Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 12, 2024, 7:55 a.m.	Jan. 12, 2024, 7:57 a.m.

Size	5.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d3420ffb07677d83ab1fd50b1c45c96d`
SHA256	`40d8b1fd2c8d83fd7286d6fe0d0ee76a1f95ba6610bf4cec76d15b3b74acf326`
CRC32	`FA3A5D98`
ssdeep	`98304:147lIc8AXBTRHLb1Q78+J9WsepD3X4wyR7tggMnLVra79t9l96dZ9+vgM8lFyg:1uLXzHV48+WswW+gG98/l9UlLHy`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file UPX_Zero - UPX packed file

love.exe "C:\Users\test22\AppData\Local\Temp\love.exe"
1072
- qq5sQ68.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\qq5sQ68.exe
  444
  - tI9tP63.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\tI9tP63.exe
    2108
    - fS0ej98.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\fS0ej98.exe
      2160
      - 1sV84eY5.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\1sV84eY5.exe
        2212
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
        2272
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2272 CREDAT:145409
        2348
      - 2sz4899.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\2sz4899.exe
        2556
    - 3vI14Vg.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\3vI14Vg.exe
      2996

Name	Response	Post-Analysis Lookup
www.instagram.com	CNAME geo-p42.instagram.com A 157.240.215.174 CNAME z-p42-instagram.c10r.instagram.com	157.240.215.174
instagram.com	A 157.240.215.174	157.240.215.174

IP Address	Status	Action
117.18.232.200	Active	Moloch
157.240.215.174	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49173 -> 157.240.215.174:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 157.240.215.174:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 157.240.215.174:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 157.240.215.174:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 157.240.215.174:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 157.240.215.174:443 -> 192.168.56.103:49176	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 157.240.215.174:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49171 157.240.215.174:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.instagram.com	72:b2:0f:9c:52:65:1e:b6:4f:4c:68:7f:14:65:92:4f:57:75:fb:9d
TLSv1 192.168.56.103:49172 157.240.215.174:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.instagram.com	72:b2:0f:9c:52:65:1e:b6:4f:4c:68:7f:14:65:92:4f:57:75:fb:9d

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Jan. 12, 2024, 7:55 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 12, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Jan. 12, 2024, 7:55 a.m.			0	0
IsDebuggerPresent Jan. 12, 2024, 7:55 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 12, 2024, 7:55 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (42 events)

Time & API	Arguments	Status
__exception__ Jan. 12, 2024, 7:56 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 102560924 registers.edi: 82205364 registers.eax: 102560924 registers.ebp: 102561004 registers.edx: 594 registers.ebx: 102561288 registers.esi: 2147746133 registers.ecx: 82365360	1
__exception__ Jan. 12, 2024, 7:56 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 65525952 registers.edi: 1974991376 registers.eax: 65525952 registers.ebp: 65526032 registers.edx: 1 registers.ebx: 82150212 registers.esi: 2147746133 registers.ecx: 267779381	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x1597eb @ 0x9f97eb 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817588 registers.edi: 10428556 registers.eax: 0 registers.ebp: 2817616 registers.edx: 0 registers.ebx: 42611516 registers.esi: 3 registers.ecx: 42611516	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x1597eb @ 0x9f97eb 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817588 registers.edi: 2817588 registers.eax: 0 registers.ebp: 2817616 registers.edx: 2 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817796	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x1597eb @ 0x9f97eb 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817588 registers.edi: 2817588 registers.eax: 0 registers.ebp: 2817616 registers.edx: 0 registers.ebx: 9839130 registers.esi: 0 registers.ecx: 2817796	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x1597eb @ 0x9f97eb 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817588 registers.edi: 2817588 registers.eax: 0 registers.ebp: 2817616 registers.edx: 2 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817796	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x1597eb @ 0x9f97eb 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817588 registers.edi: 2817588 registers.eax: 0 registers.ebp: 2817616 registers.edx: 0 registers.ebx: 9839130 registers.esi: 0 registers.ecx: 2817796	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x1597eb @ 0x9f97eb 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817588 registers.edi: 2817588 registers.eax: 0 registers.ebp: 2817616 registers.edx: 0 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817796	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d215 @ 0x9fd215 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 10428556 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 4898816 registers.esi: 9093120 registers.ecx: 9093120	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d215 @ 0x9fd215 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d215 @ 0x9fd215 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 2 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d215 @ 0x9fd215 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 9839130 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d215 @ 0x9fd215 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d215 @ 0x9fd215 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 2 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d2f1 @ 0x9fd2f1 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817540 registers.edi: 10428556 registers.eax: 0 registers.ebp: 2817568 registers.edx: 2 registers.ebx: 4898816 registers.esi: 9093120 registers.ecx: 0	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d2f1 @ 0x9fd2f1 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 9839130 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d2f1 @ 0x9fd2f1 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d2f1 @ 0x9fd2f1 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 2 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d2f1 @ 0x9fd2f1 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 9839130 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d2f1 @ 0x9fd2f1 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d2f1 @ 0x9fd2f1 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 2 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d2f1 @ 0x9fd2f1 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 9839130 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d3c3 @ 0x9fd3c3 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 10428556 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 4898816 registers.esi: 9093120 registers.ecx: 2817568	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d3c3 @ 0x9fd3c3 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 2 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d4bd @ 0x9fd4bd 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 10428556 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 4898816 registers.esi: 9093120 registers.ecx: 2535335616	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d4bd @ 0x9fd4bd 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d4bd @ 0x9fd4bd 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d4bd @ 0x9fd4bd 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d553 @ 0x9fd553 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817540 registers.edi: 10428556 registers.eax: 0 registers.ebp: 2817568 registers.edx: 2 registers.ebx: 4898816 registers.esi: 9093120 registers.ecx: 1215525733	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d553 @ 0x9fd553 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 2 registers.ebx: 9839130 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d553 @ 0x9fd553 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 2 registers.ebx: 9839130 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d553 @ 0x9fd553 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc21d9 exception.instruction: div eax exception.module: 2sz4899.exe exception.exception_code: 0xc0000094 exception.offset: 795097 exception.address: 0x9621d9 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 0 registers.ebx: 9839130 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d553 @ 0x9fd553 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 2 registers.ebx: 9839087 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d553 @ 0x9fd553 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 2 registers.ebx: 9839130 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 2sz4899+0x15d553 @ 0x9fd553 2sz4899+0x15b3dc @ 0x9fb3dc 2sz4899+0xe58dc @ 0x9858dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 2sz4899+0xc2204 exception.instruction: ud2 exception.module: 2sz4899.exe exception.exception_code: 0xc000001d exception.offset: 795140 exception.address: 0x962204 registers.esp: 2817540 registers.edi: 2817540 registers.eax: 0 registers.ebp: 2817568 registers.edx: 2 registers.ebx: 9839130 registers.esi: 0 registers.ecx: 2817576	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 3vi14vg+0x3100d7 @ 0x13800d7 3vi14vg+0x31af6a @ 0x138af6a 3vi14vg+0x4052fb @ 0x14752fb exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 3vi14vg+0x2645d0 exception.instruction: ud2 exception.module: 3vI14Vg.exe exception.exception_code: 0xc000001d exception.offset: 2508240 exception.address: 0x12d45d0 registers.esp: 3866060 registers.edi: 21455088 registers.eax: 0 registers.ebp: 3866088 registers.edx: 2 registers.ebx: 1265483798 registers.esi: 18812928 registers.ecx: 15087776	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 3vi14vg+0x3100d7 @ 0x13800d7 3vi14vg+0x31af6a @ 0x138af6a 3vi14vg+0x4052fb @ 0x14752fb exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 3vi14vg+0x2645d0 exception.instruction: ud2 exception.module: 3vI14Vg.exe exception.exception_code: 0xc000001d exception.offset: 2508240 exception.address: 0x12d45d0 registers.esp: 3866060 registers.edi: 3866060 registers.eax: 0 registers.ebp: 3866088 registers.edx: 2 registers.ebx: 19744230 registers.esi: 0 registers.ecx: 3866096	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 3vi14vg+0x3100d7 @ 0x13800d7 3vi14vg+0x31af6a @ 0x138af6a 3vi14vg+0x4052fb @ 0x14752fb exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 3vi14vg+0x2645d0 exception.instruction: ud2 exception.module: 3vI14Vg.exe exception.exception_code: 0xc000001d exception.offset: 2508240 exception.address: 0x12d45d0 registers.esp: 3866060 registers.edi: 3866060 registers.eax: 0 registers.ebp: 3866088 registers.edx: 2 registers.ebx: 19744230 registers.esi: 0 registers.ecx: 3866096	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 3vi14vg+0x3100d7 @ 0x13800d7 3vi14vg+0x31af6a @ 0x138af6a 3vi14vg+0x4052fb @ 0x14752fb exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 3vi14vg+0x2645a5 exception.instruction: div eax exception.module: 3vI14Vg.exe exception.exception_code: 0xc0000094 exception.offset: 2508197 exception.address: 0x12d45a5 registers.esp: 3866060 registers.edi: 3866060 registers.eax: 0 registers.ebp: 3866088 registers.edx: 0 registers.ebx: 19744230 registers.esi: 0 registers.ecx: 3866096	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 3vi14vg+0x3100d7 @ 0x13800d7 3vi14vg+0x31af6a @ 0x138af6a 3vi14vg+0x4052fb @ 0x14752fb exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 3vi14vg+0x2645d0 exception.instruction: ud2 exception.module: 3vI14Vg.exe exception.exception_code: 0xc000001d exception.offset: 2508240 exception.address: 0x12d45d0 registers.esp: 3866060 registers.edi: 3866060 registers.eax: 0 registers.ebp: 3866088 registers.edx: 2 registers.ebx: 19744187 registers.esi: 0 registers.ecx: 3866096	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 3vi14vg+0x3100d7 @ 0x13800d7 3vi14vg+0x31af6a @ 0x138af6a 3vi14vg+0x4052fb @ 0x14752fb exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 3vi14vg+0x2645d0 exception.instruction: ud2 exception.module: 3vI14Vg.exe exception.exception_code: 0xc000001d exception.offset: 2508240 exception.address: 0x12d45d0 registers.esp: 3866060 registers.edi: 3866060 registers.eax: 0 registers.ebp: 3866088 registers.edx: 2 registers.ebx: 19744230 registers.esi: 0 registers.ecx: 3866096	1
__exception__ Jan. 12, 2024, 7:55 a.m.	stacktrace: 3vi14vg+0x3100d7 @ 0x13800d7 3vi14vg+0x31af6a @ 0x138af6a 3vi14vg+0x4052fb @ 0x14752fb exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 3vi14vg+0x2645a5 exception.instruction: div eax exception.module: 3vI14Vg.exe exception.exception_code: 0xc0000094 exception.offset: 2508197 exception.address: 0x12d45a5 registers.esp: 3866060 registers.edi: 3866060 registers.eax: 0 registers.ebp: 3866088 registers.edx: 0 registers.ebx: 19744230 registers.esi: 0 registers.ecx: 3866096	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (3 events)

request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://instagram.com/accounts/login
request	GET https://instagram.com/accounts/login/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 212 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ec1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ab1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 region_size: 11407360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74783000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74827000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76af9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ac2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75602000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76d71000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ca1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72841000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ec1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71621000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71a11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75061000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ee21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ffc1000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (8 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Jan. 12, 2024, 7:55 a.m.	number_of_free_clusters: 2424294 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 12, 2024, 7:55 a.m.	number_of_free_clusters: 2424294 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 12, 2024, 7:55 a.m.	number_of_free_clusters: 2422813 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 12, 2024, 7:55 a.m.	number_of_free_clusters: 2422813 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 12, 2024, 7:55 a.m.	number_of_free_clusters: 2421721 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 12, 2024, 7:55 a.m.	number_of_free_clusters: 2421721 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 12, 2024, 7:55 a.m.	number_of_free_clusters: 2420984 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 12, 2024, 7:55 a.m.	number_of_free_clusters: 2420984 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2272 crashed
__exception__ Jan. 12, 2024, 7:56 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 102560924 registers.edi: 82205364 registers.eax: 102560924 registers.ebp: 102561004 registers.edx: 594 registers.ebx: 102561288 registers.esi: 2147746133 registers.ecx: 82365360	1	0	0
__exception__ Jan. 12, 2024, 7:56 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 65525952 registers.edi: 1974991376 registers.eax: 65525952 registers.ebp: 65526032 registers.edx: 1 registers.ebx: 82150212 registers.esi: 2147746133 registers.ecx: 267779381	1	0	0

Application Crash

Process iexplore.exe with pid 2272 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 12, 2024, 7:56 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 102560924
registers.edi: 82205364
registers.eax: 102560924
registers.ebp: 102561004
registers.edx: 594
registers.ebx: 102561288
registers.esi: 2147746133
registers.ecx: 82365360

__exception__

Jan. 12, 2024, 7:56 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 65525952
registers.edi: 1974991376
registers.eax: 65525952
registers.ebp: 65526032
registers.edx: 1
registers.ebx: 82150212
registers.esi: 2147746133
registers.ecx: 267779381

Creates executable files on the filesystem (8 events)

file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\2sz4899.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\qq5sQ68.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\tI9tP63.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\3vI14Vg.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\4Hh616gf.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\5Ev6rx6.exe
file	C:\Users\test22\AppData\Local\Temp\IXP003.TMP\1sV84eY5.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\fS0ej98.exe

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\fS0ej98.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\qq5sQ68.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\tI9tP63.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\5Ev6rx6.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\3vI14Vg.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\4Hh616gf.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 12, 2024, 7:55 a.m.	process_identifier: 2348 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x049f0000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x004f3800', u'virtual_address': u'0x0000c000', u'entropy': 7.996657398948551, u'name': u'.rsrc', u'virtual_size': u'0x004f4000'}

entropy

7.99665739895

description

A section with a high entropy has been found

entropy

0.993630573248

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 12, 2024, 7:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2272 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Jan. 12, 2024, 7:55 a.m.	service_handle: 0x004362d0 service_name: WinDefend control_code: 1		0	0
ControlService Jan. 12, 2024, 7:55 a.m.	service_handle: 0x00437c70 service_name: wuauserv control_code: 1		0	0

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Queries information on disks, possibly for anti-virtualization (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Jan. 12, 2024, 7:55 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000178 filepath: \??\Scsi0: desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 0 () filepath_r: \??\Scsi0: create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 0 (FILE_SUPERSEDED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0	0
DeviceIoControl Jan. 12, 2024, 7:55 a.m.	input_buffer: SCSIDISK ì control_code: 315400 () device_handle: 0x00000178 output_buffer: <INVALID POINTER>		0	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2272 resumed a thread in remote process 2348
NtResumeThread Jan. 12, 2024, 7:55 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 2348	1	0	0

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.IGENERIC
Skyhigh	BehavesLike.Win32.Generic.rc
VIPRE	Gen:Heur.Crifi.1
K7AntiVirus	Trojan ( 005aad751 )
BitDefender	Gen:Heur.Crifi.1
K7GW	Trojan ( 005aad751 )
Cybereason	malicious.99f3ef
Arcabit	Trojan.Crifi.1
VirIT	Trojan.Win32.Genus.UWC
ESET-NOD32	multiple detections
APEX	Malicious
McAfee	Artemis!D3420FFB0767
Avast	WAT:Blacked-E
ClamAV	Win.Trojan.Scar-6903585-0
Kaspersky	Trojan.MSIL.Injurer.cbd
NANO-Antivirus	Trojan.Win32.Drop.kfhzge
MicroWorld-eScan	Gen:Heur.Crifi.1
Rising	Downloader.Agent!1.D93C (CLASSIC)
Emsisoft	Gen:Heur.Crifi.1 (B)
F-Secure	Trojan.TR/Redcap.yrizz
DrWeb	Trojan.MulDrop24.34418
TrendMicro	TROJ_GEN.R002C0XLK23
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.Spy.Stealer
Jiangmin	Trojan.Script.awbz
Google	Detected
Avira	TR/Redcap.yrizz
Antiy-AVL	Trojan/Win32.RiseProStealer
Gridinsoft	Spy.Win32.Redline.lu!heur
Microsoft	Trojan:Win32/RiseProStealer.AC!MTB
ZoneAlarm	Trojan.MSIL.Injurer.cbd
GData	Gen:Heur.Crifi.1
Varist	W32/Kryptik.JKR.gen!Eldorado
Malwarebytes	Malware.AI.667579570
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	TROJ_GEN.R002C0XLK23
Yandex	Trojan.Injurer!WuJEubRFsx4
SentinelOne	Static AI - Malicious SFX
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	WAT:Blacked-E
CrowdStrike	win/malicious_confidence_70% (D)

love.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All