Summary | ZeroBOX
Downloader HTTP ScreenShot Create Service Internet API P2P DGA Hijack Network Http API persistence FTP Socket Escalate priviledges KeyLogger DNS Code injection Sniff Audio Steal credential PNG Format AntiDebug AntiVM MSOffice File
Category Machine Started Completed
ARCHIVE s1_win7_x6402 March 25, 2023, 12:59 a.m. March 25, 2023, 1:01 a.m.

Archive Untitled-2.workflow/Contents/QuickLook/Preview.png @ Untitled-2.workflow.zip

Summary

Size 111.0KB
Type PNG image data, 1206 x 1162, 8-bit/color RGBA, non-interlaced
MD5 f916f325e5d39fec8ff93922d43002d5
SHA1 d5ef2d09de569b43f2fe78c264fb26646d59671c
SHA256 8d917d525169799dbcb6d6b38374905a0cbb2f492030228e960f614f433b7ba7
SHA512
e72122d45b62f7cfcaae56ac8dad292d48cb14e0981ab540254f6fc618181f3ffa631d33d2bb04db605ecf5dd439423fc3dce58b89eab1e47a32c49579c7e7ce
CRC32 16C43BB4
ssdeep 3072:wVZpDSexYqCXH+z8eHmmmmmmmRLm0m84r7vC4SXj4Oq:wbpDjxYqDfEm0mz/vC4ST4Oq
Yara
  • PNG_Format_Zero - PNG Format

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
117.18.232.200 Active Moloch
164.124.101.2 Active Moloch

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefda5a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 94364144
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 94370096
registers.r11: 94365904
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1923248566
registers.r13: 0
1 0 0
request GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 2232320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000023a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000025c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bad000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bd2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bb4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bd2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc1d5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc1d5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdc44000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdad1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076b9a000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002730000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefa1b7000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef69c9000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef18f9000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1184
region_size: 14159872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002e20000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1184
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003ba0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bad000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bd2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bb4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bd2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc1d5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc1d5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdc44000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdad1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076b9a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076b9f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076b9d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076b9b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077186000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772d6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077181000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076ba0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076b9a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772af000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772bb000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe117000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdbe4000
process_handle: 0xffffffffffffffff
1 0 0
Application Crash Process iexplore.exe with pid 2144 crashed
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefda5a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 94364144
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 94370096
registers.r11: 94365904
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1923248566
registers.r13: 0
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x0000000003ba0000
process_handle: 0xffffffffffffffff
1 0 0
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/941.png
url http://www.expedia.com/favicon.ico
url https://s.pstatic.net/shopping.phinf/20211101_9/6565979b-3e08-4e3d-8514-b2a585c9e46e.jpg
url http://uk.ask.com/favicon.ico
url http://www.priceminister.com/
url https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
url https://s.pstatic.net/static/www/mobile/edit/20210930/mobile_161522481722.png
url http://175.208.134.150:8282/test/test.eml
url http://www.disig.sk/ca/crl/ca_disig.crl0
url http://ru.wikipedia.org/
url http://ocsp.infonotary.com/responder.cgi0V
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fpost.phinf%2FMjAyMTEwMjhfODMg%2FMDAxNjM1NDI3NzQ2NzIy.2dYtsiaZ54mXegxs67agf9wcR5tmDGp1Y4ohBZFgiUwg.sAd2wiczLBiMlHpQAGWMveuOZYV34C-EKWqJcJjoopsg.PNG%2FItRl8seMrlvR8kMW8HHc2emHOvVs.jpg%22
url http://www.merlin.com.pl/favicon.ico
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/477.png
url http://www.cnet.com/favicon.ico
url https://www.semicolonworld.com/public/editor/styles/simditor.css
url https://t1.daumcdn.net/tistory_admin/static/sns/socialShare_big2.png
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url https://rcaptcha.nid.naver.com/rcaptCss?key=f2ZNjcOIuG0ASz
url https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
url http://crl.oces.certifikat.dk/oces.crl0
url https://tistory3.daumcdn.net/tistory/807805/skin/images/btn_reple.gif
url http://www.yceml.net/0559/10408495-1499411010011
url https://ssl.pstatic.net/tveta/libs/1364/1364526/a5068a6f44555ea499da_20211029164146193.jpg
url http://t.static.blog.naver.net/mylog/versioning/JindoComponent-190469086.js
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/529.png
url http://blogimgs.naver.net/nblog/mylog/post/btn_cancel3.gif
url https://siape.veta.naver.com/fxshow?su=SU10599
url https://s.pstatic.net/shopping.phinf/20211013_2/ee5c113b-bfae-4cf3-81e3-2ba12403fc6d.jpg
url https://ssl.pstatic.net/static/pwe/nm/b.gif
url http://search.nifty.com/
url https://castbox.shopping.naver.com/js/lazyload.js
url https://ssl.pstatic.net/tveta/libs/1339/1339221/f1a87c541e410a8250af_20211006100906815.jpg
url http://ns.adobe.com/exif/1.0/
url https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url http://www.etmall.com.tw/
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F20211012_1095%2Fupload_1634015607233BeFLd.JPEG%22
url http://crl.chambersign.org/publicnotaryroot.crl0
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png
url http://search.goo.ne.jp/
url http://fr.wikipedia.org/favicon.ico
url https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url http://busca.estadao.com.br/favicon.ico
url http://search.hanafos.com/favicon.ico
url https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F20211029_1095%2Fupload_1635469564183PpB2J.jpg%22
url https://s.pstatic.net/static/newsstand/2020/logo/light/0604/038.png
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Take ScreenShot rule ScreenShot
description Communications use DNS rule Network_DNS
description Match Windows Inet API call rule Str_Win32_Internet_API
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description PWS Memory rule Generic_PWS_Memory_Zero
description Hijack network configuration rule Hijack_Network
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Steal credential rule local_credential_Steal
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
description File Downloader rule Network_Downloader
description Escalate priviledges rule Escalate_priviledges
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Install itself for autorun at Windows startup rule Persistence
description Communications over FTP rule Network_FTP
description Match Windows Http API call rule Str_Win32_Http_API
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Take ScreenShot rule ScreenShot
description Communications use DNS rule Network_DNS
description Match Windows Inet API call rule Str_Win32_Internet_API
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description PWS Memory rule Generic_PWS_Memory_Zero
description Hijack network configuration rule Hijack_Network
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2144 CREDAT:145409
host 117.18.232.200
url http://175.208.134.150:8282/test/test.eml
url http://175.208.134.150:8282/favicon.ico
url http://192.168.3.119/
url https://192.168.3.119/
Process injection Process 2144 resumed a thread in remote process 1184
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000000000000368
suspend_count: 1
process_identifier: 1184
1 0 0