Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 21, 2024, 1:49 p.m.	Sept. 21, 2024, 2:15 p.m.

Size	900.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9b638c429ac9e4c032d7e6852b464dbd`
SHA256	`9886495bbc317e2309057d661f0c9be3e4607df5c71619565f99ca5d24bb9512`
CRC32	`EC60D6B6`
ssdeep	`12288:aqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaaTk:aqDEvCTbMWu7rQYlBQcBiT6rprG8aqk`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2060
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  2116
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    2160
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\4049b43a-223f-428e-b4f0-2e05208c9150.dmp"
      2056
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\4049b43a-223f-428e-b4f0-2e05208c9150.dmp"
        2012
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  2272
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    2316
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\58ae6a1a-6c81-471e-b523-42fbc34c4a67.dmp"
      1692
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\58ae6a1a-6c81-471e-b523-42fbc34c4a67.dmp"
        2652
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  2472
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    2524
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\f0c8c63a-5d3a-4963-b6d1-525de8933f1c.dmp"
      1960
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\f0c8c63a-5d3a-4963-b6d1-525de8933f1c.dmp"
        2608
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  2648
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    2712
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\bce29965-ba79-455d-9ef6-f4265051121a.dmp"
      2872
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\bce29965-ba79-455d-9ef6-f4265051121a.dmp"
        2924
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  2848
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    2976
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  884
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    2240
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\6e065bad-2917-4022-adeb-3969130642a1.dmp"
      1740
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\6e065bad-2917-4022-adeb-3969130642a1.dmp"
        1268
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  912
  - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\3babec9f-9ea1-4aec-b579-6c134653a928.dmp"
    1600
    - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\3babec9f-9ea1-4aec-b579-6c134653a928.dmp"
      1956
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  2276
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    2828
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  1804
  - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\9b3d9c87-17bf-4f7b-8a3f-9e2f795429a2.dmp"
    1884
    - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\9b3d9c87-17bf-4f7b-8a3f-9e2f795429a2.dmp"
      2988
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  3060
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    2668
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  1212
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    724
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\f8a97331-0c4d-4dbb-bf05-102f0096f98a.dmp"
      3328
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\f8a97331-0c4d-4dbb-bf05-102f0096f98a.dmp"
        3440
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  2644
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    1532
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\6d27f449-5388-47c8-97d9-57065ecb8949.dmp"
      3728
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\6d27f449-5388-47c8-97d9-57065ecb8949.dmp"
        3860
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  3148
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3240
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\7f203aae-85a8-4300-b472-b3b5ef47d2e2.dmp"
      4076
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  3272
  - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\08e0f83a-d4c7-49bb-8624-9ece66b471b8.dmp"
    4032
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  3456
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3608
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
  3664
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3828

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (50 out of 138 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 21, 2024, 1:49 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:42 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:43 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:43 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:43 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:43 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:43 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:43 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:43 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:43 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:43 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:43 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:43 p.m.			0	0
IsDebuggerPresent Sept. 21, 2024, 1:43 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 21, 2024, 1:43 p.m.		1	1	0

One or more processes crashed (13 events)

Time & API	Arguments	Status
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10285720 registers.r15: 8791556003440 registers.rcx: 48 registers.rsi: 8791555935104 registers.r10: 0 registers.rbx: 0 registers.rsp: 10285352 registers.r11: 10288736 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14914176 registers.rbp: 10285472 registers.rdi: 252818144 registers.rax: 13442816 registers.r13: 10286312	1
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8780352 registers.r15: 8779856 registers.rcx: 48 registers.rsi: 14706336 registers.r10: 0 registers.rbx: 0 registers.rsp: 8778904 registers.r11: 8781104 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 8779687 registers.rbp: 8779024 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9238688 registers.r15: 9238192 registers.rcx: 48 registers.rsi: 14706240 registers.r10: 0 registers.rbx: 0 registers.rsp: 9237240 registers.r11: 9239440 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9238023 registers.rbp: 9237360 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10614544 registers.r15: 10614048 registers.rcx: 48 registers.rsi: 14705376 registers.r10: 0 registers.rbx: 0 registers.rsp: 10613096 registers.r11: 10615296 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10613879 registers.rbp: 10613216 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9828640 registers.r15: 9828144 registers.rcx: 48 registers.rsi: 14707200 registers.r10: 0 registers.rbx: 0 registers.rsp: 9827192 registers.r11: 9829392 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9827975 registers.rbp: 9827312 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xcc1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc1f04 registers.r14: 9500928 registers.r15: 9500432 registers.rcx: 48 registers.rsi: 14706816 registers.r10: 0 registers.rbx: 0 registers.rsp: 9499480 registers.r11: 9501680 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9500263 registers.rbp: 9499600 registers.rdi: 100 registers.rax: 13377280 registers.r13: 3	1
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xac1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xac1f04 registers.r14: 10614272 registers.r15: 10613776 registers.rcx: 48 registers.rsi: 14704704 registers.r10: 0 registers.rbx: 0 registers.rsp: 10612824 registers.r11: 10615024 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10613607 registers.rbp: 10612944 registers.rdi: 100 registers.rax: 11280128 registers.r13: 3	1
__exception__ Sept. 21, 2024, 1:43 p.m.	stacktrace: 0xcc1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc1f04 registers.r14: 9171144 registers.r15: 8791556003440 registers.rcx: 48 registers.rsi: 8791555935104 registers.r10: 0 registers.rbx: 0 registers.rsp: 9170776 registers.r11: 9174160 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14908384 registers.rbp: 9170896 registers.rdi: 251770048 registers.rax: 13377280 registers.r13: 9171736	1
__exception__ Sept. 21, 2024, 1:43 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9697280 registers.r15: 9696784 registers.rcx: 48 registers.rsi: 14705280 registers.r10: 0 registers.rbx: 0 registers.rsp: 9695832 registers.r11: 9698032 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9696615 registers.rbp: 9695952 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1
__exception__ Sept. 21, 2024, 1:43 p.m.	stacktrace: 0xcd2104 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd2104 registers.r14: 14726592 registers.r15: 8714288 registers.rcx: 48 registers.rsi: 14742240 registers.r10: 0 registers.rbx: 14743360 registers.rsp: 8713288 registers.r11: 8715504 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8713592 registers.rbp: 8713408 registers.rdi: 100 registers.rax: 13443328 registers.r13: 562954248388608	1
__exception__ Sept. 21, 2024, 1:43 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8713392 registers.r15: 8712896 registers.rcx: 48 registers.rsi: 14707104 registers.r10: 0 registers.rbx: 0 registers.rsp: 8711944 registers.r11: 8714144 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8712727 registers.rbp: 8712064 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1
__exception__ Sept. 21, 2024, 1:44 p.m.	stacktrace: 0xcc2104 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc2104 registers.r14: 14726448 registers.r15: 9368720 registers.rcx: 48 registers.rsi: 14741680 registers.r10: 0 registers.rbx: 14742240 registers.rsp: 9367720 registers.r11: 9369936 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9368024 registers.rbp: 9367840 registers.rdi: 100 registers.rax: 13377792 registers.r13: 562954248388608	1
__exception__ Sept. 21, 2024, 1:44 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8911008 registers.r15: 8910512 registers.rcx: 48 registers.rsi: 14704992 registers.r10: 0 registers.rbx: 0 registers.rsp: 8909560 registers.r11: 8911760 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 8910343 registers.rbp: 8909680 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 events)

Time & API	Arguments	Status	Return
bind Sept. 21, 2024, 1:44 p.m.	ip_address: 127.0.0.1 socket: 1008 port: 0	1	0
listen Sept. 21, 2024, 1:44 p.m.	socket: 1008 backlog: 5	1	0
accept Sept. 21, 2024, 1:44 p.m.	ip_address: 127.0.0.1 socket: 1008 port: 49217	1	1084

Allocates read-write-execute memory (usually to unpack itself) (50 out of 102 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b50000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b50000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003470000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002840000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000027a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000028a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000033f0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c70000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c70000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004ea0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749af000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002810000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a80000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a80000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002860000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749ad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 1804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c70000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 1804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 1804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c70000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 1804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 1804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000004da60000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 1804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000749af000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (26 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process firefox.exe with pid 2160 crashed
Application Crash	Process firefox.exe with pid 2316 crashed
Application Crash	Process firefox.exe with pid 2524 crashed
Application Crash	Process firefox.exe with pid 2712 crashed
Application Crash	Process firefox.exe with pid 2976 crashed
Application Crash	Process firefox.exe with pid 912 crashed
Application Crash	Process firefox.exe with pid 2240 crashed
Application Crash	Process firefox.exe with pid 1804 crashed
Application Crash	Process firefox.exe with pid 2828 crashed
Application Crash	Process firefox.exe with pid 724 crashed
Application Crash	Process firefox.exe with pid 1532 crashed
Application Crash	Process firefox.exe with pid 3272 crashed
Application Crash	Process firefox.exe with pid 3240 crashed
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10285720 registers.r15: 8791556003440 registers.rcx: 48 registers.rsi: 8791555935104 registers.r10: 0 registers.rbx: 0 registers.rsp: 10285352 registers.r11: 10288736 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14914176 registers.rbp: 10285472 registers.rdi: 252818144 registers.rax: 13442816 registers.r13: 10286312	1	0	0
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8780352 registers.r15: 8779856 registers.rcx: 48 registers.rsi: 14706336 registers.r10: 0 registers.rbx: 0 registers.rsp: 8778904 registers.r11: 8781104 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 8779687 registers.rbp: 8779024 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9238688 registers.r15: 9238192 registers.rcx: 48 registers.rsi: 14706240 registers.r10: 0 registers.rbx: 0 registers.rsp: 9237240 registers.r11: 9239440 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9238023 registers.rbp: 9237360 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10614544 registers.r15: 10614048 registers.rcx: 48 registers.rsi: 14705376 registers.r10: 0 registers.rbx: 0 registers.rsp: 10613096 registers.r11: 10615296 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10613879 registers.rbp: 10613216 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9828640 registers.r15: 9828144 registers.rcx: 48 registers.rsi: 14707200 registers.r10: 0 registers.rbx: 0 registers.rsp: 9827192 registers.r11: 9829392 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9827975 registers.rbp: 9827312 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xcc1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc1f04 registers.r14: 9500928 registers.r15: 9500432 registers.rcx: 48 registers.rsi: 14706816 registers.r10: 0 registers.rbx: 0 registers.rsp: 9499480 registers.r11: 9501680 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9500263 registers.rbp: 9499600 registers.rdi: 100 registers.rax: 13377280 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:42 p.m.	stacktrace: 0xac1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xac1f04 registers.r14: 10614272 registers.r15: 10613776 registers.rcx: 48 registers.rsi: 14704704 registers.r10: 0 registers.rbx: 0 registers.rsp: 10612824 registers.r11: 10615024 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 10613607 registers.rbp: 10612944 registers.rdi: 100 registers.rax: 11280128 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:43 p.m.	stacktrace: 0xcc1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc1f04 registers.r14: 9171144 registers.r15: 8791556003440 registers.rcx: 48 registers.rsi: 8791555935104 registers.r10: 0 registers.rbx: 0 registers.rsp: 9170776 registers.r11: 9174160 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 14908384 registers.rbp: 9170896 registers.rdi: 251770048 registers.rax: 13377280 registers.r13: 9171736	1	0	0
__exception__ Sept. 21, 2024, 1:43 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9697280 registers.r15: 9696784 registers.rcx: 48 registers.rsi: 14705280 registers.r10: 0 registers.rbx: 0 registers.rsp: 9695832 registers.r11: 9698032 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9696615 registers.rbp: 9695952 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:43 p.m.	stacktrace: 0xcd2104 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd2104 registers.r14: 14726592 registers.r15: 8714288 registers.rcx: 48 registers.rsi: 14742240 registers.r10: 0 registers.rbx: 14743360 registers.rsp: 8713288 registers.r11: 8715504 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8713592 registers.rbp: 8713408 registers.rdi: 100 registers.rax: 13443328 registers.r13: 562954248388608	1	0	0
__exception__ Sept. 21, 2024, 1:43 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8713392 registers.r15: 8712896 registers.rcx: 48 registers.rsi: 14707104 registers.r10: 0 registers.rbx: 0 registers.rsp: 8711944 registers.r11: 8714144 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8712727 registers.rbp: 8712064 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0
__exception__ Sept. 21, 2024, 1:44 p.m.	stacktrace: 0xcc2104 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc2104 registers.r14: 14726448 registers.r15: 9368720 registers.rcx: 48 registers.rsi: 14741680 registers.r10: 0 registers.rbx: 14742240 registers.rsp: 9367720 registers.r11: 9369936 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9368024 registers.rbp: 9367840 registers.rdi: 100 registers.rax: 13377792 registers.r13: 562954248388608	1	0	0
__exception__ Sept. 21, 2024, 1:44 p.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8911008 registers.r15: 8910512 registers.rcx: 48 registers.rsi: 14704992 registers.r10: 0 registers.rbx: 0 registers.rsp: 8909560 registers.r11: 8911760 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 8910343 registers.rbp: 8909680 registers.rdi: 100 registers.rax: 13442816 registers.r13: 3	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000003cfc3610000 process_handle: 0xffffffffffffffff	1	0	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (50 out of 117 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Allocates execute permission to another process indicative of possible code injection (26 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2524 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 1532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 1532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 3240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:43 p.m.	process_identifier: 3240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:44 p.m.	process_identifier: 3608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:44 p.m.	process_identifier: 3608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:44 p.m.	process_identifier: 3828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077711000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Sept. 21, 2024, 1:44 p.m.	process_identifier: 3828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776e7000 process_handle: 0x0000000000000050	1

Potential code injection by writing to the memory of another process (50 out of 117 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fde22b0 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0d88 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I»`#Û?Aÿã base_address: 0x0000000077711590 process_identifier: 2160 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ²x base_address: 0x000000013fdf0d78 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I» Û?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2160 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ²x base_address: 0x000000013fdf0d70 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ÏT base_address: 0x000000013fd90108 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013fdeaae8 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0c78 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fde22b0 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0d88 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I»`#Û?Aÿã base_address: 0x0000000077711590 process_identifier: 2316 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ¤ base_address: 0x000000013fdf0d78 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I» Û?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2316 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ¤ base_address: 0x000000013fdf0d70 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ÏT base_address: 0x000000013fd90108 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013fdeaae8 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0c78 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fde22b0 process_identifier: 2524 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0d88 process_identifier: 2524 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I»`#Û?Aÿã base_address: 0x0000000077711590 process_identifier: 2524 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0d78 process_identifier: 2524 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I» Û?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2524 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0d70 process_identifier: 2524 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ÏT base_address: 0x000000013fd90108 process_identifier: 2524 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013fdeaae8 process_identifier: 2524 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0c78 process_identifier: 2524 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fde22b0 process_identifier: 2712 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0d88 process_identifier: 2712 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I»`#Û?Aÿã base_address: 0x0000000077711590 process_identifier: 2712 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ) base_address: 0x000000013fdf0d78 process_identifier: 2712 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I» Û?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2712 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ) base_address: 0x000000013fdf0d70 process_identifier: 2712 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ÏT base_address: 0x000000013fd90108 process_identifier: 2712 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013fdeaae8 process_identifier: 2712 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0c78 process_identifier: 2712 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fde22b0 process_identifier: 2976 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0d88 process_identifier: 2976 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I»`#Û?Aÿã base_address: 0x0000000077711590 process_identifier: 2976 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ¡T base_address: 0x000000013fdf0d78 process_identifier: 2976 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I» Û?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2976 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ¡T base_address: 0x000000013fdf0d70 process_identifier: 2976 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ÏT base_address: 0x000000013fd90108 process_identifier: 2976 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013fdeaae8 process_identifier: 2976 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0c78 process_identifier: 2976 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fde22b0 process_identifier: 2240 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0d88 process_identifier: 2240 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I»`#Û?Aÿã base_address: 0x0000000077711590 process_identifier: 2240 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ` base_address: 0x000000013fdf0d78 process_identifier: 2240 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I» Û?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2240 process_handle: 0x0000000000000050	1	1

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Genericuh.dh
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Autoit.ORF
APEX	Malicious
McAfeeD	Real Protect-LS!9B638C429AC9
FireEye	Generic.mg.9b638c429ac9e4c0
Microsoft	PWS:Win32/Fareit!ml
DeepInstinct	MALICIOUS
huorong	Trojan/AutoIT.Agent.d
Fortinet	W32/Autoit.ORF!tr

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

One or more non-whitelisted processes were created (24 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\bce29965-ba79-455d-9ef6-f4265051121a.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\9b3d9c87-17bf-4f7b-8a3f-9e2f795429a2.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\7f203aae-85a8-4300-b472-b3b5ef47d2e2.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\f0c8c63a-5d3a-4963-b6d1-525de8933f1c.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\58ae6a1a-6c81-471e-b523-42fbc34c4a67.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\6e065bad-2917-4022-adeb-3969130642a1.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\08e0f83a-d4c7-49bb-8624-9ece66b471b8.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\f8a97331-0c4d-4dbb-bf05-102f0096f98a.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\3babec9f-9ea1-4aec-b579-6c134653a928.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\4049b43a-223f-428e-b4f0-2e05208c9150.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\6d27f449-5388-47c8-97d9-57065ecb8949.dmp"

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (26 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2116 resumed a thread in remote process 2160
Process injection	Process 2272 resumed a thread in remote process 2316
Process injection	Process 2472 resumed a thread in remote process 2524
Process injection	Process 2648 resumed a thread in remote process 2712
Process injection	Process 2848 resumed a thread in remote process 2976
Process injection	Process 884 resumed a thread in remote process 2240
Process injection	Process 2276 resumed a thread in remote process 2828
Process injection	Process 3060 resumed a thread in remote process 2668
Process injection	Process 1212 resumed a thread in remote process 724
Process injection	Process 2644 resumed a thread in remote process 1532
Process injection	Process 3148 resumed a thread in remote process 3240
Process injection	Process 3456 resumed a thread in remote process 3608
Process injection	Process 3664 resumed a thread in remote process 3828
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2160	1	0	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2316	1	0	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2524	1	0	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2712	1	0	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2976	1	0	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2240	1	0	0
NtResumeThread Sept. 21, 2024, 1:43 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2828	1	0	0
NtResumeThread Sept. 21, 2024, 1:43 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2668	1	0	0
NtResumeThread Sept. 21, 2024, 1:43 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 724	1	0	0
NtResumeThread Sept. 21, 2024, 1:43 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 1532	1	0	0
NtResumeThread Sept. 21, 2024, 1:43 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3240	1	0	0
NtResumeThread Sept. 21, 2024, 1:44 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3608	1	0	0
NtResumeThread Sept. 21, 2024, 1:44 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3828	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 369 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 2120 thread_handle: 0x0000012c process_identifier: 2116 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 2276 thread_handle: 0x00000130 process_identifier: 2272 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 2476 thread_handle: 0x0000012c process_identifier: 2472 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 2652 thread_handle: 0x00000130 process_identifier: 2648 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 2852 thread_handle: 0x0000012c process_identifier: 2848 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 1872 thread_handle: 0x00000130 process_identifier: 884 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:49 p.m.	thread_identifier: 804 thread_handle: 0x0000012c process_identifier: 912 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 2312 thread_handle: 0x00000130 process_identifier: 2276 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 1348 thread_handle: 0x0000012c process_identifier: 1804 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 3036 thread_handle: 0x00000130 process_identifier: 3060 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 2164 thread_handle: 0x0000012c process_identifier: 1212 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 2044 thread_handle: 0x00000130 process_identifier: 2644 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 3152 thread_handle: 0x0000012c process_identifier: 3148 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:50 p.m.	thread_identifier: 3276 thread_handle: 0x00000130 process_identifier: 3272 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:51 p.m.	thread_identifier: 3460 thread_handle: 0x0000012c process_identifier: 3456 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000130	1	1
CreateProcessInternalW Sept. 21, 2024, 1:51 p.m.	thread_identifier: 3668 thread_handle: 0x00000130 process_identifier: 3664 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Program Files\Mozilla Firefox\firefox.exe --kiosk https://www.youtube.com/account filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000012c	1	1
CreateProcessInternalW Sept. 21, 2024, 1:42 p.m.	thread_identifier: 2164 thread_handle: 0x0000000000000044 process_identifier: 2160 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fde22b0 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0d88 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection Sept. 21, 2024, 1:42 p.m.	section_handle: 0x0000000000000060 process_identifier: 2160 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x0000000078b20000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000078b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I»`#Û?Aÿã base_address: 0x0000000077711590 process_identifier: 2160 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ²x base_address: 0x000000013fdf0d78 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I» Û?Aÿã base_address: 0x00000000776e7a90 process_identifier: 2160 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ²x base_address: 0x000000013fdf0d70 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: ÏT base_address: 0x000000013fd90108 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: qw@qw qw@qwqw°qw nwàTnw 3qwqwÀ´lw`,qwÀowömw Yqw2qwVqw°wwnwRqw nwQqwÂnw ?owPnw°TnwàtnwðowÐ1qwmwÐOmw`êpwÐæpwÐæpwÐ.qw base_address: 0x000000013fdeaae8 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0c78 process_identifier: 2160 process_handle: 0x000000000000004c	1	1
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2160	1	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x000000000000016c suspend_count: 1 process_identifier: 2160	1	0
NtGetContextThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000240	1	0
NtGetContextThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000248	1	0
NtGetContextThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x000000000000024c	1	0
NtGetContextThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000250	1	0
NtGetContextThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000254	1	0
NtGetContextThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000258	1	0
NtGetContextThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x000000000000025c	1	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000240 suspend_count: 1 process_identifier: 2160	1	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000248 suspend_count: 1 process_identifier: 2160	1	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x000000000000024c suspend_count: 1 process_identifier: 2160	1	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000250 suspend_count: 1 process_identifier: 2160	1	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x0000000000000254 suspend_count: 1 process_identifier: 2160	1	0
NtResumeThread Sept. 21, 2024, 1:42 p.m.	thread_handle: 0x000000000000025c suspend_count: 1 process_identifier: 2160	1	0
CreateProcessInternalW Sept. 21, 2024, 1:43 p.m.	thread_identifier: 2096 thread_handle: 0x0000000000000220 process_identifier: 2056 current_directory: filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\4049b43a-223f-428e-b4f0-2e05208c9150.dmp" filepath_r: stack_pivoted: 0 creation_flags: 150994976 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_NO_WINDOW\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000000000001d8	1	1
CreateProcessInternalW Sept. 21, 2024, 1:42 p.m.	thread_identifier: 2320 thread_handle: 0x0000000000000044 process_identifier: 2316 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fde22b0 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: base_address: 0x000000013fdf0d88 process_identifier: 2316 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection Sept. 21, 2024, 1:42 p.m.	section_handle: 0x0000000000000060 process_identifier: 2316 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x0000000010a40000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory Sept. 21, 2024, 1:42 p.m.	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000010a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory Sept. 21, 2024, 1:42 p.m.	buffer: I»`#Û?Aÿã base_address: 0x0000000077711590 process_identifier: 2316 process_handle: 0x0000000000000050	1	1

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All