Summary | ZeroBOX

Category	Machine	Started	Completed
URL	s1_win7_x6402	Nov. 12, 2021, 7:54 a.m.	Nov. 12, 2021, 7:56 a.m.

URL	http://tigerdrill.xyz/EYWCET97LV2U.html
File	9b3a5b1c64e211c9_eywcet97lv2u[1].htm
Size	6.0KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`cf43050494012ba1f8ec57b3d07e070c`
SHA256	`9b3a5b1c64e211c9e523a297db8cb67359301be04035ee9971aab3a5ca349b50`
CRC32	`75D73393`
ssdeep	`192:1QhKCIZWsITd0VTLoYj6EwnH6Z9qYJw+g000000000SAWRYaFu:CsCICgTIx6Dqg/D`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" http://tigerdrill.xyz/EYWCET97LV2U.html
2128
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2128 CREDAT:145409
  1544
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2128 CREDAT:210945
  2468

Name	Response	Post-Analysis Lookup
tigerdrill.xyz	A 159.223.68.213	159.223.68.213

IP Address	Status	Action
117.18.232.200	Active	Moloch
159.223.68.213	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49179 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49180 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49181	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 12, 2021, 7:55 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdcfa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff2373c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff6d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff255295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff252799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff2faf1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff2fb76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff2548d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff800883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff800ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff800c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff6ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff6cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff80347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff80122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff803542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff6cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff6cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77569bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x775698da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff6cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff7f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff6a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff6a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x772e652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7767c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefdcfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 111141424 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 111147376 registers.r11: 111143184 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1911011072 registers.r13: 0	1	0	0
__exception__ Nov. 12, 2021, 7:54 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdcfa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff2373c3 CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7feff8062ba Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7feff2fb949 CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7feff8021d0 DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7feff6bd8a2 ObjectStublessClient5+0x183 IsValidInterface-0x105d ole32+0x31bb3 @ 0x7feff6c1bb3 ObjectStublessClient5+0xf2 IsValidInterface-0x10ee ole32+0x31b22 @ 0x7feff6c1b22 CoMarshalInterface+0x263f ObjectStublessClient5-0x245 ole32+0x317eb @ 0x7feff6c17eb CoMarshalInterface+0x226b ObjectStublessClient5-0x619 ole32+0x31417 @ 0x7feff6c1417 CoSetState+0x45a DcomChannelSetHResult-0x1342 ole32+0x294fa @ 0x7feff6b94fa CoSetState+0x388 DcomChannelSetHResult-0x1414 ole32+0x29428 @ 0x7feff6b9428 CoSetState+0xaa9 DcomChannelSetHResult-0xcf3 ole32+0x29b49 @ 0x7feff6b9b49 CoInternetGetSession+0x655b MkParseDisplayNameEx-0x1a711 urlmon+0x55b5f @ 0x76fa5b5f ImportPrivacySettings+0x4017 IEAssociateThreadWithTab-0xa0531 ieframe+0x113417 @ 0x7fef4843417 ImportPrivacySettings+0xa890 IEAssociateThreadWithTab-0x99cb8 ieframe+0x119c90 @ 0x7fef4849c90 ImportPrivacySettings+0x7d103 IEAssociateThreadWithTab-0x27445 ieframe+0x18c503 @ 0x7fef48bc503 ImportPrivacySettings+0x6b111 IEAssociateThreadWithTab-0x39437 ieframe+0x17a511 @ 0x7fef48aa511 ImportPrivacySettings+0x6c023 IEAssociateThreadWithTab-0x38525 ieframe+0x17b423 @ 0x7fef48ab423 ImportPrivacySettings+0x6d680 IEAssociateThreadWithTab-0x36ec8 ieframe+0x17ca80 @ 0x7fef48aca80 IEDisassociateThreadWithTab+0x1485e SoftwareUpdateMessageBox-0x6bdf2 ieframe+0x1c8252 @ 0x7fef48f8252 ImportPrivacySettings+0x71268 IEAssociateThreadWithTab-0x332e0 ieframe+0x180668 @ 0x7fef48b0668 ImportPrivacySettings+0x71927 IEAssociateThreadWithTab-0x32c21 ieframe+0x180d27 @ 0x7fef48b0d27 IEDisassociateThreadWithTab+0x1c4cd SoftwareUpdateMessageBox-0x64183 ieframe+0x1cfec1 @ 0x7fef48ffec1 IEDisassociateThreadWithTab+0x17422 SoftwareUpdateMessageBox-0x6922e ieframe+0x1cae16 @ 0x7fef48fae16 ImportPrivacySettings+0x12fd7 IEAssociateThreadWithTab-0x91571 ieframe+0x1223d7 @ 0x7fef48523d7 ImportPrivacySettings+0x13191 IEAssociateThreadWithTab-0x913b7 ieframe+0x122591 @ 0x7fef4852591 ImportPrivacySettings+0x1324c IEAssociateThreadWithTab-0x912fc ieframe+0x12264c @ 0x7fef485264c CTravelLog_CreateInstance+0x14ee7 DllCanUnloadNow-0xed60d mshtml+0x30c393 @ 0x7277c393 CTravelLog_CreateInstance+0x12644 DllCanUnloadNow-0xefeb0 mshtml+0x309af0 @ 0x72779af0 CTravelLog_CreateInstance+0x161c7 DllCanUnloadNow-0xec32d mshtml+0x30d673 @ 0x7277d673 CTravelLog_CreateInstance+0x2d56d DllCanUnloadNow-0xd4f87 mshtml+0x324a19 @ 0x72794a19 CTravelLog_CreateInstance+0x2d591 DllCanUnloadNow-0xd4f63 mshtml+0x324a3d @ 0x72794a3d CTravelLog_CreateInstance+0x14dc1 DllCanUnloadNow-0xed733 mshtml+0x30c26d @ 0x7277c26d CTravelLog_CreateInstance+0x1223f DllCanUnloadNow-0xf02b5 mshtml+0x3096eb @ 0x727796eb CTravelLog_CreateInstance+0x12145 DllCanUnloadNow-0xf03af mshtml+0x3095f1 @ 0x727795f1 CTravelLog_CreateInstance+0x11bff DllCanUnloadNow-0xf08f5 mshtml+0x3090ab @ 0x727790ab CTravelLog_CreateInstance+0x109f4 DllCanUnloadNow-0xf1b00 mshtml+0x307ea0 @ 0x72777ea0 CTravelLog_CreateInstance+0xdb2cf DllCanUnloadNow-0x27225 mshtml+0x3d277b @ 0x7284277b TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77569bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x775698da CreateExtensionGuidEnumerator+0x37005 DllInstall-0x2828f ieframe+0x8b2cd @ 0x7fef47bb2cd DllRegisterServer+0x33bf4 CreateExtensionGuidEnumerator-0x1c7e4 ieframe+0x37ae4 @ 0x7fef4767ae4 FastMimeGetFileExtension+0x9c53 LCIEUnpackString-0x6111 iertutil+0x153cf @ 0x770c53cf DllRegisterServer+0x14d67 CreateExtensionGuidEnumerator-0x3b671 ieframe+0x18c57 @ 0x7fef4748c57 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x772e652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7767c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80010012 exception.offset: 42141 exception.address: 0x7fefdcfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 89165760 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 89193264 registers.r11: 89167520 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1915300877 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 12, 2021, 7:55 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdcfa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff2373c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff6d43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff255295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff252799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff2faf1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff2fb76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff2548d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff800883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff800ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff800c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff6ba4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff6cd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff80347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff80122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff803542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff6cd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff6cd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77569bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x775698da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff6cd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff7f3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff6a0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff6a0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x772e652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7767c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefdcfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 111141424
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 111147376
registers.r11: 111143184
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1911011072
registers.r13: 0

__exception__

Nov. 12, 2021, 7:54 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdcfa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff2373c3
CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7feff8062ba
Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7feff2fb949
CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7feff8021d0
DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7feff6bd8a2
ObjectStublessClient5+0x183 IsValidInterface-0x105d ole32+0x31bb3 @ 0x7feff6c1bb3
ObjectStublessClient5+0xf2 IsValidInterface-0x10ee ole32+0x31b22 @ 0x7feff6c1b22
CoMarshalInterface+0x263f ObjectStublessClient5-0x245 ole32+0x317eb @ 0x7feff6c17eb
CoMarshalInterface+0x226b ObjectStublessClient5-0x619 ole32+0x31417 @ 0x7feff6c1417
CoSetState+0x45a DcomChannelSetHResult-0x1342 ole32+0x294fa @ 0x7feff6b94fa
CoSetState+0x388 DcomChannelSetHResult-0x1414 ole32+0x29428 @ 0x7feff6b9428
CoSetState+0xaa9 DcomChannelSetHResult-0xcf3 ole32+0x29b49 @ 0x7feff6b9b49
CoInternetGetSession+0x655b MkParseDisplayNameEx-0x1a711 urlmon+0x55b5f @ 0x76fa5b5f
ImportPrivacySettings+0x4017 IEAssociateThreadWithTab-0xa0531 ieframe+0x113417 @ 0x7fef4843417
ImportPrivacySettings+0xa890 IEAssociateThreadWithTab-0x99cb8 ieframe+0x119c90 @ 0x7fef4849c90
ImportPrivacySettings+0x7d103 IEAssociateThreadWithTab-0x27445 ieframe+0x18c503 @ 0x7fef48bc503
ImportPrivacySettings+0x6b111 IEAssociateThreadWithTab-0x39437 ieframe+0x17a511 @ 0x7fef48aa511
ImportPrivacySettings+0x6c023 IEAssociateThreadWithTab-0x38525 ieframe+0x17b423 @ 0x7fef48ab423
ImportPrivacySettings+0x6d680 IEAssociateThreadWithTab-0x36ec8 ieframe+0x17ca80 @ 0x7fef48aca80
IEDisassociateThreadWithTab+0x1485e SoftwareUpdateMessageBox-0x6bdf2 ieframe+0x1c8252 @ 0x7fef48f8252
ImportPrivacySettings+0x71268 IEAssociateThreadWithTab-0x332e0 ieframe+0x180668 @ 0x7fef48b0668
ImportPrivacySettings+0x71927 IEAssociateThreadWithTab-0x32c21 ieframe+0x180d27 @ 0x7fef48b0d27
IEDisassociateThreadWithTab+0x1c4cd SoftwareUpdateMessageBox-0x64183 ieframe+0x1cfec1 @ 0x7fef48ffec1
IEDisassociateThreadWithTab+0x17422 SoftwareUpdateMessageBox-0x6922e ieframe+0x1cae16 @ 0x7fef48fae16
ImportPrivacySettings+0x12fd7 IEAssociateThreadWithTab-0x91571 ieframe+0x1223d7 @ 0x7fef48523d7
ImportPrivacySettings+0x13191 IEAssociateThreadWithTab-0x913b7 ieframe+0x122591 @ 0x7fef4852591
ImportPrivacySettings+0x1324c IEAssociateThreadWithTab-0x912fc ieframe+0x12264c @ 0x7fef485264c
CTravelLog_CreateInstance+0x14ee7 DllCanUnloadNow-0xed60d mshtml+0x30c393 @ 0x7277c393
CTravelLog_CreateInstance+0x12644 DllCanUnloadNow-0xefeb0 mshtml+0x309af0 @ 0x72779af0
CTravelLog_CreateInstance+0x161c7 DllCanUnloadNow-0xec32d mshtml+0x30d673 @ 0x7277d673
CTravelLog_CreateInstance+0x2d56d DllCanUnloadNow-0xd4f87 mshtml+0x324a19 @ 0x72794a19
CTravelLog_CreateInstance+0x2d591 DllCanUnloadNow-0xd4f63 mshtml+0x324a3d @ 0x72794a3d
CTravelLog_CreateInstance+0x14dc1 DllCanUnloadNow-0xed733 mshtml+0x30c26d @ 0x7277c26d
CTravelLog_CreateInstance+0x1223f DllCanUnloadNow-0xf02b5 mshtml+0x3096eb @ 0x727796eb
CTravelLog_CreateInstance+0x12145 DllCanUnloadNow-0xf03af mshtml+0x3095f1 @ 0x727795f1
CTravelLog_CreateInstance+0x11bff DllCanUnloadNow-0xf08f5 mshtml+0x3090ab @ 0x727790ab
CTravelLog_CreateInstance+0x109f4 DllCanUnloadNow-0xf1b00 mshtml+0x307ea0 @ 0x72777ea0
CTravelLog_CreateInstance+0xdb2cf DllCanUnloadNow-0x27225 mshtml+0x3d277b @ 0x7284277b
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77569bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x775698da
CreateExtensionGuidEnumerator+0x37005 DllInstall-0x2828f ieframe+0x8b2cd @ 0x7fef47bb2cd
DllRegisterServer+0x33bf4 CreateExtensionGuidEnumerator-0x1c7e4 ieframe+0x37ae4 @ 0x7fef4767ae4
FastMimeGetFileExtension+0x9c53 LCIEUnpackString-0x6111 iertutil+0x153cf @ 0x770c53cf
DllRegisterServer+0x14d67 CreateExtensionGuidEnumerator-0x3b671 ieframe+0x18c57 @ 0x7fef4748c57
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x772e652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7767c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80010012
exception.offset: 42141
exception.address: 0x7fefdcfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 89165760
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 89193264
registers.r11: 89167520
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1915300877
registers.r13: 0

Performs some HTTP requests (3 events)

request	GET http://tigerdrill.xyz/EYWCET97LV2U.cab
request	GET http://tigerdrill.xyz/EYWCET97LV2U.html
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

Allocates read-write-execute memory (usually to unpack itself) (50 out of 89 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 region_size: 2428928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000025a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000027f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007756d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077574000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc5c5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc5c5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe0c4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff4a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007755a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000029f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa7c7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef7019000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:55 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1609000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 region_size: 4001792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003190000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007756d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077574000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc5c5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc5c5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe0c4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff4a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007755a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007755f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007755d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007755b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772e6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077696000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077560000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007755a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007766f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007767b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff7e7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe064000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (4 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2128 crashed
Application Crash	Process iexplore.exe with pid 2468 crashed
__exception__ Nov. 12, 2021, 7:55 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdcfa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff2373c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff6d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff255295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff252799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff2faf1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff2fb76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff2548d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff800883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff800ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff800c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff6ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff6cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff80347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff80122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff803542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff6cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff6cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77569bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x775698da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff6cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff7f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff6a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff6a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x772e652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7767c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefdcfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 111141424 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 111147376 registers.r11: 111143184 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1911011072 registers.r13: 0	1	0	0
__exception__ Nov. 12, 2021, 7:54 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdcfa49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff2373c3 CoGetInstanceFromFile+0xa70a HACCEL_UserFree-0x16c6 ole32+0x1762ba @ 0x7feff8062ba Ndr64AsyncServerCallAll+0x14c9 Ndr64AsyncClientCall-0x517 rpcrt4+0xdb949 @ 0x7feff2fb949 CoGetInstanceFromFile+0x6620 HACCEL_UserFree-0x57b0 ole32+0x1721d0 @ 0x7feff8021d0 DcomChannelSetHResult+0x3066 ObjectStublessClient3-0x7ee ole32+0x2d8a2 @ 0x7feff6bd8a2 ObjectStublessClient5+0x183 IsValidInterface-0x105d ole32+0x31bb3 @ 0x7feff6c1bb3 ObjectStublessClient5+0xf2 IsValidInterface-0x10ee ole32+0x31b22 @ 0x7feff6c1b22 CoMarshalInterface+0x263f ObjectStublessClient5-0x245 ole32+0x317eb @ 0x7feff6c17eb CoMarshalInterface+0x226b ObjectStublessClient5-0x619 ole32+0x31417 @ 0x7feff6c1417 CoSetState+0x45a DcomChannelSetHResult-0x1342 ole32+0x294fa @ 0x7feff6b94fa CoSetState+0x388 DcomChannelSetHResult-0x1414 ole32+0x29428 @ 0x7feff6b9428 CoSetState+0xaa9 DcomChannelSetHResult-0xcf3 ole32+0x29b49 @ 0x7feff6b9b49 CoInternetGetSession+0x655b MkParseDisplayNameEx-0x1a711 urlmon+0x55b5f @ 0x76fa5b5f ImportPrivacySettings+0x4017 IEAssociateThreadWithTab-0xa0531 ieframe+0x113417 @ 0x7fef4843417 ImportPrivacySettings+0xa890 IEAssociateThreadWithTab-0x99cb8 ieframe+0x119c90 @ 0x7fef4849c90 ImportPrivacySettings+0x7d103 IEAssociateThreadWithTab-0x27445 ieframe+0x18c503 @ 0x7fef48bc503 ImportPrivacySettings+0x6b111 IEAssociateThreadWithTab-0x39437 ieframe+0x17a511 @ 0x7fef48aa511 ImportPrivacySettings+0x6c023 IEAssociateThreadWithTab-0x38525 ieframe+0x17b423 @ 0x7fef48ab423 ImportPrivacySettings+0x6d680 IEAssociateThreadWithTab-0x36ec8 ieframe+0x17ca80 @ 0x7fef48aca80 IEDisassociateThreadWithTab+0x1485e SoftwareUpdateMessageBox-0x6bdf2 ieframe+0x1c8252 @ 0x7fef48f8252 ImportPrivacySettings+0x71268 IEAssociateThreadWithTab-0x332e0 ieframe+0x180668 @ 0x7fef48b0668 ImportPrivacySettings+0x71927 IEAssociateThreadWithTab-0x32c21 ieframe+0x180d27 @ 0x7fef48b0d27 IEDisassociateThreadWithTab+0x1c4cd SoftwareUpdateMessageBox-0x64183 ieframe+0x1cfec1 @ 0x7fef48ffec1 IEDisassociateThreadWithTab+0x17422 SoftwareUpdateMessageBox-0x6922e ieframe+0x1cae16 @ 0x7fef48fae16 ImportPrivacySettings+0x12fd7 IEAssociateThreadWithTab-0x91571 ieframe+0x1223d7 @ 0x7fef48523d7 ImportPrivacySettings+0x13191 IEAssociateThreadWithTab-0x913b7 ieframe+0x122591 @ 0x7fef4852591 ImportPrivacySettings+0x1324c IEAssociateThreadWithTab-0x912fc ieframe+0x12264c @ 0x7fef485264c CTravelLog_CreateInstance+0x14ee7 DllCanUnloadNow-0xed60d mshtml+0x30c393 @ 0x7277c393 CTravelLog_CreateInstance+0x12644 DllCanUnloadNow-0xefeb0 mshtml+0x309af0 @ 0x72779af0 CTravelLog_CreateInstance+0x161c7 DllCanUnloadNow-0xec32d mshtml+0x30d673 @ 0x7277d673 CTravelLog_CreateInstance+0x2d56d DllCanUnloadNow-0xd4f87 mshtml+0x324a19 @ 0x72794a19 CTravelLog_CreateInstance+0x2d591 DllCanUnloadNow-0xd4f63 mshtml+0x324a3d @ 0x72794a3d CTravelLog_CreateInstance+0x14dc1 DllCanUnloadNow-0xed733 mshtml+0x30c26d @ 0x7277c26d CTravelLog_CreateInstance+0x1223f DllCanUnloadNow-0xf02b5 mshtml+0x3096eb @ 0x727796eb CTravelLog_CreateInstance+0x12145 DllCanUnloadNow-0xf03af mshtml+0x3095f1 @ 0x727795f1 CTravelLog_CreateInstance+0x11bff DllCanUnloadNow-0xf08f5 mshtml+0x3090ab @ 0x727790ab CTravelLog_CreateInstance+0x109f4 DllCanUnloadNow-0xf1b00 mshtml+0x307ea0 @ 0x72777ea0 CTravelLog_CreateInstance+0xdb2cf DllCanUnloadNow-0x27225 mshtml+0x3d277b @ 0x7284277b TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77569bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x775698da CreateExtensionGuidEnumerator+0x37005 DllInstall-0x2828f ieframe+0x8b2cd @ 0x7fef47bb2cd DllRegisterServer+0x33bf4 CreateExtensionGuidEnumerator-0x1c7e4 ieframe+0x37ae4 @ 0x7fef4767ae4 FastMimeGetFileExtension+0x9c53 LCIEUnpackString-0x6111 iertutil+0x153cf @ 0x770c53cf DllRegisterServer+0x14d67 CreateExtensionGuidEnumerator-0x3b671 ieframe+0x18c57 @ 0x7fef4748c57 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x772e652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7767c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80010012 exception.offset: 42141 exception.address: 0x7fefdcfa49d registers.r14: 0 registers.r15: 0 registers.rcx: 89165760 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 89193264 registers.r11: 89167520 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1915300877 registers.r13: 0	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 12, 2021, 7:54 a.m.	process_identifier: 1544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff80000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2128 CREDAT:210945
cmdline	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2128 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2128 resumed a thread in remote process 1544
Process injection	Process 2128 resumed a thread in remote process 2468
NtResumeThread Nov. 12, 2021, 7:54 a.m.	thread_handle: 0x0000000000000334 suspend_count: 1 process_identifier: 1544	1	0	0
NtResumeThread Nov. 12, 2021, 7:54 a.m.	thread_handle: 0x0000000000000544 suspend_count: 1 process_identifier: 2468	1	0	0

http://tigerdrill.xyz/EYWCET97LV2U.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All