.gz.js
request	GET https://www.bing.com/rp/hceflue5sqxkKta9dP3R-IFtPuY.gz.js
request	GET https://www.bing.com/rp/svI82uPNFRD54V4bMLaeahXQXBI.gz.js
request	GET https://www.bing.com/rp/a282eRIAnHsW_URoyogdzsukm_o.gz.js
request	GET https://www.bing.com/th?id=OHR.GlenEtive_ROW5856952083_1920x1080.jpg&rf=LaDigue_1920x1080.jpg&pid=hp
request	GET https://www.bing.com/rp/B0oC6BX98v6fWz1fuvaeRm9bOak.png
request	GET https://www.bing.com/sa/simg/favicon-2x.ico
request	GET https://www.bing.com/fd/ls/l?IG=9D12532635294F00A7B04ABD98369983&CID=026EA38DE0CA69A22623B3DEE159681C&Type=Event.CPT&DATA={"pp":{"S":"L","FC":-1,"BC":-1,"SE":-1,"TC":-1,"H":846,"BP":1164,"CT":1233,"IL":1},"ad":[-1,-1,1365,899,1365,899,0]}&P=SERP&DA=HKGE01
request	POST https://www.bing.com/fd/ls/lsp.aspx?
request	GET https://www.bing.com/rp/nD3Dxxt3XsvojhRsXFq3RJI2wTE.gz.js
request	GET https://www.bing.com/rp/2ajnlX1juJQ_Nu80sW46BDUL1-A.gz.js
request	GET https://www.bing.com/rp/swyt_VnIjJDWZW5KEq7a8l_1AEw.gz.js
request	GET https://www.bing.com/rp/Dta1_Or8JEDr20O5LJEJy7sv1z0.gz.js
request	GET https://www.bing.com/rp/P3LN8DHh0udC9Pbh8UHnw5FJ8R8.gz.js
request	GET https://www.bing.com/rp/eaMqCdNxIXjLc0ATep7tsFkfmSA.gz.js
request	GET https://www.bing.com/rp/RXZtj0lYpFm5XDPMpuGSsNG8i9I.gz.js
request	GET https://www.bing.com/rp/ozS3T0fsBUPZy4zlY0UX_e0TUwY.gz.js
request	GET https://www.bing.com/rp/MstqcgNaYngCBavkktAoSE0--po.gz.js
request	GET https://www.bing.com/rp/Xp-HPHGHOZznHBwdn7OWdva404Y.gz.js
request	GET https://www.bing.com/rp/n8-O_KIRNSMPFWQWrGjn0BRH6SM.gz.js
request	GET https://www.bing.com/rp/6sxhavkE4_SZHA_K4rwWmg67vF0.gz.js
request	GET https://www.bing.com/rp/FvkosEDIbuCPhD1mwLAN-LJ7Coc.gz.js
request	GET https://www.bing.com/rp/_ofc7e4WqqkT9lPqQJykFP4vxq4.gz.js
request	GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token+code&nonce=6b267c39-7342-4a85-89ec-b4cb1cb52718&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fconditional&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%229D12532635294F00A7B04ABD98369983%22%7d
request	GET https://www.bing.com/rp/pCNhfy2VQinsKZ9KIqxtGogwDv0.gz.js
request	GET https://www.bing.com/ipv6test/test?FORM=MONITR
request	GET https://www2.bing.com/ipv6test/test
request	POST https://www.bing.com/orgid/idtoken/conditional
request	GET https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1623395708&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=1042&id=264960&checkda=1
request	GET https://www.bing.com/secure/Passport.aspx?popup=1&ssl=1
request	GET https://www.bing.com/fd/ls/l?IG=9D12532635294F00A7B04ABD98369983&CID=026EA38DE0CA69A22623B3DEE159681C&TYPE=Event.ClientInst&DATA=%5B%7B%22T%22%3A%22CI.Init%22%2C%22TS%22%3A1623395698471%2C%22Name%22%3A%22Base%22%2C%22FID%22%3A%22CI%22%7D%2C%7B%22width%22%3A%221365%22%2C%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1623395698472%2C%22Name%22%3A%22W%22%2C%22FID%22%3A%22BRW%22%7D%2C%7B%22height%22%3A%22899%22%2C%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1623395698472%2C%22Name%22%3A%22M%22%2C%22FID%22%3A%22BRH%22%7D%2C%7B%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1623395698472%2C%22Name%22%3A%221%22%2C%22FID%22%3A%22Mutation%22%7D%2C%7B%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1623395698472%2C%22Name%22%3A%224%22%2C%22FID%22%3A%22DM%22%7D%2C%7B%22RTT%22%3A%221623395694987%22%2C%22T%22%3A%22CI.Init%22%2C%22TS%22%3A1623395698826%2C%22Name%22%3A%22ClientPerf%22%2C%22FID%22%3A%22HP%22%7D%2C%7B%22w%22%3A%221365%22%2C%22h%22%3A%221024%22%2C%22dpr%22%3A%220%22%2C%22T%22%3A%22CI.Init%22%2C%22TS%22%3A1623395698826%2C%22Name%22%3A%22ClientScreen%22%2C%22FID%22%3A%22HP%22%7D%2C%7B%22Time%22%3A3877%2C%22T%22%3A%22CI.Latency%22%2C%22TS%22%3A1623395698864%2C%22Name%22%3A%22sBoxTime%22%2C%22FID%22%3A%22HP%22%7D%2C%7B%22T%22%3A%22CI.ClientInst%22%2C%22TS%22%3A1623395699131%2C%22Name%22%3A%22OrgId%22%2C%22FID%22%3A%22NoSignInAttempt%22%7D%5D
request	POST https://www.bing.com/fd/ls/lsp.aspx

Sends data using the HTTP POST Method (3 events)

request	POST https://www.bing.com/fd/ls/lsp.aspx?
request	POST https://www.bing.com/orgid/idtoken/conditional
request	POST https://www.bing.com/fd/ls/lsp.aspx

Allocates read-write-execute memory (usually to unpack itself) (50 out of 54 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 5378048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003170000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770dd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc135000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc135000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdda4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefda01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770ca000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:15 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000073e03000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 region_size: 4001792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002b30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770dd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc135000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc135000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdda4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefda01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770ca000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770cf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770cd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770cb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e56000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077206000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e51000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770d0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770ca000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000771df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000771eb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff3d7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdd44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdd41000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2076 crashed
__exception__ June 11, 2021, 4:15 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd6da49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff1673c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff2c43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff185295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff182799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff22af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff22b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff1848d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff3f0883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff3f0ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff3f0c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff2aa4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff2bd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff3f347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff3f122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff3f3542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff2bd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff2bd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x770d9bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x770d98da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff2bd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff3e3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff290106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff290182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefd6da49d registers.r14: 0 registers.r15: 0 registers.rcx: 113698016 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 113703968 registers.r11: 113699776 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1910585790 registers.r13: 0	1	0	0

Application Crash

Process iexplore.exe with pid 2076 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

June 11, 2021, 4:15 p.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd6da49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff1673c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff2c43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff185295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff182799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff22af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff22b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff1848d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff3f0883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff3f0ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff3f0c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff2aa4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff2bd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff3f347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff3f122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff3f3542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff2bd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff2bd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x770d9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x770d98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff2bd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff3e3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff290106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff290182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

Creates executable files on the filesystem (19 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\Xp-HPHGHOZznHBwdn7OWdva404Y.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\n8-O_KIRNSMPFWQWrGjn0BRH6SM.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\nD3Dxxt3XsvojhRsXFq3RJI2wTE.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\ozS3T0fsBUPZy4zlY0UX_e0TUwY.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\Dta1_Or8JEDr20O5LJEJy7sv1z0.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\swyt_VnIjJDWZW5KEq7a8l_1AEw.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\P3LN8DHh0udC9Pbh8UHnw5FJ8R8.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\RXZtj0lYpFm5XDPMpuGSsNG8i9I.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\pCNhfy2VQinsKZ9KIqxtGogwDv0.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\a282eRIAnHsW_URoyogdzsukm_o.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\MDr1f9aJs4rBVf1F5DAtlALvweY.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\_ofc7e4WqqkT9lPqQJykFP4vxq4.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\svI82uPNFRD54V4bMLaeahXQXBI.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\MstqcgNaYngCBavkktAoSE0--po.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\hceflue5sqxkKta9dP3R-IFtPuY.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\2ajnlX1juJQ_Nu80sW46BDUL1-A.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\eaMqCdNxIXjLc0ATep7tsFkfmSA.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\FvkosEDIbuCPhD1mwLAN-LJ7Coc.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\6sxhavkE4_SZHA_K4rwWmg67vF0.gz[1].js

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 11, 2021, 4:14 p.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff80000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2076 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Arcabit	VBS.Heur.Worm.Dunihi.2.F8AC86B2.Gen
ESET-NOD32	VBS/Kryptik.AP
Baidu	VBS.Worm.Agent.rd
Avast	VBS:Downloader-PI [Trj]
Kaspersky	HEUR:Worm.Script.Generic
BitDefender	VBS.Heur.Worm.Dunihi.2.F8AC86B2.Gen
NANO-Antivirus	Trojan.Script.Agent.dmmmng
MicroWorld-eScan	VBS.Heur.Worm.Dunihi.2.F8AC86B2.Gen
Ad-Aware	VBS.Heur.Worm.Dunihi.2.F8AC86B2.Gen
Emsisoft	VBS.Heur.Worm.Dunihi.2.F8AC86B2.Gen (B)
McAfee-GW-Edition	BehavesLike.HTML.Dropper.qq
FireEye	VBS.Heur.Worm.Dunihi.2.F8AC86B2.Gen
GData	VBS.Heur.Worm.Dunihi.2.F8AC86B2.Gen
ALYac	VBS.Heur.Worm.Dunihi.2.F8AC86B2.Gen
MAX	malware (ai score=88)
Fortinet	WM/Moat.33F95FF6!tr
AVG	VBS:Downloader-PI [Trj]

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2076 resumed a thread in remote process 2276
NtResumeThread June 11, 2021, 4:14 p.m.	thread_handle: 0x0000000000000364 suspend_count: 1 process_identifier: 2276	1	0	0

index2.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All