Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 17, 2024, 3:13 p.m.	Jan. 17, 2024, 3:16 p.m.

Size	895.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5d01c27e7807d0c5d9d0076d6a803b55`
SHA256	`28984eb5158ff3e75ea46986ae9185740a930e4fc258337417edd57b6a380c4b`
CRC32	`7122A0A4`
ssdeep	`12288:oqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga2Tq:oqDEvCTbMWu7rQYlBQcBiT6rprG8aOq`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

go.exe "C:\Users\test22\AppData\Local\Temp\go.exe"
940
- iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  1820
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1820 CREDAT:145409
    2124
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
  2832
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2d06e00,0x7fef2d06e10,0x7fef2d06e20
    2988
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
  2916
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
    3036
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\0bc9a49d-6448-4f0a-8606-cf988ff772b1.dmp"
      2296
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\0bc9a49d-6448-4f0a-8606-cf988ff772b1.dmp"
        2780
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com"
        3040
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
        772
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com"
        1072
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
        3028

Name	Response	Post-Analysis Lookup
fbcdn.net	A 157.240.215.35	157.240.215.35
crash-reports.mozilla.com	A 34.210.194.201 A 50.112.239.245 CNAME socorro-collector.services.mozilla.com A 52.13.80.180	50.112.239.245
facebook.com	A 157.240.215.35	157.240.215.35
static.xx.fbcdn.net	A 157.240.215.14 CNAME scontent.xx.fbcdn.net	157.240.215.14
fbsbx.com	A 157.240.215.35	157.240.215.35
www.facebook.com	A 157.240.215.35 CNAME star-mini.c10r.facebook.com	157.240.215.35
connect.facebook.net	A 157.240.215.14 CNAME scontent.xx.fbcdn.net	157.240.215.14

IP Address	Status	Action
117.18.232.200	Active	Moloch
157.240.215.14	Active	Moloch
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch
52.13.80.180	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49169 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49179 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49177 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 157.240.215.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49183 -> 157.240.215.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 52.13.80.180:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49206 -> 52.13.80.180:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49169 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49166 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49165 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49171 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49170 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49173 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49175 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49174 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49172 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49179 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	e1:b5:47:7b:aa:89:cf:ef:84:ea:87:3a:8e:d0:cd:a8:cd:5f:55:8b
TLSv1 192.168.56.103:49177 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49178 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	e1:b5:47:7b:aa:89:cf:ef:84:ea:87:3a:8e:d0:cd:a8:cd:5f:55:8b
TLSv1 192.168.56.103:49176 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49182 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49181 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	e1:b5:47:7b:aa:89:cf:ef:84:ea:87:3a:8e:d0:cd:a8:cd:5f:55:8b
TLSv1 192.168.56.103:49180 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net	e1:b5:47:7b:aa:89:cf:ef:84:ea:87:3a:8e:d0:cd:a8:cd:5f:55:8b
TLSv1 192.168.56.103:49183 157.240.215.14:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com	29:12:1f:fa:41:f6:0a:78:9c:f1:97:5a:43:e9:d8:b5:c2:d6:85:f5
TLSv1 192.168.56.103:49203 52.13.80.180:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=Mozilla Corporation, CN=crash-stats.mozilla.com	8c:af:bf:74:bc:60:0d:b5:d4:0e:6a:71:5c:1d:51:a6:56:d4:fb:d3
TLSv1 192.168.56.103:49206 52.13.80.180:443	None	None	None

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Jan. 17, 2024, 3:15 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (46 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 17, 2024, 3:13 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:15 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:15 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:15 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:15 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:15 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:15 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:14 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:15 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:08 p.m.			0	0
IsDebuggerPresent Jan. 17, 2024, 3:08 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 17, 2024, 3:13 p.m.		1	1	0

One or more processes crashed (5 events)

Time & API	Arguments	Status
__exception__ Jan. 17, 2024, 3:15 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 108262352 registers.edi: 7745300 registers.eax: 108262352 registers.ebp: 108262432 registers.edx: 142 registers.ebx: 108262716 registers.esi: 2147746133 registers.ecx: 77045976	1
__exception__ Jan. 17, 2024, 3:15 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 72736008 registers.edi: 1974991376 registers.eax: 72736008 registers.ebp: 72736088 registers.edx: 1 registers.ebx: 7663348 registers.esi: 2147746133 registers.ecx: 292779526	1
__exception__ Jan. 17, 2024, 3:15 p.m.	stacktrace: 0x190004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x190004 registers.r14: 267579304 registers.r15: 51875008 registers.rcx: 552 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 267578560 registers.rsp: 267578280 registers.r11: 267582176 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1392 registers.r12: 267578920 registers.rbp: 267578416 registers.rdi: 51888576 registers.rax: 1638400 registers.r13: 86648096	1
__exception__ Jan. 17, 2024, 3:14 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10350584 registers.r15: 8791381218928 registers.rcx: 48 registers.rsi: 8791381150592 registers.r10: 0 registers.rbx: 0 registers.rsp: 10350216 registers.r11: 10353600 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14918256 registers.rbp: 10350336 registers.rdi: 250719072 registers.rax: 13442816 registers.r13: 10351176	1
__exception__ Jan. 17, 2024, 3:08 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10549728 registers.r15: 10549232 registers.rcx: 48 registers.rsi: 14707296 registers.r10: 0 registers.rbx: 0 registers.rsp: 10548280 registers.r11: 10550480 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10549063 registers.rbp: 10548400 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST https://crash-reports.mozilla.com/submit?id={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&version=105.0.1&buildid=20220922151854

Performs some HTTP requests (18 events)

request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/y2/l/0,cross/7_6o7HJ05F8.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/EQ0cyse2DGv.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yr/l/0,cross/wMc7fNlPdnA.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yb/r/S-jgxi6wsFP.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yV/l/0,cross/om552iOCRxJ.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/y5/l/0,cross/QoWVNltU_ZO.css?_nc_x=Ij3Wp8lg5Kz
request	GET https://static.xx.fbcdn.net/rsrc.php/y1/r/4lCu2zih0ca.svg
request	GET https://facebook.com/security/hsts-pixel.gif?c=3.2.5
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yE/r/xGzxHIbkRpC.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://fbcdn.net/security/hsts-pixel.gif?c=2.5
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
request	GET https://fbsbx.com/security/hsts-pixel.gif?c=5
request	GET https://static.xx.fbcdn.net/rsrc.php/v3/yK/r/Lzd-U--zeLf.js?_nc_x=Ij3Wp8lg5Kz
request	GET https://connect.facebook.net/security/hsts-pixel.gif
request	GET https://www.facebook.com/favicon.ico
request	POST https://crash-reports.mozilla.com/submit?id={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&version=105.0.1&buildid=20220922151854

Sends data using the HTTP POST Method (1 event)

request

POST https://crash-reports.mozilla.com/submit?id={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&version=105.0.1&buildid=20220922151854

Allocates read-write-execute memory (usually to unpack itself) (50 out of 512 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 region_size: 2166784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74713000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x747b7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76af9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ac2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75602000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 1820 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x030b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:15 p.m.	process_identifier: 1820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ed0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74713000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x747b7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76af9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ac2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75602000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75607000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75606000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778fd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755fd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b36000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a94000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a93000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a95000 process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (9 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 1820 crashed
Application Crash	Process chrome.exe with pid 2832 crashed
Application Crash	Process firefox.exe with pid 3036 crashed
Application Crash	Process firefox.exe with pid 3028 crashed
__exception__ Jan. 17, 2024, 3:15 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75b94387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x754bef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x754b6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x754b6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x754d5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x755506b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75c6d7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75c6d876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75c6ddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75b88a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75b88938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75b8950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75c6dccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75c6db41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75c6e1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75b89367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75b89326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75b4a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75b4853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75b4a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75b5cd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75b5d87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 108262352 registers.edi: 7745300 registers.eax: 108262352 registers.ebp: 108262432 registers.edx: 142 registers.ebx: 108262716 registers.esi: 2147746133 registers.ecx: 77045976	1	0	0
__exception__ Jan. 17, 2024, 3:15 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75b3fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75c6a338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x7532e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x753072ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x752fab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x752fea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752f87f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x752fba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755f7bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x7532516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x753250ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x752fa0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x752f9b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x752f9aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x7532530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x753257a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x72c5540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x72c552ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x72d30ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x77907e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x778e54f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 72736008 registers.edi: 1974991376 registers.eax: 72736008 registers.ebp: 72736088 registers.edx: 1 registers.ebx: 7663348 registers.esi: 2147746133 registers.ecx: 292779526	1	0	0
__exception__ Jan. 17, 2024, 3:15 p.m.	stacktrace: 0x190004 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x190004 registers.r14: 267579304 registers.r15: 51875008 registers.rcx: 552 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 267578560 registers.rsp: 267578280 registers.r11: 267582176 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1392 registers.r12: 267578920 registers.rbp: 267578416 registers.rdi: 51888576 registers.rax: 1638400 registers.r13: 86648096	1	0	0
__exception__ Jan. 17, 2024, 3:14 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10350584 registers.r15: 8791381218928 registers.rcx: 48 registers.rsi: 8791381150592 registers.r10: 0 registers.rbx: 0 registers.rsp: 10350216 registers.r11: 10353600 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14918256 registers.rbp: 10350336 registers.rdi: 250719072 registers.rax: 13442816 registers.r13: 10351176	1	0	0
__exception__ Jan. 17, 2024, 3:08 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10549728 registers.r15: 10549232 registers.rcx: 48 registers.rsi: 14707296 registers.r10: 0 registers.rbx: 0 registers.rsp: 10548280 registers.r11: 10550480 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10549063 registers.rbp: 10548400 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0

Steals private information from local Internet browsers (23 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Policy\User Policy
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-65A78308-B10.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\120fb2d2-4a11-4e3d-a97a-82a118d0d956.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\S-jgxi6wsFP[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\xGzxHIbkRpC[1].js

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 17, 2024, 3:13 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05aa0000 process_handle: 0xffffffff	1	0	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (44 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Jan. 17, 2024, 3:15 p.m.	status_code: 0xc0000005 process_identifier: 2832 process_handle: 0x00000000000000bc		0	0
NtTerminateProcess Jan. 17, 2024, 3:15 p.m.	status_code: 0xc0000005 process_identifier: 2832 process_handle: 0x00000000000000bc	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1820 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Allocates execute permission to another process indicative of possible code injection (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 17, 2024, 3:14 p.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Jan. 17, 2024, 3:14 p.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Jan. 17, 2024, 3:08 p.m.	process_identifier: 772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Jan. 17, 2024, 3:08 p.m.	process_identifier: 772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Jan. 17, 2024, 3:08 p.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Jan. 17, 2024, 3:08 p.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1

Potential code injection by writing to the memory of another process (27 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: base_address: 0x000000013faa22b0 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: base_address: 0x000000013fab0d88 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: I»`#§?Aÿã base_address: 0x0000000077711590 process_identifier: 3036 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: Ä% base_address: 0x000000013fab0d78 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: I» §?Aÿã base_address: 0x00000000776e7a90 process_identifier: 3036 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: Ä% base_address: 0x000000013fab0d70 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: ÏT base_address: 0x000000013fa50108 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013faaaae8 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: base_address: 0x000000013fab0c78 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: base_address: 0x000000013f2c22b0 process_identifier: 772 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: base_address: 0x000000013f2d0d88 process_identifier: 772 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: I»`#)?Aÿã base_address: 0x0000000077711590 process_identifier: 772 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: Úk base_address: 0x000000013f2d0d78 process_identifier: 772 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: I» )?Aÿã base_address: 0x00000000776e7a90 process_identifier: 772 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: Úk base_address: 0x000000013f2d0d70 process_identifier: 772 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: ÏT base_address: 0x000000013f270108 process_identifier: 772 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f2caae8 process_identifier: 772 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: base_address: 0x000000013f2d0c78 process_identifier: 772 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: base_address: 0x000000013f2c22b0 process_identifier: 3028 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: base_address: 0x000000013f2d0d88 process_identifier: 3028 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: I»`#)?Aÿã base_address: 0x0000000077711590 process_identifier: 3028 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: Qr base_address: 0x000000013f2d0d78 process_identifier: 3028 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: I» )?Aÿã base_address: 0x00000000776e7a90 process_identifier: 3028 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: Qr base_address: 0x000000013f2d0d70 process_identifier: 3028 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: ÏT base_address: 0x000000013f270108 process_identifier: 3028 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f2caae8 process_identifier: 3028 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Jan. 17, 2024, 3:08 p.m.	buffer: base_address: 0x000000013f2d0c78 process_identifier: 3028 process_handle: 0x0000000000000048	1	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
process	crashreporter.exe				useragent	Breakpad/1.0 (Windows)

One or more non-whitelisted processes were created (6 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2d06e00,0x7fef2d06e10,0x7fef2d06e20
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,2745255426846950659,893974611208261184,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1036 /prefetch:2
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\0bc9a49d-6448-4f0a-8606-cf988ff772b1.dmp"

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (36 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 940 resumed a thread in remote process 2832
Process injection	Process 940 resumed a thread in remote process 2916
Process injection	Process 1820 resumed a thread in remote process 2124
Process injection	Process 2916 resumed a thread in remote process 3036
Process injection	Process 2988 resumed a thread in remote process 2832
Process injection	Process 3040 resumed a thread in remote process 772
Process injection	Process 1072 resumed a thread in remote process 3028
NtResumeThread Jan. 17, 2024, 3:14 p.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:14 p.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 2916	1	0	0
NtResumeThread Jan. 17, 2024, 3:13 p.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2124	1	0	0
NtResumeThread Jan. 17, 2024, 3:14 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3036	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0	0
NtResumeThread Jan. 17, 2024, 3:08 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 772	1	0	0
NtResumeThread Jan. 17, 2024, 3:08 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3028	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 124 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Jan. 17, 2024, 3:13 p.m.	thread_identifier: 1960 thread_handle: 0x000001cc process_identifier: 1820 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001d4	1	1
NtResumeThread Jan. 17, 2024, 3:13 p.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 940	1	0
CreateProcessInternalW Jan. 17, 2024, 3:14 p.m.	thread_identifier: 2836 thread_handle: 0x000002d4 process_identifier: 2832 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002e0	1	1
NtResumeThread Jan. 17, 2024, 3:14 p.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 2832	1	0
CreateProcessInternalW Jan. 17, 2024, 3:14 p.m.	thread_identifier: 2920 thread_handle: 0x000002d4 process_identifier: 2916 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b8	1	1
NtResumeThread Jan. 17, 2024, 3:14 p.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 2916	1	0
CreateProcessInternalW Jan. 17, 2024, 3:13 p.m.	thread_identifier: 2128 thread_handle: 0x0000033c process_identifier: 2124 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1820 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000340	1	1
NtResumeThread Jan. 17, 2024, 3:13 p.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2124	1	0
NtResumeThread Jan. 17, 2024, 3:13 p.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 1820	1	0
NtResumeThread Jan. 17, 2024, 3:13 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 1820	1	0
NtGetContextThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x000004c8	1	0
NtResumeThread Jan. 17, 2024, 3:13 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2124	1	0
NtResumeThread Jan. 17, 2024, 3:13 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2124	1	0
NtResumeThread Jan. 17, 2024, 3:13 p.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 2124	1	0
NtResumeThread Jan. 17, 2024, 3:13 p.m.	thread_handle: 0x000007cc suspend_count: 1 process_identifier: 2124	1	0
NtResumeThread Jan. 17, 2024, 3:14 p.m.	thread_handle: 0x0000000000000078 suspend_count: 1 process_identifier: 2832	1	0
CreateProcessInternalW Jan. 17, 2024, 3:14 p.m.	thread_identifier: 2992 thread_handle: 0x00000000000000c0 process_identifier: 2988 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2d06e00,0x7fef2d06e10,0x7fef2d06e20 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000000c4	1	1
CreateProcessInternalW Jan. 17, 2024, 3:15 p.m.	thread_identifier: 3008 thread_handle: 0x000000000000057c process_identifier: 1952 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,2745255426846950659,893974611208261184,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1036 /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000570	1	1
CreateProcessInternalW Jan. 17, 2024, 3:14 p.m.	thread_identifier: 3040 thread_handle: 0x0000000000000044 process_identifier: 3036 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: base_address: 0x000000013faa22b0 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: base_address: 0x000000013fab0d88 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection Jan. 17, 2024, 3:14 p.m.	section_handle: 0x0000000000000060 process_identifier: 3036 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x0000000025c40000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory Jan. 17, 2024, 3:14 p.m.	process_identifier: 3036 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000025c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: I»`#§?Aÿã base_address: 0x0000000077711590 process_identifier: 3036 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: Ä% base_address: 0x000000013fab0d78 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: I» §?Aÿã base_address: 0x00000000776e7a90 process_identifier: 3036 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: Ä% base_address: 0x000000013fab0d70 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: ÏT base_address: 0x000000013fa50108 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013faaaae8 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Jan. 17, 2024, 3:14 p.m.	buffer: base_address: 0x000000013fab0c78 process_identifier: 3036 process_handle: 0x000000000000004c	1	1
NtResumeThread Jan. 17, 2024, 3:14 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread Jan. 17, 2024, 3:14 p.m.	thread_handle: 0x00000000000000f0 suspend_count: 1 process_identifier: 2988	1	0
NtGetContextThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0
NtGetContextThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0
NtGetContextThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0
NtGetContextThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0
NtGetContextThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0
NtGetContextThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0
NtGetContextThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0
NtGetContextThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0
NtGetContextThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118	1	0
NtResumeThread Jan. 17, 2024, 3:15 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2832	1	0

go.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All