Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 10, 2021, 9:43 a.m.	Nov. 10, 2021, 9:45 a.m.

Size	1.8MB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Title: Installation Database, Subject: Python 3.5 biopython-1.66, Author: The Biopython Contributors, Template: Intel;1033, Revision Number: {640F74A9-847A-4040-9F77-9C37184BC0A4}, Number of Words: 2, Number of Pages: 200, Name of Creating Application: Python MSI Library
MD5	`1aec13cf9b79fd1858bbe91b6281f568`
SHA256	`00bd0269ec2f055542bc8117597194a1502cc090595751438a4c642180f3ef7b`
CRC32	`5F22578E`
ssdeep	`49152:g8mrwM5tl1mPM5IWV8ba9tb0f4N8fnEuA25iWrKy:z8/1mPM5V8ban0f68fnEupP`
Yara	Microsoft_Office_File_Zero - Microsoft Office File

java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar C:\Users\test22\AppData\Local\Temp\Arrival_7036PDF.jar
1860
- java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\Arrival_7036PDF.jar"
  2324
  - cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\Arrival_7036PDF.jar"
    2424
    - schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\Arrival_7036PDF.jar"
      2296
  - java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\AppData\Roaming\Arrival_7036PDF.jar"
    196
    - cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
      2844
      - WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        2928
    - cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
      2276
      - WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        2232
    - cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
      2212
      - WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        2144
    - cmd.exe cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
      2484
      - WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
        560

Name	Response	Post-Analysis Lookup
objects.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.108.133
repo1.maven.org	CNAME sonatype.map.fastly.net A 151.101.52.209	199.232.196.209
str-master.pw	A 147.182.174.188	147.182.174.188
github.com	A 15.164.81.167	52.78.231.108
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
147.182.174.188	Active	Moloch
15.164.81.167	Active	Moloch
151.101.52.209	Active	Moloch
164.124.101.2	Active	Moloch
185.199.109.133	Active	Moloch
185.205.210.106	Active	Moloch
208.95.112.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49162 -> 15.164.81.167:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49164 -> 151.101.52.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49166 -> 185.199.109.133:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49163 -> 151.101.52.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49165 -> 151.101.52.209:443	2028375	ET JA3 Hash - Possible Malware - Java Based RAT	Unknown Traffic
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49179 -> 185.205.210.106:7070	2030358	ET MALWARE STRRAT CnC Checkin	Malware Command and Control Activity Detected
UDP 192.168.56.102:61695 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49188 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49178 -> 147.182.174.188:80	2030359	ET MALWARE STRRAT Initial HTTP Activity	Malware Command and Control Activity Detected
TCP 192.168.56.102:49178 -> 147.182.174.188:80	2016777	ET INFO HTTP Request to a *.pw domain	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49162 15.164.81.167:443	C=US, O=DigiCert, Inc., CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	84:63:b3:a9:29:12:cc:fd:1d:31:47:05:98:9b:ec:13:99:37:d0:d7
TLS 1.2 192.168.56.102:49164 151.101.52.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021	CN=repo1.maven.org	e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0
TLS 1.2 192.168.56.102:49166 185.199.109.133:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=www.github.com	70:94:de:dd:e6:c4:69:48:3a:92:70:a1:48:56:78:2d:18:64:e0:b7
TLS 1.2 192.168.56.102:49163 151.101.52.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021	CN=repo1.maven.org	e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0
TLS 1.2 192.168.56.102:49165 151.101.52.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021	CN=repo1.maven.org	e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0

Queries for the computername (21 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 10, 2021, 9:43 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 10, 2021, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 10, 2021, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 10, 2021, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 10, 2021, 9:43 a.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleA Nov. 10, 2021, 9:43 a.m.	buffer: ################################################ # # # ## # # ## ### ### ## ### # # # # # # # # # # # # # # # # ### # # ### # # # ## # # # # # ### ### # # # ### # # ### # # # # Obfuscation by Allatori Obfuscator v7.3 DEMO # # # # http://www.allatori.com # # # ################################################ console_handle: 0x00000007	1	1
WriteConsoleA Nov. 10, 2021, 9:43 a.m.	buffer: Starting Download console_handle: 0x00000007	1	1
WriteConsoleA Nov. 10, 2021, 9:43 a.m.	buffer: Waiting for dependency console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 10, 2021, 9:43 a.m.		1	1	0

One or more processes crashed (13 events)

Time & API	Arguments	Status
__exception__ Nov. 10, 2021, 9:43 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x27c0202 registers.esp: 15988804 registers.edi: 1 registers.eax: 6 registers.ebp: 1952568512 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Nov. 10, 2021, 9:43 a.m.	stacktrace: 0x29091e8 0x27c44e0 0x27c44e0 0x27c44e0 0x27c44e0 0x27c44e0 0x27c4854 0x27c4854 0x27c4854 0x290baa4 0x27c44e0 0x27c44e0 0x27c44e0 0x290ba44 0x27c4854 0x27c4889 0x27c0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x743eaf45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x744b13ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x743eafde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x743eb166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x743eb1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x7438f36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7440dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7440e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x74452ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x746bc556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x746bc600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: 85 05 00 01 39 00 8b c3 8b de 89 bc 24 c8 00 00 exception.instruction: test eax, dword ptr [0x390100] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28f7551 registers.esp: 377612544 registers.edi: 1113627022 registers.eax: 3774873600 registers.ebp: 377612956 registers.edx: 2334395520 registers.ebx: 1686110208 registers.esi: 0 registers.ecx: 118	1
__exception__ Nov. 10, 2021, 9:43 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x27c0202 registers.esp: 16118520 registers.edi: 1 registers.eax: 6 registers.ebp: 1951651008 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Nov. 10, 2021, 9:43 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x27c0202 registers.esp: 16184812 registers.edi: 1 registers.eax: 6 registers.ebp: 1945621696 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Nov. 10, 2021, 9:43 a.m.	stacktrace: _JVM_SetVmMemoryPressure@4-0x128cd jvm+0x7273 @ 0x73bf7273 _JVM_SetVmMemoryPressure@4-0x127dc jvm+0x7364 @ 0x73bf7364 _JVM_GetManagementExt@4+0x1300f AsyncGetCallTrace-0xa7451 jvm+0x2e50f @ 0x73c1e50f _JVM_FindSignal@4+0x23fe9 ??_7DCmdFactory@@6B@-0xe2d4b jvm+0x1e1369 @ 0x73dd1369 _JVM_FindSignal@4+0xcf5ae ??_7DCmdFactory@@6B@-0x37786 jvm+0x28c92e @ 0x73e7c92e _JVM_FindSignal@4+0xef44a ??_7DCmdFactory@@6B@-0x178ea jvm+0x2ac7ca @ 0x73e9c7ca _JVM_FindSignal@4+0xdd796 ??_7DCmdFactory@@6B@-0x2959e jvm+0x29ab16 @ 0x73e8ab16 _JVM_FindSignal@4+0xcd04f ??_7DCmdFactory@@6B@-0x39ce5 jvm+0x28a3cf @ 0x73e7a3cf _JVM_FindSignal@4+0xcd3e9 ??_7DCmdFactory@@6B@-0x3994b jvm+0x28a769 @ 0x73e7a769 _JVM_FindSignal@4+0xcd4ba ??_7DCmdFactory@@6B@-0x3987a jvm+0x28a83a @ 0x73e7a83a _JVM_FindSignal@4+0xcd628 ??_7DCmdFactory@@6B@-0x3970c jvm+0x28a9a8 @ 0x73e7a9a8 _JVM_FindSignal@4+0xcd8a2 ??_7DCmdFactory@@6B@-0x39492 jvm+0x28ac22 @ 0x73e7ac22 _JVM_GetManagementExt@4+0x5519a AsyncGetCallTrace-0x652c6 jvm+0x7069a @ 0x73c6069a _JVM_GetManagementExt@4+0x5594f AsyncGetCallTrace-0x64b11 jvm+0x70e4f @ 0x73c60e4f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x73d6dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x73d6e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x73db2ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x74a1c556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x74a1c600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c7 04 08 01 00 00 00 5d c3 cc cc 83 3d 68 80 f7 exception.instruction: mov dword ptr [eax + ecx], 1 exception.exception_code: 0xc0000005 exception.symbol: _JVM_SetVmMemoryPressure@4-0x1293b jvm+0x7205 exception.address: 0x73bf7205 registers.esp: 368178412 registers.edi: 1963528672 registers.eax: 1408 registers.ebp: 368178412 registers.edx: 15 registers.ebx: 14101504 registers.esi: 14101504 registers.ecx: 12910592	1
__exception__ Nov. 10, 2021, 9:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75284387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75f6ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75f66a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75f66b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75f66a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75f85c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x760006b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7535d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7535d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7535ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75278a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75278938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7527950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7535dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7535db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7535e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75279367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75279326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x756662fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75666d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x756677c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7566788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7523a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7523853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7523a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7524cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7524d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 47443340 registers.edi: 6150180 registers.eax: 47443340 registers.ebp: 47443420 registers.edx: 50 registers.ebx: 47443704 registers.esi: 2147746133 registers.ecx: 5923560	1
__exception__ Nov. 10, 2021, 9:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7535f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75f8414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7522fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7535a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x753fe99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753d72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x753cab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x753fc048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x753c87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x753c8926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x753cd55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x753fc44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x753cd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x753cd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x753cd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x753c991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x753c8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x753ca0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x753c9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x753c9aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x74036f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x74036e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x740327a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x74032652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7403253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x74032411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x740325ab wmic+0x39c80 @ 0x2c9c80 wmic+0x3b06a @ 0x2cb06a wmic+0x3b1f8 @ 0x2cb1f8 wmic+0x36fcd @ 0x2c6fcd wmic+0x3d6e9 @ 0x2cd6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 3402000 registers.edi: 1965488656 registers.eax: 3402000 registers.ebp: 3402080 registers.edx: 1 registers.ebx: 5893220 registers.esi: 2147746133 registers.ecx: 979411175	1
__exception__ Nov. 10, 2021, 9:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75284387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75f6ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75f66a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75f66b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75f66a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75f85c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x760006b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7535d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7535d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7535ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75278a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75278938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7527950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7535dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7535db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7535e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75279367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75279326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x756662fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75666d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x756677c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7566788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7523a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7523853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7523a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7524cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7524d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 36107320 registers.edi: 3987652 registers.eax: 36107320 registers.ebp: 36107400 registers.edx: 50 registers.ebx: 36107684 registers.esi: 2147746133 registers.ecx: 3760912	1
__exception__ Nov. 10, 2021, 9:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7535f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75f8414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7522fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7535a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x753fe99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753d72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x753cab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x753fc048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x753c87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x753c8926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x753cd55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x753fc44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x753cd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x753cd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x753cd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x753c991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x753c8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x753ca0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x753c9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x753c9aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x74036f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x74036e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x740327a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x74032652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7403253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x74032411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x740325ab wmic+0x39c80 @ 0x579c80 wmic+0x3b06a @ 0x57b06a wmic+0x3b1f8 @ 0x57b1f8 wmic+0x36fcd @ 0x576fcd wmic+0x3d6e9 @ 0x57d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 2878648 registers.edi: 1965488656 registers.eax: 2878648 registers.ebp: 2878728 registers.edx: 1 registers.ebx: 3730572 registers.esi: 2147746133 registers.ecx: 1025024588	1
__exception__ Nov. 10, 2021, 9:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75284387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75f6ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75f66a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75f66b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75f66a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75f85c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x760006b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7535d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7535d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7535ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75278a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75278938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7527950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7535dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7535db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7535e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75279367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75279326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x756662fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75666d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x756677c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7566788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7523a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7523853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7523a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7524cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7524d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 32894728 registers.edi: 3544020 registers.eax: 32894728 registers.ebp: 32894808 registers.edx: 50 registers.ebx: 32895092 registers.esi: 2147746133 registers.ecx: 3302088	1
__exception__ Nov. 10, 2021, 9:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7535f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75f8414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7522fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7535a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x753fe99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753d72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x753cab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x753fc048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x753c87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x753c8926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x753cd55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x753fc44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x753cd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x753cd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x753cd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x753c991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x753c8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x753ca0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x753c9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x753c9aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x74036f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x74036e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x740327a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x74032652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7403253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x74032411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x740325ab wmic+0x39c80 @ 0x469c80 wmic+0x3b06a @ 0x46b06a wmic+0x3b1f8 @ 0x46b1f8 wmic+0x36fcd @ 0x466fcd wmic+0x3d6e9 @ 0x46d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 2221648 registers.edi: 1965488656 registers.eax: 2221648 registers.ebp: 2221728 registers.edx: 1 registers.ebx: 3271748 registers.esi: 2147746133 registers.ecx: 1032604610	1
__exception__ Nov. 10, 2021, 9:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75284387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75f6ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75f66a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75f66b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75f66a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75f85c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x760006b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7535d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7535d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7535ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75278a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75278938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7527950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7535dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7535db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7535e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75279367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75279326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x756662fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75666d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x756677c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7566788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7523a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7523853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7523a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7524cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7524d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 43840352 registers.edi: 5494820 registers.eax: 43840352 registers.ebp: 43840432 registers.edx: 50 registers.ebx: 43840716 registers.esi: 2147746133 registers.ecx: 5268248	1
__exception__ Nov. 10, 2021, 9:43 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7535f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75f8414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7522fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7535a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x753fe99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753d72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x753cab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x753fc048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x753c87f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x753c8926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x753cd55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x753fc44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x753cd1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x753cd1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x753cd40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x753c991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x753c8d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x753ca0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x753c9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x753c9aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x74036f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x74036e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x740327a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x74032652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7403253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x74032411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x740325ab wmic+0x39c80 @ 0xd99c80 wmic+0x3b06a @ 0xd9b06a wmic+0x3b1f8 @ 0xd9b1f8 wmic+0x36fcd @ 0xd96fcd wmic+0x3d6e9 @ 0xd9d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 976976 registers.edi: 1965488656 registers.eax: 976976 registers.ebp: 977056 registers.edx: 1 registers.ebx: 5237908 registers.esi: 2147746133 registers.ecx: 1008689498	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET http://str-master.pw/strigoi/server/ping.php?lid=6PFI-EG99-VOD4-MX23-B7M4
request	GET http://ip-api.com/json/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

str-master.pw

description

Palau domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 107 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02808000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02818000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02828000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02838000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02848000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02858000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02868000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02878000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02888000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02890000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02898000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02908000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02808000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02818000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02828000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna7246327726045526337.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna3067347932530824664.dll

Creates a suspicious process (10 events)

cmdline	cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\Arrival_7036PDF.jar"
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\Arrival_7036PDF.jar"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
cmdline	wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna3067347932530824664.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4115874404283386990.dll

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 10, 2021, 9:43 a.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x16200000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 10, 2021, 9:43 a.m.	flags: 28 family: 0	1	0	0

Uses Windows utilities for basic Windows functionality (10 events)

cmdline	cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\Arrival_7036PDF.jar"
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\Arrival_7036PDF.jar"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmdline	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
cmdline	wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
cmdline	wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT VolumeSerialNumber FROM win32_logicaldisk

Communicates with host for which no DNS query was performed (1 event)

host

185.205.210.106

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Arrival_7036PDF	reg_value	"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\Arrival_7036PDF.jar"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Arrival_7036PDF	reg_value	"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\Arrival_7036PDF.jar"
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Arrival_7036PDF.jar
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arrival_7036PDF.jar
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\Arrival_7036PDF.jar"
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\Arrival_7036PDF.jar"

Executes one or more WMI queries (4 events)

wmi	SELECT Caption, OSArchitecture FROM win32_operatingsystem
wmi	SELECT displayName FROM antivirusproduct
wmi	SELECT VolumeSerialNumber FROM win32_logicaldisk
wmi	SELECT Version FROM win32_operatingsystem

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

FireEye	Exploit.AppendedJar.2.Gen
ALYac	Exploit.AppendedJar.2.Gen
Cyren	Java/Kryptik.F.gen!Eldorado
Symantec	Trojan.Appjar!gen1
Avast	Java:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.Java.Agent.gen
BitDefender	Exploit.AppendedJar.2.Gen
Emsisoft	Exploit.AppendedJar.2.Gen (B)
GData	Exploit.AppendedJar.2.Gen
McAfee	Adwind-FELN.jar!0C8DB92413E5
MAX	malware (ai score=89)
Yandex	Trojan.Etecer.bVydoM.32
Fortinet	Java/GenericGB.29230!tr
AVG	Java:Malware-gen [Trj]

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\Documents\Outlook 파일\Outlook.pst

The process java.exe wrote an executable file to disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna3067347932530824664.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna7246327726045526337.dll

Arrival_7036PDF.jar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All