Summary | ZeroBOX
Downloader FTP Code injection DGA HTTP Socket Escalate priviledges Hijack Network persistence Create Service KeyLogger Internet API Sniff Audio DNS Http API Steal credential ScreenShot P2P MSOffice File AntiVM AntiDebug
Category Machine Started Completed
ARCHIVE s1_win7_x6402 Nov. 5, 2021, 3:03 a.m. Nov. 5, 2021, 3:07 a.m.

Archive assets/scripts/game/lua/common/common/serializable.bytes @ xcbwlua.assetbundle

Summary

Size 7.0KB
Type data
MD5 72eb6da57b976dc0f4ee7c4ce27695ed
SHA1 a37ac0dca5174f34b2863f5281f3cd7b36e075a6
SHA256 102addcecc8477430ed3c17c00fe8c8fb53777afe3e30c32d8ee1e8f482c40d6
SHA512
6d2b7b5083bf49d65ff6574109e68497dc701eab0c763ab02a44e14fc1b28ab5eb6c89f3d29604603930371ec47da3e50200a81dc9311770304d8455f6494ee3
CRC32 C20182E0
ssdeep 192:ynsGDerEkZa7U6+p1E+GnfR2yr5uqMF1QFhZl1x0K0:qsGD6mD+p1ErfR3H01YU
Yara None matched

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
117.18.232.200 Active Moloch
164.124.101.2 Active Moloch

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdcfa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff2373c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff6d43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff255295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff252799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff2faf1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff2fb76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff2548d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff800883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff800ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff800c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff6ba4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff6cd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff80347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff80122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff803542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff6cd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff6cd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77569bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x775698da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff6cd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff7f3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff6a0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff6a0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x772e652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7767c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefdcfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 101835600
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 101841552
registers.r11: 101837360
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1902660121
registers.r13: 0
1 0 0
request GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 1970176
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002b60000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002d40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007756d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077574000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe0c4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff4a1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755a000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002f30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefa7c7000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef7019000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef38e9000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1544
region_size: 4722688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002660000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002ae0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007756d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077574000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe0c4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff4a1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772e6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077696000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772e1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077560000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007766f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007767b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff7e7000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe064000
process_handle: 0xffffffffffffffff
1 0 0
Application Crash Process iexplore.exe with pid 2140 crashed
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdcfa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff2373c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff6d43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff255295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff252799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff2faf1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff2fb76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff2548d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff800883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff800ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff800c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff6ba4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff6cd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff80347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff80122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff803542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff6cd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff6cd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77569bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x775698da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff6cd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff7f3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff6a0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff6a0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x772e652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7767c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefdcfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 101835600
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 101841552
registers.r11: 101837360
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1902660121
registers.r13: 0
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x000007fffff90000
process_handle: 0xffffffffffffffff
1 0 0
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/941.png
url http://www.expedia.com/favicon.ico
url https://s.pstatic.net/shopping.phinf/20211101_9/6565979b-3e08-4e3d-8514-b2a585c9e46e.jpg
url http://uk.ask.com/favicon.ico
url http://www.priceminister.com/
url https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url http://www.httpwatch.com/download
url http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
url https://s.pstatic.net/static/www/mobile/edit/20210930/mobile_161522481722.png
url http://175.208.134.150:8282/test/test.eml
url http://www.disig.sk/ca/crl/ca_disig.crl0
url http://ru.wikipedia.org/
url http://ocsp.infonotary.com/responder.cgi0V
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fpost.phinf%2FMjAyMTEwMjhfODMg%2FMDAxNjM1NDI3NzQ2NzIy.2dYtsiaZ54mXegxs67agf9wcR5tmDGp1Y4ohBZFgiUwg.sAd2wiczLBiMlHpQAGWMveuOZYV34C-EKWqJcJjoopsg.PNG%2FItRl8seMrlvR8kMW8HHc2emHOvVs.jpg%22
url http://www.merlin.com.pl/favicon.ico
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/477.png
url http://www.cnet.com/favicon.ico
url https://www.semicolonworld.com/public/editor/styles/simditor.css
url https://t1.daumcdn.net/tistory_admin/static/sns/socialShare_big2.png
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url https://rcaptcha.nid.naver.com/rcaptCss?key=f2ZNjcOIuG0ASz
url https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
url http://crl.oces.certifikat.dk/oces.crl0
url https://tistory3.daumcdn.net/tistory/807805/skin/images/btn_reple.gif
url http://www.yceml.net/0559/10408495-1499411010011
url https://ssl.pstatic.net/tveta/libs/1364/1364526/a5068a6f44555ea499da_20211029164146193.jpg
url http://t.static.blog.naver.net/mylog/versioning/JindoComponent-190469086.js
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/529.png
url http://blogimgs.naver.net/nblog/mylog/post/btn_cancel3.gif
url https://ssl.pstatic.net/tveta/libs/assets/js/pc/main/min/pc.veta.core.min.js?20180423
url https://s.pstatic.net/shopping.phinf/20211013_2/ee5c113b-bfae-4cf3-81e3-2ba12403fc6d.jpg
url https://ssl.pstatic.net/static/pwe/nm/b.gif
url http://search.nifty.com/
url https://castbox.shopping.naver.com/js/lazyload.js
url https://ssl.pstatic.net/tveta/libs/1339/1339221/f1a87c541e410a8250af_20211006100906815.jpg
url http://ns.adobe.com/exif/1.0/
url https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url http://www.etmall.com.tw/
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F20211012_1095%2Fupload_1634015607233BeFLd.JPEG%22
url http://crl.chambersign.org/publicnotaryroot.crl0
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png
url http://search.goo.ne.jp/
url http://fr.wikipedia.org/favicon.ico
url https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url http://busca.estadao.com.br/favicon.ico
url http://search.hanafos.com/favicon.ico
url https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F20211029_1095%2Fupload_1635469564183PpB2J.jpg%22
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Steal credential rule local_credential_Steal
description Communications use DNS rule Network_DNS
description Match Windows Inet API call rule Str_Win32_Internet_API
description Hijack network configuration rule Hijack_Network
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Run a KeyLogger rule KeyLogger
description Communications over FTP rule Network_FTP
description Escalate priviledges rule Escalate_priviledges
description File Downloader rule Network_Downloader
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Install itself for autorun at Windows startup rule Persistence
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Steal credential rule local_credential_Steal
description Communications use DNS rule Network_DNS
description Match Windows Inet API call rule Str_Win32_Internet_API
description Hijack network configuration rule Hijack_Network
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2140 CREDAT:145409
host 117.18.232.200
url http://175.208.134.150:8282/test/test.eml
url http://175.208.134.150:8282/favicon.ico
url http://192.168.3.119/
url https://192.168.3.119/
Process injection Process 2140 resumed a thread in remote process 1544
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000000000000360
suspend_count: 1
process_identifier: 1544
1 0 0