Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 15, 2021, 2:01 p.m.	Oct. 15, 2021, 2:03 p.m.

Size	22.1KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`34e6eec71f5eda2bcc5590067f3d8791`
SHA256	`ffbe301561e81310b54ab863c8bcdb0c0b005d8d4adcc3542def8baadd1f6c8a`
CRC32	`3F9223B0`
ssdeep	`384:CfofWvIuxxtt2CojIytBvRnyI5gM3cySsW9lczbmIh2Ip:hMR29IoBvRnyigMRlnZ3`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\Wetranfer.html
672
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:672 CREDAT:145409
  2344

Name	Response	Post-Analysis Lookup
fonts.googleapis.com	A 142.250.66.106	142.250.196.106
images.sampletemplates.com	CNAME blueberry.map.fastly.net A 146.75.50.133	151.101.194.133
www.pngitem.com	A 173.208.219.13	173.208.219.13

IP Address	Status	Action
117.18.232.200	Active	Moloch
142.250.66.106	Active	Moloch
146.75.50.133	Active	Moloch
164.124.101.2	Active	Moloch
173.208.219.13	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49171 -> 146.75.50.133:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49168 -> 142.250.66.106:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49172 -> 146.75.50.133:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49169 -> 142.250.66.106:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49173 -> 146.75.50.133:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 146.75.50.133:443 -> 192.168.56.102:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49176 -> 146.75.50.133:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49174 -> 146.75.50.133:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49181 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49182 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 173.208.219.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 173.208.219.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49168 142.250.66.106:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	24:ff:81:76:91:b0:43:fa:10:ae:52:fb:55:a8:ce:ae:35:7f:87:3e
TLSv1 192.168.56.102:49169 142.250.66.106:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	24:ff:81:76:91:b0:43:fa:10:ae:52:fb:55:a8:ce:ae:35:7f:87:3e

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 15, 2021, 1:55 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefde3a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff9773c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff2143bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff995295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff992799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feffa3af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feffa3b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff9948d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff340883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff340ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff340c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1fa4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff20d551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff34347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff34122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff343542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff20d42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff20d1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77819bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x778198da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff20d0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff333e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1e0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1e0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7721652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7792c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefde3a49d registers.r14: 0 registers.r15: 0 registers.rcx: 103212672 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 103218624 registers.r11: 103214432 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1905116156 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 15, 2021, 1:55 p.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefde3a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff9773c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff2143bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff995295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff992799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feffa3af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feffa3b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff9948d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff340883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff340ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff340c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1fa4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff20d551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff34347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff34122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff343542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff20d42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff20d1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77819bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x778198da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff20d0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff333e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1e0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1e0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7721652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7792c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefde3a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 103212672
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 103218624
registers.r11: 103214432
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1905116156
registers.r13: 0

Performs some HTTP requests (2 events)

request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://fonts.googleapis.com/css?family=PT+Sans:400,700

Allocates read-write-execute memory (usually to unpack itself) (50 out of 56 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 region_size: 13766656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002da0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007781d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077842000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077824000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077842000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc845000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc845000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff6e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe141000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007780a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb037000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef6d79000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:55 p.m.	process_identifier: 672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef7d29000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 region_size: 8589312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002b50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007781d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077842000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077824000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077842000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc845000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc845000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff6e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe141000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007780a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007780f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007780d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007780b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077216000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077946000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077211000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077810000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007780a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007791f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007792b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff327000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff684000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 672 crashed
__exception__ Oct. 15, 2021, 1:55 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefde3a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff9773c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff2143bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff995295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff992799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feffa3af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feffa3b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff9948d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff340883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff340ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff340c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1fa4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff20d551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff34347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff34122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff343542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff20d42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff20d1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77819bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x778198da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff20d0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff333e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1e0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1e0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7721652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7792c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefde3a49d registers.r14: 0 registers.r15: 0 registers.rcx: 103212672 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 103218624 registers.r11: 103214432 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1905116156 registers.r13: 0	1	0	0

Application Crash

Process iexplore.exe with pid 672 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 15, 2021, 1:55 p.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefde3a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff9773c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff2143bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff995295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff992799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feffa3af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feffa3b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff9948d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff340883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff340ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff340c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1fa4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff20d551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff34347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff34122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff343542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff20d42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff20d1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77819bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x778198da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff20d0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff333e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1e0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1e0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7721652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7792c521

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 15, 2021, 1:54 p.m.	process_identifier: 2344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff60000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:672 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 672 resumed a thread in remote process 2344
NtResumeThread Oct. 15, 2021, 1:54 p.m.	thread_handle: 0x0000000000000344 suspend_count: 1 process_identifier: 2344	1	0	0

Wetranfer.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All