Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 19, 2021, 10:31 a.m.	July 19, 2021, 10:57 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`291192d5184d78dc4f49972a092598d8`
SHA256	`a77affc8aade0e41bacc74406c6db70c087971dad3f5acb73eaa0531ecb0135f`
CRC32	`26DC836D`
ssdeep	`24576:xAHnh+eWsN3skA4RV1Hom2KXMmHa1ggWBKRtD5:Ih+ZkldoPK8Ya+gDV`
Yara	PE_Header_Zero - PE File Signature Device_Check_Zero - Device Check Zero OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) UPX_Zero - UPX packed file Process_Snapshot_Kill_Zero - Process Kill Zero FindFirstVolume_Zero - FindFirstVolume Zero CryptGenKey_Zero - CryptGenKey Zero

id27315002.php "C:\Users\test22\AppData\Local\Temp\id27315002.php"
2444
- 1323691892.exe C:\Users\test22\AppData\Local\Temp\1323691892.exe
  2708
  - 1323691892.exe C:\Users\test22\AppData\Local\Temp\1323691892.exe
    2876
- 1253121518.exe C:\Users\test22\AppData\Local\Temp\1253121518.exe
  2992
  - 1253121518.exe C:\Users\test22\AppData\Local\Temp\1253121518.exe
    2720
- iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2144
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2144 CREDAT:145409
    1880
- cmd.exe "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\id27315002.php & exit
  1308
  - PING.EXE ping 0
    2272

Name	Response	Post-Analysis Lookup
iplogger.com	A 88.99.66.31	88.99.66.31
densalenge.xyz	A 85.192.56.21	85.192.56.21
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.12.31
usa01.info	A 45.139.184.124	45.139.184.124
tstamore.info	A 45.139.184.124	45.139.184.124
www.binance.com	A 52.84.150.20 A 52.84.150.16 A 52.84.150.4 A 52.84.150.33 CNAME dobbmei4jnjlh.cloudfront.net	52.84.150.4

IP Address	Status	Action
104.21.21.221	Active	Moloch
104.21.78.28	Active	Moloch
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.172	Active	Moloch
45.139.184.124	Active	Moloch
52.84.150.20	Active	Moloch
85.192.56.21	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49163 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49164 -> 45.139.184.124:80	2030880	ET USER_AGENTS Suspicious User-Agent (Installed OK)	Potentially Bad Traffic
TCP 192.168.56.102:49164 -> 45.139.184.124:80	2030880	ET USER_AGENTS Suspicious User-Agent (Installed OK)	Potentially Bad Traffic
TCP 45.139.184.124:80 -> 192.168.56.102:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.139.184.124:80 -> 192.168.56.102:49164	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 45.139.184.124:80 -> 192.168.56.102:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.139.184.124:80 -> 192.168.56.102:49167	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49184 -> 52.84.150.20:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49187 -> 52.84.150.20:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49171 -> 172.67.75.172:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 52.84.150.20:443 -> 192.168.56.102:49189	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 52.84.150.20:443	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
TCP 192.168.56.102:49185 -> 52.84.150.20:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49188 -> 52.84.150.20:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49186 -> 52.84.150.20:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49199 -> 172.67.75.172:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.139.184.124:80 -> 192.168.56.102:49170	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 85.192.56.21:80 -> 192.168.56.102:49198	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49163 88.99.66.31:443	C=US, O=Let's Encrypt, CN=R3	CN=iplogger.com	b7:20:6e:d3:e1:a5:09:a7:c9:50:32:85:ae:77:62:e4:85:33:3e:58
TLSv1 192.168.56.102:49171 172.67.75.172:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e
TLSv1 192.168.56.102:49199 172.67.75.172:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e

Queries for the computername (23 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 19, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (9 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 19, 2021, 10:31 a.m.			0	0
IsDebuggerPresent July 19, 2021, 10:31 a.m.			0	0
IsDebuggerPresent July 19, 2021, 10:31 a.m.			0	0
IsDebuggerPresent July 19, 2021, 10:31 a.m.			0	0
IsDebuggerPresent July 19, 2021, 10:31 a.m.			0	0
IsDebuggerPresent July 19, 2021, 10:31 a.m.			0	0
IsDebuggerPresent July 19, 2021, 10:31 a.m.			0	0
IsDebuggerPresent July 19, 2021, 10:31 a.m.			0	0
IsDebuggerPresent July 19, 2021, 10:31 a.m.			0	0

Command line console output was observed (7 events)

Time & API	Arguments	Status	Return
WriteConsoleA July 19, 2021, 10:32 a.m.	buffer: Pinging 0.0.0.0 console_handle: 0x00000007	1	1
WriteConsoleA July 19, 2021, 10:32 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA July 19, 2021, 10:32 a.m.	buffer: PING: transmit failed. General failure. console_handle: 0x00000007	1	1
WriteConsoleA July 19, 2021, 10:32 a.m.	buffer: PING: transmit failed. General failure. console_handle: 0x00000007	1	1
WriteConsoleA July 19, 2021, 10:32 a.m.	buffer: PING: transmit failed. General failure. console_handle: 0x00000007	1	1
WriteConsoleA July 19, 2021, 10:32 a.m.	buffer: PING: transmit failed. General failure. console_handle: 0x00000007	1	1
WriteConsoleA July 19, 2021, 10:32 a.m.	buffer: Ping statistics for 0.0.0.0: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (18 events)

Time & API	Arguments	Status	Return
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a09e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a08e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a08e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049edd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049edd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ee50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053e678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053e678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053e4b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076ecb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076ebb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076ebb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0074f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0074f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0074f860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fa848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fa848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 19, 2021, 10:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fa688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 19, 2021, 10:31 a.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ July 19, 2021, 10:31 a.m.	stacktrace: 0xa9e8ea 0xa9e610 0xa912a2 0xa902b8 0xa90070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72782652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7279264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72792e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72847610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73d4f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73e47f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73e44de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa9e979 registers.esp: 3666240 registers.edi: 39427796 registers.eax: 0 registers.ebp: 3666264 registers.edx: 4677488 registers.ebx: 37494896 registers.esi: 39427976 registers.ecx: 0	1
__exception__ July 19, 2021, 10:32 a.m.	stacktrace: 0x50ac3a 0x50a960 0x5012a2 0x5002b8 0x500070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72272652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7228264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72282e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x723374ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72337610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x723c1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x723c1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x723c1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x723c416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7291f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73e47f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73e44de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x50acc9 registers.esp: 3928368 registers.edi: 38428516 registers.eax: 0 registers.ebp: 3928392 registers.edx: 7498136 registers.ebx: 37036140 registers.esi: 38428696 registers.ecx: 0	1
__exception__ July 19, 2021, 10:32 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7548374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75654387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x7547ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75476a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75476b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75476a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75495c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755106b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7572d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7572d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7572ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75648a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75648938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7564950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7572dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7572db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7572e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75649367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75649326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75dc62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75dc6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75dc77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x75dc788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7560a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7560853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7560a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7561cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7561d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x75b333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x75f4b727 registers.esp: 97120952 registers.edi: 5716164 registers.eax: 97120952 registers.ebp: 97121032 registers.edx: 147 registers.ebx: 97121316 registers.esi: 2147746133 registers.ecx: 86192240	1
__exception__ July 19, 2021, 10:32 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7548374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7572f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7549414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x755ffe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7572a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76cee99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76cc72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76cbab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x76cbea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76cb87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x76cbba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75dc62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75dc6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75dc77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75dc7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x76ce516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x76ce50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76cba0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76cb9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76cb9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x76ce530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x76ce57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72b9540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72b952ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72c70ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x777c7e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x777a54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x75b333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x75f4b727 registers.esp: 65001408 registers.edi: 1969486352 registers.eax: 65001408 registers.ebp: 65001488 registers.edx: 1 registers.ebx: 6295364 registers.esi: 2147746133 registers.ecx: 3758960589	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://tstamore.info/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://densalenge.xyz/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://api.ip.sb/geoip

Performs some HTTP requests (10 events)

request	GET http://usa01.info/users/content/id03084901/mmow.txt
request	GET http://usa01.info/function/v2tmp/momomoomomom.php
request	GET http://usa01.info/books/userpaths/birbik/harrypotter2.txt
request	GET http://usa01.info/app/files/ap/id27315002.php
request	POST http://tstamore.info/
request	POST http://densalenge.xyz/
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://iplogger.com/1Fs397
request	GET https://iplogger.com/1Fd397
request	GET https://api.ip.sb/geoip

Sends data using the HTTP POST Method (2 events)

request	POST http://tstamore.info/
request	POST http://densalenge.xyz/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 274 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743f2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02230000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00821000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00822000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00823000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00824000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00825000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00826000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00827000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0082a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0082b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0082e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0082f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2876 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72781000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72782000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2876 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2144 crashed
__exception__ July 19, 2021, 10:32 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7548374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75654387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x7547ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75476a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75476b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75476a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75495c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755106b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7572d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7572d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7572ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75648a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75648938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7564950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7572dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7572db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7572e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75649367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75649326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75dc62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75dc6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75dc77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x75dc788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7560a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7560853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7560a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7561cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7561d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x75b333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x75f4b727 registers.esp: 97120952 registers.edi: 5716164 registers.eax: 97120952 registers.ebp: 97121032 registers.edx: 147 registers.ebx: 97121316 registers.esi: 2147746133 registers.ecx: 86192240	1	0	0
__exception__ July 19, 2021, 10:32 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7548374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7572f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7549414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x755ffe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7572a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76cee99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76cc72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76cbab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x76cbea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76cb87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x76cbba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75dc62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75dc6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75dc77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75dc7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x76ce516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x76ce50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76cba0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76cb9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76cb9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x76ce530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x76ce57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72b9540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72b952ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72c70ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x777c7e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x777a54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x75b333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x75f4b727 registers.esp: 65001408 registers.edi: 1969486352 registers.eax: 65001408 registers.ebp: 65001488 registers.edx: 1 registers.ebx: 6295364 registers.esi: 2147746133 registers.ecx: 3758960589	1	0	0

Application Crash

Process iexplore.exe with pid 2144 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

July 19, 2021, 10:32 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7548374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75654387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x7547ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75476a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75476b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75476a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75495c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755106b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7572d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7572d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7572ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75648a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75648938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7564950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7572dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7572db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7572e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75649367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75649326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75dc62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75dc6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75dc77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x75dc788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7560a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7560853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7560a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7561cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7561d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x75b333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x75f4b727
registers.esp: 97120952
registers.edi: 5716164
registers.eax: 97120952
registers.ebp: 97121032
registers.edx: 147
registers.ebx: 97121316
registers.esi: 2147746133
registers.ecx: 86192240

__exception__

July 19, 2021, 10:32 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7548374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7572f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7549414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x755ffe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7572a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76cee99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76cc72ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76cbab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x76cbea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76cb87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x76cbba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75dc62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75dc6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x75dc77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75dc7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x76ce516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x76ce50ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76cba0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76cb9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76cb9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x76ce530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x76ce57a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72b9540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72b952ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72c70ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x777c7e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x777a54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x75b333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x75f4b727
registers.esp: 65001408
registers.edi: 1969486352
registers.eax: 65001408
registers.ebp: 65001488
registers.edx: 1
registers.ebx: 6295364
registers.esi: 2147746133
registers.ecx: 3758960589

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\1323691892.exe
file	C:\Users\test22\AppData\Local\Temp\1253121518.exe

Creates a suspicious process (2 events)

cmdline	"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\id27315002.php & exit
cmdline	C:\Windows\System32\cmd.exe /k ping 0 & del C:\Users\test22\AppData\Local\Temp\id27315002.php & exit

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\id27315002.php
file	C:\Users\test22\AppData\Local\Temp\1253121518.exe
file	C:\Users\test22\AppData\Local\Temp\1323691892.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 19, 2021, 10:31 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /k ping 0 & del C:\Users\test22\AppData\Local\Temp\id27315002.php & exit filepath: C:\Windows\System32\cmd.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 19, 2021, 10:32 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x04b80000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 19, 2021, 10:31 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process id27315002.php (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile July 19, 2021, 10:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELµô`àn¬2 @ ò@èJ º¨À,` H.text8m n `.rsrcº¨ ªp@@.reloc`@BH h.+{d +÷.+{e +÷V(f }d }e 0+Ou+N+R+V.:-2+U,.,ö+Q+V{d +R{d +N,(g {e {e oh ,È,½%,Û8«ÿÿÿ 8¬ÿÿÿ8¨ÿÿÿ8¤ÿÿÿ+¨(i +¨+§+«oj +«0X g;øÎ%,%, )UU¥Z+#+({d +$X )UU¥Z+"+'{e +#X-ñ-Ð(i +Ö+Õok +Õ(g +×+Öol +Ö0vrp%+S{d +O%q-&+þo ¢%+/{e ++%q-&+þo ¢+ +ª +®+Î+Ò( +ì~*.+ request_handle: 0x00cc000c	1	1	0
InternetReadFile July 19, 2021, 10:31 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL]Îpà0¼¬ÞÚ à@ ÀS@ÚKàp¨jà, H.textäº ¼ `.rsrcp¨àª¾@@.reloc h@BÀÚHÍô\|V :+(::{ :+(iHuF{ +(ÛP(Ì( } } 0¯+(ÚJ@8KþEG8B;8( { { o *9õÿÿÿ8'u8¾ÿÿÿ8Þÿÿÿ ( 9ÿÿÿ&8ÿÿÿ( { { o :ÿÿÿ ( :gÿÿÿ&8]ÿÿÿî+(¤o0 g;øÎ )UU¥Z( { o X )UU¥Z( { o X0\|+(Å´jC (`%{ %q:&8þo ¢%{ %q:&8 request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00043000', u'virtual_address': u'0x000c8000', u'entropy': 7.654397434338228, u'name': u'.rsrc', u'virtual_size': u'0x00042f87'}

entropy

7.65439743434

description

A section with a high entropy has been found

entropy

0.248954946586

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 19, 2021, 10:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 19, 2021, 10:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 19, 2021, 10:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 19, 2021, 10:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (35 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Virtual currency	rule	Virtual_currency_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Virtual currency	rule	Virtual_currency_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 90 events)

Time & API	Arguments	Status
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000230 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: 7-Zip base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: AddressBook base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: Adobe AIR base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: Connection Manager base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: EditPlus base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: Fontcore base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: Google Chrome base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: IE40 base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: IE4Data base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: IEData base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: Office14.PROPLUS base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: WIC base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {90140000-00BA-0412-0000-0000000FF1CE} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {AC76BA86-7AD7-1033-7B44-A90000000001} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1
RegOpenKeyExW July 19, 2021, 10:31 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000230 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1
RegOpenKeyExW July 19, 2021, 10:32 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000023c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW July 19, 2021, 10:32 a.m.	regkey_r: 7-Zip base_handle: 0x0000023c key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW July 19, 2021, 10:32 a.m.	regkey_r: AddressBook base_handle: 0x0000023c key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW July 19, 2021, 10:32 a.m.	regkey_r: Adobe AIR base_handle: 0x0000023c key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW July 19, 2021, 10:32 a.m.	regkey_r: Connection Manager base_handle: 0x0000023c key_handle: 0x0000039c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess July 19, 2021, 10:31 a.m.	status_code: 0x00000000 process_identifier: 2660 process_handle: 0x00000220
NtTerminateProcess July 19, 2021, 10:31 a.m.	status_code: 0x00000000 process_identifier: 2660 process_handle: 0x00000220	1
NtTerminateProcess July 19, 2021, 10:31 a.m.	status_code: 0x00000000 process_identifier: 2460 process_handle: 0x00000260
NtTerminateProcess July 19, 2021, 10:31 a.m.	status_code: 0x00000000 process_identifier: 2460 process_handle: 0x00000260	1

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\id27315002.php & exit
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2144 CREDAT:145409
cmdline	ping 0
cmdline	C:\Windows\System32\cmd.exe /k ping 0 & del C:\Users\test22\AppData\Local\Temp\id27315002.php & exit
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 2857184fa2be72b874e6d9ace58959388f6e266c
buffer	Buffer with sha1: bc918e8515d422c042b910fd1c02ea0062625a73

Communicates with host for which no DNS query was performed (3 events)

host	104.21.21.221
host	104.21.78.28
host	117.18.232.200

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2876 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2660 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220		3221225496
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2460 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260		3221225496
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2720 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264	1	0

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Manipulates memory of a non-child process indicative of process injection (6 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2992 manipulating memory of non-child process 2660
Process injection	Process 2992 manipulating memory of non-child process 2460
NtUnmapViewOfSection July 19, 2021, 10:31 a.m.	base_address: 0x00400000 region_size: 184320 process_identifier: 2660 process_handle: 0x00000220	3221225497	0
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2660 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	3221225496	0
NtUnmapViewOfSection July 19, 2021, 10:31 a.m.	base_address: 0x00400000 region_size: 380928 process_identifier: 2460 process_handle: 0x00000260	3221225497	0
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2460 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260	3221225496	0

Collects information about installed applications (50 out of 64 events)

Time & API	Arguments	Status
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Reader 9 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:31 a.m.	key_handle: 0x0000023c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 19, 2021, 10:32 a.m.	key_handle: 0x0000039c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName	1

Network activity contains more than one unique useragent (4 events)

process	id27315002.php	useragent	Installed OK 5.0/2
process	id27315002.php	useragent	Installed OK 1.0/3
process	id27315002.php	useragent	Mozilla/5.0 (compatible; adscanner/)
process	iexplore.exe	useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2708 called NtSetContextThread to modify thread in remote process 2876
Process injection	Process 2992 called NtSetContextThread to modify thread in remote process 2720
NtSetContextThread July 19, 2021, 10:31 a.m.	registers.eip: 2004287940 registers.esp: 3669504 registers.edi: 0 registers.eax: 4292130 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000021c process_identifier: 2876	1	0	0
NtSetContextThread July 19, 2021, 10:31 a.m.	registers.eip: 2004287940 registers.esp: 3931636 registers.edi: 0 registers.eax: 4292130 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000268 process_identifier: 2720	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2444 resumed a thread in remote process 1308
Process injection	Process 2708 resumed a thread in remote process 2876
Process injection	Process 2992 resumed a thread in remote process 2720
Process injection	Process 2144 resumed a thread in remote process 1880
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x00000514 suspend_count: 1 process_identifier: 1308	1	0	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2876	1	0	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 2720	1	0	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 1880	1	0	0

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Bkav	W32.AIDetect.malware2
Lionic	Hacktool.Win32.Gamehack.3!e
Elastic	malicious (high confidence)
FireEye	Generic.mg.291192d5184d78dc
McAfee	Artemis!291192D5184D
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanDownloader:Win32/Injector.a6e76bb3
CrowdStrike	win/malicious_confidence_100% (W)
ESET-NOD32	a variant of Win32/Injector.Autoit.DXO
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Autoit-9849407-0
Kaspersky	UDS:Trojan.Script.Generic
Avast	FileRepMetagen [Malware]
McAfee-GW-Edition	BehavesLike.Win32.TrojanAitInject.tc
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 100)
Malwarebytes	Malware.AI.4281772108
TrendMicro-HouseCall	TROJ_GEN.R002H0DGI21
AVG	FileRepMetagen [Malware]
Qihoo-360	HEUR/QVM10.1.AB77.Malware.Gen

Executed a process and injected code into it, probably while unpacking (50 out of 66 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2544 thread_handle: 0x000002a4 process_identifier: 2540 current_directory: filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\WININET.dll",DispatchAPICall 1 filepath_r: C:\Windows\system32\rundll32.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000002a8	1	1
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2636 thread_handle: 0x00000518 process_identifier: 2632 current_directory: filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\WININET.dll",DispatchAPICall 1 filepath_r: C:\Windows\system32\rundll32.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000051c	1	1
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2672 thread_handle: 0x00000510 process_identifier: 2668 current_directory: filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\WININET.dll",DispatchAPICall 1 filepath_r: C:\Windows\system32\rundll32.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000514	1	1
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2712 thread_handle: 0x0000051c process_identifier: 2708 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1323691892.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000518	1	1
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2944 thread_handle: 0x00000520 process_identifier: 2940 current_directory: filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\WININET.dll",DispatchAPICall 1 filepath_r: C:\Windows\system32\rundll32.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000524	1	1
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2996 thread_handle: 0x00000520 process_identifier: 2992 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1253121518.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000510	1	1
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2148 thread_handle: 0x0000057c process_identifier: 2144 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000594	1	1
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 1212 thread_handle: 0x00000514 process_identifier: 1308 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\test22\AppData\Local\Temp\id27315002.php & exit filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f8	1	1
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x00000514 suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2708	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2708	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2708	1	0
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2880 thread_handle: 0x0000021c process_identifier: 2876 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1323691892.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000220	1	1
NtUnmapViewOfSection July 19, 2021, 10:31 a.m.	base_address: 0x00400000 region_size: 7340032 process_identifier: 2876 process_handle: 0x00000220		3221225497
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2876 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0
NtGetContextThread July 19, 2021, 10:31 a.m.	thread_handle: 0x0000021c	1	0
NtSetContextThread July 19, 2021, 10:31 a.m.	registers.eip: 2004287940 registers.esp: 3669504 registers.edi: 0 registers.eax: 4292130 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000021c process_identifier: 2876	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000001b8 suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x0000060c suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x00000634 suspend_count: 1 process_identifier: 2876	1	0
NtGetContextThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2876	1	0
NtGetContextThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2992	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2992	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 2992	1	0
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2664 thread_handle: 0x0000021c process_identifier: 2660 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1253121518.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000220	1	1
NtUnmapViewOfSection July 19, 2021, 10:31 a.m.	base_address: 0x00400000 region_size: 184320 process_identifier: 2660 process_handle: 0x00000220		3221225497
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2660 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220		3221225496
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2464 thread_handle: 0x00000254 process_identifier: 2460 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1253121518.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000260	1	1
NtUnmapViewOfSection July 19, 2021, 10:31 a.m.	base_address: 0x00400000 region_size: 380928 process_identifier: 2460 process_handle: 0x00000260		3221225497
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2460 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260		3221225496
CreateProcessInternalW July 19, 2021, 10:31 a.m.	thread_identifier: 2740 thread_handle: 0x00000268 process_identifier: 2720 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1253121518.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000264	1	1
NtUnmapViewOfSection July 19, 2021, 10:31 a.m.	base_address: 0x00400000 region_size: 9371648 process_identifier: 2720 process_handle: 0x00000264		3221225497
NtAllocateVirtualMemory July 19, 2021, 10:31 a.m.	process_identifier: 2720 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000264	1	0
NtGetContextThread July 19, 2021, 10:31 a.m.	thread_handle: 0x00000268	1	0
NtSetContextThread July 19, 2021, 10:31 a.m.	registers.eip: 2004287940 registers.esp: 3931636 registers.edi: 0 registers.eax: 4292130 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000268 process_identifier: 2720	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread July 19, 2021, 10:31 a.m.	thread_handle: 0x000001e0 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread July 19, 2021, 10:32 a.m.	thread_handle: 0x00000358 suspend_count: 1 process_identifier: 2720	1	0
NtResumeThread July 19, 2021, 10:32 a.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 2720	1	0

id27315002.php

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All