Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 29, 2021, 10:47 a.m.	Oct. 29, 2021, 10:50 a.m.

Size	1.7MB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`d12cde9ca145f75251c08af9cef0b7f3`
SHA256	`2184352199ac4ad6ee3eadaca1895ef7469d8fff6026a718ddeaeffc59ee34eb`
CRC32	`07388482`
ssdeep	`24576:LbzsfNaUoW+GUHUqPlXsZ7UTX8SQJN1TCJ302crZDByUaQKDkKwx10xoIhGYkvUa:gkM91BHatAKccKNqhZnxK`
Yara	NPKI_Zero - File included NPKI

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\hta.hta.html
288
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:288 CREDAT:145409
  2372

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49185 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49186	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49184 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 29, 2021, 10:41 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd8ba49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdc773c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff4143bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdc95295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdc92799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdd3af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdd3b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdc948d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff540883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff540ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff540c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff3fa4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff40d551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff54347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff54122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff543542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff40d42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff40d1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77239bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772398da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff40d0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff533e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff3e0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff3e0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7711652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7734c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefd8ba49d registers.r14: 0 registers.r15: 0 registers.rcx: 98428480 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 98434432 registers.r11: 98430240 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1922867167 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 29, 2021, 10:41 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd8ba49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdc773c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff4143bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdc95295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdc92799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdd3af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdd3b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdc948d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff540883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff540ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff540c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff3fa4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff40d551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff54347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff54122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff543542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff40d42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff40d1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77239bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772398da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff40d0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff533e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff3e0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff3e0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7711652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7734c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefd8ba49d
registers.r14: 0
registers.r15: 0
registers.rcx: 98428480
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 98434432
registers.r11: 98430240
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1922867167
registers.r13: 0

Performs some HTTP requests (1 event)

request

GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

Allocates read-write-execute memory (usually to unpack itself) (50 out of 56 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 region_size: 10031104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000024a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007723d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077262000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077244000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077262000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc265000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc265000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff341000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007722a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa937000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef6969000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:41 a.m.	process_identifier: 288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef5eb9000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 region_size: 9375744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077291000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007723d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077262000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077244000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077262000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc265000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc265000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff341000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007722a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007722f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007722d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007722b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077116000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077366000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077111000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077230000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007722a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007733f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007734b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff527000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdb54000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 288 crashed
__exception__ Oct. 29, 2021, 10:41 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd8ba49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdc773c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff4143bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdc95295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdc92799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdd3af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdd3b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdc948d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff540883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff540ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff540c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff3fa4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff40d551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff54347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff54122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff543542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff40d42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff40d1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77239bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772398da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff40d0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff533e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff3e0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff3e0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7711652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7734c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefd8ba49d registers.r14: 0 registers.r15: 0 registers.rcx: 98428480 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 98434432 registers.r11: 98430240 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1922867167 registers.r13: 0	1	0	0

Application Crash

Process iexplore.exe with pid 288 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 29, 2021, 10:41 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd8ba49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefdc773c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff4143bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdc95295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdc92799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdd3af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdd3b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdc948d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff540883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff540ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff540c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff3fa4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff40d551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff54347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff54122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff543542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff40d42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff40d1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77239bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x772398da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff40d0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff533e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff3e0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff3e0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7711652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7734c521

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

NANO-Antivirus

Trojan.Script.Dropper.foxxbq

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 29, 2021, 10:40 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff80000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:288 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 288 resumed a thread in remote process 2372
NtResumeThread Oct. 29, 2021, 10:40 a.m.	thread_handle: 0x0000000000000360 suspend_count: 1 process_identifier: 2372	1	0	0

hta.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All