Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 12, 2021, 9:59 a.m.	July 12, 2021, 10:01 a.m.

Size	54.8KB
Type	data
MD5	`97034187ab9def80518c895abf06350f`
SHA256	`eff3f7c752702b25a6524efeea81e3d2f4f8c383d4ce17b7a2c3fc815038f811`
CRC32	`721B0C1D`
ssdeep	`1536:TQcmTiHJueHDG+adBig97teP1WkmCyL3LE2Vk87BcYoEcwDVBiE3hHN/B+GXxDlC:XmTgu3+8c`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\index.php.html
2488
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2488 CREDAT:145409
  2600

Name	Response	Post-Analysis Lookup
tootirrruahapowsadassa.com	A 172.67.218.104 A 104.21.94.22	104.21.94.22
login.live.com	A 40.126.52.149 A 40.126.52.0 A 40.126.52.148 A 40.126.52.1 A 40.126.52.150 A 40.126.52.146 A 40.126.52.3 CNAME www.tm.a.prd.aadg.trafficmanager.net CNAME login.msa.msidentity.com CNAME www.tm.lg.prod.aadmsa.trafficmanager.net CNAME prda.aadg.msidentity.com CNAME krc.next.a.prd.aadg.trafficmanager.net A 40.126.16.160	20.190.166.130
www2.bing.com	CNAME www2-bing-com.dual-a-0001.a-msedge.net CNAME dual-a-0001.a-msedge.net A 204.79.197.200 A 13.107.21.200	13.107.21.200
login.microsoftonline.com	CNAME a.privatelink.msidentity.com CNAME sin.next.a.prd.aadg.trafficmanager.net A 20.190.163.21 A 40.126.35.129 A 40.126.35.80 CNAME www.tm.a.prd.aadg.trafficmanager.net A 20.190.163.19 A 40.126.35.64 A 40.126.35.86 CNAME prda.aadg.msidentity.com A 40.126.35.87 A 40.126.35.128	20.190.141.39

IP Address	Status	Action
104.21.94.22	Active	Moloch
117.18.232.200	Active	Moloch
13.107.21.200	Active	Moloch
164.124.101.2	Active	Moloch
40.126.35.87	Active	Moloch
40.126.52.1	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 12, 2021, 9:59 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdd4a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefe3f73c3 CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7fefe3462ba RpcAsyncAbortCall+0x1a1 RpcAsyncInitializeHandle-0x16f rpcrt4+0xdfd61 @ 0x7fefe4bfd61 CoGetInstanceFromFile+0x3c7f HACCEL_UserFree-0x8151 ole32+0x16f82f @ 0x7fefe33f82f DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7fefe1fd8a2 IERegisterXMLNS+0xa434 mshtml+0x773424 @ 0x72b13424 IERegisterXMLNS+0xa919 mshtml+0x773909 @ 0x72b13909 IERegisterXMLNS+0xa502 mshtml+0x7734f2 @ 0x72b134f2 IERegisterXMLNS+0xa919 mshtml+0x773909 @ 0x72b13909 IERegisterXMLNS+0xa838 mshtml+0x773828 @ 0x72b13828 IERegisterXMLNS+0x77f7 mshtml+0x7707e7 @ 0x72b107e7 CTravelLog_CreateInstance+0xe9983 DllCanUnloadNow-0x18b71 mshtml+0x3e0e2f @ 0x72780e2f IERegisterXMLNS+0x75dd mshtml+0x7705cd @ 0x72b105cd CTravelLog_CreateInstance+0xe7f59 DllCanUnloadNow-0x1a59b mshtml+0x3df405 @ 0x7277f405 DllRegisterServer+0x14d67 CreateExtensionGuidEnumerator-0x3b671 ieframe+0x18c57 @ 0x7fef45c8c57 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x770b652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x775ac521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80004002 exception.offset: 42141 exception.address: 0x7fefdd4a49d registers.r14: 0 registers.r15: 0 registers.rcx: 152627136 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 152633072 registers.r11: 152628896 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 2121507693 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 12, 2021, 9:59 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdd4a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefe3f73c3
CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7fefe3462ba
RpcAsyncAbortCall+0x1a1 RpcAsyncInitializeHandle-0x16f rpcrt4+0xdfd61 @ 0x7fefe4bfd61
CoGetInstanceFromFile+0x3c7f HACCEL_UserFree-0x8151 ole32+0x16f82f @ 0x7fefe33f82f
DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7fefe1fd8a2
IERegisterXMLNS+0xa434 mshtml+0x773424 @ 0x72b13424
IERegisterXMLNS+0xa919 mshtml+0x773909 @ 0x72b13909
IERegisterXMLNS+0xa502 mshtml+0x7734f2 @ 0x72b134f2
IERegisterXMLNS+0xa919 mshtml+0x773909 @ 0x72b13909
IERegisterXMLNS+0xa838 mshtml+0x773828 @ 0x72b13828
IERegisterXMLNS+0x77f7 mshtml+0x7707e7 @ 0x72b107e7
CTravelLog_CreateInstance+0xe9983 DllCanUnloadNow-0x18b71 mshtml+0x3e0e2f @ 0x72780e2f
IERegisterXMLNS+0x75dd mshtml+0x7705cd @ 0x72b105cd
CTravelLog_CreateInstance+0xe7f59 DllCanUnloadNow-0x1a59b mshtml+0x3df405 @ 0x7277f405
DllRegisterServer+0x14d67 CreateExtensionGuidEnumerator-0x3b671 ieframe+0x18c57 @ 0x7fef45c8c57
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x770b652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x775ac521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80004002
exception.offset: 42141
exception.address: 0x7fefdd4a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 152627136
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 152633072
registers.r11: 152628896
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2121507693
registers.r13: 0

Performs some HTTP requests (34 events)

request	GET https://tootirrruahapowsadassa.com/
request	GET https://www.bing.com/
request	GET https://www.bing.com/rp/hceflue5sqxkKta9dP3R-IFtPuY.gz.js
request	GET https://www.bing.com/rp/a282eRIAnHsW_URoyogdzsukm_o.gz.js
request	GET https://www.bing.com/rp/MDr1f9aJs4rBVf1F5DAtlALvweY.gz.js
request	GET https://www.bing.com/rp/svI82uPNFRD54V4bMLaeahXQXBI.gz.js
request	GET https://www.bing.com/th?id=OHR.SpiralAloe_ROW5735249957_1920x1080.jpg&rf=LaDigue_1920x1080.jpg&pid=hp
request	GET https://www.bing.com/rp/B0oC6BX98v6fWz1fuvaeRm9bOak.png
request	GET https://www.bing.com/sa/simg/favicon-2x.ico
request	GET https://www.bing.com/fd/ls/l?IG=486BFDD4AF874628A32A3B534D18D4CE&CID=20C39707454C63423352877544EE62C3&Type=Event.CPT&DATA={"pp":{"S":"L","FC":-1,"BC":-1,"SE":-1,"TC":-1,"H":1202,"BP":1381,"CT":1489,"IL":1},"ad":[-1,-1,1365,899,1365,899,5]}&P=SERP&DA=HKGE01
request	POST https://www.bing.com/fd/ls/lsp.aspx?
request	GET https://www.bing.com/rp/eXdbF2NtD4gTGo0NW7kvRe0M6uc.gz.js
request	GET https://www.bing.com/rp/2ajnlX1juJQ_Nu80sW46BDUL1-A.gz.js
request	GET https://www.bing.com/rp/swyt_VnIjJDWZW5KEq7a8l_1AEw.gz.js
request	GET https://www.bing.com/rp/Dta1_Or8JEDr20O5LJEJy7sv1z0.gz.js
request	GET https://www.bing.com/rp/P3LN8DHh0udC9Pbh8UHnw5FJ8R8.gz.js
request	GET https://www.bing.com/rp/T_fuRJ5ONhzzZUcXzufvynXGXyQ.gz.js
request	GET https://www.bing.com/rp/MstqcgNaYngCBavkktAoSE0--po.gz.js
request	GET https://www.bing.com/rp/eaMqCdNxIXjLc0ATep7tsFkfmSA.gz.js
request	GET https://www.bing.com/rp/RXZtj0lYpFm5XDPMpuGSsNG8i9I.gz.js
request	GET https://www.bing.com/rp/FvkosEDIbuCPhD1mwLAN-LJ7Coc.gz.js
request	GET https://www.bing.com/rp/Xp-HPHGHOZznHBwdn7OWdva404Y.gz.js
request	GET https://www.bing.com/rp/6sxhavkE4_SZHA_K4rwWmg67vF0.gz.js
request	GET https://www.bing.com/rp/ozS3T0fsBUPZy4zlY0UX_e0TUwY.gz.js
request	GET https://www.bing.com/rp/_ofc7e4WqqkT9lPqQJykFP4vxq4.gz.js
request	GET https://www.bing.com/rp/pCNhfy2VQinsKZ9KIqxtGogwDv0.gz.js
request	GET https://www.bing.com/ipv6test/test?FORM=MONITR
request	GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token+code&nonce=f09033d5-93f0-414a-9651-e3f5d8fdc8b4&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fconditional&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%22486BFDD4AF874628A32A3B534D18D4CE%22%7d
request	GET https://www2.bing.com/ipv6test/test
request	GET https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1626051576&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=1042&id=264960&checkda=1
request	POST https://www.bing.com/fd/ls/lsp.aspx
request	POST https://www.bing.com/orgid/idtoken/conditional
request	GET https://www.bing.com/secure/Passport.aspx?popup=1&ssl=1
request	GET https://www.bing.com/fd/ls/l?IG=486BFDD4AF874628A32A3B534D18D4CE&CID=20C39707454C63423352877544EE62C3&TYPE=Event.ClientInst&DATA=%5B%7B%22T%22%3A%22CI.Init%22%2C%22TS%22%3A1626051571052%2C%22Name%22%3A%22Base%22%2C%22FID%22%3A%22CI%22%7D%2C%7B%22width%22%3A%221365%22%2C%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1626051571052%2C%22Name%22%3A%22W%22%2C%22FID%22%3A%22BRW%22%7D%2C%7B%22height%22%3A%22899%22%2C%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1626051571052%2C%22Name%22%3A%22M%22%2C%22FID%22%3A%22BRH%22%7D%2C%7B%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1626051571052%2C%22Name%22%3A%221%22%2C%22FID%22%3A%22Mutation%22%7D%2C%7B%22T%22%3A%22CI.Info%22%2C%22TS%22%3A1626051571052%2C%22Name%22%3A%224%22%2C%22FID%22%3A%22DM%22%7D%2C%7B%22RTT%22%3A%221626051567465%22%2C%22T%22%3A%22CI.Init%22%2C%22TS%22%3A1626051571384%2C%22Name%22%3A%22ClientPerf%22%2C%22FID%22%3A%22HP%22%7D%2C%7B%22w%22%3A%221365%22%2C%22h%22%3A%221024%22%2C%22dpr%22%3A%220%22%2C%22T%22%3A%22CI.Init%22%2C%22TS%22%3A1626051571387%2C%22Name%22%3A%22ClientScreen%22%2C%22FID%22%3A%22HP%22%7D%2C%7B%22Time%22%3A3963%2C%22T%22%3A%22CI.Latency%22%2C%22TS%22%3A1626051571428%2C%22Name%22%3A%22sBoxTime%22%2C%22FID%22%3A%22HP%22%7D%2C%7B%22T%22%3A%22CI.ClientInst%22%2C%22TS%22%3A1626051571665%2C%22Name%22%3A%22OrgId%22%2C%22FID%22%3A%22NoSignInAttempt%22%7D%5D

Sends data using the HTTP POST Method (3 events)

request	POST https://www.bing.com/fd/ls/lsp.aspx?
request	POST https://www.bing.com/fd/ls/lsp.aspx
request	POST https://www.bing.com/orgid/idtoken/conditional

Allocates read-write-execute memory (usually to unpack itself) (50 out of 53 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 region_size: 9506816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002370000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007749d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc4f5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc4f5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdfd4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe811000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007748a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa2c7000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 region_size: 11472896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003170000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007749d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000774c2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc4f5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc4f5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdfd4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe811000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007748a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007748f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007748d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007748b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770b6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077490000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007748a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007759f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775ab000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe327000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdf74000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdf71000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdf76000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2600 crashed
__exception__ July 12, 2021, 9:59 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdd4a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefe3f73c3 CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7fefe3462ba RpcAsyncAbortCall+0x1a1 RpcAsyncInitializeHandle-0x16f rpcrt4+0xdfd61 @ 0x7fefe4bfd61 CoGetInstanceFromFile+0x3c7f HACCEL_UserFree-0x8151 ole32+0x16f82f @ 0x7fefe33f82f DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7fefe1fd8a2 IERegisterXMLNS+0xa434 mshtml+0x773424 @ 0x72b13424 IERegisterXMLNS+0xa919 mshtml+0x773909 @ 0x72b13909 IERegisterXMLNS+0xa502 mshtml+0x7734f2 @ 0x72b134f2 IERegisterXMLNS+0xa919 mshtml+0x773909 @ 0x72b13909 IERegisterXMLNS+0xa838 mshtml+0x773828 @ 0x72b13828 IERegisterXMLNS+0x77f7 mshtml+0x7707e7 @ 0x72b107e7 CTravelLog_CreateInstance+0xe9983 DllCanUnloadNow-0x18b71 mshtml+0x3e0e2f @ 0x72780e2f IERegisterXMLNS+0x75dd mshtml+0x7705cd @ 0x72b105cd CTravelLog_CreateInstance+0xe7f59 DllCanUnloadNow-0x1a59b mshtml+0x3df405 @ 0x7277f405 DllRegisterServer+0x14d67 CreateExtensionGuidEnumerator-0x3b671 ieframe+0x18c57 @ 0x7fef45c8c57 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x770b652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x775ac521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80004002 exception.offset: 42141 exception.address: 0x7fefdd4a49d registers.r14: 0 registers.r15: 0 registers.rcx: 152627136 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 152633072 registers.r11: 152628896 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 2121507693 registers.r13: 0	1	0	0

Application Crash

Process iexplore.exe with pid 2600 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

July 12, 2021, 9:59 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdd4a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefe3f73c3
CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7fefe3462ba
RpcAsyncAbortCall+0x1a1 RpcAsyncInitializeHandle-0x16f rpcrt4+0xdfd61 @ 0x7fefe4bfd61
CoGetInstanceFromFile+0x3c7f HACCEL_UserFree-0x8151 ole32+0x16f82f @ 0x7fefe33f82f
DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7fefe1fd8a2
IERegisterXMLNS+0xa434 mshtml+0x773424 @ 0x72b13424
IERegisterXMLNS+0xa919 mshtml+0x773909 @ 0x72b13909
IERegisterXMLNS+0xa502 mshtml+0x7734f2 @ 0x72b134f2
IERegisterXMLNS+0xa919 mshtml+0x773909 @ 0x72b13909
IERegisterXMLNS+0xa838 mshtml+0x773828 @ 0x72b13828
IERegisterXMLNS+0x77f7 mshtml+0x7707e7 @ 0x72b107e7
CTravelLog_CreateInstance+0xe9983 DllCanUnloadNow-0x18b71 mshtml+0x3e0e2f @ 0x72780e2f
IERegisterXMLNS+0x75dd mshtml+0x7705cd @ 0x72b105cd
CTravelLog_CreateInstance+0xe7f59 DllCanUnloadNow-0x1a59b mshtml+0x3df405 @ 0x7277f405
DllRegisterServer+0x14d67 CreateExtensionGuidEnumerator-0x3b671 ieframe+0x18c57 @ 0x7fef45c8c57
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x770b652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x775ac521

Creates executable files on the filesystem (19 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\svI82uPNFRD54V4bMLaeahXQXBI.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\ozS3T0fsBUPZy4zlY0UX_e0TUwY.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\6sxhavkE4_SZHA_K4rwWmg67vF0.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\_ofc7e4WqqkT9lPqQJykFP4vxq4.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\Xp-HPHGHOZznHBwdn7OWdva404Y.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\2ajnlX1juJQ_Nu80sW46BDUL1-A.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\RXZtj0lYpFm5XDPMpuGSsNG8i9I.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\FvkosEDIbuCPhD1mwLAN-LJ7Coc.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\eXdbF2NtD4gTGo0NW7kvRe0M6uc.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\a282eRIAnHsW_URoyogdzsukm_o.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\eaMqCdNxIXjLc0ATep7tsFkfmSA.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\MDr1f9aJs4rBVf1F5DAtlALvweY.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\T_fuRJ5ONhzzZUcXzufvynXGXyQ.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\pCNhfy2VQinsKZ9KIqxtGogwDv0.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\swyt_VnIjJDWZW5KEq7a8l_1AEw.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\Dta1_Or8JEDr20O5LJEJy7sv1z0.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\MstqcgNaYngCBavkktAoSE0--po.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\hceflue5sqxkKta9dP3R-IFtPuY.gz[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\P3LN8DHh0udC9Pbh8UHnw5FJ8R8.gz[1].js

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 12, 2021, 9:59 a.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff80000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2488 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2488 resumed a thread in remote process 2600
NtResumeThread July 12, 2021, 9:59 a.m.	thread_handle: 0x0000000000000368 suspend_count: 1 process_identifier: 2600	1	0	0

index.php.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All