Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 9, 2023, 1:51 p.m.	March 9, 2023, 1:53 p.m.

Size	627.9KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`d543b38b01f033815b048cd17cd658dd`
SHA256	`b8a7a405433e2382aeafcac799e1031cd0ef3016bbfd180f490f37f225ca9584`
CRC32	`FDCB5A64`
ssdeep	`12288:ZUk6NAQQU+f1ojhDtNXjhlGzVk+0qCNS20ESkJ/H0:2kGXyAfCVp07NS20Ex/H0`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check PE_Header_Zero - PE File Signature IsPE64 - (no description)

Fix.exe "C:\Users\test22\AppData\Local\Temp\Fix.exe"
2660
- cmd.exe "C:\Windows\System32\cmd.exe" /c title J A I E F R A&color 0a&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "autoUpdatePreview" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "canDownloadModels" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "enableAnonDataCollection" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "fileLoggingEnabled" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "forceLogin" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "ia0" /t "REG_SZ" /d "aWk=" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "lastLoggedInUserName" /t "REG_SZ" /d "JAIEFRA" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "userPw" /t "REG_SZ" /d "JAIEFRA" /f&echo.&echo Successfully completed.&ping -n 2 localhost >nul&cls&echo.&echo Successfully completed..&ping -n 2 localhost >nul&cls&echo.&echo Successfully completed...&ping -n 2 localhost >nul&start https://www.jaiefra.com
  2784
  - reg.exe reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "autoUpdatePreview" /t "REG_SZ" /d "false" /f
    2872
  - reg.exe reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "canDownloadModels" /t "REG_SZ" /d "false" /f
    2916
  - reg.exe reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "enableAnonDataCollection" /t "REG_SZ" /d "false" /f
    2960
  - reg.exe reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "fileLoggingEnabled" /t "REG_SZ" /d "false" /f
    3004
  - reg.exe reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "forceLogin" /t "REG_SZ" /d "false" /f
    3048
  - reg.exe reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "ia0" /t "REG_SZ" /d "aWk=" /f
    812
  - reg.exe reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "lastLoggedInUserName" /t "REG_SZ" /d "JAIEFRA" /f
    1384
  - reg.exe reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "userPw" /t "REG_SZ" /d "JAIEFRA" /f
    1484
  - PING.EXE ping -n 2 localhost
    2164
  - PING.EXE ping -n 2 localhost
    2264
  - PING.EXE ping -n 2 localhost
    2356
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
    2628
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2628 CREDAT:145409
      2708
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
use.fontawesome.com	CNAME use.fontawesome.com.cdn.cloudflare.net A 172.64.133.15 A 172.64.132.15	172.64.132.15
www.jaiefra.com	CNAME ghs.google.com A 142.250.76.147	142.250.76.147
cdn.jsdelivr.net	CNAME cdn.jsdelivr.net.cdn.cloudflare.net A 104.16.86.20 A 104.16.85.20 A 104.16.88.20 A 104.16.87.20 A 104.16.89.20	104.16.86.20
fonts.gstatic.com	A 142.250.207.99	142.250.207.99
scontent-ssn1-1.xx.fbcdn.net	A 157.240.215.14	157.240.215.14
unpkg.com	A 104.16.124.175 A 104.16.123.175 A 104.16.126.175 A 104.16.125.175 A 104.16.122.175	104.16.123.175
static.xx.fbcdn.net	CNAME scontent.xx.fbcdn.net A 157.240.215.14	157.240.215.14
i.imgur.com	CNAME ipv4.imgur.map.fastly.net A 151.101.24.193	151.101.40.193
fonts.googleapis.com	A 142.250.207.106	142.250.207.106
www.blogger.com	CNAME blogger.l.google.com A 142.250.206.233	142.250.206.233
www.facebook.com	CNAME star-mini.c10r.facebook.com A 157.240.215.35	157.240.215.35
2.bp.blogspot.com	CNAME photos-ugc.l.googleusercontent.com A 172.217.25.161	172.217.25.161
connect.facebook.net	CNAME scontent.xx.fbcdn.net A 157.240.215.14	157.240.215.14
cdnjs.cloudflare.com	A 104.17.25.14 A 104.17.24.14	104.17.25.14

IP Address	Status	Action
104.16.124.175	Active	Moloch
104.16.86.20	Active	Moloch
104.17.25.14	Active	Moloch
117.18.232.200	Active	Moloch
142.250.206.233	Active	Moloch
142.250.207.106	Active	Moloch
142.250.207.99	Active	Moloch
142.250.76.147	Active	Moloch
151.101.24.193	Active	Moloch
157.240.215.14	Active	Moloch
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.161	Active	Moloch
172.64.133.15	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49189 -> 104.17.25.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49187 -> 142.250.207.106:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 142.250.76.147:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 142.250.76.147:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49200 -> 142.250.207.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49197 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49199 -> 142.250.207.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 104.16.86.20:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 142.250.206.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49188 -> 104.17.25.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49193 -> 151.101.24.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49186 -> 142.250.207.106:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 104.16.86.20:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 104.16.124.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 142.250.206.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 142.250.207.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 142.250.207.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49195 -> 151.101.24.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49190 -> 151.101.24.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49191 -> 151.101.24.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 172.64.133.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49194 -> 151.101.24.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49192 -> 151.101.24.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 172.217.25.161:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 172.64.133.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49216 -> 172.217.25.161:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49218 -> 142.250.207.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49220 -> 151.101.24.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49230 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49225 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49227 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49235 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49221 -> 151.101.24.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49217 -> 151.101.24.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49228 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49233 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49226 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49231 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49185 -> 142.250.207.106:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49204 -> 104.16.86.20:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49211 -> 104.16.124.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 142.250.207.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 142.250.207.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49207 -> 172.64.133.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 142.250.207.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49219 -> 151.101.24.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49222 -> 151.101.24.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49229 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49232 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49234 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49236 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49237 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49189 104.17.25.14:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	67:d0:35:19:c9:22:af:5c:3d:b9:30:de:5f:94:56:46:43:26:3c:26
TLSv1 192.168.56.101:49187 142.250.207.106:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	0d:3f:c1:7d:9e:00:7f:70:7c:c7:ac:be:1f:6c:3b:60:00:eb:e1:54
TLSv1 192.168.56.101:49183 142.250.76.147:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=www.jaiefra.com	96:97:74:76:8b:1a:3d:98:54:f3:97:f4:31:7c:a7:8d:2a:33:b9:39
TLSv1 192.168.56.101:49184 142.250.76.147:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=www.jaiefra.com	96:97:74:76:8b:1a:3d:98:54:f3:97:f4:31:7c:a7:8d:2a:33:b9:39
TLSv1 192.168.56.101:49200 142.250.207.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	46:f9:cf:a6:46:c2:48:4c:99:e2:86:f6:db:80:20:22:15:ef:9e:e8
TLSv1 192.168.56.101:49197 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	f0:56:df:ba:d3:56:fc:d0:b6:d3:0b:23:8c:85:07:06:9c:39:2c:84
TLSv1 192.168.56.101:49196 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	f0:56:df:ba:d3:56:fc:d0:b6:d3:0b:23:8c:85:07:06:9c:39:2c:84
TLSv1 192.168.56.101:49199 142.250.207.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	46:f9:cf:a6:46:c2:48:4c:99:e2:86:f6:db:80:20:22:15:ef:9e:e8
TLSv1 192.168.56.101:49206 104.16.86.20:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:4e:38:d2:ab:0c:39:fc:95:85:66:54:9f:99:0d:44:27:5c:db:d4
TLSv1 192.168.56.101:49213 142.250.206.233:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.blogger.com	0b:7f:43:3a:a7:56:b8:af:94:6e:60:f9:ed:04:04:6b:1d:55:c9:33
TLSv1 192.168.56.101:49188 104.17.25.14:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	67:d0:35:19:c9:22:af:5c:3d:b9:30:de:5f:94:56:46:43:26:3c:26
TLSv1 192.168.56.101:49193 151.101.24.193:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=Imgur, Inc., CN=*.imgur.com	3a:86:9a:d0:bd:e1:27:71:2e:3f:a1:3a:19:cd:83:20:2e:3c:8a:2c
TLSv1 192.168.56.101:49186 142.250.207.106:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	0d:3f:c1:7d:9e:00:7f:70:7c:c7:ac:be:1f:6c:3b:60:00:eb:e1:54
TLSv1 192.168.56.101:49205 104.16.86.20:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:4e:38:d2:ab:0c:39:fc:95:85:66:54:9f:99:0d:44:27:5c:db:d4
TLSv1 192.168.56.101:49210 104.16.124.175:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	32:c4:31:6f:04:83:8a:15:8f:fd:32:03:3f:45:60:ea:f1:66:87:7e
TLSv1 192.168.56.101:49212 142.250.206.233:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.blogger.com	0b:7f:43:3a:a7:56:b8:af:94:6e:60:f9:ed:04:04:6b:1d:55:c9:33
TLSv1 192.168.56.101:49202 142.250.207.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	46:f9:cf:a6:46:c2:48:4c:99:e2:86:f6:db:80:20:22:15:ef:9e:e8
TLSv1 192.168.56.101:49203 142.250.207.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	46:f9:cf:a6:46:c2:48:4c:99:e2:86:f6:db:80:20:22:15:ef:9e:e8
TLSv1 192.168.56.101:49190 151.101.24.193:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=Imgur, Inc., CN=*.imgur.com	3a:86:9a:d0:bd:e1:27:71:2e:3f:a1:3a:19:cd:83:20:2e:3c:8a:2c
TLSv1 192.168.56.101:49191 151.101.24.193:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=Imgur, Inc., CN=*.imgur.com	3a:86:9a:d0:bd:e1:27:71:2e:3f:a1:3a:19:cd:83:20:2e:3c:8a:2c
TLSv1 192.168.56.101:49195 151.101.24.193:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=Imgur, Inc., CN=*.imgur.com	3a:86:9a:d0:bd:e1:27:71:2e:3f:a1:3a:19:cd:83:20:2e:3c:8a:2c
TLSv1 192.168.56.101:49208 172.64.133.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	f8:b8:f9:45:bf:19:61:f1:60:e0:b4:af:f4:e5:96:31:40:a4:84:69
TLSv1 192.168.56.101:49194 151.101.24.193:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=Imgur, Inc., CN=*.imgur.com	3a:86:9a:d0:bd:e1:27:71:2e:3f:a1:3a:19:cd:83:20:2e:3c:8a:2c
TLSv1 192.168.56.101:49192 151.101.24.193:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=Imgur, Inc., CN=*.imgur.com	3a:86:9a:d0:bd:e1:27:71:2e:3f:a1:3a:19:cd:83:20:2e:3c:8a:2c
TLSv1 192.168.56.101:49209 172.64.133.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	f8:b8:f9:45:bf:19:61:f1:60:e0:b4:af:f4:e5:96:31:40:a4:84:69
TLSv1 192.168.56.101:49216 172.217.25.161:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=misc-sni.blogspot.com	d3:bf:c3:cb:9d:93:34:a5:41:0a:34:bb:05:25:d5:b1:b3:cb:7a:45
TLSv1 192.168.56.101:49218 142.250.207.99:443	None	None	None
TLSv1 192.168.56.101:49220 151.101.24.193:443	None	None	None
TLSv1 192.168.56.101:49230 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	f0:56:df:ba:d3:56:fc:d0:b6:d3:0b:23:8c:85:07:06:9c:39:2c:84
TLSv1 192.168.56.101:49225 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	f0:56:df:ba:d3:56:fc:d0:b6:d3:0b:23:8c:85:07:06:9c:39:2c:84
TLSv1 192.168.56.101:49227 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	f0:56:df:ba:d3:56:fc:d0:b6:d3:0b:23:8c:85:07:06:9c:39:2c:84
TLSv1 192.168.56.101:49235 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	f0:56:df:ba:d3:56:fc:d0:b6:d3:0b:23:8c:85:07:06:9c:39:2c:84
TLSv1 192.168.56.101:49221 151.101.24.193:443	None	None	None
TLSv1 192.168.56.101:49215 172.217.25.161:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=misc-sni.blogspot.com	d3:bf:c3:cb:9d:93:34:a5:41:0a:34:bb:05:25:d5:b1:b3:cb:7a:45
TLSv1 192.168.56.101:49217 151.101.24.193:443	None	None	None
TLSv1 192.168.56.101:49228 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	f0:56:df:ba:d3:56:fc:d0:b6:d3:0b:23:8c:85:07:06:9c:39:2c:84
TLSv1 192.168.56.101:49224 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	f0:56:df:ba:d3:56:fc:d0:b6:d3:0b:23:8c:85:07:06:9c:39:2c:84
TLSv1 192.168.56.101:49233 157.240.215.14:443	None	None	None
TLSv1 192.168.56.101:49226 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	f0:56:df:ba:d3:56:fc:d0:b6:d3:0b:23:8c:85:07:06:9c:39:2c:84
TLSv1 192.168.56.101:49231 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	f0:56:df:ba:d3:56:fc:d0:b6:d3:0b:23:8c:85:07:06:9c:39:2c:84
TLSv1 192.168.56.101:49185 142.250.207.106:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	0d:3f:c1:7d:9e:00:7f:70:7c:c7:ac:be:1f:6c:3b:60:00:eb:e1:54
TLSv1 192.168.56.101:49204 104.16.86.20:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:4e:38:d2:ab:0c:39:fc:95:85:66:54:9f:99:0d:44:27:5c:db:d4
TLSv1 192.168.56.101:49211 104.16.124.175:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	32:c4:31:6f:04:83:8a:15:8f:fd:32:03:3f:45:60:ea:f1:66:87:7e
TLSv1 192.168.56.101:49198 142.250.207.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	46:f9:cf:a6:46:c2:48:4c:99:e2:86:f6:db:80:20:22:15:ef:9e:e8
TLSv1 192.168.56.101:49201 142.250.207.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	46:f9:cf:a6:46:c2:48:4c:99:e2:86:f6:db:80:20:22:15:ef:9e:e8
TLSv1 192.168.56.101:49207 172.64.133.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	f8:b8:f9:45:bf:19:61:f1:60:e0:b4:af:f4:e5:96:31:40:a4:84:69
TLSv1 192.168.56.101:49214 142.250.207.99:443	None	None	None
TLSv1 192.168.56.101:49219 151.101.24.193:443	None	None	None
TLSv1 192.168.56.101:49222 151.101.24.193:443	None	None	None
TLSv1 192.168.56.101:49229 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	f0:56:df:ba:d3:56:fc:d0:b6:d3:0b:23:8c:85:07:06:9c:39:2c:84
TLSv1 192.168.56.101:49232 157.240.215.14:443	None	None	None
TLSv1 192.168.56.101:49234 157.240.215.14:443	None	None	None
TLSv1 192.168.56.101:49236 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	f0:56:df:ba:d3:56:fc:d0:b6:d3:0b:23:8c:85:07:06:9c:39:2c:84
TLSv1 192.168.56.101:49237 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	f0:56:df:ba:d3:56:fc:d0:b6:d3:0b:23:8c:85:07:06:9c:39:2c:84

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 9, 2023, 1:44 p.m.	buffer: Successfully completed. console_handle: 0x0000000000000007	1	1
WriteConsoleW March 9, 2023, 1:44 p.m.	buffer: Successfully completed.. console_handle: 0x0000000000000007	1	1
WriteConsoleW March 9, 2023, 1:44 p.m.	buffer: Successfully completed... console_handle: 0x0000000000000007	1	1
WriteConsoleW March 9, 2023, 1:44 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW March 9, 2023, 1:44 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW March 9, 2023, 1:44 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW March 9, 2023, 1:44 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW March 9, 2023, 1:44 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW March 9, 2023, 1:44 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW March 9, 2023, 1:44 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW March 9, 2023, 1:44 p.m.	buffer: The operation completed successfully. console_handle: 0x0000000000000007	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 9, 2023, 1:44 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.didat
section	_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 9, 2023, 1:52 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 112520532 registers.edi: 2879716 registers.eax: 112520532 registers.ebp: 112520612 registers.edx: 3211392 registers.ebx: 112520896 registers.esi: 2147746133 registers.ecx: 2937224	1	0	0
__exception__ March 9, 2023, 1:52 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x71bc540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x71bc52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x71ca0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 79289616 registers.edi: 1953561104 registers.eax: 79289616 registers.ebp: 79289696 registers.edx: 1 registers.ebx: 2652516 registers.esi: 2147746133 registers.ecx: 4156836151	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 9, 2023, 1:52 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 112520532
registers.edi: 2879716
registers.eax: 112520532
registers.ebp: 112520612
registers.edx: 3211392
registers.ebx: 112520896
registers.esi: 2147746133
registers.ecx: 2937224

__exception__

March 9, 2023, 1:52 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x71bc540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x71bc52ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x71ca0ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 79289616
registers.edi: 1953561104
registers.eax: 79289616
registers.ebp: 79289696
registers.edx: 1
registers.ebx: 2652516
registers.esi: 2147746133
registers.ecx: 4156836151

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (45 events)

request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://www.jaiefra.com/
request	GET https://cdnjs.cloudflare.com/ajax/libs/animate.css/4.1.1/animate.min.css
request	GET https://fonts.googleapis.com/css2?family=Roboto:wght@100;300;400;500;700;900&display=swap
request	GET https://fonts.googleapis.com/css2?family=Oswald&display=swap
request	GET https://connect.facebook.net/es_LA/sdk/xfbml.customerchat.js
request	GET https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.6/clipboard.min.js
request	GET https://cdn.jsdelivr.net/gh/zkreations/whale@1.5.5/dist/js/whale.min.js
request	GET https://cdn.jsdelivr.net/gh/danieIabel/rellax@1.8.0/rellax.min.js
request	GET https://unpkg.com/feather-icons
request	GET https://unpkg.com/feather-icons@4.29.0
request	GET https://unpkg.com/feather-icons@4.29.0/dist/feather.min.js
request	GET https://fonts.gstatic.com/s/roboto/v30/KFOkCnqEu92Fr1MmgWxM.woff
request	GET https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Me5g.woff
request	GET https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmYUtvAA.woff
request	GET https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9vAA.woff
request	GET https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmWUlvAA.woff
request	GET https://www.blogger.com/static/v1/widgets/229057146-widgets.js
request	GET https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmSU5vAA.woff
request	GET https://i.imgur.com/nsHW2sD.jpg
request	GET https://i.imgur.com/Dk4kbVR.jpg
request	GET https://i.imgur.com/6MYEl1l.jpg
request	GET https://i.imgur.com/HFGWqH9.jpg
request	GET https://i.imgur.com/2y3RhsW.jpg
request	GET https://use.fontawesome.com/releases/v6.1.1/css/all.css
request	GET https://2.bp.blogspot.com/-6FlMntiv-QM/XHqS-LCeUaI/AAAAAAAAD4M/Ytwi80ug7NMakyJvZKNdhj54iZFjanCMgCLcBGAs/s1600/header-01.jpg
request	GET https://use.fontawesome.com/releases/v5.15.4/css/all.css
request	GET https://fonts.gstatic.com/s/oswald/v49/TK3_WkUHHAIjg75cFRf3bXL8LICs1_FvgUI.woff
request	GET https://i.imgur.com/6kRvFKg.jpg
request	GET https://i.imgur.com/nZtfyNw.jpg
request	GET https://i.imgur.com/lSf6ELo.jpg
request	GET https://i.imgur.com/scAAvrJ.jpg
request	GET https://www.facebook.com/plugins/page.php?adapt_container_width=true&app_id=&channel=https%3A%2F%2Fstaticxx.facebook.com%2Fx%2Fconnect%2Fxd_arbiter%2F%3Fversion%3D46%23cb%3Df34fdb5418190dc%26domain%3Dwww.jaiefra.com%26is_canvas%3Dfalse%26origin%3Dhttps%253A%252F%252Fwww.jaiefra.com%252Ff209ab796ac5354%26relation%3Dparent.parent&container_width=300&hide_cover=false&href=https%3A%2F%2Fwww.facebook.com%2Fjaiefra&locale=es_LA&sdk=joey&show_facepile=false&small_header=false&tabs=&width=
request	GET https://static.xx.fbcdn.net/rsrc.php/v3iWO94/yu/l/es_LA/w3cpxApqWUX.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yW/l/0,cross/sbAUsFSFkMm.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/y1/r/dXk5exdOVhk.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yo/r/J6ifX-SKuSy.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/y5/r/VnkLYxrrsQ6.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yN/l/0,cross/zzibYZcrR6-.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/ye/r/Dkx2xQN1fRV.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yH/r/P8FoGCIGp4L.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yw/r/UXtr_j2Fwe-.png
request	GET https://scontent-ssn1-1.xx.fbcdn.net/v/t39.30808-6/274807150_3110650415868810_6155898568556935251_n.jpg?stp=dst-jpg_p130x130&_nc_cat=104&ccb=1-7&_nc_sid=dd9801&_nc_ohc=YwkpRMD6IQgAX82-_QL&_nc_ht=scontent-ssn1-1.xx&edm=ADwHzz8EAAAA&oh=00_AfCuu1QHp9xS8ATdxkZBk-yOJPB2063OvUNcaglCMdsmCg&oe=640F4ACA
request	GET https://scontent-ssn1-1.xx.fbcdn.net/v/t39.30808-1/309787944_467309492095485_6740795535777712297_n.jpg?stp=cp0_dst-jpg_p50x50&_nc_cat=109&ccb=1-7&_nc_sid=dbb9e7&_nc_ohc=hcNmGrJIxpQAX_WRHMe&_nc_ht=scontent-ssn1-1.xx&edm=ADwHzz8EAAAA&oh=00_AfDP3q8bQdDV7qvBOI7BIV_ACuLIJjOnGQp06pc45clwXg&oe=640D9E97
request	GET https://www.jaiefra.com/favicon.ico

Allocates read-write-execute memory (usually to unpack itself) (50 out of 574 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 9, 2023, 1:44 p.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 region_size: 15863808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73573000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73617000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757c9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75862000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x034e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73392000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:52 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f601000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 region_size: 3346432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x030b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73573000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73617000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757c9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75862000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75867000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75866000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f6d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75858000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7585d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f52000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f42000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75764000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75763000 process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2628 crashed
__exception__ March 9, 2023, 1:52 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 112520532 registers.edi: 2879716 registers.eax: 112520532 registers.ebp: 112520612 registers.edx: 3211392 registers.ebx: 112520896 registers.esi: 2147746133 registers.ecx: 2937224	1	0	0
__exception__ March 9, 2023, 1:52 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x71bc540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x71bc52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x71ca0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 79289616 registers.edi: 1953561104 registers.eax: 79289616 registers.ebp: 79289696 registers.edx: 1 registers.ebx: 2652516 registers.esi: 2147746133 registers.ecx: 4156836151	1	0	0

Application Crash

Process iexplore.exe with pid 2628 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

March 9, 2023, 1:52 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

__exception__

March 9, 2023, 1:52 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x71bc540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x71bc52ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x71ca0ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 79289616
registers.edi: 1953561104
registers.eax: 79289616
registers.ebp: 79289696
registers.edx: 1
registers.ebx: 2652516
registers.esi: 2147746133
registers.ecx: 4156836151

Creates executable files on the filesystem (12 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\Dkx2xQN1fRV[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\whale.min[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\229057146-widgets[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\feather.min[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\xfbml.customerchat[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\rellax.min[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\J6ifX-SKuSy[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\P8FoGCIGp4L[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\dXk5exdOVhk[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\w3cpxApqWUX[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\VnkLYxrrsQ6[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\clipboard.min[1].js

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c title J A I E F R A&color 0a&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "autoUpdatePreview" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "canDownloadModels" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "enableAnonDataCollection" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "fileLoggingEnabled" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "forceLogin" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "ia0" /t "REG_SZ" /d "aWk=" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "lastLoggedInUserName" /t "REG_SZ" /d "JAIEFRA" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "userPw" /t "REG_SZ" /d "JAIEFRA" /f&echo.&echo Successfully completed.&ping -n 2 localhost >nul&cls&echo.&echo Successfully completed..&ping -n 2 localhost >nul&cls&echo.&echo Successfully completed...&ping -n 2 localhost >nul&start https://www.jaiefra.com

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Cynet	Malicious (score: 100)
Zoner	Probably Heur.RARAutorun

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 9, 2023, 1:51 p.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x06e40000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (17 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (13 events)

cmdline	reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "autoUpdatePreview" /t "REG_SZ" /d "false" /f
cmdline	reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "lastLoggedInUserName" /t "REG_SZ" /d "JAIEFRA" /f
cmdline	reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "fileLoggingEnabled" /t "REG_SZ" /d "false" /f
cmdline	reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "ia0" /t "REG_SZ" /d "aWk=" /f
cmdline	"C:\Windows\System32\cmd.exe" /c title J A I E F R A&color 0a&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "autoUpdatePreview" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "canDownloadModels" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "enableAnonDataCollection" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "fileLoggingEnabled" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "forceLogin" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "ia0" /t "REG_SZ" /d "aWk=" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "lastLoggedInUserName" /t "REG_SZ" /d "JAIEFRA" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "userPw" /t "REG_SZ" /d "JAIEFRA" /f&echo.&echo Successfully completed.&ping -n 2 localhost >nul&cls&echo.&echo Successfully completed..&ping -n 2 localhost >nul&cls&echo.&echo Successfully completed...&ping -n 2 localhost >nul&start https://www.jaiefra.com
cmdline	reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "userPw" /t "REG_SZ" /d "JAIEFRA" /f
cmdline	reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "enableAnonDataCollection" /t "REG_SZ" /d "false" /f
cmdline	reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "canDownloadModels" /t "REG_SZ" /d "false" /f
cmdline	cmd /c title J A I E F R A&color 0a&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "autoUpdatePreview" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "canDownloadModels" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "enableAnonDataCollection" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "fileLoggingEnabled" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "forceLogin" /t "REG_SZ" /d "false" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "ia0" /t "REG_SZ" /d "aWk=" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "lastLoggedInUserName" /t "REG_SZ" /d "JAIEFRA" /f&reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "userPw" /t "REG_SZ" /d "JAIEFRA" /f&echo.&echo Successfully completed.&ping -n 2 localhost >nul&cls&echo.&echo Successfully completed..&ping -n 2 localhost >nul&cls&echo.&echo Successfully completed...&ping -n 2 localhost >nul&start https://www.jaiefra.com
cmdline	reg add "HKCU\SOFTWARE\Topaz Labs LLC\Topaz Gigapixel AI\appMain" /v "forceLogin" /t "REG_SZ" /d "false" /f
cmdline	ping -n 2 localhost
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2628 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2660 resumed a thread in remote process 2784
Process injection	Process 2628 resumed a thread in remote process 2708
NtResumeThread March 9, 2023, 1:44 p.m.	thread_handle: 0x0000000000000298 suspend_count: 1 process_identifier: 2784	1	0	0
NtResumeThread March 9, 2023, 1:51 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2708	1	0	0

Fix.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All