Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 22, 2024, 11:25 a.m.	Aug. 22, 2024, 11:29 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a151cbfbefd0a8e04caa4aa5be8f388e`
SHA256	`7cc54dd43fa3e4e1b39548126510bf38a0fafe6986d75edea5248989238af217`
CRC32	`4AD636FE`
ssdeep	`24576:kqDEvCTbMWu7rQYlBQcBiT6rprG8a4IhvVqxsS8TAyj:kTvC/MTQYxsWR7a4I/qxsS8TB`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
1952
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
  2188
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
    2260
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\da341a66-5ea8-42c5-a945-eda24449ce35.dmp"
      2728
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\da341a66-5ea8-42c5-a945-eda24449ce35.dmp"
        2772
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        2876
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2924
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\08d8f1ba-e82b-4a72-a4fe-b1512fe6e7f7.dmp"
        2304
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\08d8f1ba-e82b-4a72-a4fe-b1512fe6e7f7.dmp"
        2460
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        2824
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2708
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        3040
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        2208
      - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        3020
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        416
        
        crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\b0ff9cd7-04aa-4fe3-b477-bf8826f93d7b.dmp"
        2064
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\b0ff9cd7-04aa-4fe3-b477-bf8826f93d7b.dmp"
        2596
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        1596
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        1968
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
        1884
        
        firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        112

Name	Response	Post-Analysis Lookup
crash-reports.mozilla.com	A 34.49.45.138 CNAME antenna-prod.socorro.prod.webservices.mozgcp.net	34.49.45.138

IP Address	Status	Action
164.124.101.2	Active	Moloch
34.49.45.138	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49179 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49217 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49201 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49198 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49202 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49211 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49218 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49212 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49197 -> 34.49.45.138:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 22, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 22, 2024, 11:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 22, 2024, 11:20 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (48 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 22, 2024, 11:25 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:18 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:18 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:18 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:18 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:18 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:18 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:18 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:18 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:19 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 11:20 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 22, 2024, 11:25 a.m.		1	1	0

One or more processes crashed (7 events)

Time & API	Arguments	Status
__exception__ Aug. 22, 2024, 11:18 a.m.	stacktrace: 0xcc1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc1f04 registers.r14: 10023688 registers.r15: 8791557510768 registers.rcx: 48 registers.rsi: 8791557442432 registers.r10: 0 registers.rbx: 0 registers.rsp: 10023320 registers.r11: 10026704 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 15971424 registers.rbp: 10023440 registers.rdi: 258056224 registers.rax: 13377280 registers.r13: 10024280	1
__exception__ Aug. 22, 2024, 11:19 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8776760 registers.r15: 8791414445680 registers.rcx: 48 registers.rsi: 8791414377344 registers.r10: 0 registers.rbx: 0 registers.rsp: 8776392 registers.r11: 8779776 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14922608 registers.rbp: 8776512 registers.rdi: 65125440 registers.rax: 13442816 registers.r13: 8777352	1
__exception__ Aug. 22, 2024, 11:19 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8582832 registers.r15: 8582336 registers.rcx: 48 registers.rsi: 14759392 registers.r10: 0 registers.rbx: 0 registers.rsp: 8581384 registers.r11: 8583584 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8582167 registers.rbp: 8581504 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1
__exception__ Aug. 22, 2024, 11:20 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10285256 registers.r15: 139236976 registers.rcx: 48 registers.rsi: 139168640 registers.r10: 0 registers.rbx: 0 registers.rsp: 10284888 registers.r11: 10288272 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14915856 registers.rbp: 10285008 registers.rdi: 370254336 registers.rax: 13442816 registers.r13: 10285848	1
__exception__ Aug. 22, 2024, 11:20 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9893056 registers.r15: 9892560 registers.rcx: 48 registers.rsi: 14759488 registers.r10: 0 registers.rbx: 0 registers.rsp: 9891608 registers.r11: 9893808 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9892391 registers.rbp: 9891728 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1
__exception__ Aug. 22, 2024, 11:20 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9434816 registers.r15: 9434320 registers.rcx: 48 registers.rsi: 14760352 registers.r10: 0 registers.rbx: 0 registers.rsp: 9433368 registers.r11: 9435568 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9434151 registers.rbp: 9433488 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1
__exception__ Aug. 22, 2024, 11:20 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10091104 registers.r15: 10090608 registers.rcx: 48 registers.rsi: 14758720 registers.r10: 0 registers.rbx: 0 registers.rsp: 10089656 registers.r11: 10091856 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092879440 registers.r12: 10090439 registers.rbp: 10089776 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 74 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 22, 2024, 11:18 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c80000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:18 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:18 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c80000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:18 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:18 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000027e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:18 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 2924 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 2924 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 2924 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 2924 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 2924 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002860000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 2924 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b80000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b80000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002860000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 85934080 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003241000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 15130624 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000008435000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 2252800 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000093f3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000009619000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000961a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000961b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000a479000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 765952 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000a47c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000030a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 85934080 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000033e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 15130624 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000085d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 2252800 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000009593000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000097b9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000097ba000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000097bb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000a619000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 765952 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000a61c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002860000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (14 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process firefox.exe with pid 2260 crashed
Application Crash	Process firefox.exe with pid 2924 crashed
Application Crash	Process firefox.exe with pid 416 crashed
Application Crash	Process firefox.exe with pid 2708 crashed
Application Crash	Process firefox.exe with pid 2208 crashed
Application Crash	Process firefox.exe with pid 1968 crashed
Application Crash	Process firefox.exe with pid 112 crashed
__exception__ Aug. 22, 2024, 11:18 a.m.	stacktrace: 0xcc1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc1f04 registers.r14: 10023688 registers.r15: 8791557510768 registers.rcx: 48 registers.rsi: 8791557442432 registers.r10: 0 registers.rbx: 0 registers.rsp: 10023320 registers.r11: 10026704 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 15971424 registers.rbp: 10023440 registers.rdi: 258056224 registers.rax: 13377280 registers.r13: 10024280	1	0	0
__exception__ Aug. 22, 2024, 11:19 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8776760 registers.r15: 8791414445680 registers.rcx: 48 registers.rsi: 8791414377344 registers.r10: 0 registers.rbx: 0 registers.rsp: 8776392 registers.r11: 8779776 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14922608 registers.rbp: 8776512 registers.rdi: 65125440 registers.rax: 13442816 registers.r13: 8777352	1	0	0
__exception__ Aug. 22, 2024, 11:19 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8582832 registers.r15: 8582336 registers.rcx: 48 registers.rsi: 14759392 registers.r10: 0 registers.rbx: 0 registers.rsp: 8581384 registers.r11: 8583584 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8582167 registers.rbp: 8581504 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ Aug. 22, 2024, 11:20 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10285256 registers.r15: 139236976 registers.rcx: 48 registers.rsi: 139168640 registers.r10: 0 registers.rbx: 0 registers.rsp: 10284888 registers.r11: 10288272 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14915856 registers.rbp: 10285008 registers.rdi: 370254336 registers.rax: 13442816 registers.r13: 10285848	1	0	0
__exception__ Aug. 22, 2024, 11:20 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9893056 registers.r15: 9892560 registers.rcx: 48 registers.rsi: 14759488 registers.r10: 0 registers.rbx: 0 registers.rsp: 9891608 registers.r11: 9893808 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9892391 registers.rbp: 9891728 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ Aug. 22, 2024, 11:20 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9434816 registers.r15: 9434320 registers.rcx: 48 registers.rsi: 14760352 registers.r10: 0 registers.rbx: 0 registers.rsp: 9433368 registers.r11: 9435568 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9434151 registers.rbp: 9433488 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ Aug. 22, 2024, 11:20 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10091104 registers.r15: 10090608 registers.rcx: 48 registers.rsi: 14758720 registers.r10: 0 registers.rbx: 0 registers.rsp: 10089656 registers.r11: 10091856 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092879440 registers.r12: 10090439 registers.rbp: 10089776 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 22, 2024, 11:18 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000005292be0000 process_handle: 0xffffffffffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00051400', u'virtual_address': u'0x000d4000', u'entropy': 7.874807390878743, u'name': u'.rsrc', u'virtual_size': u'0x000513b8'}

entropy

7.87480739088

description

A section with a high entropy has been found

entropy

0.274841437632

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (50 out of 72 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Allocates execute permission to another process indicative of possible code injection (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 22, 2024, 11:18 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Aug. 22, 2024, 11:18 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 2924 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 2924 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x000000000000004c	1
NtProtectVirtualMemory Aug. 22, 2024, 11:20 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x000000000000004c	1

Potential code injection by writing to the memory of another process (50 out of 63 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: base_address: 0x000000013f9d22b0 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: base_address: 0x000000013f9e0d88 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: I»`#?Aÿã base_address: 0x0000000077711590 process_identifier: 2260 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: _ base_address: 0x000000013f9e0d78 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2260 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: _ base_address: 0x000000013f9e0d70 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: ÏT base_address: 0x000000013f980108 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f9daae8 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: base_address: 0x000000013f9e0c78 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f2622b0 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f270d88 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: I»`##?Aÿã base_address: 0x0000000077711590 process_identifier: 2924 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: / base_address: 0x000000013f270d78 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: I» #?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2924 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: / base_address: 0x000000013f270d70 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: ÏT base_address: 0x000000013f210108 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f26aae8 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f270c78 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f2622b0 process_identifier: 416 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f270d88 process_identifier: 416 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: I»`##?Aÿã base_address: 0x0000000077711590 process_identifier: 416 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: : base_address: 0x000000013f270d78 process_identifier: 416 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: I» #?Aÿã base_address: 0x00000000776e7a90 process_identifier: 416 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: : base_address: 0x000000013f270d70 process_identifier: 416 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: ÏT base_address: 0x000000013f210108 process_identifier: 416 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f26aae8 process_identifier: 416 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f270c78 process_identifier: 416 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: base_address: 0x000000013f0822b0 process_identifier: 2708 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: base_address: 0x000000013f090d88 process_identifier: 2708 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: I»`#?Aÿã base_address: 0x0000000077711590 process_identifier: 2708 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: ¥8 base_address: 0x000000013f090d78 process_identifier: 2708 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2708 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: ¥8 base_address: 0x000000013f090d70 process_identifier: 2708 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: ÏT base_address: 0x000000013f030108 process_identifier: 2708 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f08aae8 process_identifier: 2708 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: base_address: 0x000000013f090c78 process_identifier: 2708 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: base_address: 0x000000013f0822b0 process_identifier: 2208 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: base_address: 0x000000013f090d88 process_identifier: 2208 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: I»`#?Aÿã base_address: 0x0000000077711590 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: ßB base_address: 0x000000013f090d78 process_identifier: 2208 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2208 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: ßB base_address: 0x000000013f090d70 process_identifier: 2208 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: ÏT base_address: 0x000000013f030108 process_identifier: 2208 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f08aae8 process_identifier: 2208 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: base_address: 0x000000013f090c78 process_identifier: 2208 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: base_address: 0x000000013f0822b0 process_identifier: 1968 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: base_address: 0x000000013f090d88 process_identifier: 1968 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: I»`#?Aÿã base_address: 0x0000000077711590 process_identifier: 1968 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: k base_address: 0x000000013f090d78 process_identifier: 1968 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:20 a.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 1968 process_handle: 0x000000000000004c	1	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

One or more non-whitelisted processes were created (10 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\b0ff9cd7-04aa-4fe3-b477-bf8826f93d7b.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\08d8f1ba-e82b-4a72-a4fe-b1512fe6e7f7.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\da341a66-5ea8-42c5-a945-eda24449ce35.dmp"

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (16 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1952 resumed a thread in remote process 2188
Process injection	Process 2188 resumed a thread in remote process 2260
Process injection	Process 2876 resumed a thread in remote process 2924
Process injection	Process 3020 resumed a thread in remote process 416
Process injection	Process 2824 resumed a thread in remote process 2708
Process injection	Process 3040 resumed a thread in remote process 2208
Process injection	Process 1596 resumed a thread in remote process 1968
Process injection	Process 1884 resumed a thread in remote process 112
NtResumeThread Aug. 22, 2024, 11:25 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2188	1	0	0
NtResumeThread Aug. 22, 2024, 11:18 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2260	1	0	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2924	1	0	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 416	1	0	0
NtResumeThread Aug. 22, 2024, 11:20 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2708	1	0	0
NtResumeThread Aug. 22, 2024, 11:20 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2208	1	0	0
NtResumeThread Aug. 22, 2024, 11:20 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1968	1	0	0
NtResumeThread Aug. 22, 2024, 11:20 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 112	1	0	0

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Genericuh.tc
Cylance	Unsafe
Avast	Win32:Evo-gen [Trj]
McAfeeD	Real Protect-LS!A151CBFBEFD0
FireEye	Generic.mg.a151cbfbefd0a8e0
Sophos	Generic ML PUA (PUA)
Google	Detected
Kingsoft	malware.kb.a.703
Microsoft	Trojan:Win32/Phonzy.B!ml
Varist	W32/Autoit.APO.gen!Eldorado
BitDefenderTheta	Gen:NN.ZexaCO.36812.jvW@aKhxb0ni
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Injector.AutoIt
Ikarus	Trojan.Win32.AutoitInject
huorong	Trojan/AutoIT.Agent.d
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	AutoIt/Inject.1867!tr
AVG	Win32:Evo-gen [Trj]

Executed a process and injected code into it, probably while unpacking (50 out of 178 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 22, 2024, 11:25 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 1952	1	0
CreateProcessInternalW Aug. 22, 2024, 11:25 a.m.	thread_identifier: 2192 thread_handle: 0x000002a8 process_identifier: 2188 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtResumeThread Aug. 22, 2024, 11:25 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2188	1	0
CreateProcessInternalW Aug. 22, 2024, 11:18 a.m.	thread_identifier: 2264 thread_handle: 0x0000000000000044 process_identifier: 2260 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: base_address: 0x000000013f9d22b0 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: base_address: 0x000000013f9e0d88 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection Aug. 22, 2024, 11:18 a.m.	section_handle: 0x0000000000000060 process_identifier: 2260 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x000000005f870000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory Aug. 22, 2024, 11:18 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000000005f870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: I»`#?Aÿã base_address: 0x0000000077711590 process_identifier: 2260 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: _ base_address: 0x000000013f9e0d78 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: I» ?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2260 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: _ base_address: 0x000000013f9e0d70 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: ÏT base_address: 0x000000013f980108 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f9daae8 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:18 a.m.	buffer: base_address: 0x000000013f9e0c78 process_identifier: 2260 process_handle: 0x000000000000004c	1	1
NtResumeThread Aug. 22, 2024, 11:18 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2260	1	0
NtResumeThread Aug. 22, 2024, 11:18 a.m.	thread_handle: 0x0000000000000170 suspend_count: 1 process_identifier: 2260	1	0
NtGetContextThread Aug. 22, 2024, 11:18 a.m.	thread_handle: 0x0000000000000228	1	0
NtGetContextThread Aug. 22, 2024, 11:18 a.m.	thread_handle: 0x0000000000000230	1	0
NtGetContextThread Aug. 22, 2024, 11:18 a.m.	thread_handle: 0x0000000000000234	1	0
NtGetContextThread Aug. 22, 2024, 11:18 a.m.	thread_handle: 0x0000000000000238	1	0
NtGetContextThread Aug. 22, 2024, 11:18 a.m.	thread_handle: 0x000000000000023c	1	0
NtGetContextThread Aug. 22, 2024, 11:18 a.m.	thread_handle: 0x0000000000000240	1	0
NtGetContextThread Aug. 22, 2024, 11:18 a.m.	thread_handle: 0x0000000000000244	1	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000228 suspend_count: 1 process_identifier: 2260	1	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000230 suspend_count: 1 process_identifier: 2260	1	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000234 suspend_count: 1 process_identifier: 2260	1	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000238 suspend_count: 1 process_identifier: 2260	1	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x000000000000023c suspend_count: 1 process_identifier: 2260	1	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000244 suspend_count: 1 process_identifier: 2260	1	0
CreateProcessInternalW Aug. 22, 2024, 11:19 a.m.	thread_identifier: 2732 thread_handle: 0x0000000000000298 process_identifier: 2728 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\da341a66-5ea8-42c5-a945-eda24449ce35.dmp" filepath_r: stack_pivoted: 0 creation_flags: 150994976 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_NO_WINDOW\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000000000000214	1	1
CreateProcessInternalW Aug. 22, 2024, 11:19 a.m.	thread_identifier: 2776 thread_handle: 0x00000000000000a0 process_identifier: 2772 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\da341a66-5ea8-42c5-a945-eda24449ce35.dmp" filepath_r: stack_pivoted: 0 creation_flags: 134217760 (CREATE_NO_WINDOW\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000000000000a4	1	1
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000150 suspend_count: 1 process_identifier: 2728	1	0
CreateProcessInternalW Aug. 22, 2024, 11:19 a.m.	thread_identifier: 2880 thread_handle: 0x0000000000000164 process_identifier: 2876 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000000000000168	1	1
CreateProcessInternalW Aug. 22, 2024, 11:19 a.m.	thread_identifier: 3024 thread_handle: 0x0000000000000378 process_identifier: 3020 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000000000037c	1	1
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2772	1	0
CreateProcessInternalW Aug. 22, 2024, 11:19 a.m.	thread_identifier: 2928 thread_handle: 0x0000000000000044 process_identifier: 2924 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f2622b0 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f270d88 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
NtMapViewOfSection Aug. 22, 2024, 11:19 a.m.	section_handle: 0x000000000000005c process_identifier: 2924 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x00000000122f0000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x000000000000004c	1	0
NtAllocateVirtualMemory Aug. 22, 2024, 11:19 a.m.	process_identifier: 2924 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000122f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000000000000004c	1	0
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: I»`##?Aÿã base_address: 0x0000000077711590 process_identifier: 2924 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: / base_address: 0x000000013f270d78 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: I» #?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2924 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: / base_address: 0x000000013f270d70 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: ÏT base_address: 0x000000013f210108 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013f26aae8 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
WriteProcessMemory Aug. 22, 2024, 11:19 a.m.	buffer: base_address: 0x000000013f270c78 process_identifier: 2924 process_handle: 0x0000000000000048	1	1
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2924	1	0
NtResumeThread Aug. 22, 2024, 11:19 a.m.	thread_handle: 0x0000000000000170 suspend_count: 1 process_identifier: 2924	1	0

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All