Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 26, 2024, 10:23 a.m.	July 26, 2024, 10:25 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d04ce1fea5d986c68c8570a9e73f01b6`
SHA256	`14c17279ae4211995b707e006f7c616189182835be98c5e37488c25b411bce5b`
CRC32	`9CC40312`
ssdeep	`24576:JqDEvCTbMWu7rQYlBQcBiT6rprG8aL22Sbly7TWEPje:JTvC/MTQYxsWR7aL22dW`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
1648
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
  2116
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
    2188
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\8262ecc5-5978-42cb-89b5-8d0c80d5ab36.dmp"
      2664
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\8262ecc5-5978-42cb-89b5-8d0c80d5ab36.dmp"
        2712
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        2816
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        2864
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\954bb3ae-e7e2-418e-a27f-dd3a43613efe.dmp"
        2244
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\954bb3ae-e7e2-418e-a27f-dd3a43613efe.dmp"
        1676
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        2956
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        3008
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.0.1202050082\1699928177" -parentBuildID 20220922151854 -prefsHandle 1136 -prefMapHandle 1128 -prefsLen 17556 -prefMapSize 230265 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40948a44-2f3d-44c4-865f-575dfcdd8f0e} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 1200 ecfb558 gpu
        2728

Name	Response	Post-Analysis Lookup
crash-reports.mozilla.com	A 34.49.45.138 CNAME antenna-prod.socorro.prod.webservices.mozgcp.net	34.49.45.138

IP Address	Status	Action
164.124.101.2	Active	Moloch
34.49.45.138	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49174 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49179 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 26, 2024, 10:24 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (50 out of 106 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 26, 2024, 10:23 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:23 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:23 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:23 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:23 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:23 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:23 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:23 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:23 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:24 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:17 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 26, 2024, 10:23 a.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ July 26, 2024, 10:23 a.m.	stacktrace: 0xb81f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb81f04 registers.r14: 10415592 registers.r15: 8791557379696 registers.rcx: 48 registers.rsi: 8791557311360 registers.r10: 0 registers.rbx: 0 registers.rsp: 10415224 registers.r11: 10418608 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 15965872 registers.rbp: 10415344 registers.rdi: 254915776 registers.rax: 12066560 registers.r13: 10416184	1
__exception__ July 26, 2024, 10:17 a.m.	stacktrace: 0xce1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xce1f04 registers.r14: 9432504 registers.r15: 8791414380144 registers.rcx: 48 registers.rsi: 8791414311808 registers.r10: 0 registers.rbx: 0 registers.rsp: 9432136 registers.r11: 9435520 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092879440 registers.r12: 14921136 registers.rbp: 9432256 registers.rdi: 67215392 registers.rax: 13508352 registers.r13: 9433096	1
__exception__ July 26, 2024, 10:18 a.m.	stacktrace: 0xca1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xca1f04 registers.r14: 14730864 registers.r15: 14992352 registers.rcx: 48 registers.rsi: 15511400 registers.r10: 0 registers.rbx: 14992352 registers.rsp: 8907352 registers.r11: 8911056 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 3008 registers.rbp: 8907472 registers.rdi: 15090560 registers.rax: 13246208 registers.r13: 8791352707296	1

Time & API

Arguments

Status

Return

Repeated

__exception__

July 26, 2024, 10:23 a.m.

stacktrace:

0xb81f04
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb81f04
registers.r14: 10415592
registers.r15: 8791557379696
registers.rcx: 48
registers.rsi: 8791557311360
registers.r10: 0
registers.rbx: 0
registers.rsp: 10415224
registers.r11: 10418608
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 15965872
registers.rbp: 10415344
registers.rdi: 254915776
registers.rax: 12066560
registers.r13: 10416184

__exception__

July 26, 2024, 10:17 a.m.

stacktrace:

0xce1f04
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xce1f04
registers.r14: 9432504
registers.r15: 8791414380144
registers.rcx: 48
registers.rsi: 8791414311808
registers.r10: 0
registers.rbx: 0
registers.rsp: 9432136
registers.r11: 9435520
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092879440
registers.r12: 14921136
registers.rbp: 9432256
registers.rdi: 67215392
registers.rax: 13508352
registers.r13: 9433096

__exception__

July 26, 2024, 10:18 a.m.

stacktrace:

0xca1f04
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xca1f04
registers.r14: 14730864
registers.r15: 14992352
registers.rcx: 48
registers.rsi: 15511400
registers.r10: 0
registers.rbx: 14992352
registers.rsp: 8907352
registers.r11: 8911056
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 3008
registers.rbp: 8907472
registers.rdi: 15090560
registers.rax: 13246208
registers.r13: 8791352707296

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 events)

Time & API	Arguments	Status	Return
bind July 26, 2024, 10:17 a.m.	ip_address: 127.0.0.1 socket: 856 port: 0	1	0
listen July 26, 2024, 10:17 a.m.	socket: 856 backlog: 5	1	0
accept July 26, 2024, 10:17 a.m.	ip_address: 127.0.0.1 socket: 856 port: 49190	1	872

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 26, 2024, 10:23 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b40000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:23 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:23 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b40000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:23 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:23 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002870000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:23 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ca0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ca0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002870000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b40000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b40000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000033b0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:18 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c70000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:18 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:18 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c70000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:18 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:18 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000006d630000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:18 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749af000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (6 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process firefox.exe with pid 2188 crashed
Application Crash	Process firefox.exe with pid 2864 crashed
Application Crash	Process firefox.exe with pid 2728 crashed
__exception__ July 26, 2024, 10:23 a.m.	stacktrace: 0xb81f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb81f04 registers.r14: 10415592 registers.r15: 8791557379696 registers.rcx: 48 registers.rsi: 8791557311360 registers.r10: 0 registers.rbx: 0 registers.rsp: 10415224 registers.r11: 10418608 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 15965872 registers.rbp: 10415344 registers.rdi: 254915776 registers.rax: 12066560 registers.r13: 10416184	1	0	0
__exception__ July 26, 2024, 10:17 a.m.	stacktrace: 0xce1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xce1f04 registers.r14: 9432504 registers.r15: 8791414380144 registers.rcx: 48 registers.rsi: 8791414311808 registers.r10: 0 registers.rbx: 0 registers.rsp: 9432136 registers.r11: 9435520 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092879440 registers.r12: 14921136 registers.rbp: 9432256 registers.rdi: 67215392 registers.rax: 13508352 registers.r13: 9433096	1	0	0
__exception__ July 26, 2024, 10:18 a.m.	stacktrace: 0xca1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xca1f04 registers.r14: 14730864 registers.r15: 14992352 registers.rcx: 48 registers.rsi: 15511400 registers.r10: 0 registers.rbx: 14992352 registers.rsp: 8907352 registers.r11: 8911056 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 3008 registers.rbp: 8907472 registers.rdi: 15090560 registers.rax: 13246208 registers.r13: 8791352707296	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 26, 2024, 10:23 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000003982800000 process_handle: 0xffffffffffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00050c00', u'virtual_address': u'0x000d4000', u'entropy': 7.873535576348271, u'name': u'.rsrc', u'virtual_size': u'0x00050abc'}

entropy

7.87353557635

description

A section with a high entropy has been found

entropy

0.2736128759

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (50 out of 193 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c
url	http://mathematicsmargin-top
url	http://allowlisted.example.com
url	https://webextensions.settings.services.mozilla.com/v1
url	http://.jpg
url	http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
url	https://monitor.firefox.com/user/preferences
url	http://www.years
url	https://.
url	http://option
url	http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
url	https://accounts.firefox.com/
url	http://www.C//DTD
url	http://wpad/wpad.dat
url	https://coverage.mozilla.org
url	https://token.services.mozilla.com/1.0/sync/1.5
url	https://addons.mozilla.org/%LOCALE%/firefox/
url	https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor
url	https://support.mozilla.org/kb/captive-portal
url	http://cript
url	https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/nightly-error-collection
url	https://contile.services.mozilla.com/v1/tiles
url	https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox
url	http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
url	http://www
url	http://www.language
url	http://www.
url	http://.css
url	http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
url	http://dictionaryperceptionrevolutionfoundationpx
url	https://was
url	http://px
url	http://www.webrtc.org/experiments/rtp-hdrext/video-timing
url	https://addons.mozilla.org/%LOCALE%/firefox/themes
url	http://detectportal.firefox.com/success.txt?ipv4
url	http://detectportal.firefox.com/success.txt?ipv6
url	https://bugzilla.mozilla.org/enter_bug.cgi?product=Core
url	http://whether
url	http://addEventListenerresponsible
url	https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
url	http://www.style
url	http://iparticipation
url	https://fpn.firefox.com/browser?utm_source=firefox-desktop
url	https://profile.accounts.firefox.com/v1
url	https://api.accounts.firefox.com/v1
url	http://www.icon
url	http://ator
url	http://www.text-decoration

Yara rule detected in process memory (50 out of 216 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Perform crypto currency mining	rule	BitCoin
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.0.1202050082\1699928177" -parentBuildID 20220922151854 -prefsHandle 1136 -prefMapHandle 1128 -prefsLen 17556 -prefMapSize 230265 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40948a44-2f3d-44c4-865f-575dfcdd8f0e} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 1200 ecfb558 gpu

Allocates execute permission to another process indicative of possible code injection (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 26, 2024, 10:23 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory July 26, 2024, 10:23 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1

Potential code injection by writing to the memory of another process (27 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: base_address: 0x000000013f8922b0 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: base_address: 0x000000013f8a0d88 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: I»`#?Aÿã base_address: 0x0000000077711590 process_identifier: 2188 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: fu base_address: 0x000000013f8a0d78 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2188 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: fu base_address: 0x000000013f8a0d70 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: ÏT base_address: 0x000000013f840108 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f89aae8 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: base_address: 0x000000013f8a0c78 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: base_address: 0x000000013f3022b0 process_identifier: 2864 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: base_address: 0x000000013f310d88 process_identifier: 2864 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: I»`#-?Aÿã base_address: 0x0000000077711590 process_identifier: 2864 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: base_address: 0x000000013f310d78 process_identifier: 2864 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: I» -?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2864 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: base_address: 0x000000013f310d70 process_identifier: 2864 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: ÏT base_address: 0x000000013f2b0108 process_identifier: 2864 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f30aae8 process_identifier: 2864 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: base_address: 0x000000013f310c78 process_identifier: 2864 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: base_address: 0x000000013f3022b0 process_identifier: 3008 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: base_address: 0x000000013f310d88 process_identifier: 3008 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: I»`#-?Aÿã base_address: 0x0000000077711590 process_identifier: 3008 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: " base_address: 0x000000013f310d78 process_identifier: 3008 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: I» -?Aÿã base_address: 0x00000000776e7a90 process_identifier: 3008 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: " base_address: 0x000000013f310d70 process_identifier: 3008 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: ÏT base_address: 0x000000013f2b0108 process_identifier: 3008 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f30aae8 process_identifier: 3008 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: base_address: 0x000000013f310c78 process_identifier: 3008 process_handle: 0x0000000000000048	1	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

One or more non-whitelisted processes were created (6 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3008.0.1202050082\1699928177" -parentBuildID 20220922151854 -prefsHandle 1136 -prefMapHandle 1128 -prefsLen 17556 -prefMapSize 230265 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40948a44-2f3d-44c4-865f-575dfcdd8f0e} 3008 "\\.\pipe\gecko-crash-server-pipe.3008" 1200 ecfb558 gpu
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\8262ecc5-5978-42cb-89b5-8d0c80d5ab36.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\954bb3ae-e7e2-418e-a27f-dd3a43613efe.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (15 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1648 resumed a thread in remote process 2116
Process injection	Process 2116 resumed a thread in remote process 2188
Process injection	Process 2816 resumed a thread in remote process 2864
Process injection	Process 2956 resumed a thread in remote process 3008
Process injection	Process 3008 resumed a thread in remote process 2728
NtResumeThread July 26, 2024, 10:23 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2116	1	0	0
NtResumeThread July 26, 2024, 10:23 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2188	1	0	0
NtResumeThread July 26, 2024, 10:17 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2864	1	0	0
NtResumeThread July 26, 2024, 10:17 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3008	1	0	0
NtResumeThread July 26, 2024, 10:18 a.m.	thread_handle: 0x0000000000000520 suspend_count: 1 process_identifier: 2728	1	0	0
NtResumeThread July 26, 2024, 10:18 a.m.	thread_handle: 0x000000000000052c suspend_count: 1 process_identifier: 2728	1	0	0
NtResumeThread July 26, 2024, 10:18 a.m.	thread_handle: 0x0000000000000528 suspend_count: 1 process_identifier: 2728	1	0	0
NtResumeThread July 26, 2024, 10:18 a.m.	thread_handle: 0x0000000000000530 suspend_count: 1 process_identifier: 2728	1	0	0
NtResumeThread July 26, 2024, 10:18 a.m.	thread_handle: 0x0000000000000534 suspend_count: 0 process_identifier: 2728	1	0	0
NtResumeThread July 26, 2024, 10:18 a.m.	thread_handle: 0x0000000000000538 suspend_count: 0 process_identifier: 2728	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

Executed a process and injected code into it, probably while unpacking (50 out of 113 events)

Time & API	Arguments	Status	Return
NtResumeThread July 26, 2024, 10:23 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 1648	1	0
CreateProcessInternalW July 26, 2024, 10:23 a.m.	thread_identifier: 2120 thread_handle: 0x000002a4 process_identifier: 2116 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002ac	1	1
NtResumeThread July 26, 2024, 10:23 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2116	1	0
CreateProcessInternalW July 26, 2024, 10:23 a.m.	thread_identifier: 2192 thread_handle: 0x0000000000000044 process_identifier: 2188 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: base_address: 0x000000013f8922b0 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: base_address: 0x000000013f8a0d88 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection July 26, 2024, 10:23 a.m.	section_handle: 0x0000000000000060 process_identifier: 2188 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x0000000075660000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory July 26, 2024, 10:23 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000075660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: I»`#?Aÿã base_address: 0x0000000077711590 process_identifier: 2188 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: fu base_address: 0x000000013f8a0d78 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2188 process_handle: 0x0000000000000050	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: fu base_address: 0x000000013f8a0d70 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: ÏT base_address: 0x000000013f840108 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f89aae8 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:23 a.m.	buffer: base_address: 0x000000013f8a0c78 process_identifier: 2188 process_handle: 0x000000000000004c	1	1
NtResumeThread July 26, 2024, 10:23 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread July 26, 2024, 10:23 a.m.	thread_handle: 0x000000000000016c suspend_count: 1 process_identifier: 2188	1	0
NtGetContextThread July 26, 2024, 10:23 a.m.	thread_handle: 0x0000000000000230	1	0
NtGetContextThread July 26, 2024, 10:23 a.m.	thread_handle: 0x0000000000000238	1	0
NtGetContextThread July 26, 2024, 10:23 a.m.	thread_handle: 0x000000000000023c	1	0
NtGetContextThread July 26, 2024, 10:23 a.m.	thread_handle: 0x0000000000000240	1	0
NtGetContextThread July 26, 2024, 10:23 a.m.	thread_handle: 0x0000000000000244	1	0
NtGetContextThread July 26, 2024, 10:23 a.m.	thread_handle: 0x0000000000000248	1	0
NtGetContextThread July 26, 2024, 10:23 a.m.	thread_handle: 0x000000000000024c	1	0
NtGetContextThread July 26, 2024, 10:23 a.m.	thread_handle: 0x0000000000000250	1	0
NtResumeThread July 26, 2024, 10:24 a.m.	thread_handle: 0x0000000000000230 suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread July 26, 2024, 10:24 a.m.	thread_handle: 0x0000000000000238 suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread July 26, 2024, 10:24 a.m.	thread_handle: 0x000000000000023c suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread July 26, 2024, 10:24 a.m.	thread_handle: 0x0000000000000240 suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread July 26, 2024, 10:24 a.m.	thread_handle: 0x0000000000000248 suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread July 26, 2024, 10:24 a.m.	thread_handle: 0x000000000000024c suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread July 26, 2024, 10:24 a.m.	thread_handle: 0x0000000000000250 suspend_count: 1 process_identifier: 2188	1	0
CreateProcessInternalW July 26, 2024, 10:24 a.m.	thread_identifier: 2668 thread_handle: 0x00000000000001f8 process_identifier: 2664 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\8262ecc5-5978-42cb-89b5-8d0c80d5ab36.dmp" filepath_r: stack_pivoted: 0 creation_flags: 150994976 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_NO_WINDOW\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000000000000021c	1	1
CreateProcessInternalW July 26, 2024, 10:24 a.m.	thread_identifier: 2716 thread_handle: 0x00000000000000a0 process_identifier: 2712 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\8262ecc5-5978-42cb-89b5-8d0c80d5ab36.dmp" filepath_r: stack_pivoted: 0 creation_flags: 134217760 (CREATE_NO_WINDOW\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000000000000a4	1	1
NtResumeThread July 26, 2024, 10:24 a.m.	thread_handle: 0x0000000000000150 suspend_count: 1 process_identifier: 2664	1	0
CreateProcessInternalW July 26, 2024, 10:24 a.m.	thread_identifier: 2820 thread_handle: 0x0000000000000164 process_identifier: 2816 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000168	1	1
CreateProcessInternalW July 26, 2024, 10:24 a.m.	thread_identifier: 2960 thread_handle: 0x0000000000000304 process_identifier: 2956 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000170	1	1
NtResumeThread July 26, 2024, 10:24 a.m.	thread_handle: 0x00000000000000c0 suspend_count: 1 process_identifier: 2712	1	0
CreateProcessInternalW July 26, 2024, 10:17 a.m.	thread_identifier: 2868 thread_handle: 0x0000000000000044 process_identifier: 2864 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: base_address: 0x000000013f3022b0 process_identifier: 2864 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: base_address: 0x000000013f310d88 process_identifier: 2864 process_handle: 0x0000000000000048	1	1
NtMapViewOfSection July 26, 2024, 10:17 a.m.	section_handle: 0x000000000000005c process_identifier: 2864 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x0000000000900000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x000000000000004c	1	0
NtAllocateVirtualMemory July 26, 2024, 10:17 a.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000000900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000000000000004c	1	0
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: I»`#-?Aÿã base_address: 0x0000000077711590 process_identifier: 2864 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: base_address: 0x000000013f310d78 process_identifier: 2864 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: I» -?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2864 process_handle: 0x000000000000004c	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: base_address: 0x000000013f310d70 process_identifier: 2864 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: ÏT base_address: 0x000000013f2b0108 process_identifier: 2864 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f30aae8 process_identifier: 2864 process_handle: 0x0000000000000048	1	1
WriteProcessMemory July 26, 2024, 10:17 a.m.	buffer: base_address: 0x000000013f310c78 process_identifier: 2864 process_handle: 0x0000000000000048	1	1

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Injector.tc
ALYac	AIT:Trojan.AutoIT.Agent.ADK
Cylance	Unsafe
VIPRE	AIT:Trojan.AutoIT.Agent.ADK
BitDefender	AIT:Trojan.AutoIT.Agent.ADK
VirIT	Trojan.Win32.AutoIt.GZD
ESET-NOD32	Win32/Autoit.D potentially unsafe
Avast	Script:SNH-gen [Trj]
Kaspersky	Trojan.Script.Agentb.cj
MicroWorld-eScan	AIT:Trojan.AutoIT.Agent.ADK
Rising	Trojan.Injector/Autoit!1.FF84 (CLASSIC)
Emsisoft	AIT:Trojan.AutoIT.Agent.ADK (B)
F-Secure	Trojan.TR/Redcap.lbili
DrWeb	Trojan.Siggen29.1867
McAfeeD	Real Protect-LS!D04CE1FEA5D9
FireEye	Generic.mg.d04ce1fea5d986c6
Sophos	Generic ML PUA (PUA)
Avira	TR/Redcap.lbili
MAX	malware (ai score=84)
Microsoft	Trojan:Win32/AutoInj.GZN!MTB
ZoneAlarm	Trojan.Script.Agentb.cj
GData	AIT:Trojan.AutoIT.Agent.ADK
BitDefenderTheta	Gen:NN.ZexaCO.36810.jvW@aKCpZvdi
TACHYON	Trojan/W32.Agent.1209856.B
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Injector.AutoIt
huorong	Trojan/AutoIT.Agent.d
Fortinet	AutoIt/Inject.1867!tr
AVG	Script:SNH-gen [Trj]

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All