Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 7, 2021, 6:42 p.m.	July 7, 2021, 6:45 p.m.

Size	188.9KB
Type	Zip archive data, at least v2.0 to extract
MD5	`88811d5b8004bca2c3166e3cedd10fe3`
SHA256	`6a39055318c5ff39bb354e675325e0f929de46455a92117afba43b3824a4da9a`
CRC32	`07270557`
ssdeep	`3072:lacjzJ3t108fD2yIYgyZVDP1CdbpL0XVN4vS74xHtrLRJo3a98MbrlbV:laWysD2yIYgofspLsN4vS7Qh3b1V`
Yara	None matched

java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar C:\Users\test22\AppData\Local\Temp\InvoicePO-03092021.jar
1240
- wscript.exe wscript C:\Users\test22\bqqnjhotkk.js
  1536
  - javaw.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
    1800
    - java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\owchvlkxi.txt"
      2572
      - cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
        2004
        
        schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
        2692
      - java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
        2404
        
        cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        3020
        
        WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        1308
        
        cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        1572
        
        WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        932
        
        cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        2188
        
        WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        2200
        
        cmd.exe cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
        2252
        
        WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
        2328

Name	Response	Post-Analysis Lookup
github-releases.githubusercontent.com	A 185.199.108.154 A 185.199.111.154 A 185.199.109.154 A 185.199.110.154	185.199.108.154
repo1.maven.org	A 151.101.196.209 CNAME sonatype.map.fastly.net	199.232.196.209
str-master.pw
github.com	A 52.78.231.108	15.164.81.167
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
151.101.196.209	Active	Moloch
164.124.101.2	Active	Moloch
185.199.108.154	Active	Moloch
208.95.112.1	Active	Moloch
46.183.221.118	Active	Moloch
52.78.231.108	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49164 -> 52.78.231.108:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49166 -> 151.101.196.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49167 -> 151.101.196.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49168 -> 185.199.108.154:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49165 -> 151.101.196.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
UDP 192.168.56.102:51868 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49184 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49164 52.78.231.108:443	C=US, O=DigiCert, Inc., CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	84:63:b3:a9:29:12:cc:fd:1d:31:47:05:98:9b:ec:13:99:37:d0:d7
TLS 1.2 192.168.56.102:49166 151.101.196.209:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org	74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd
TLS 1.2 192.168.56.102:49167 151.101.196.209:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org	74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd
TLS 1.2 192.168.56.102:49168 185.199.108.154:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=www.github.com	70:94:de:dd:e6:c4:69:48:3a:92:70:a1:48:56:78:2d:18:64:e0:b7
TLS 1.2 192.168.56.102:49165 151.101.196.209:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org	74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd

Queries for the computername (21 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 6:43 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 7, 2021, 6:43 p.m.			0	0
IsDebuggerPresent July 7, 2021, 6:43 p.m.			0	0
IsDebuggerPresent July 7, 2021, 6:43 p.m.			0	0
IsDebuggerPresent July 7, 2021, 6:43 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 7, 2021, 6:42 p.m.		1	1	0

One or more processes crashed (16 events)

Time & API	Arguments	Status
__exception__ July 7, 2021, 6:42 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28c0202 registers.esp: 17430476 registers.edi: 1 registers.eax: 6 registers.ebp: 1923470528 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ July 7, 2021, 6:42 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x26f0202 registers.esp: 13694128 registers.edi: 1 registers.eax: 6 registers.ebp: 1923470528 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ July 7, 2021, 6:42 p.m.	stacktrace: 0x283afe8 0x26f44e0 0x26f44e0 0x26f44e0 0x26f44e0 0x26f44e0 0x26f4854 0x26f4854 0x26f4854 0x283d8a4 0x26f44e0 0x26f44e0 0x26f44e0 0x283d844 0x26f4854 0x26f4889 0x26f0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x7282af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x728f13ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x7282afde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x7282b166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x7282b1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x727cf36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7284dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7284e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x72892ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x7393c556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x7393c600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77259ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77259ea5 exception.instruction_r: 85 05 00 01 60 00 8b 74 24 1c 3b d6 7c bb 8b c7 exception.instruction: test eax, dword ptr [0x600100] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x282d477 registers.esp: 370275168 registers.edi: 822691990 registers.eax: 79940936 registers.ebp: 370275404 registers.edx: 1176 registers.ebx: 3064573811 registers.esi: 150 registers.ecx: 0	1
__exception__ July 7, 2021, 6:42 p.m.	stacktrace: 0x283afe8 0x26f44e0 0x26f44e0 0x26f44e0 0x26f44e0 0x26f44e0 0x26f4854 0x26f4854 0x26f4854 0x283d8a4 0x26f44e0 0x26f44e0 0x26f44e0 0x283d844 0x26f4854 0x26f4889 0x26f0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x7282af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x728f13ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x7282afde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x7282b166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x7282b1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x727cf36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7284dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7284e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x72892ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x7393c556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x7393c600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77259ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77259ea5 exception.instruction_r: 85 05 00 01 60 00 8b c3 8b de 89 bc 24 c8 00 00 exception.instruction: test eax, dword ptr [0x600100] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2829411 registers.esp: 368700768 registers.edi: 1291859500 registers.eax: 3774873600 registers.ebp: 368701180 registers.edx: 3268550863 registers.ebx: 441319424 registers.esi: 0 registers.ecx: 113	1
__exception__ July 7, 2021, 6:43 p.m.	stacktrace: 0x283afe8 0x26f44e0 0x26f44e0 0x26f44e0 0x26f44e0 0x26f44e0 0x26f4854 0x284464c 0x26f44e0 0x26f44e0 0x26f44e0 0x283d844 0x26f4854 0x26f4889 0x26f0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x7282af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x728f13ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x7282afde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x7282b166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x7282b1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x727cf36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7284dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7284e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x72892ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x7393c556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x7393c600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77259ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77259ea5 exception.instruction_r: 85 05 00 01 60 00 8b ca 89 7c 24 70 89 5c 24 74 exception.instruction: test eax, dword ptr [0x600100] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x282914d registers.esp: 370275008 registers.edi: 2036192387 registers.eax: 52 registers.ebp: 370275420 registers.edx: 3143630848 registers.ebx: 355796195 registers.esi: 0 registers.ecx: 1	1
__exception__ July 7, 2021, 6:43 p.m.	stacktrace: _JVM_SetVmMemoryPressure@4-0x128cd jvm+0x7273 @ 0x726d7273 _JVM_SetVmMemoryPressure@4-0x1285c jvm+0x72e4 @ 0x726d72e4 _JVM_GetManagementExt@4+0x5505a AsyncGetCallTrace-0x65406 jvm+0x7055a @ 0x7274055a _JVM_GetManagementExt@4+0x5594f AsyncGetCallTrace-0x64b11 jvm+0x70e4f @ 0x72740e4f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7284dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7284e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x72892ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x7393c556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x7393c600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77259ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77259ea5 exception.instruction_r: c7 04 08 01 00 00 00 5d c3 cc cc 83 3d 68 80 a5 exception.instruction: mov dword ptr [eax + ecx], 1 exception.exception_code: 0xc0000005 exception.symbol: _JVM_SetVmMemoryPressure@4-0x1293b jvm+0x7205 exception.address: 0x726d7205 registers.esp: 363591372 registers.edi: 3974928 registers.eax: 3328 registers.ebp: 363591372 registers.edx: 0 registers.ebx: 14706688 registers.esi: 14706688 registers.ecx: 12845056	1
__exception__ July 7, 2021, 6:43 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28c0202 registers.esp: 16644736 registers.edi: 1 registers.eax: 6 registers.ebp: 1919472832 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ July 7, 2021, 6:43 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28c0202 registers.esp: 3602920 registers.edi: 1 registers.eax: 6 registers.ebp: 1923470528 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ July 7, 2021, 6:43 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x756b374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74d24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x756aef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x756a6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x756a6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x756a6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x756c5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x757406b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74dfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74dfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74dfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74d18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74d18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74d1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74dfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74dfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74dfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74d19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74d19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755462fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75546d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755477c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7554788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74cda48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74cd853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74cda4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74cecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74ced87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77259ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77259ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x751eb727 registers.esp: 42921660 registers.edi: 4335300 registers.eax: 42921660 registers.ebp: 42921740 registers.edx: 50 registers.ebx: 42922024 registers.esi: 2147746133 registers.ecx: 4088552	1
__exception__ July 7, 2021, 6:43 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x756b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74dff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x756c414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74ccfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74dfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74a2e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74a072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x749fab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74a2c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x749f87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x749f8926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x749fd55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74a2c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x749fd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x749fd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x749fd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x749f991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x749f8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x749fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x749f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x749f9aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72446f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72446e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x724427a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72442652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7244253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72442411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x724425ab wmic+0x39c80 @ 0xa99c80 wmic+0x3b06a @ 0xa9b06a wmic+0x3b1f8 @ 0xa9b1f8 wmic+0x36fcd @ 0xa96fcd wmic+0x3d6e9 @ 0xa9d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77259ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77259ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x751eb727 registers.esp: 2090944 registers.edi: 1959852560 registers.eax: 2090944 registers.ebp: 2091024 registers.edx: 1 registers.ebx: 4058212 registers.esi: 2147746133 registers.ecx: 776490042	1
__exception__ July 7, 2021, 6:43 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x756b374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74d24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x756aef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x756a6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x756a6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x756a6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x756c5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x757406b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74dfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74dfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74dfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74d18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74d18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74d1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74dfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74dfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74dfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74d19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74d19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755462fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75546d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755477c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7554788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74cda48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74cd853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74cda4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74cecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74ced87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77259ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77259ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x751eb727 registers.esp: 33222444 registers.edi: 5647036 registers.eax: 33222444 registers.ebp: 33222524 registers.edx: 50 registers.ebx: 33222808 registers.esi: 2147746133 registers.ecx: 5399312	1
__exception__ July 7, 2021, 6:43 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x756b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74dff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x756c414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74ccfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74dfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74a2e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74a072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x749fab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74a2c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x749f87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x749f8926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x749fd55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74a2c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x749fd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x749fd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x749fd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x749f991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x749f8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x749fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x749f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x749f9aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72406f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72406e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x724027a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72402652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7240253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72402411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x724025ab wmic+0x39c80 @ 0xa29c80 wmic+0x3b06a @ 0xa2b06a wmic+0x3b1f8 @ 0xa2b1f8 wmic+0x36fcd @ 0xa26fcd wmic+0x3d6e9 @ 0xa2d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77259ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77259ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x751eb727 registers.esp: 2222592 registers.edi: 1959852560 registers.eax: 2222592 registers.ebp: 2222672 registers.edx: 1 registers.ebx: 5368972 registers.esi: 2147746133 registers.ecx: 777441924	1
__exception__ July 7, 2021, 6:43 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x756b374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74d24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x756aef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x756a6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x756a6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x756a6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x756c5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x757406b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74dfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74dfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74dfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74d18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74d18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74d1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74dfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74dfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74dfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74d19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74d19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755462fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75546d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755477c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7554788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74cda48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74cd853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74cda4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74cecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74ced87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77259ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77259ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x751eb727 registers.esp: 42005088 registers.edi: 4450732 registers.eax: 42005088 registers.ebp: 42005168 registers.edx: 50 registers.ebx: 42005452 registers.esi: 2147746133 registers.ecx: 4219592	1
__exception__ July 7, 2021, 6:43 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x756b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74dff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x756c414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74ccfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74dfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74a2e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74a072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x749fab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74a2c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x749f87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x749f8926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x749fd55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74a2c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x749fd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x749fd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x749fd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x749f991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x749f8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x749fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x749f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x749f9aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72426f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72426e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x724227a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72422652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7242253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72422411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x724225ab wmic+0x39c80 @ 0x179c80 wmic+0x3b06a @ 0x17b06a wmic+0x3b1f8 @ 0x17b1f8 wmic+0x36fcd @ 0x176fcd wmic+0x3d6e9 @ 0x17d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77259ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77259ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x751eb727 registers.esp: 3008800 registers.edi: 1959852560 registers.eax: 3008800 registers.ebp: 3008880 registers.edx: 1 registers.ebx: 4189252 registers.esi: 2147746133 registers.ecx: 760571475	1
__exception__ July 7, 2021, 6:43 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x756b374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74d24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x756aef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x756a6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x756a6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x756a6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x756c5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x757406b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74dfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74dfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74dfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74d18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74d18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74d1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74dfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74dfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74dfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74d19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74d19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755462fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75546d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755477c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7554788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74cda48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74cd853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74cda4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74cecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74ced87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77259ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77259ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x751eb727 registers.esp: 47312368 registers.edi: 4118716 registers.eax: 47312368 registers.ebp: 47312448 registers.edx: 50 registers.ebx: 47312732 registers.esi: 2147746133 registers.ecx: 3891992	1
__exception__ July 7, 2021, 6:43 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x756b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74dff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x756c414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74ccfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74dfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74a2e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74a072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x749fab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74a2c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x749f87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x749f8926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x749fd55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74a2c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x749fd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x749fd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x749fd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x749f991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x749f8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x749fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x749f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x749f9aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72406f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72406e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x724027a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72402652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7240253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72402411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x724025ab wmic+0x39c80 @ 0xa9c80 wmic+0x3b06a @ 0xab06a wmic+0x3b1f8 @ 0xab1f8 wmic+0x36fcd @ 0xa6fcd wmic+0x3d6e9 @ 0xad6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77259ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77259ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x751eb727 registers.esp: 1370312 registers.edi: 1959852560 registers.eax: 1370312 registers.ebp: 1370392 registers.edx: 1 registers.ebx: 3861652 registers.esi: 2147746133 registers.ecx: 757687025	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://ip-api.com/json/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

str-master.pw

description

Palau domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 129 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02908000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02918000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02928000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02938000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02948000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02958000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02968000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02978000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02718000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02728000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02738000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02748000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02750000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02758000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02768000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02778000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02788000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02798000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna7019705296349932347.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna8283762773324050760.dll
file	C:\Users\test22\bqqnjhotkk.js

Creates a suspicious process (10 events)

cmdline	cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
cmdline	wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna8283762773324050760.dll

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

Cyren	JS/Agent.AUY
Kaspersky	HEUR:Trojan.Java.Agent.gen
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm
McAfee-GW-Edition	BehavesLike.Downloader.cc
Avira	EXP/JAVA.Banload.MRAF.Gen
Cynet	Malicious (score: 99)

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 7, 2021, 6:42 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x16200000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 7, 2021, 6:42 p.m.	flags: 28 family: 0	1	0	0

Uses Windows utilities for basic Windows functionality (10 events)

cmdline	cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
cmdline	wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT VolumeSerialNumber FROM win32_logicaldisk

Communicates with host for which no DNS query was performed (1 event)

host

46.183.221.118

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\owchvlkxi	reg_value	"C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owchvlkxi	reg_value	"C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\owchvlkxi.txt
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\owchvlkxi.txt
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"

Executes one or more WMI queries (4 events)

wmi	SELECT Caption, OSArchitecture FROM win32_operatingsystem
wmi	SELECT displayName FROM antivirusproduct
wmi	SELECT VolumeSerialNumber FROM win32_logicaldisk
wmi	SELECT Version FROM win32_operatingsystem

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe -jar "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
parent_process	wscript.exe				martian_process	"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"

The processes wscript.exe, java.exe wrote an executable file to disk which it then attempted to execute (4 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna8283762773324050760.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna7019705296349932347.dll

InvoicePO-03092021.jar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All