Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 7, 2021, 11:12 p.m.	July 7, 2021, 11:15 p.m.

Size	188.9KB
Type	Zip archive data, at least v2.0 to extract
MD5	`88811d5b8004bca2c3166e3cedd10fe3`
SHA256	`6a39055318c5ff39bb354e675325e0f929de46455a92117afba43b3824a4da9a`
CRC32	`07270557`
ssdeep	`3072:lacjzJ3t108fD2yIYgyZVDP1CdbpL0XVN4vS74xHtrLRJo3a98MbrlbV:laWysD2yIYgofspLsN4vS7Qh3b1V`
Yara	None matched

java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar C:\Users\test22\AppData\Local\Temp\InvoicePO-03092021.jar
912
- wscript.exe wscript C:\Users\test22\bqqnjhotkk.js
  2528
  - javaw.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\qktfimippt.txt"
    1952
    - java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\qktfimippt.txt"
      1312
      - cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt"
        2472
        
        schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt"
        300
      - java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\AppData\Roaming\qktfimippt.txt"
        2220
        
        cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        876
        
        WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        236
        
        cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        3024
        
        WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        2004
        
        cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        2136
        
        WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        896
        
        cmd.exe cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
        2632
        
        WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
        2604

Name	Response	Post-Analysis Lookup
repo1.maven.org	A 151.101.40.209 CNAME sonatype.map.fastly.net	199.232.196.209
edgedl.me.gvt1.com	A 34.104.35.123	34.104.35.123
str-master.pw
github-releases.githubusercontent.com	A 185.199.108.154 A 185.199.111.154 A 185.199.109.154 A 185.199.110.154	185.199.111.154
github.com	A 52.78.231.108	52.78.231.108
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
151.101.40.209	Active	Moloch
164.124.101.2	Active	Moloch
185.199.111.154	Active	Moloch
208.95.112.1	Active	Moloch
34.104.35.123	Active	Moloch
46.183.221.118	Active	Moloch
52.78.231.108	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 151.101.40.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49165 -> 52.78.231.108:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49167 -> 151.101.40.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49168 -> 151.101.40.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49169 -> 185.199.111.154:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
UDP 192.168.56.102:49669 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49186 -> 172.217.161.131:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.104.35.123:80 -> 192.168.56.102:49187	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 34.104.35.123:80 -> 192.168.56.102:49187	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49185 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49176 -> 46.183.221.118:3232	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49166 151.101.40.209:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org	74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd
TLS 1.2 192.168.56.102:49165 52.78.231.108:443	C=US, O=DigiCert, Inc., CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	84:63:b3:a9:29:12:cc:fd:1d:31:47:05:98:9b:ec:13:99:37:d0:d7
TLS 1.2 192.168.56.102:49167 151.101.40.209:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org	74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd
TLS 1.2 192.168.56.102:49168 151.101.40.209:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org	74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd
TLS 1.2 192.168.56.102:49169 185.199.111.154:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=www.github.com	70:94:de:dd:e6:c4:69:48:3a:92:70:a1:48:56:78:2d:18:64:e0:b7
TLS 1.2 192.168.56.102:49186 172.217.161.131:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	f6:fd:3d:f7:f5:a4:58:28:2f:0c:7e:7d:9d:80:25:2b:b6:a2:84:72

Queries for the computername (21 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2021, 11:13 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 7, 2021, 11:13 p.m.			0	0
IsDebuggerPresent July 7, 2021, 11:13 p.m.			0	0
IsDebuggerPresent July 7, 2021, 11:13 p.m.			0	0
IsDebuggerPresent July 7, 2021, 11:13 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 7, 2021, 11:12 p.m.		1	1	0

One or more processes crashed (15 events)

Time & API	Arguments	Status
__exception__ July 7, 2021, 11:12 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2670202 registers.esp: 37353860 registers.edi: 1 registers.eax: 6 registers.ebp: 1953289408 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ July 7, 2021, 11:12 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2670202 registers.esp: 36959464 registers.edi: 1 registers.eax: 6 registers.ebp: 1954993344 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ July 7, 2021, 11:13 p.m.	stacktrace: 0x27c1678 0x2674854 0x2674889 0x2670697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x7463af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x747013ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x7463afde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x7463b166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x7463b1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x745df36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7465dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7465e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x746a2ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x7490c556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x7490c600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x758433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77ba9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77ba9ea5 exception.instruction_r: 89 0c 0d 00 00 1c 02 81 3d 88 82 86 74 00 00 00 exception.instruction: mov dword ptr [ecx + 0x21c0000], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x27c1497 registers.esp: 375191048 registers.edi: 372476928 registers.eax: 375182784 registers.ebp: 375191064 registers.edx: 2130279412 registers.ebx: 0 registers.esi: 0 registers.ecx: 384	1
__exception__ July 7, 2021, 11:13 p.m.	stacktrace: 0x27bb8a8 0x26744e0 0x26744e0 0x26744e0 0x26744e0 0x26744e0 0x2674854 0x27c614c 0x26744e0 0x26744e0 0x26744e0 0x27be104 0x2674854 0x2674889 0x2670697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x7463af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x747013ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x7463afde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x7463b166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x7463b1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x745df36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7465dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7465e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x746a2ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x7490c556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x7490c600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x758433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77ba9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77ba9ea5 exception.instruction_r: 85 05 00 01 1b 02 8b c3 8b de 89 bc 24 c8 00 00 exception.instruction: test eax, dword ptr [0x21b0100] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x27a9c11 registers.esp: 376630240 registers.edi: 218979991 registers.eax: 3774873600 registers.ebp: 376630652 registers.edx: 3361518205 registers.ebx: 3128950784 registers.esi: 0 registers.ecx: 119	1
__exception__ July 7, 2021, 11:13 p.m.	stacktrace: 0x2674854 0x2674889 0x2670697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x7463af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x747013ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x7463afde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x7463b166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x7463b1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x745df36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7465dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7465e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x746a2ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x7490c556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x7490c600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x758433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77ba9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77ba9ea5 exception.instruction_r: 85 05 00 01 1b 02 8b c3 8b de 89 bc 24 c8 00 00 exception.instruction: test eax, dword ptr [0x21b0100] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x27a9c11 registers.esp: 376630000 registers.edi: 2256973643 registers.eax: 0 registers.ebp: 376632312 registers.edx: 1680759102 registers.ebx: 1325400064 registers.esi: 0 registers.ecx: 120	1
__exception__ July 7, 2021, 11:13 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2840202 registers.esp: 3732644 registers.edi: 1 registers.eax: 6 registers.ebp: 1953289408 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ July 7, 2021, 11:13 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2850202 registers.esp: 37877292 registers.edi: 1 registers.eax: 6 registers.ebp: 1952371904 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ July 7, 2021, 11:13 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76ad374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76d24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76acef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ac6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ac6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ac6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76ae5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b606b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76dfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76dfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76dfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76d18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76d18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x76d1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76dfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76dfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76dfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76d19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76d19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76e362fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76e36d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76e377c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76e3788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x76cda48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x76cd853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x76cda4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x76cecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x76ced87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x758433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77ba9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77ba9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7724b727 registers.esp: 46984740 registers.edi: 4053028 registers.eax: 46984740 registers.ebp: 46984820 registers.edx: 50 registers.ebx: 46985104 registers.esi: 2147746133 registers.ecx: 3826408	1
__exception__ July 7, 2021, 11:13 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76ad374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76dff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76ae414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x76ccfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76dfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76f6e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f472ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f3ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76f6c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f387f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76f38926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76f3d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76f6c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76f3d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76f3d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76f3d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76f3991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76f38d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f3a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f39b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f39aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x73636f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x73636e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x736327a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x73632652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7363253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x73632411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x736325ab wmic+0x39c80 @ 0x949c80 wmic+0x3b06a @ 0x94b06a wmic+0x3b1f8 @ 0x94b1f8 wmic+0x36fcd @ 0x946fcd wmic+0x3d6e9 @ 0x94d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x758433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77ba9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77ba9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7724b727 registers.esp: 2942720 registers.edi: 1993406992 registers.eax: 2942720 registers.ebp: 2942800 registers.edx: 1 registers.ebx: 3796068 registers.esi: 2147746133 registers.ecx: 3173213784	1
__exception__ July 7, 2021, 11:13 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76ad374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76d24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76acef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ac6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ac6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ac6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76ae5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b606b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76dfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76dfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76dfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76d18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76d18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x76d1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76dfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76dfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76dfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76d19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76d19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76e362fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76e36d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76e377c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76e3788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x76cda48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x76cd853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x76cda4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x76cecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x76ced87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x758433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77ba9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77ba9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7724b727 registers.esp: 9761120 registers.edi: 5560516 registers.eax: 9761120 registers.ebp: 9761200 registers.edx: 50 registers.ebx: 9761484 registers.esi: 2147746133 registers.ecx: 5333776	1
__exception__ July 7, 2021, 11:13 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76ad374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76dff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76ae414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x76ccfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76dfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76f6e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f472ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f3ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76f6c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f387f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76f38926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76f3d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76f6c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76f3d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76f3d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76f3d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76f3991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76f38d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f3a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f39b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f39aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x734f6f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x734f6e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x734f27a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x734f2652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x734f253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x734f2411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x734f25ab wmic+0x39c80 @ 0xc79c80 wmic+0x3b06a @ 0xc7b06a wmic+0x3b1f8 @ 0xc7b1f8 wmic+0x36fcd @ 0xc76fcd wmic+0x3d6e9 @ 0xc7d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x758433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77ba9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77ba9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7724b727 registers.esp: 2156368 registers.edi: 1993406992 registers.eax: 2156368 registers.ebp: 2156448 registers.edx: 1 registers.ebx: 5303436 registers.esi: 2147746133 registers.ecx: 3000743575	1
__exception__ July 7, 2021, 11:13 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76ad374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76d24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76acef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ac6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ac6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ac6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76ae5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b606b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76dfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76dfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76dfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76d18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76d18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x76d1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76dfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76dfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76dfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76d19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76d19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76e362fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76e36d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76e377c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76e3788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x76cda48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x76cd853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x76cda4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x76cecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x76ced87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x758433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77ba9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77ba9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7724b727 registers.esp: 39580840 registers.edi: 2283636 registers.eax: 39580840 registers.ebp: 39580920 registers.edx: 50 registers.ebx: 39581204 registers.esi: 2147746133 registers.ecx: 2056904	1
__exception__ July 7, 2021, 11:13 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76ad374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76dff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76ae414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x76ccfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76dfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76f6e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f472ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f3ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76f6c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f387f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76f38926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76f3d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76f6c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76f3d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76f3d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76f3d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76f3991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76f38d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f3a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f39b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f39aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x73636f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x73636e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x736327a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x73632652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7363253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x73632411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x736325ab wmic+0x39c80 @ 0xe69c80 wmic+0x3b06a @ 0xe6b06a wmic+0x3b1f8 @ 0xe6b1f8 wmic+0x36fcd @ 0xe66fcd wmic+0x3d6e9 @ 0xe6d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x758433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77ba9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77ba9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7724b727 registers.esp: 583776 registers.edi: 1993406992 registers.eax: 583776 registers.ebp: 583856 registers.edx: 1 registers.ebx: 2026564 registers.esi: 2147746133 registers.ecx: 3000112405	1
__exception__ July 7, 2021, 11:13 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76ad374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76d24387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76acef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ac6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ac6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ac6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76ae5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b606b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76dfd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76dfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76dfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76d18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76d18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x76d1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76dfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76dfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76dfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76d19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76d19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76e362fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76e36d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76e377c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76e3788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x76cda48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x76cd853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x76cda4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x76cecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x76ced87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x758433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77ba9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77ba9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7724b727 registers.esp: 39906820 registers.edi: 5298548 registers.eax: 39906820 registers.ebp: 39906900 registers.edx: 50 registers.ebx: 39907184 registers.esi: 2147746133 registers.ecx: 5071640	1
__exception__ July 7, 2021, 11:13 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76ad374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76dff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76ae414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x76ccfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76dfa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76f6e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f472ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f3ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76f6c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f387f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76f38926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76f3d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76f6c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76f3d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76f3d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76f3d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76f3991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76f38d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f3a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f39b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f39aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x734f6f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x734f6e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x734f27a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x734f2652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x734f253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x734f2411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x734f25ab wmic+0x39c80 @ 0x199c80 wmic+0x3b06a @ 0x19b06a wmic+0x3b1f8 @ 0x19b1f8 wmic+0x36fcd @ 0x196fcd wmic+0x3d6e9 @ 0x19d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x758433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77ba9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77ba9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7724b727 registers.esp: 780688 registers.edi: 1993406992 registers.eax: 780688 registers.ebp: 780768 registers.edx: 1 registers.ebx: 5041300 registers.esi: 2147746133 registers.ecx: 3000899348	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:1185578559&cup2hreq=210abae0c0bf4c085ef3a032bf41ca5b683c508249b56d231bc6b32b3afcc509

Performs some HTTP requests (4 events)

request	GET http://ip-api.com/json/
request	HEAD http://edgedl.me.gvt1.com/edgedl/release2/chrome/ANHii5UY3d-4EiotgE5WL8M_91.0.4472.124/91.0.4472.124_chrome_installer.exe
request	GET http://edgedl.me.gvt1.com/edgedl/release2/chrome/ANHii5UY3d-4EiotgE5WL8M_91.0.4472.124/91.0.4472.124_chrome_installer.exe
request	POST https://update.googleapis.com/service/update2?cup2key=10:1185578559&cup2hreq=210abae0c0bf4c085ef3a032bf41ca5b683c508249b56d231bc6b32b3afcc509

Sends data using the HTTP POST Method (1 event)

request

POST https://update.googleapis.com/service/update2?cup2key=10:1185578559&cup2hreq=210abae0c0bf4c085ef3a032bf41ca5b683c508249b56d231bc6b32b3afcc509

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

str-master.pw

description

Palau domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 132 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02708000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02718000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02728000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74762000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02708000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02718000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02728000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02738000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02748000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02750000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02758000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02768000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 1952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna3759689004139445972.dll
file	C:\Users\test22\bqqnjhotkk.js
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna3187857898507258642.dll

Creates a suspicious process (10 events)

cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt"
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
cmdline	wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
cmdline	cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna3187857898507258642.dll

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

Cyren	JS/Agent.AUY
Kaspersky	HEUR:Trojan.Java.Agent.gen
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm
McAfee-GW-Edition	BehavesLike.Downloader.cc
Avira	EXP/JAVA.Banload.MRAF.Gen
Cynet	Malicious (score: 99)

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 7, 2021, 11:12 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x16200000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 7, 2021, 11:12 p.m.	flags: 28 family: 0	1	0	0

Uses Windows utilities for basic Windows functionality (10 events)

cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt"
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
cmdline	wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
cmdline	cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT VolumeSerialNumber FROM win32_logicaldisk

Communicates with host for which no DNS query was performed (1 event)

host

46.183.221.118

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qktfimippt	reg_value	"C:\Users\test22\AppData\Roaming\qktfimippt.txt"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qktfimippt	reg_value	"C:\Users\test22\AppData\Roaming\qktfimippt.txt"
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qktfimippt.txt
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\qktfimippt.txt
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt"
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt"

Executes one or more WMI queries (4 events)

wmi	SELECT Caption, OSArchitecture FROM win32_operatingsystem
wmi	SELECT displayName FROM antivirusproduct
wmi	SELECT VolumeSerialNumber FROM win32_logicaldisk
wmi	SELECT Version FROM win32_operatingsystem

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\Documents\Outlook 파일\Outlook.pst

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe -jar "C:\Users\test22\AppData\Roaming\qktfimippt.txt"
parent_process	wscript.exe				martian_process	"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\qktfimippt.txt"

The processes wscript.exe, java.exe wrote an executable file to disk which it then attempted to execute (4 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna3187857898507258642.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna3759689004139445972.dll

InvoicePO-03092021.jar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All