Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 2, 2022, 4:40 p.m.	Nov. 2, 2022, 4:42 p.m.

Size	671.8KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`3dd5e211cb02f98fe31c6dd83685d464`
SHA256	`dd228418c8681d5655b1189c61249f20c9da5e1661cad7efacea62a03fcf1687`
CRC32	`24E7198F`
ssdeep	`12288:3IxP6cOZjV3TkFngh/uc7RgPpSNRuqComEaZ1qvZxFM3O5/g7x0J2:3wPpO3hWcApSNRutoftvZ7Me5oCQ`
PDB Path	C:\Users\Administrator\Documents\CryptoObfuscator_Output\BNCNVCVCXHJ.pdb
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

eurob.exe "C:\Users\test22\AppData\Local\Temp\eurob.exe"
1440
- Powershell.exe "Powershell" Copy-Item 'C:\Users\test22\AppData\Local\Temp\eurob.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systemds.exe'
  2556
- RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2612
  - svchost.exe svchost.exe
    2736
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      2952
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:145409
        3028
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:79875
        2640
  - svchost.exe svchost.exe
    1172
  - svchost.exe svchost.exe
    2552
  - svchost.exe svchost.exe
    2596
  - svchost.exe svchost.exe
    2480
  - svchost.exe svchost.exe
    2836

Name	Response	Post-Analysis Lookup
learn.microsoft.com	CNAME e13636.dscb.akamaiedge.net CNAME learn-public.trafficmanager.net A 104.71.174.10 CNAME learn.microsoft.com.edgekey.net CNAME learn.microsoft.com.edgekey.net.globalredir.akadns.net	104.76.76.50
geoplugin.net	A 178.237.33.50	178.237.33.50

IP Address	Status	Action
104.71.174.10	Active	Moloch
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
45.137.22.236	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49167 -> 45.137.22.236:5890	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49188 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.71.174.10:443 -> 192.168.56.103:49210	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49207 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49223 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49221 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49236 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49248 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49211 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.71.174.10:443 -> 192.168.56.103:49240	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49218 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49219 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49220 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49238 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49241 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.71.174.10:443 -> 192.168.56.103:49185	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49209 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.71.174.10:443 -> 192.168.56.103:49222	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49235 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49252 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.71.174.10:443 -> 192.168.56.103:49254	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49208 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49212 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49239 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49249 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49253 -> 104.71.174.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 23.207.99.220:80 -> 192.168.56.103:49216	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49167 45.137.22.236:5890	None	None	None

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 2, 2022, 4:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2022, 4:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2022, 4:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2022, 4:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 2, 2022, 4:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2022, 4:41 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 2, 2022, 4:40 p.m.			0	0
IsDebuggerPresent Nov. 2, 2022, 4:40 p.m.			0	0
IsDebuggerPresent Nov. 2, 2022, 4:40 p.m.			0	0
IsDebuggerPresent Nov. 2, 2022, 4:41 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (45 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004a1590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004a1610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004a1610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038bd08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038be48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038be48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038be48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b648 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b648 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b648 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b648 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b648 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b648 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038be48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038be48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038be48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c3c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c3c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c3c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c0c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c3c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c3c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c3c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c3c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c3c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c3c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c3c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2022, 4:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038c208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Documents\CryptoObfuscator_Output\BNCNVCVCXHJ.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 2, 2022, 4:40 p.m.		1	1	0

One or more processes crashed (5 events)

Time & API	Arguments	Status
__exception__ Nov. 2, 2022, 4:42 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 102298248 registers.edi: 83796132 registers.eax: 102298248 registers.ebp: 102298328 registers.edx: 192 registers.ebx: 102298612 registers.esi: 2147746133 registers.ecx: 83634296	1
__exception__ Nov. 2, 2022, 4:42 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 62643232 registers.edi: 1974991376 registers.eax: 62643232 registers.ebp: 62643312 registers.edx: 1 registers.ebx: 5677236 registers.esi: 2147746133 registers.ecx: 600871862	1
__exception__ Nov. 2, 2022, 4:41 p.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x746777b7 MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15 MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57 GetTargetForVTableEntry+0x7bc2 GetXMLElement-0x710f mscoreei+0x39d9f @ 0x74609d9f GetTargetForVTableEntry+0x7f61 GetXMLElement-0x6d70 mscoreei+0x3a13e @ 0x7460a13e GetTargetForVTableEntry+0x862e GetXMLElement-0x66a3 mscoreei+0x3a80b @ 0x7460a80b GetTargetForVTableEntry+0x882d GetXMLElement-0x64a4 mscoreei+0x3aa0a @ 0x7460aa0a GetXMLObject+0x5df6 LockClrVersion-0xb83 mscoreei+0x1a27f @ 0x745ea27f LockClrVersion+0xd01 CorBindToRuntimeByPath-0x242e mscoreei+0x1bb03 @ 0x745ebb03 LockClrVersion+0x685 CorBindToRuntimeByPath-0x2aaa mscoreei+0x1b487 @ 0x745eb487 LockClrVersion+0x2b5a CorBindToRuntimeByPath-0x5d5 mscoreei+0x1d95c @ 0x745ed95c ND_WU1+0xc2f _CorExeMain-0x5ac mscoreei+0xef86 @ 0x745def86 ND_WU1+0xded _CorExeMain-0x3ee mscoreei+0xf144 @ 0x745df144 ND_WU1+0x109c _CorExeMain-0x13f mscoreei+0xf3f3 @ 0x745df3f3 ND_WU1+0x1166 _CorExeMain-0x75 mscoreei+0xf4bd @ 0x745df4bd _CorExeMain+0x54 GetFileVersion-0x2957 mscoreei+0xf586 @ 0x745df586 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x728f3f46 registers.esp: 2869064 registers.edi: 0 registers.eax: 1921990470 registers.ebp: 2869104 registers.edx: 0 registers.ebx: 0 registers.esi: 1921990470 registers.ecx: 9112936	1
__exception__ Nov. 2, 2022, 4:41 p.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x746777b7 MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15 MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57 GetTargetForVTableEntry+0x7bc2 GetXMLElement-0x710f mscoreei+0x39d9f @ 0x74609d9f GetTargetForVTableEntry+0x7f61 GetXMLElement-0x6d70 mscoreei+0x3a13e @ 0x7460a13e GetTargetForVTableEntry+0x862e GetXMLElement-0x66a3 mscoreei+0x3a80b @ 0x7460a80b GetTargetForVTableEntry+0x882d GetXMLElement-0x64a4 mscoreei+0x3aa0a @ 0x7460aa0a GetXMLObject+0x5df6 LockClrVersion-0xb83 mscoreei+0x1a27f @ 0x745ea27f LockClrVersion+0xd01 CorBindToRuntimeByPath-0x242e mscoreei+0x1bb03 @ 0x745ebb03 LockClrVersion+0x685 CorBindToRuntimeByPath-0x2aaa mscoreei+0x1b487 @ 0x745eb487 LockClrVersion+0x2b5a CorBindToRuntimeByPath-0x5d5 mscoreei+0x1d95c @ 0x745ed95c ND_WU1+0xc2f _CorExeMain-0x5ac mscoreei+0xef86 @ 0x745def86 ND_WU1+0xded _CorExeMain-0x3ee mscoreei+0xf144 @ 0x745df144 ND_WU1+0x109c _CorExeMain-0x13f mscoreei+0xf3f3 @ 0x745df3f3 ND_WU1+0x1166 _CorExeMain-0x75 mscoreei+0xf4bd @ 0x745df4bd _CorExeMain+0x54 GetFileVersion-0x2957 mscoreei+0xf586 @ 0x745df586 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x728f3f46 registers.esp: 2869064 registers.edi: 0 registers.eax: 1921990470 registers.ebp: 2869104 registers.edx: 0 registers.ebx: 0 registers.esi: 1921990470 registers.ecx: 9112936	1
__exception__ Nov. 2, 2022, 4:41 p.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a SHGetDataFromIDListW+0x314 SHGetFolderPathAndSubDirW-0x2832 shell32+0x328ef @ 0x75d528ef ShellExecuteExW+0x5e1 SHGetNameFromIDList-0x8629 shell32+0x22427 @ 0x75d42427 SHGetMalloc+0x17e0 ShellExecuteExW-0x64 shell32+0x21de2 @ 0x75d41de2 ShellExecuteExW+0xb4 SHGetNameFromIDList-0x8b56 shell32+0x21efa @ 0x75d41efa ShellExecuteExW+0x42 SHGetNameFromIDList-0x8bc8 shell32+0x21e88 @ 0x75d41e88 New_shell32_ShellExecuteExW@4+0x1fa New_srvcli_NetShareEnum@28-0x8f @ 0x74675f28 ShellExecuteW+0x77 PathResolve-0x6af shell32+0x13ce8 @ 0x75d33ce8 LockClrVersion+0x14ac CorBindToRuntimeByPath-0x1c83 mscoreei+0x1c2ae @ 0x745ec2ae LockClrVersion+0x685 CorBindToRuntimeByPath-0x2aaa mscoreei+0x1b487 @ 0x745eb487 LockClrVersion+0x2b5a CorBindToRuntimeByPath-0x5d5 mscoreei+0x1d95c @ 0x745ed95c ND_WU1+0xc2f _CorExeMain-0x5ac mscoreei+0xef86 @ 0x745def86 ND_WU1+0xded _CorExeMain-0x3ee mscoreei+0xf144 @ 0x745df144 ND_WU1+0x109c _CorExeMain-0x13f mscoreei+0xf3f3 @ 0x745df3f3 ND_WU1+0x1166 _CorExeMain-0x75 mscoreei+0xf4bd @ 0x745df4bd _CorExeMain+0x54 GetFileVersion-0x2957 mscoreei+0xf586 @ 0x745df586 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x728f3f46 registers.esp: 2874284 registers.edi: 0 registers.eax: 1921990470 registers.ebp: 2874324 registers.edx: 0 registers.ebx: 0 registers.esi: 1921990470 registers.ecx: 9112936	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Performs some HTTP requests (3 events)

request	GET http://geoplugin.net/json.gp
request	GET http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

Allocates read-write-execute memory (usually to unpack itself) (50 out of 389 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:40 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05151000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0515c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0515d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0515e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01391000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01396000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01397000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01398000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0245a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02941000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02942000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0248a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02463000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02464000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

RegSvcs.exe tried to sleep 271 seconds, actually delayed analysis time by 271 seconds

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2952 crashed
__exception__ Nov. 2, 2022, 4:42 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 102298248 registers.edi: 83796132 registers.eax: 102298248 registers.ebp: 102298328 registers.edx: 192 registers.ebx: 102298612 registers.esi: 2147746133 registers.ecx: 83634296	1	0	0
__exception__ Nov. 2, 2022, 4:42 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 62643232 registers.edi: 1974991376 registers.eax: 62643232 registers.ebp: 62643312 registers.edx: 1 registers.ebx: 5677236 registers.esi: 2147746133 registers.ecx: 600871862	1	0	0

Application Crash

Process iexplore.exe with pid 2952 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 2, 2022, 4:42 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 102298248
registers.edi: 83796132
registers.eax: 102298248
registers.ebp: 102298328
registers.edx: 192
registers.ebx: 102298612
registers.esi: 2147746133
registers.ecx: 83634296

__exception__

Nov. 2, 2022, 4:42 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 62643232
registers.edi: 1974991376
registers.eax: 62643232
registers.ebp: 62643312
registers.edx: 1
registers.ebx: 5677236
registers.esi: 2147746133
registers.ecx: 600871862

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0
cmdline	"Powershell" Copy-Item 'C:\Users\test22\AppData\Local\Temp\eurob.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systemds.exe'
cmdline	svchost.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Nov. 2, 2022, 4:41 p.m.	thread_identifier: 2560 thread_handle: 0x00000244 process_identifier: 2556 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "Powershell" Copy-Item 'C:\Users\test22\AppData\Local\Temp\eurob.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systemds.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000024c	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05080000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0009da00', u'virtual_address': u'0x00002000', u'entropy': 7.94332284515186, u'name': u'.text', u'virtual_size': u'0x0009d8ac'}

entropy

7.94332284515

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00008400', u'virtual_address': u'0x000a2000', u'entropy': 6.848242451527721, u'name': u'.rsrc', u'virtual_size': u'0x000083b4'}

entropy

6.84824245153

description

A section with a high entropy has been found

entropy

0.999246987952

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 2, 2022, 4:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 2, 2022, 4:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 85 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:79875
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 132fa54cfbfab3e4bfe566b520e3a5b20810e1e6
buffer	Buffer with sha1: c7e45e550d183f01b5c9d6894d333f43e8389145

Communicates with host for which no DNS query was performed (2 events)

host	117.18.232.200
host	45.137.22.236

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2612 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0	0

Potential code injection by writing to the memory of another process (11 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $B®¿!ÏÑrÏÑrÏÑr²S rÏÑr²S"r¡ÏÑr²S#rÏÑr·UrÏÑrorÏÑr«ÒsÏÑr«Ôs<ÏÑr«Õs$ÏÑr·BrÏÑrÏÐr*ÎÑr³ØsgÏÑr³.rÏÑr³ÓsÏÑrRichÏÑrPELcàD¤'`@ðXºð`K°¬98¤H@`¬.textKCD `.rdatas`tH@@.data,\à¼@À.tls @Ê@À.gfids0PÌ@@.rsrcK`LÐ@@.reloc¬9°:@B base_address: 0x00400000 process_identifier: 2612 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ l¥Ep¨Ej¥E..páFLöFLöFLöFLöFLöFLöFLöFLöFLöFtáFPöFPöFPöFPöFPöFPöFPöFxáFÿÿÿÿp¨EâFâFâFâFâFxáFðªEp¬E¸ºEØáFpçFCPSTPDT âFàâFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpçFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3XF`3AdF6ApF%3AtfE.?AVtype_info@@tfE.?AVbad_alloc@std@@tfE.?AVbad_array_new_length@std@@tfE.?AVlogic_error@std@@tfE.?AVlength_error@std@@tfE.?AVout_of_range@std@@tfE.?AV_Facet_base@std@@tfE.?AV_Locimp@locale@std@@tfE.?AVfacet@locale@std@@tfE.?AU_Crt_new_delete@std@@tfE.?AVcodecvt_base@std@@tfE.?AUctype_base@std@@tfE.?AV?$ctype@D@std@@tfE.?AV?$codecvt@DDU_Mbstatet@@@std@@tfE.?AVbad_exception@std@@tfE.HtfE.?AVfailure@ios_base@std@@tfE.?AVruntime_error@std@@tfE.?AVsystem_error@std@@tfE.?AVbad_cast@std@@tfE.?AV_System_error@std@@tfE.?AVexception@std@@ base_address: 0x0046e000 process_identifier: 2612 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x00474000 process_identifier: 2612 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: k>àú>H>9Â>êÄüu¦uZX.X?>Í-Í±-Y->>bÒaÎ¾áÜà×h2VîVîVÎXö¨Î©±¸SléVì£òóôðµb£V5ó9 b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00475000 process_identifier: 2612 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2612 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2736 process_handle: 0x0000012c	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x7efde008 process_identifier: 1172 process_handle: 0x000001cc	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2552 process_handle: 0x00000284	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2596 process_handle: 0x00000338	1	1
WriteProcessMemory Nov. 2, 2022, 4:42 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2480 process_handle: 0x00000340	1	1
WriteProcessMemory Nov. 2, 2022, 4:42 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2836 process_handle: 0x000002cc	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $B®¿!ÏÑrÏÑrÏÑr²S rÏÑr²S"r¡ÏÑr²S#rÏÑr·UrÏÑrorÏÑr«ÒsÏÑr«Ôs<ÏÑr«Õs$ÏÑr·BrÏÑrÏÐr*ÎÑr³ØsgÏÑr³.rÏÑr³ÓsÏÑrRichÏÑrPELcàD¤'`@ðXºð`K°¬98¤H@`¬.textKCD `.rdatas`tH@@.data,\à¼@À.tls @Ê@À.gfids0PÌ@@.rsrcK`LÐ@@.reloc¬9°:@B base_address: 0x00400000 process_identifier: 2612 process_handle: 0x00000268	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Nov. 2, 2022, 4:41 p.m.	thread_identifier: 0 callback_function: 0x0040932c hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	1245627	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	RegSvcs.exe				useragent
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (14 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1440 called NtSetContextThread to modify thread in remote process 2612
Process injection	Process 2612 called NtSetContextThread to modify thread in remote process 2736
Process injection	Process 2612 called NtSetContextThread to modify thread in remote process 1172
Process injection	Process 2612 called NtSetContextThread to modify thread in remote process 2552
Process injection	Process 2612 called NtSetContextThread to modify thread in remote process 2596
Process injection	Process 2612 called NtSetContextThread to modify thread in remote process 2480
Process injection	Process 2612 called NtSetContextThread to modify thread in remote process 2836
NtSetContextThread Nov. 2, 2022, 4:41 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4401060 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000264 process_identifier: 2612	1	0	0
NtSetContextThread Nov. 2, 2022, 4:41 p.m.	registers.eip: 2005598660 registers.esp: 1570976 registers.edi: 0 registers.eax: 754846 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000128 process_identifier: 2736	1	0	0
NtSetContextThread Nov. 2, 2022, 4:41 p.m.	registers.eip: 2005598660 registers.esp: 2358520 registers.edi: 0 registers.eax: 754846 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001d8 process_identifier: 1172	1	0	0
NtSetContextThread Nov. 2, 2022, 4:41 p.m.	registers.eip: 2005598660 registers.esp: 2882316 registers.edi: 0 registers.eax: 1016990 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000150 process_identifier: 2552	1	0	0
NtSetContextThread Nov. 2, 2022, 4:41 p.m.	registers.eip: 2005598660 registers.esp: 2554960 registers.edi: 0 registers.eax: 754846 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000030c process_identifier: 2596	1	0	0
NtSetContextThread Nov. 2, 2022, 4:42 p.m.	registers.eip: 2005598660 registers.esp: 587924 registers.edi: 0 registers.eax: 1279134 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000334 process_identifier: 2480	1	0	0
NtSetContextThread Nov. 2, 2022, 4:42 p.m.	registers.eip: 2005598660 registers.esp: 785324 registers.edi: 0 registers.eax: 1279134 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000015c process_identifier: 2836	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (18 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1440 resumed a thread in remote process 2612
Process injection	Process 2612 resumed a thread in remote process 2736
Process injection	Process 2612 resumed a thread in remote process 1172
Process injection	Process 2612 resumed a thread in remote process 2552
Process injection	Process 2612 resumed a thread in remote process 2596
Process injection	Process 2612 resumed a thread in remote process 2480
Process injection	Process 2612 resumed a thread in remote process 2836
Process injection	Process 2952 resumed a thread in remote process 3028
Process injection	Process 2952 resumed a thread in remote process 2640
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2612	1	0	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2736	1	0	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x000001d8 suspend_count: 1 process_identifier: 1172	1	0	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2552	1	0	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 2596	1	0	0
NtResumeThread Nov. 2, 2022, 4:42 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2480	1	0	0
NtResumeThread Nov. 2, 2022, 4:42 p.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 2836	1	0	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 3028	1	0	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2640	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.56.103:49255

Executed a process and injected code into it, probably while unpacking (50 out of 88 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 2, 2022, 4:40 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread Nov. 2, 2022, 4:40 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread Nov. 2, 2022, 4:40 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 1440	1	0
CreateProcessInternalW Nov. 2, 2022, 4:41 p.m.	thread_identifier: 2560 thread_handle: 0x00000244 process_identifier: 2556 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "Powershell" Copy-Item 'C:\Users\test22\AppData\Local\Temp\eurob.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systemds.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000024c	1	1
CreateProcessInternalW Nov. 2, 2022, 4:41 p.m.	thread_identifier: 2616 thread_handle: 0x00000264 process_identifier: 2612 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000268	1	1
NtGetContextThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x00000264	1	0
NtAllocateVirtualMemory Nov. 2, 2022, 4:41 p.m.	process_identifier: 2612 region_size: 520192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268	1	0
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $B®¿!ÏÑrÏÑrÏÑr²S rÏÑr²S"r¡ÏÑr²S#rÏÑr·UrÏÑrorÏÑr«ÒsÏÑr«Ôs<ÏÑr«Õs$ÏÑr·BrÏÑrÏÐr*ÎÑr³ØsgÏÑr³.rÏÑr³ÓsÏÑrRichÏÑrPELcàD¤'`@ðXºð`K°¬98¤H@`¬.textKCD `.rdatas`tH@@.data,\à¼@À.tls @Ê@À.gfids0PÌ@@.rsrcK`LÐ@@.reloc¬9°:@B base_address: 0x00400000 process_identifier: 2612 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x00401000 process_identifier: 2612 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x00456000 process_identifier: 2612 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ l¥Ep¨Ej¥E..páFLöFLöFLöFLöFLöFLöFLöFLöFLöFtáFPöFPöFPöFPöFPöFPöFPöFxáFÿÿÿÿp¨EâFâFâFâFâFxáFðªEp¬E¸ºEØáFpçFCPSTPDT âFàâFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpçFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3XF`3AdF6ApF%3AtfE.?AVtype_info@@tfE.?AVbad_alloc@std@@tfE.?AVbad_array_new_length@std@@tfE.?AVlogic_error@std@@tfE.?AVlength_error@std@@tfE.?AVout_of_range@std@@tfE.?AV_Facet_base@std@@tfE.?AV_Locimp@locale@std@@tfE.?AVfacet@locale@std@@tfE.?AU_Crt_new_delete@std@@tfE.?AVcodecvt_base@std@@tfE.?AUctype_base@std@@tfE.?AV?$ctype@D@std@@tfE.?AV?$codecvt@DDU_Mbstatet@@@std@@tfE.?AVbad_exception@std@@tfE.HtfE.?AVfailure@ios_base@std@@tfE.?AVruntime_error@std@@tfE.?AVsystem_error@std@@tfE.?AVbad_cast@std@@tfE.?AV_System_error@std@@tfE.?AVexception@std@@ base_address: 0x0046e000 process_identifier: 2612 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x00474000 process_identifier: 2612 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: k>àú>H>9Â>êÄüu¦uZX.X?>Í-Í±-Y->>bÒaÎ¾áÜà×h2VîVîVÎXö¨Î©±¸SléVì£òóôðµb£V5ó9 b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00475000 process_identifier: 2612 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x00476000 process_identifier: 2612 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x0047b000 process_identifier: 2612 process_handle: 0x00000268	1	1
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2612 process_handle: 0x00000268	1	1
NtSetContextThread Nov. 2, 2022, 4:41 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4401060 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000264 process_identifier: 2612	1	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2612	1	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 2556	1	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x00000498 suspend_count: 1 process_identifier: 2556	1	0
CreateProcessInternalW Nov. 2, 2022, 4:41 p.m.	thread_identifier: 2740 thread_handle: 0x00000128 process_identifier: 2736 current_directory: filepath: track: 1 command_line: svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000012c	1	1
NtGetContextThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x00000128	1	0
NtMapViewOfSection Nov. 2, 2022, 4:41 p.m.	section_handle: 0x00000134 process_identifier: 2736 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x000b0000 allocation_type: 0 () section_offset: 0 view_size: 57344 process_handle: 0x0000012c	1	0
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2736 process_handle: 0x0000012c	1	1
NtSetContextThread Nov. 2, 2022, 4:41 p.m.	registers.eip: 2005598660 registers.esp: 1570976 registers.edi: 0 registers.eax: 754846 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000128 process_identifier: 2736	1	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2736	1	0
CreateProcessInternalW Nov. 2, 2022, 4:41 p.m.	thread_identifier: 1488 thread_handle: 0x000001d8 process_identifier: 1172 current_directory: filepath: track: 1 command_line: svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001cc	1	1
NtGetContextThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x000001d8	1	0
NtMapViewOfSection Nov. 2, 2022, 4:41 p.m.	section_handle: 0x00000154 process_identifier: 1172 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x000b0000 allocation_type: 0 () section_offset: 0 view_size: 57344 process_handle: 0x000001cc	1	0
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x7efde008 process_identifier: 1172 process_handle: 0x000001cc	1	1
NtSetContextThread Nov. 2, 2022, 4:41 p.m.	registers.eip: 2005598660 registers.esp: 2358520 registers.edi: 0 registers.eax: 754846 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001d8 process_identifier: 1172	1	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x000001d8 suspend_count: 1 process_identifier: 1172	1	0
CreateProcessInternalW Nov. 2, 2022, 4:41 p.m.	thread_identifier: 2684 thread_handle: 0x00000150 process_identifier: 2552 current_directory: filepath: track: 1 command_line: svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000284	1	1
NtGetContextThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x00000150	1	0
NtMapViewOfSection Nov. 2, 2022, 4:41 p.m.	section_handle: 0x0000032c process_identifier: 2552 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x000f0000 allocation_type: 0 () section_offset: 0 view_size: 57344 process_handle: 0x00000284	1	0
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2552 process_handle: 0x00000284	1	1
NtSetContextThread Nov. 2, 2022, 4:41 p.m.	registers.eip: 2005598660 registers.esp: 2882316 registers.edi: 0 registers.eax: 1016990 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000150 process_identifier: 2552	1	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW Nov. 2, 2022, 4:41 p.m.	thread_identifier: 2396 thread_handle: 0x0000030c process_identifier: 2596 current_directory: filepath: track: 1 command_line: svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000338	1	1
NtGetContextThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x0000030c	1	0
NtMapViewOfSection Nov. 2, 2022, 4:41 p.m.	section_handle: 0x0000033c process_identifier: 2596 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x000b0000 allocation_type: 0 () section_offset: 0 view_size: 57344 process_handle: 0x00000338	1	0
WriteProcessMemory Nov. 2, 2022, 4:41 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2596 process_handle: 0x00000338	1	1
NtSetContextThread Nov. 2, 2022, 4:41 p.m.	registers.eip: 2005598660 registers.esp: 2554960 registers.edi: 0 registers.eax: 754846 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000030c process_identifier: 2596	1	0
NtResumeThread Nov. 2, 2022, 4:41 p.m.	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 2596	1	0
CreateProcessInternalW Nov. 2, 2022, 4:42 p.m.	thread_identifier: 2012 thread_handle: 0x00000334 process_identifier: 2480 current_directory: filepath: track: 1 command_line: svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000340	1	1
NtGetContextThread Nov. 2, 2022, 4:42 p.m.	thread_handle: 0x00000334	1	0
NtMapViewOfSection Nov. 2, 2022, 4:42 p.m.	section_handle: 0x00000348 process_identifier: 2480 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x00130000 allocation_type: 0 () section_offset: 0 view_size: 57344 process_handle: 0x00000340	1	0

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Bkav	W32.AIDetectNet.01
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 005944cf1 )
Alibaba	TrojanPSW:MSIL/Agensla.54ffdcb5
K7GW	Trojan ( 005944cf1 )
Cybereason	malicious.e0f6f5
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AGFG
Cynet	Malicious (score: 99)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
Avast	Win32:TrojanX-gen [Trj]
Tencent	Win32.Trojan.FalseSign.Imnw
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.3dd5e211cb02f98f
Ikarus	Trojan.MSIL.Crypt
GData	Win32.Backdoor.Remcos.4TM3XX
Avira	TR/Dropper.Gen
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
Microsoft	Trojan:Win32/Remcos.SD!MTB
Google	Detected
AhnLab-V3	Trojan/Win.MSILKrypt.C5287848
McAfee	Artemis!3DD5E211CB02
Malwarebytes	Trojan.MalPack
TrendMicro-HouseCall	TROJ_GEN.R002H0CK122
Rising	Stealer.Agensla!8.13266 (CLOUD)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AGFG!tr
BitDefenderTheta	Gen:NN.ZemsilF.34754.Pm1@aO@AH0h
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

eurob.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All