Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 16, 2021, 9:41 a.m.	Sept. 16, 2021, 9:44 a.m.

Size	102.0KB
Type	Zip archive data, at least v2.0 to extract
MD5	`5655fa13d9f8c7758b78b1998836f17e`
SHA256	`c93f93c2da77f0d61ca43fa8cb6d71fd44c574b186f8108b87ca6ab23f8a2af7`
CRC32	`C7D86053`
ssdeep	`3072:XC0oDwmAKmAJaGKZdSYY9bMdszDE9S2Ws:sD0KTBKjSd9iszw9VWs`
Yara	None matched

java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\AppData\Local\Temp\RQF _1000281534.jar"
2140
- java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Program Files (x86)\Java\jre1.8.0_131\RQF _1000281534.jar"
  2324
  - java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\RQF _1000281534.jar"
    2240
    - cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\RQF _1000281534.jar"
      2912
      - schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\RQF _1000281534.jar"
        2508
    - java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\AppData\Roaming\RQF _1000281534.jar"
      1820
      - cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        672
        
        WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        1136
      - cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        2848
        
        WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        2860
      - cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        2756
        
        WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        2268
      - cmd.exe cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
        2820
        
        WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
        2420

Name	Response	Post-Analysis Lookup
github-releases.githubusercontent.com	A 185.199.108.154 A 185.199.111.154 A 185.199.109.154 A 185.199.110.154	185.199.108.154
repo1.maven.org	A 151.101.196.209 CNAME sonatype.map.fastly.net	199.232.196.209
github.com	A 15.164.81.167	52.78.231.108
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
103.156.90.52	Active	Moloch
15.164.81.167	Active	Moloch
151.101.196.209	Active	Moloch
164.124.101.2	Active	Moloch
185.199.108.154	Active	Moloch
208.95.112.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 151.101.196.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49165 -> 15.164.81.167:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49168 -> 151.101.196.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49167 -> 151.101.196.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49170 -> 185.199.108.154:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49192 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49183 -> 103.156.90.52:4292	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49166 151.101.196.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021	CN=repo1.maven.org	e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0
TLS 1.2 192.168.56.102:49165 15.164.81.167:443	C=US, O=DigiCert, Inc., CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	84:63:b3:a9:29:12:cc:fd:1d:31:47:05:98:9b:ec:13:99:37:d0:d7
TLS 1.2 192.168.56.102:49168 151.101.196.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021	CN=repo1.maven.org	e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0
TLS 1.2 192.168.56.102:49167 151.101.196.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021	CN=repo1.maven.org	e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0
TLS 1.2 192.168.56.102:49170 185.199.108.154:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=www.github.com	70:94:de:dd:e6:c4:69:48:3a:92:70:a1:48:56:78:2d:18:64:e0:b7

Queries for the computername (21 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 16, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 16, 2021, 9:42 a.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 9:42 a.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 9:42 a.m.			0	0
IsDebuggerPresent Sept. 16, 2021, 9:42 a.m.			0	0

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleA Sept. 16, 2021, 9:41 a.m.	buffer: ################################################ # # # ## # # ## ### ### ## ### # # # # # # # # # # # # # # # # ### # # ### # # # ## # # # # # ### ### # # # ### # # ### # # # # Obfuscation by Allatori Obfuscator v7.3 DEMO # # # # http://www.allatori.com # # # ################################################ console_handle: 0x00000007	1	1
WriteConsoleA Sept. 16, 2021, 9:41 a.m.	buffer: returned false console_handle: 0x00000007	1	1
WriteConsoleA Sept. 16, 2021, 9:41 a.m.	buffer: C:\Users\test22\lib\jna-5.5.0.jar console_handle: 0x00000007	1	1
WriteConsoleA Sept. 16, 2021, 9:41 a.m.	buffer: Downloaded: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar console_handle: 0x00000007	1	1
WriteConsoleA Sept. 16, 2021, 9:41 a.m.	buffer: Downloaded: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar console_handle: 0x00000007	1	1
WriteConsoleA Sept. 16, 2021, 9:42 a.m.	buffer: Downloaded: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar console_handle: 0x00000007	1	1
WriteConsoleA Sept. 16, 2021, 9:42 a.m.	buffer: Downloaded: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar console_handle: 0x00000007	1	1
WriteConsoleA Sept. 16, 2021, 9:42 a.m.	buffer: Waiting for dependency console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 16, 2021, 9:41 a.m.		1	1	0

One or more processes crashed (15 events)

Time & API	Arguments	Status
__exception__ Sept. 16, 2021, 9:41 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x27d0202 registers.esp: 9761892 registers.edi: 1 registers.eax: 6 registers.ebp: 1937757376 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Sept. 16, 2021, 9:41 a.m.	stacktrace: 0x291f7e8 0x27d44e0 0x27d44e0 0x27d44e0 0x27d44e0 0x27d44e0 0x27d4854 0x27d4854 0x27d4854 0x29220a4 0x27d44e0 0x27d44e0 0x27d44e0 0x2922044 0x27d4854 0x27d4854 0x27d4889 0x27d0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x735caf45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x736913ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x735cafde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x735cb166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x735cb1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x7356f36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x735edc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x735ee4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x73632ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x73f4c556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x73f4c600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 85 05 00 01 de 00 8b c3 8b de 89 bc 24 c8 00 00 exception.instruction: test eax, dword ptr [0xde0100] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2911291 registers.esp: 376302640 registers.edi: 1890220673 registers.eax: 3774873600 registers.ebp: 376303052 registers.edx: 4158029227 registers.ebx: 2633873791 registers.esi: 2575399168 registers.ecx: 72	1
__exception__ Sept. 16, 2021, 9:42 a.m.	stacktrace: 0x291f7e8 0x27d44e0 0x27d44e0 0x27d44e0 0x27d44e0 0x27d44e0 0x27d4854 0x2924acc 0x27d44e0 0x27d44e0 0x27d44e0 0x2922044 0x27d4854 0x27d4854 0x27d4889 0x27d0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x735caf45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x736913ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x735cafde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x735cb166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x735cb1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x7356f36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x735edc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x735ee4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x73632ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x73f4c556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x73f4c600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 85 05 00 01 de 00 8b c3 8b de 89 bc 24 c8 00 00 exception.instruction: test eax, dword ptr [0xde0100] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2911291 registers.esp: 370338368 registers.edi: 2967275227 registers.eax: 3774873600 registers.ebp: 370338780 registers.edx: 2711236989 registers.ebx: 2611971534 registers.esi: 1405833216 registers.ecx: 76	1
__exception__ Sept. 16, 2021, 9:42 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x27d0202 registers.esp: 17560816 registers.edi: 1 registers.eax: 6 registers.ebp: 1935594688 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Sept. 16, 2021, 9:42 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x27d0202 registers.esp: 15792316 registers.edi: 1 registers.eax: 6 registers.ebp: 1937757376 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Sept. 16, 2021, 9:42 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x29f0202 registers.esp: 5633508 registers.edi: 1 registers.eax: 6 registers.ebp: 1936053440 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Sept. 16, 2021, 9:42 a.m.	stacktrace: _JVM_SetVmMemoryPressure@4-0x128cd jvm+0x7273 @ 0x732d7273 _JVM_SetVmMemoryPressure@4-0x127dc jvm+0x7364 @ 0x732d7364 _JVM_GetManagementExt@4+0x51a4 AsyncGetCallTrace-0xb52bc jvm+0x206a4 @ 0x732f06a4 _JVM_FindSignal@4+0xcc8c0 ??_7DCmdFactory@@6B@-0x3a474 jvm+0x289c40 @ 0x73559c40 _JVM_FindSignal@4+0xcd4d4 ??_7DCmdFactory@@6B@-0x39860 jvm+0x28a854 @ 0x7355a854 _JVM_FindSignal@4+0xcd628 ??_7DCmdFactory@@6B@-0x3970c jvm+0x28a9a8 @ 0x7355a9a8 _JVM_FindSignal@4+0xcd8a2 ??_7DCmdFactory@@6B@-0x39492 jvm+0x28ac22 @ 0x7355ac22 _JVM_GetManagementExt@4+0x5519a AsyncGetCallTrace-0x652c6 jvm+0x7069a @ 0x7334069a _JVM_GetManagementExt@4+0x5594f AsyncGetCallTrace-0x64b11 jvm+0x70e4f @ 0x73340e4f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7344dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7344e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x73492ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x74d1c556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x74d1c600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c7 04 08 01 00 00 00 5d c3 cc cc 83 3d 68 80 65 exception.instruction: mov dword ptr [eax + ecx], 1 exception.exception_code: 0xc0000005 exception.symbol: _JVM_SetVmMemoryPressure@4-0x1293b jvm+0x7205 exception.address: 0x732d7205 registers.esp: 357626488 registers.edi: 350869624 registers.eax: 512 registers.ebp: 357626488 registers.edx: 361988936 registers.ebx: 350916608 registers.esi: 350916608 registers.ecx: 5636096	1
__exception__ Sept. 16, 2021, 9:42 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76934387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x7532ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75326b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75345c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x753c06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76a0d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76a0d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76a0ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76928a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76928938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7692950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76a0dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76a0db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76a0e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76929367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76929326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x768ea48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x768e853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x768ea4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x768fcd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x768fd87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 14151180 registers.edi: 7727492 registers.eax: 14151180 registers.ebp: 14151260 registers.edx: 50 registers.ebx: 14151544 registers.esi: 2147746133 registers.ecx: 7496424	1
__exception__ Sept. 16, 2021, 9:42 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76a0f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7534414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x768dfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76a0a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76fbe99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f972ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f8ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76fbc048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f887f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76f88926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76f8d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76fbc44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76f8d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76f8d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76f8d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76f8991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76f88d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f8a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f89b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f89aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x73016f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x73016e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x730127a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x73012652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7301253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x73012411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x730125ab wmic+0x39c80 @ 0xdb9c80 wmic+0x3b06a @ 0xdbb06a wmic+0x3b1f8 @ 0xdbb1f8 wmic+0x36fcd @ 0xdb6fcd wmic+0x3d6e9 @ 0xdbd6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 2746872 registers.edi: 1989278224 registers.eax: 2746872 registers.ebp: 2746952 registers.edx: 1 registers.ebx: 7466084 registers.esi: 2147746133 registers.ecx: 4200186168	1
__exception__ Sept. 16, 2021, 9:42 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76934387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x7532ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75326b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75345c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x753c06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76a0d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76a0d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76a0ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76928a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76928938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7692950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76a0dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76a0db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76a0e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76929367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76929326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x768ea48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x768e853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x768ea4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x768fcd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x768fd87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 10810236 registers.edi: 3791044 registers.eax: 10810236 registers.ebp: 10810316 registers.edx: 50 registers.ebx: 10810600 registers.esi: 2147746133 registers.ecx: 3564304	1
__exception__ Sept. 16, 2021, 9:42 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76a0f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7534414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x768dfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76a0a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76fbe99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f972ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f8ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76fbc048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f887f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76f88926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76f8d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76fbc44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76f8d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76f8d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76f8d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76f8991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76f88d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f8a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f89b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f89aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72ff6f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72ff6e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x72ff27a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72ff2652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x72ff253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72ff2411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x72ff25ab wmic+0x39c80 @ 0xe99c80 wmic+0x3b06a @ 0xe9b06a wmic+0x3b1f8 @ 0xe9b1f8 wmic+0x36fcd @ 0xe96fcd wmic+0x3d6e9 @ 0xe9d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 1436592 registers.edi: 1989278224 registers.eax: 1436592 registers.ebp: 1436672 registers.edx: 1 registers.ebx: 3533964 registers.esi: 2147746133 registers.ecx: 4183476044	1
__exception__ Sept. 16, 2021, 9:42 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76934387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x7532ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75326b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75345c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x753c06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76a0d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76a0d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76a0ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76928a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76928938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7692950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76a0dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76a0db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76a0e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76929367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76929326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x768ea48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x768e853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x768ea4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x768fcd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x768fd87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 47378620 registers.edi: 3008956 registers.eax: 47378620 registers.ebp: 47378700 registers.edx: 50 registers.ebx: 47378984 registers.esi: 2147746133 registers.ecx: 2777800	1
__exception__ Sept. 16, 2021, 9:42 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76a0f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7534414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x768dfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76a0a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76fbe99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f972ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f8ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76fbc048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f887f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76f88926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76f8d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76fbc44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76f8d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76f8d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76f8d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76f8991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76f88d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f8a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f89b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f89aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72f96f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72f96e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x72f927a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72f92652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x72f9253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72f92411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x72f925ab wmic+0x39c80 @ 0x749c80 wmic+0x3b06a @ 0x74b06a wmic+0x3b1f8 @ 0x74b1f8 wmic+0x36fcd @ 0x746fcd wmic+0x3d6e9 @ 0x74d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 2353104 registers.edi: 1989278224 registers.eax: 2353104 registers.ebp: 2353184 registers.edx: 1 registers.ebx: 2747460 registers.esi: 2147746133 registers.ecx: 4188242409	1
__exception__ Sept. 16, 2021, 9:42 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76934387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x7532ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75326b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75326a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75345c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x753c06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x76a0d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x76a0d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x76a0ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76928a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76928938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7692950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x76a0dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x76a0db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x76a0e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76929367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76929326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7557788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x768ea48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x768e853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x768ea4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x768fcd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x768fd87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 37875012 registers.edi: 3463204 registers.eax: 37875012 registers.ebp: 37875092 registers.edx: 50 registers.ebx: 37875376 registers.esi: 2147746133 registers.ecx: 3236632	1
__exception__ Sept. 16, 2021, 9:42 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7533374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x76a0f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7534414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x768dfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x76a0a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76fbe99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76f972ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76f8ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76fbc048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76f887f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76f88926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76f8d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76fbc44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76f8d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76f8d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76f8d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76f8991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76f88d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76f8a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76f89b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76f89aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72ff6f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72ff6e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x72ff27a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72ff2652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x72ff253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72ff2411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x72ff25ab wmic+0x39c80 @ 0x7a9c80 wmic+0x3b06a @ 0x7ab06a wmic+0x3b1f8 @ 0x7ab1f8 wmic+0x36fcd @ 0x7a6fcd wmic+0x3d6e9 @ 0x7ad6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7566b727 registers.esp: 2812224 registers.edi: 1989278224 registers.eax: 2812224 registers.ebp: 2812304 registers.edx: 1 registers.ebx: 3206292 registers.esi: 2147746133 registers.ecx: 4166615864	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://ip-api.com/json/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 139 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02808000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02818000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02828000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02838000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02848000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02858000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02868000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02878000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02888000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02890000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02898000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02908000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02918000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:42 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02928000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:42 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:42 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:42 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:42 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02808000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:42 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:42 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02818000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:42 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:42 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02828000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:42 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 16, 2021, 9:42 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02838000 process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna7463694035313774443.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna8182448962962392440.dll

Creates a suspicious process (10 events)

cmdline	cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\RQF _1000281534.jar"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\RQF _1000281534.jar"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
cmdline	wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4115874404283386990.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna8182448962962392440.dll

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 16, 2021, 9:41 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x16200000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 16, 2021, 9:41 a.m.	flags: 28 family: 0	1	0	0

Uses Windows utilities for basic Windows functionality (10 events)

cmdline	cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\RQF _1000281534.jar"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\RQF _1000281534.jar"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
cmdline	wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT VolumeSerialNumber FROM win32_logicaldisk

Communicates with host for which no DNS query was performed (1 event)

host

103.156.90.52

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RQF _1000281534	reg_value	"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\RQF _1000281534.jar"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RQF _1000281534	reg_value	"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\RQF _1000281534.jar"
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RQF _1000281534.jar
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RQF _1000281534.jar
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\RQF _1000281534.jar"
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\RQF _1000281534.jar"

Executes one or more WMI queries (4 events)

wmi	SELECT Caption, OSArchitecture FROM win32_operatingsystem
wmi	SELECT displayName FROM antivirusproduct
wmi	SELECT VolumeSerialNumber FROM win32_logicaldisk
wmi	SELECT Version FROM win32_operatingsystem

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\Documents\Outlook 파일\Outlook.pst

The process java.exe wrote an executable file to disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna8182448962962392440.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna7463694035313774443.dll

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Lionic	Trojan.Script.Generic.4!c
MicroWorld-eScan	Java.Trojan.GenericGB.29244
Alibaba	TrojanSpy:JAVA/Banload.d563a765
Arcabit	Java.Trojan.GenericGB.D723C
Cyren	Java/Agent.BLO
ESET-NOD32	a variant of Java/Spy.Agent.X
Kaspersky	UDS:Trojan.Java.Agent.gen
BitDefender	Java.Trojan.GenericGB.29244
Tencent	Java.Trojan.Trojan.Suxp
Ad-Aware	Java.Trojan.GenericGB.29244
F-Secure	Exploit.EXP/JAVA.Banload.VPB.Gen
TrendMicro	TROJ_GEN.F04IE00IF21
McAfee-GW-Edition	Artemis!Trojan
FireEye	Java.Trojan.GenericGB.29244
Emsisoft	Java.Trojan.GenericGB.29244 (B)
Ikarus	Trojan.Java.GenericGB
GData	Java.Backdoor.StrRat.C
Avira	EXP/JAVA.Banload.VPB.Gen
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Cynet	Malicious (score: 99)
McAfee	Adwind-FELN.jar!D9F9E125648C
MAX	malware (ai score=80)
Fortinet	Java/GenericGB.29230!tr

RQF _1000281534.jar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All