Summary | ZeroBOX

Category	Machine	Started	Completed
URL	s1_win7_x6403_us	Oct. 6, 2021, 2:50 p.m.	Oct. 6, 2021, 2:53 p.m.

URL	https://kyahogysammajhnailagrahiat1.blogspot.com/p/og1-1.html

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" https://kyahogysammajhnailagrahiat1.blogspot.com/p/og1-1.html
2604
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2604 CREDAT:145409
  2100

Name	Response	Post-Analysis Lookup
www.google-analytics.com	CNAME www-google-analytics.l.google.com A 142.250.204.142	216.58.220.142
accounts.google.com	A 142.250.204.45	172.217.161.77
fonts.gstatic.com	CNAME gstaticadssl.l.google.com A 142.250.66.67	142.250.196.99
kyahogysammajhnailagrahiat1.blogspot.com	CNAME blogspot.l.googleusercontent.com A 142.250.204.129	172.217.24.129
www.google.com	A 142.250.204.100	172.217.175.100
fonts.googleapis.com	A 142.250.66.74	172.217.25.74
www.blogger.com	CNAME blogger.l.google.com A 142.250.66.73	216.58.197.201
resources.blogblog.com	CNAME blogger.l.google.com A 142.250.66.41	216.58.197.201
www.gstatic.com	A 172.217.161.163	142.250.196.131

IP Address	Status	Action
117.18.232.200	Active	Moloch
142.250.204.100	Active	Moloch
142.250.204.129	Active	Moloch
142.250.204.142	Active	Moloch
142.250.204.45	Active	Moloch
142.250.66.41	Active	Moloch
142.250.66.67	Active	Moloch
142.250.66.73	Active	Moloch
142.250.66.74	Active	Moloch
164.124.101.2	Active	Moloch
172.217.161.163	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49188 -> 142.250.204.142:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 142.250.66.41:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 142.250.204.129:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 142.250.66.73:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 142.250.66.73:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 142.250.204.100:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 142.250.66.73:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 142.250.204.142:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 142.250.66.73:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 142.250.204.129:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49177 -> 142.250.204.45:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 142.250.66.41:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49190 -> 142.250.66.67:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 142.250.204.45:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 142.250.66.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 142.250.66.73:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49192 -> 172.217.161.163:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49191 -> 142.250.66.67:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49183 -> 142.250.66.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49184 -> 142.250.204.100:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49193 -> 172.217.161.163:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49188 142.250.204.142:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google-analytics.com	80:3c:82:b4:37:5b:08:af:80:c3:bb:87:87:38:71:f5:88:ac:e2:3e
TLSv1 192.168.56.103:49175 142.250.66.41:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.blogger.com	76:d9:ed:9a:97:01:f9:eb:d2:fb:79:86:c4:64:4f:02:1a:32:16:3b
TLSv1 192.168.56.103:49171 142.250.204.129:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=misc-sni.blogspot.com	fc:db:2e:5e:8f:df:23:25:9a:03:2f:a3:eb:58:73:23:f5:30:86:76
TLSv1 192.168.56.103:49173 142.250.66.73:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.blogger.com	76:d9:ed:9a:97:01:f9:eb:d2:fb:79:86:c4:64:4f:02:1a:32:16:3b
TLSv1 192.168.56.103:49174 142.250.66.73:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.blogger.com	76:d9:ed:9a:97:01:f9:eb:d2:fb:79:86:c4:64:4f:02:1a:32:16:3b
TLSv1 192.168.56.103:49187 142.250.204.142:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google-analytics.com	80:3c:82:b4:37:5b:08:af:80:c3:bb:87:87:38:71:f5:88:ac:e2:3e
TLSv1 192.168.56.103:49181 142.250.66.73:443	None	None	None
TLSv1 192.168.56.103:49186 142.250.204.100:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	81:d3:b1:30:44:e4:01:e1:77:92:f3:6a:43:36:6a:ad:ee:99:4f:36
TLSv1 192.168.56.103:49170 142.250.204.129:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=misc-sni.blogspot.com	fc:db:2e:5e:8f:df:23:25:9a:03:2f:a3:eb:58:73:23:f5:30:86:76
TLSv1 192.168.56.103:49180 142.250.66.73:443	None	None	None
TLSv1 192.168.56.103:49177 142.250.204.45:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	93:a7:6a:4d:d9:a2:77:32:f5:f7:30:8d:11:b8:34:12:df:c8:99:dc
TLSv1 192.168.56.103:49176 142.250.66.41:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.blogger.com	76:d9:ed:9a:97:01:f9:eb:d2:fb:79:86:c4:64:4f:02:1a:32:16:3b
TLSv1 192.168.56.103:49190 142.250.66.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	23:92:2f:c1:07:f1:5f:c3:2e:a0:86:05:c8:72:04:34:1a:7a:d5:da
TLSv1 192.168.56.103:49178 142.250.204.45:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	93:a7:6a:4d:d9:a2:77:32:f5:f7:30:8d:11:b8:34:12:df:c8:99:dc
TLSv1 192.168.56.103:49182 142.250.66.74:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	24:ff:81:76:91:b0:43:fa:10:ae:52:fb:55:a8:ce:ae:35:7f:87:3e
TLSv1 192.168.56.103:49185 142.250.66.73:443	None	None	None
TLSv1 192.168.56.103:49192 172.217.161.163:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	23:92:2f:c1:07:f1:5f:c3:2e:a0:86:05:c8:72:04:34:1a:7a:d5:da
TLSv1 192.168.56.103:49191 142.250.66.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	23:92:2f:c1:07:f1:5f:c3:2e:a0:86:05:c8:72:04:34:1a:7a:d5:da
TLSv1 192.168.56.103:49183 142.250.66.74:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	24:ff:81:76:91:b0:43:fa:10:ae:52:fb:55:a8:ce:ae:35:7f:87:3e
TLSv1 192.168.56.103:49184 142.250.204.100:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	81:d3:b1:30:44:e4:01:e1:77:92:f3:6a:43:36:6a:ad:ee:99:4f:36
TLSv1 192.168.56.103:49193 172.217.161.163:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	23:92:2f:c1:07:f1:5f:c3:2e:a0:86:05:c8:72:04:34:1a:7a:d5:da

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 6, 2021, 2:52 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd8ba49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff3673c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefdbd43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff385295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff382799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff42af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff42b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff3848d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefdd00883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefdd00ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefdd00c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdbba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdbcd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefdd0347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefdd0122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefdd03542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdbcd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdbcd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77279bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdbcd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefdcf3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdba0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdba0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76dd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7738c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefd8ba49d registers.r14: 0 registers.r15: 0 registers.rcx: 104392688 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 104398640 registers.r11: 104394448 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1903187160 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 6, 2021, 2:52 p.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd8ba49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff3673c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefdbd43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff385295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff382799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff42af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff42b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff3848d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefdd00883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefdd00ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefdd00c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdbba4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdbcd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefdd0347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefdd0122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefdd03542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdbcd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdbcd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77279bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772798da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdbcd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefdcf3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdba0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdba0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76dd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7738c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefd8ba49d
registers.r14: 0
registers.r15: 0
registers.rcx: 104392688
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 104398640
registers.r11: 104394448
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1903187160
registers.r13: 0

Performs some HTTP requests (35 events)

request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://kyahogysammajhnailagrahiat1.blogspot.com/p/og1-1.html
request	GET https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.css
request	GET https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js
request	GET https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8965474558532949541&zx=c284ae92-b0d2-4f96-8852-ffc3b557f602
request	GET https://www.blogger.com/static/v1/jsbin/186635561-comment_from_post_iframe.js
request	GET https://www.blogger.com/static/v1/widgets/963277127-widgets.js
request	GET https://resources.blogblog.com/img/icon18_edit_allbkg.gif
request	GET https://www.blogger.com/blogin.g?blogspotURL=https://kyahogysammajhnailagrahiat1.blogspot.com/p/og1-1.html&type=blog
request	GET https://accounts.google.com/ServiceLogin?passive=true&continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://kyahogysammajhnailagrahiat1.blogspot.com/p/og1-1.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://kyahogysammajhnailagrahiat1.blogspot.com/p/og1-1.html%26type%3Dblog%26bpli%3D1&go=true
request	GET https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fkyahogysammajhnailagrahiat1.blogspot.com%2Fp%2Fog1-1.html&type=blog&bpli=1
request	GET https://www.blogger.com/comment-iframe.g?blogID=8965474558532949541&pageID=6736565095014907579&blogspotRpcToken=1540682
request	GET https://accounts.google.com/ServiceLogin?passive=true&continue=https://www.blogger.com/comment-iframe.g?blogID%3D8965474558532949541%26pageID%3D6736565095014907579%26blogspotRpcToken%3D1540682%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D8965474558532949541%26pageID%3D6736565095014907579%26blogspotRpcToken%3D1540682%26bpli%3D1&go=true
request	GET https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
request	GET https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
request	GET https://www.blogger.com/img/share_buttons_20_3.png
request	GET https://www.blogger.com/comment-iframe.g?blogID=8965474558532949541&pageID=6736565095014907579&blogspotRpcToken=1540682&bpli=1
request	GET https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
request	GET https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
request	GET https://fonts.googleapis.com/css?family=Open+Sans:300
request	GET https://www.google.com/css/maia.css
request	GET https://www.google-analytics.com/analytics.js
request	GET https://www.blogger.com/static/v1/v-css/2621646369-cmtfp.css
request	GET https://www.blogger.com/static/v1/jsbin/1613438611-cmt__en_gb.js
request	GET https://resources.blogblog.com/img/blank.gif
request	GET https://www.google.com/js/bg/HVOBT6Mp1feN9noQtTICieFh_C2gsjCcO__mLFs-bwg.js
request	GET https://fonts.gstatic.com/s/opensans/v26/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsiH0B4gaVQ.woff
request	GET https://www.blogger.com/img/blogger-logotype-color-black-1x.png
request	GET https://www.blogger.com/comment-iframe-bg.g?bgresponse=js_disabled&iemode=9&page=1&bgint=HVOBT6Mp1feN9noQtTICieFh_C2gsjCcO__mLFs-bwg
request	GET https://fonts.googleapis.com/css?lang=ko&family=Product+Sans\|Roboto:400,700
request	GET https://fonts.gstatic.com/s/roboto/v29/KFOmCnqEu92Fr1Mu4mxM.woff
request	GET https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmWUlfBBc-.woff
request	GET https://resources.blogblog.com/img/anon36.png
request	GET https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
request	GET https://kyahogysammajhnailagrahiat1.blogspot.com/favicon.ico

Allocates read-write-execute memory (usually to unpack itself) (50 out of 53 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 region_size: 16060416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000029f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007727d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077284000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc2a5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc2a5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff2d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff101000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2604 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:52 p.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef06b9000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 region_size: 1773568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002c80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007727d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077284000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc2a5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc2a5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff2d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff101000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773a6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077270000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007737f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007738b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdce7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff274000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff271000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff276000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2604 crashed
__exception__ Oct. 6, 2021, 2:52 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd8ba49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff3673c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefdbd43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff385295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff382799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff42af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff42b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff3848d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefdd00883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefdd00ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefdd00c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdbba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdbcd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefdd0347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefdd0122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefdd03542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdbcd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdbcd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77279bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdbcd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefdcf3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdba0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdba0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76dd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7738c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefd8ba49d registers.r14: 0 registers.r15: 0 registers.rcx: 104392688 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 104398640 registers.r11: 104394448 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1903187160 registers.r13: 0	1	0	0

Application Crash

Process iexplore.exe with pid 2604 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 6, 2021, 2:52 p.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd8ba49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff3673c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefdbd43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff385295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff382799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff42af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff42b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff3848d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefdd00883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefdd00ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefdd00c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdbba4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdbcd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefdd0347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefdd0122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefdd03542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdbcd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdbcd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77279bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772798da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdbcd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefdcf3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdba0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdba0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76dd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7738c521

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\186635561-comment_from_post_iframe[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\1613438611-cmt__en_gb[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\analytics[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\403901366-ieretrofit[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\963277127-widgets[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\HVOBT6Mp1feN9noQtTICieFh_C2gsjCcO__mLFs-bwg[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\3101730221-analytics_autotrack[1].js

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 6, 2021, 2:51 p.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff70000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2604 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2604 resumed a thread in remote process 2100
NtResumeThread Oct. 6, 2021, 2:51 p.m.	thread_handle: 0x000000000000033c suspend_count: 1 process_identifier: 2100	1	0	0

https://kyahogysammajhnailagrahiat1.blogspot.com/p/og1-1.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All