Edit tour

Windows Analysis Report
zotero.exe

Overview

General Information

Sample name:	zotero.exe
Analysis ID:	1658235
MD5:	711dd0f14a39dee504fae44f70657abf
SHA1:	ab5414f6b567928375767b18dbba500ce6d03747
SHA256:	864020d53802749d006af3f5c3ddf983cfd0a0eae08d217e2bbf76515a2c496d
Infos:

Errors Corrupt sample or wrongly selected analyzer. Details: 36b1 Corrupt sample or wrongly selected analyzer. Details: 36b1 Corrupt sample or wrongly selected analyzer. Details: 36b1

Detection

Score:	25
Range:	0 - 100
Confidence:	40%

Signatures

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

zotero.exe (PID: 7756 cmdline: "C:\Users\user\Desktop\zotero.exe" -install MD5: 711DD0F14A39DEE504FAE44F70657ABF)

zotero.exe (PID: 7800 cmdline: "C:\Users\user\Desktop\zotero.exe" /install MD5: 711DD0F14A39DEE504FAE44F70657ABF)

zotero.exe (PID: 7924 cmdline: "C:\Users\user\Desktop\zotero.exe" /load MD5: 711DD0F14A39DEE504FAE44F70657ABF)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: zotero.exe

Static PE information: certificate valid

Source: zotero.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: zotero.exe	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: zotero.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: zotero.exe	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: zotero.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: zotero.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: zotero.exe	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: zotero.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: zotero.exe	String found in binary or memory: http://ocsps.ssl.com0?
Source: zotero.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: zotero.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: zotero.exe	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: zotero.exe	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: zotero.exe	String found in binary or memory: https://hg.mozilla.org/mozilla-unified/rev/e1174a2473ad7e8fdde28d29e2e9e14ae1f15a72
Source: zotero.exe	String found in binary or memory: https://www.ssl.com/repository0

Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B415450 VerSetConditionMask,NtQueryInformationProcess,OpenProcess,QueryFullProcessImageNameW,GetLastError,GetLastError,CloseHandle,getenv,_putenv,getenv,DebugBreak,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,_wgetenv,wcstoul,GetCurrentProcessId,Sleep,GetCurrentProcess,QueryFullProcessImageNameW,getenv,getenv,GetModuleFileNameW,GetLastError,GetStdHandle,GetStdHandle,GetStdHandle,GetStdHandle,GetLastError,RtlInitUnicodeString,RtlInitUnicodeString,RtlEqualUnicodeString,free,free,free,CloseHandle,CloseHandle,GetStartupInfoW,CreateProcessW,GetLastError,TerminateProcess,ResumeThread,IsDebuggerPresent,GetLastError,TerminateProcess,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,GetExitCodeProcess,exit,_Init_thread_header,_invalid_parameter_noinfo_noreturn,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B45D4F0 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B41ACA0 NtReadVirtualMemory,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B45F4D0 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,_Init_thread_header,GetSystemInfo,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B41CB60 moz_xmalloc,moz_xmalloc,moz_xmalloc,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,moz_xmalloc,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B41F380 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,_Init_thread_header,GetSystemInfo,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B423B40 NtQueryVirtualMemory,RtlCompareUnicodeString,RtlAcquireSRWLockShared,RtlRunOnceExecuteOnce,RtlReleaseSRWLockShared,RtlInitAnsiString,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,RtlFreeUnicodeString,RtlReleaseSRWLockShared,RtlDuplicateUnicodeString,RtlFreeUnicodeString,NtUnmapViewOfSection,RtlReleaseSRWLockShared,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B424BE0 NtQueryObject,NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B4262D0 NtMapViewOfSection,RtlNtStatusToDosError,RtlSetLastWin32Error,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B426130 NtMapViewOfSection,RtlNtStatusToDosError,RtlSetLastWin32Error,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,RtlSetLastWin32Error,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B424120 NtMapViewOfSection,RtlNtStatusToDosError,RtlSetLastWin32Error,RtlInitUnicodeString,RtlCompareUnicodeString,RtlGetLastWin32Error,memcpy,memset,NtUnmapViewOfSection,RtlNtStatusToDosError,RtlSetLastWin32Error,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B41B050 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B425FB0 CreateFileMappingW,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,GetLastError,NtUnmapViewOfSection,RtlNtStatusToDosError,RtlSetLastWin32Error,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B425620 NtQueryVirtualMemory,RtlDuplicateUnicodeString,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B425700 NtQueryVirtualMemory,memmove,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B41FEA0 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,_Init_thread_header,GetSystemInfo,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B45CD50 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B425D40 NtQueryInformationProcess,RtlCompareUnicodeString,

Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B44E470
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B420490
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B42FC90
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B415450
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B4524F0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B459505
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B42CCB0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B45F4D0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B424370
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B452B70
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B41F380
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B41FB20
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B423B40
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B432BB0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B4383D0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B451A90
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B427A80
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B45C2F0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B425300
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B427300
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B458B00
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B45AAB0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B41B190
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B452140
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B452940
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B45D9A6
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B42F9A0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B418860
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B42D050
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B4190B0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B4358A1
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B4270D0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B45BF60
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B41CF30
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B411000
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B42EFB0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B45CE90
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B41C650
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B426650
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B431F10
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B44B580
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B4125F0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B417DB0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B457DB0
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B4475D0

Source: C:\Users\user\Desktop\zotero.exe

Code function: String function: 00007FF78B45BC90 appears 31 times

Source: zotero.exe

Static PE information: Number of sections : 11 > 10

Source: zotero.exe	Binary string: ntdll.dll////////\Device\
Source: zotero.exe	Binary string: \\.\ntdll.dll\Device\\Device\HarddiskVolumekernel32ext-ms-win-ntuser-windowstation-l1-1-0

Source: classification engine

Classification label: sus25.evad.winEXE@3/0@0/0

Source: zotero.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: zotero.exe	String found in binary or memory: C:/mozilla-source/mozilla-unified/toolkit/xre/LauncherRegistryInfo.cpp
Source: zotero.exe	String found in binary or memory: force-launcher
Source: zotero.exe	String found in binary or memory: log-launcher-error
Source: zotero.exe	String found in binary or memory: C:/mozilla-source/mozilla-unified/browser/app/winlauncher/LauncherProcessWin.cpp
Source: zotero.exe	String found in binary or memory: C:/mozilla-source/mozilla-unified/browser/app/winlauncher/LaunchUnelevated.cpp
Source: zotero.exe	String found in binary or memory: log-launcher-error
Source: zotero.exe	String found in binary or memory: force-launcher
Source: zotero.exe	String found in binary or memory: C:/mozilla-source/mozilla-unified/toolkit/xre/LauncherRegistryInfo.cpp
Source: zotero.exe	String found in binary or memory: C:/mozilla-source/mozilla-unified/browser/app/winlauncher/LauncherProcessWin.cpp
Source: zotero.exe	String found in binary or memory: C:/mozilla-source/mozilla-unified/browser/app/winlauncher/LaunchUnelevated.cpp

Source: unknown	Process created: C:\Users\user\Desktop\zotero.exe "C:\Users\user\Desktop\zotero.exe" -install
Source: unknown	Process created: C:\Users\user\Desktop\zotero.exe "C:\Users\user\Desktop\zotero.exe" /install
Source: unknown	Process created: C:\Users\user\Desktop\zotero.exe "C:\Users\user\Desktop\zotero.exe" /load

Source: zotero.exe

Static PE information: certificate valid

Source: zotero.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: zotero.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: zotero.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: zotero.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: zotero.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: zotero.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: zotero.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\zotero.exe

Code function: 0_2_00007FF78B411BF0 __stdio_common_vsnprintf_s,MultiByteToWideChar,LoadLibraryW,GetProcAddress,FreeLibrary,

Source: zotero.exe	Static PE information: section name: .00cfg
Source: zotero.exe	Static PE information: section name: .freestd
Source: zotero.exe	Static PE information: section name: .retplne
Source: zotero.exe	Static PE information: section name: .voltbl

Source: C:\Users\user\Desktop\zotero.exe

Code function: 0_2_00007FF78B436091 push rax; ret

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: zotero.exe

Binary or memory string: SOFTWARE\POLICIES\MOZILLA\FIREFOXPROFILE FOR CHROME SANDBOXAVMVIRTUALSOURCE.AXVWCSOURCE.AXYCWEBCAMERASOURCE.AXUSERENVALPC PORT\SESSIONS\%D\APPCONTAINERNAMEDOBJECTS\%LSVORBIS.ACMOLY.DLLAVGRSSTX.DLLBABYFOX.DLLRF-FIREFOX.DLLPRNX.DLLOPNX.DLLPMNX.DLLRLNX.DLLNPRPFFBROWSERRECORDEXT.DLLNPRNDLFFBROWSERRECORDEXT.DLLHMPALERT.DLLASWJSFLT.DLLCYINJCT.DLLLIBINJECT.DLLNHASUSSTRIXDEVPROPS.DLLNAHIMICVRDEVPROPS.DLLNAHIMICMSIDEVPROPS.DLLSS3DEVPROPS.DLLSS2DEVPROPS.DLLNAHIMIC2DEVPROPS.DLLPRLS.DLLOPLS.DLLPMLS.DLLRLLS.DLLWRUSR.DLLEOPPMONITOR.DLLSPROTECTOR.DLLACCELERATOR.DLLBEID35CARDLAYER.DLLVKSAVER.DLLEOPPBROWSER.DLLVIDEOCAPTURER.DLLBLETOKENCREDENTIALPROVIDER.DLLNLSP.DLLATKDX11DISP.DLLQIPCAP.DLLIWPRN.DLLSXWMON.DLLNPFFADDON.DLLPSICON.DLLRNDLMAINBROWSERRECORDPLUGIN.DLLK7PSWSEN.DLLROBOFORM.DLLNZBRCOM.DLLSAFAWEB_M.DLLSAFAWEB64_M.DLLNTDLL.DLLGRABDLL.DLLGRABKERNEL.DLLASWHOOK.DLLPGHOOK.DLLDGAPI.DLLKS3RDHMPG.DLLRLXF.DLLRNDLNPSHIMSWF.DLLFCAGFF.DLLMOZGLUE.DLLKERNELBASE.DLLDATABASE.DLLUSRDNIECERTSTORE.DLLNHASUSSTRIXOSD.DLLNAHIMICMSIOSD.DLLNAHIMICOSD.DLLSS2OSD.DLLNAHIMIC2OSD.DLLBITGUARD.DLLDBROVERLAYICONNOTBACKUPED.DLLDBROVERLAYICONBACKUPED.DLLWBLOAD.DLLDTWXSVC.DLLCALC.DLLMFFLAC.DLLFGJK4WVB.DLLRADHSLIB.DLLRDOLIB.DLLSAFAWEB.DLLIDMCCHANDLER7.DLLIWPRN_X86.DLLWRDLL.X86.DLLIDMCCHANDLER5.DLLOLY64.DLLWRDLL.X64.DLLPDZIPMENU64.DLLASUSWSSHELLEXT64.DLLHNCSHELLEXT64.DLLACTIVEDETECT64.DLLPRLS64.DLLOPLS64.DLLPMLS64.DLLRLLS64.DLLQIPCAP64.DLLKISFDPRO64.DLLSXWMON64.DLLSAFEMON64.DLLGDKBFLTDLL64.DLLWINDOWSAPIHOOKDLL64.DLLPAVSHOOK64.DLLPAVLSPHOOK64.DLLVIDEOCAPTURERHK64.DLLKLSIHK64.DLLKWSUI64.DLLDGAPI64.DLLSMCI64.DLLNVIEWH64.DLLDGHMPG64.DLLIPSENG64.DLLFCAGFF64.DLLCYLANCEMEMDEF64.DLLBANKSAFE64.DLLISEGUARD64.DLLEXPLORERPATCHER.AMD64.DLLSAFAWEB64.DLLIDMCCHANDLER7_64.DLLIDMCCHANDLER5_64.DLLGOOGLEDESKTOPNETWORK3.DLLLIBINJECT2.DLLAUDIODEVPROPS2.DLLLIBREDIR2.DLLPDZIPMENU32.DLLACTIVEDETECT32.DLLUSER32.DLLWINDOWSAPIHOOKDLL32.DLLKERNEL32.DLLKERNEL32.DLLVIDEOCAPTURERHK32.DLLGDI32.DLLSMCI32.DLLIPSENG32.DLLISEGUARD32.DLLSPVC32.DLLRF-FIREFOX-22.DLLONEPIN-OPENSC-PKCS11.DLLRF-FIREFOX-40.DLLAPI-MS-WIN-CORE-APIQUERY-L1-1-0.DLLDISABLETHIRDPARTYMODULEBLOCKINGSECHANGENOTIFYPRIVILEGEDISABLESAFEMODE%DSBOX_ALTERNATE_DESKTOP_LOCAL_WINSTATION_\\?\%LLX0X%XHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_CLASSES_ROOTHKEY_USERS\SESSIONS\BNOLINKSHKEY_CURRENT_USERPATHHKEY_CURRENT_CONFIGMOZ_DEBUG_BROWSER_PAUSEHKEY_LOCAL_MACHINEHKEY_DYN_DATAHKEY_PERFORMANCE_DATA;;;S-1-16-12288S-1-16-2048S-1-16-4096S-1-16-16384S-1-16-6144S-1-16-8192KERNEL32S-1-16-0/\MOZILLA\FIREFOX\BLOCKLIST-*~*\/?/?\*)RELEASESRWLOCKEXCLUSIVEACQUIRESRWLOCKEXCLUSIVEWAKEALLCONDITIONVARIABLESLEEPCONDITIONVARIABLECSKERNEL32.DLLKERNEL32.DLLAPI-MS-WIN-CORE-SYNCH-L1-2-0.DLL

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\zotero.exe

Code function: 0_2_00007FF78B460480 VirtualAlloc,_Init_thread_header,GetSystemInfo,_Init_thread_header,GetSystemInfo,

Source: C:\Users\user\Desktop\zotero.exe

Code function: 0_2_00007FF78B415450 VerSetConditionMask,NtQueryInformationProcess,OpenProcess,QueryFullProcessImageNameW,GetLastError,GetLastError,CloseHandle,getenv,_putenv,getenv,DebugBreak,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,_wgetenv,wcstoul,GetCurrentProcessId,Sleep,GetCurrentProcess,QueryFullProcessImageNameW,getenv,getenv,GetModuleFileNameW,GetLastError,GetStdHandle,GetStdHandle,GetStdHandle,GetStdHandle,GetLastError,RtlInitUnicodeString,RtlInitUnicodeString,RtlEqualUnicodeString,free,free,free,CloseHandle,CloseHandle,GetStartupInfoW,CreateProcessW,GetLastError,TerminateProcess,ResumeThread,IsDebuggerPresent,GetLastError,TerminateProcess,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,GetExitCodeProcess,exit,_Init_thread_header,_invalid_parameter_noinfo_noreturn,

Source: C:\Users\user\Desktop\zotero.exe

Code function: 0_2_00007FF78B411BF0 __stdio_common_vsnprintf_s,MultiByteToWideChar,LoadLibraryW,GetProcAddress,FreeLibrary,

Source: C:\Users\user\Desktop\zotero.exe

Code function: 0_2_00007FF78B440090 GetProcessHeaps,GetProcessHeaps,??_U@YAPEAX_K@Z,GetProcessHeaps,??_V@YAXPEAX@Z,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B462A28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B46272C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\zotero.exe	Code function: 0_2_00007FF78B46271C SetUnhandledExceptionFilter,

Source: C:\Users\user\Desktop\zotero.exe

Code function: GetCurrentProcess,TerminateProcess,GetCurrentProcess,TerminateProcess,GetCurrentProcess,TerminateProcess,GetCurrentProcess,TerminateProcess,GetUserDefaultLangID,GetUserDefaultLCID,GetUserDefaultLocaleName,GetCurrentProcess,TerminateProcess,EnumSystemLocalesEx,HeapDestroy,GetCurrentProcess,TerminateProcess,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\zotero.exe

Code function: 0_2_00007FF78B443240 CreateNamedPipeW,GetCurrentProcess,DuplicateHandle,

Source: C:\Users\user\Desktop\zotero.exe

Code function: 0_2_00007FF78B463054 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\zotero.exe

Code function: 0_2_00007FF78B4346C0 memset,GetVersionExW,GetProductInfo,??2@YAPEAX_K@Z,_Init_thread_header,GetNativeSystemInfo,

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	Path Interception	2 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Process Injection	LSASS Memory	12 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
zotero.exe	0%	Virustotal		Browse
zotero.exe	0%	ReversingLabs

Name	Source	Malicious	Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	zotero.exe	false	high
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	zotero.exe	false	high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	zotero.exe	false	high
https://crash-reports.mozilla.com/submit?id=	zotero.exe	false	high
https://www.ssl.com/repository0	zotero.exe	false	high
http://ocsps.ssl.com0?	zotero.exe	false	high
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	zotero.exe	false	high
https://hg.mozilla.org/mozilla-unified/rev/e1174a2473ad7e8fdde28d29e2e9e14ae1f15a72	zotero.exe	false	high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	zotero.exe	false	high
http://ocsps.ssl.com0	zotero.exe	false	high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	zotero.exe	false	high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_	zotero.exe	false	high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	zotero.exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1658235
Start date and time:	2025-04-07 13:42:27 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 34s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zotero.exe
Detection:	SUS
Classification:	sus25.evad.winEXE@3/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

Corrupt sample or wrongly selected analyzer. Details: 36b1
Corrupt sample or wrongly selected analyzer. Details: 36b1
Corrupt sample or wrongly selected analyzer. Details: 36b1

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 23.204.23.20
Excluded domains from analysis (whitelisted): fs.microsoft.com
Execution Graph export aborted for target zotero.exe, PID 7756 because there are no executed function

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.665193987302042
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	zotero.exe
File size:	628'864 bytes
MD5:	711dd0f14a39dee504fae44f70657abf
SHA1:	ab5414f6b567928375767b18dbba500ce6d03747
SHA256:	864020d53802749d006af3f5c3ddf983cfd0a0eae08d217e2bbf76515a2c496d
SHA512:	477aa9642df1ec33b7e8f97caf517616f37c51e9cb9aaa770662a5d157244d23bfc5eff70475e7c9024332176c274a9b57ae61c7d038b97413ef0e581e916ae9
SSDEEP:	6144:qQzUWA77y/MIZ6mjFT8HDpFJwHTEb9CjffCo8A1E7eN3iKqdNQB7nIheAgUgMJO:qQzUprDp4TZTfC1Au7B7AIheAgUgME
TLSH:	73D47C03F74225BCE49BE5748613A533B1327C454B2069DF0BE97B2A2E71AD02B7972D
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...!..f.........."..........<......@0.........@..........................................`........................................

File Icon


Icon Hash:	b8969ecc8696a082

Static PE Info

General

Entrypoint:	0x140053040
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CAC921 [Sun Aug 25 06:03:13 2024 UTC]
TLS Callbacks:	0x40022ae0, 0x1, 0x400523a0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	31e2e6b0881e64e27f547492b9855b8e

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	03/01/2024 16:46:19 02/01/2027 16:46:19
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=Virginia, OID.2.5.4.15=Private Organization, CN=Corporation for Digital Scholarship, SERIALNUMBER=07147937, O=Corporation for Digital Scholarship, L=Vienna, S=Virginia, C=US
Version:	3
Thumbprint MD5:	EC4BDEE9916E34CA21C10B82266A0997
Thumbprint SHA-1:	1667BFAB98EFEB0E290B9B9C8EFF503AD1CFD33D
Thumbprint SHA-256:	AB4B4A32DEAE50BC8024DB688DFC694C2319500183CAEA2C194420299B6BC078
Serial:	7EABCE145218073C976D8392786A729B

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FAD4CBA1780h
dec eax
add esp, 28h
jmp 00007FAD4CBA15DFh
int3
int3
dec eax
mov dword ptr [esp+20h], ebx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [0000F010h]
dec eax
mov ebx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax+3Bh], cl
ret
jne 00007FAD4CBA17E6h
dec eax
and dword ptr [ebp+18h], 00000000h
dec eax
lea ecx, dword ptr [ebp+18h]
call dword ptr [00009A1Ah]
dec eax
mov eax, dword ptr [ebp+18h]
dec eax
mov dword ptr [ebp+10h], eax
call dword ptr [0000994Ch]
mov eax, eax
dec eax
xor dword ptr [ebp+10h], eax
call dword ptr [00009928h]
mov eax, eax
dec eax
lea ecx, dword ptr [ebp+20h]
dec eax
xor dword ptr [ebp+10h], eax
call dword ptr [00009AE0h]
mov eax, dword ptr [ebp+20h]
dec eax
lea ecx, dword ptr [ebp+10h]
dec eax
shl eax, 20h
dec eax
xor eax, dword ptr [ebp+20h]
dec eax
xor eax, dword ptr [ebp+10h]
dec eax
xor eax, ecx
dec eax
mov ecx, FFFFFFFFh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5ace0	0xd6f	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5ba4f	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0x32e88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x65000	0x29dc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x97200	0x2680	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa0000	0x40c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x56710	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x565b0	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5c590	0xa00	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x5a4e8	0xe0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x52d78	0x52e00	de7d18a3afecb6fd2bffb4294cb2fd37	False	0.49473274886877827	data	6.273125441062079	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x54000	0xd0b4	0xd200	d17523c27b0fa0b5582d5a1476664cac	False	0.32645089285714285	data	5.2930958956668395	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x62000	0x2a90	0x400	63a9557e81e8bb498185a0175b56c972	False	0.2978515625	DOS executable (block device driver)	2.8953454228118893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x65000	0x29dc	0x2a00	26beba003dc32261cc5dd531235fc34e	False	0.5164620535714286	data	5.621221511507246	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x68000	0x28	0x200	1cc1fa00faf5003e7e20a75fbc738370	False	0.05859375	data	0.42449845906755646	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.freestd	0x69000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.retplne	0x6a000	0x24	0x200	60e7349e46063b144cf642326da037fd	False	0.052734375	data	0.5561266276729913
.tls	0x6b000	0x16	0x200	adb00c88d5919bab3c4b160cbf2abed5	False	0.03515625	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.voltbl	0x6c000	0x1a	0x200	ed7f30de8d6e1325c45072ae50404904	False	0.076171875	data	0.48861744622245973
.rsrc	0x6d000	0x32e88	0x33000	8f1e9b7968e903ed677be2e3c950de31	False	0.4717610677083333	data	6.750638403880936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa0000	0x40c	0x600	f3fe29cc31f8f0a13d2fb96959f457e2	False	0.4609375	data	4.3277564672750355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6d748	0x528	Device independent bitmap graphic, 16 x 32 x 32, image size 1280	English	United States	0.09090909090909091
RT_ICON	0x6dc70	0xb68	Device independent bitmap graphic, 24 x 48 x 32, image size 2880	English	United States	0.2554794520547945
RT_ICON	0x6e7d8	0x1428	Device independent bitmap graphic, 32 x 64 x 32, image size 5120	English	United States	0.22635658914728682
RT_ICON	0x6fc00	0x2d28	Device independent bitmap graphic, 48 x 96 x 32, image size 11520	English	United States	0.15077854671280277
RT_ICON	0x72928	0x528	Device independent bitmap graphic, 16 x 32 x 32, image size 1280	English	United States	0.38712121212121214
RT_ICON	0x72e50	0x1428	Device independent bitmap graphic, 32 x 64 x 32, image size 5120	English	United States	0.2872093023255814
RT_ICON	0x74278	0x2d28	Device independent bitmap graphic, 48 x 96 x 32, image size 11520	English	United States	0.23961937716262977
RT_ICON	0x76fa0	0x6ae8	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9976980415083309
RT_ICON	0x7da88	0x528	Device independent bitmap graphic, 16 x 32 x 32, image size 1280	English	United States	0.09090909090909091
RT_ICON	0x7dfb0	0xb68	Device independent bitmap graphic, 24 x 48 x 32, image size 2880	English	United States	0.2554794520547945
RT_ICON	0x7eb18	0x1428	Device independent bitmap graphic, 32 x 64 x 32, image size 5120	English	United States	0.22635658914728682
RT_ICON	0x7ff40	0x2d28	Device independent bitmap graphic, 48 x 96 x 32, image size 11520	English	United States	0.15077854671280277
RT_ICON	0x82c68	0x528	Device independent bitmap graphic, 16 x 32 x 32, image size 1280	English	United States	0.32651515151515154
RT_ICON	0x83190	0x1428	Device independent bitmap graphic, 32 x 64 x 32, image size 5120	English	United States	0.16608527131782946
RT_ICON	0x845b8	0x528	Device independent bitmap graphic, 16 x 32 x 32, image size 1280	English	United States	0.2916666666666667
RT_ICON	0x84ae0	0x1428	Device independent bitmap graphic, 32 x 64 x 32, image size 5120	English	United States	0.15232558139534882
RT_ICON	0x85f08	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.5780141843971631
RT_ICON	0x86370	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.400093808630394
RT_ICON	0x87418	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.32354771784232367
RT_ICON	0x899c0	0x518c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9970300823912627
RT_ICON	0x8eb4c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	United States	0.20301418439716312
RT_ICON	0x8efb4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	United States	0.12429643527204502
RT_ICON	0x9005c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	United States	0.07562240663900414
RT_ICON	0x92604	0x131c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9566639411283728
RT_ICON	0x93920	0x5b77	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9451206491565236
RT_ICON	0x99498	0x5b77	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9451206491565236
RT_STRING	0x9f010	0x2e	data	English	United States	0.6304347826086957
RT_GROUP_ICON	0x9f040	0x4c	data	English	United States	0.8026315789473685
RT_GROUP_ICON	0x9f08c	0x3e	data	English	United States	0.8548387096774194
RT_GROUP_ICON	0x9f0cc	0x22	data	English	United States	1.0294117647058822
RT_GROUP_ICON	0x9f0f0	0x22	data	English	United States	1.0294117647058822
RT_GROUP_ICON	0x9f114	0x3e	data	English	United States	0.8548387096774194
RT_GROUP_ICON	0x9f154	0x3e	data	English	United States	0.8548387096774194
RT_GROUP_ICON	0x9f194	0x4c	data	English	United States	0.8289473684210527
RT_VERSION	0x9f1e0	0x60c	data			0.3281653746770026
RT_MANIFEST	0x9f7ec	0x69c	XML 1.0 document, ASCII text	English	United States	0.35697399527186763

Imports

DLL	Import
mozglue.dll	??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AEBV?$ProfilerStringView@D@1@AEBVMarkerCategory@1@$$QEAVMarkerOptions@1@UTextMarker@markers@01@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z, ??0PrintfTarget@mozilla@@IEAA@XZ, ??1MutexImpl@detail@mozilla@@QEAA@XZ, ??2@YAPEAX_K@Z, ??3@YAXPEAX@Z, ??3@YAXPEAX_K@Z, ??GTimeStampValue@mozilla@@QEBA_KAEBV01@@Z, ??_U@YAPEAX_K@Z, ??_V@YAXPEAX@Z, ?CleanupProcessRuntime@mozilla@@YAXXZ, ?CreateAndStorePreXULSkeletonUI@mozilla@@YAXPEAUHINSTANCE__@@HPEAPEAD@Z, ?DllBlocklist_Initialize@@YAXI@Z, ?GetProfilingStack@AutoProfilerLabel@baseprofiler@mozilla@@SAPEAVProfilingStack@23@XZ, ?IsActiveAndUnpaused@RacyFeatures@detail@baseprofiler@mozilla@@SA_NXZ, ?IsWin32kLockedDown@mozilla@@YA_NXZ, ?MapRemoteViewOfFile@mozilla@@YAPEAXPEAX0_K01KK@Z, ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z, ?PollPreXULSkeletonUIEvents@mozilla@@YAXXZ, ?RegisterRuntimeExceptionModule@CrashReporter@@YAXXZ, ?SetGeckoProcessType@mozilla@@YAXPEBD@Z, ?SetWin32kLockedDownInPolicy@mozilla@@YAXXZ, ?UnregisterRuntimeExceptionModule@CrashReporter@@YAXXZ, ?WindowsDpiInitialization@mozilla@@YA?AW4WindowsDpiInitializationResult@1@XZ, ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AEAAXXZ, ?lock@MutexImpl@detail@mozilla@@IEAAXXZ, ?profiler_current_thread_id@baseprofiler@mozilla@@YA?AVBaseProfilerThreadId@12@XZ, ?profiler_init@baseprofiler@mozilla@@YAXPEAX@Z, ?profiler_shutdown@baseprofiler@mozilla@@YAXXZ, ?sChildProcessType@startup@mozilla@@3W4GeckoProcessType@@A, ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ, ?vprint@PrintfTarget@mozilla@@QEAA_NPEBDPEAD@Z, _wcsdup, free, malloc, moz_xmalloc, mozalloc_abort, realloc, strdup
ntdll.dll	NtMapViewOfSection, NtOpenFile, NtQueryInformationProcess, NtQueryObject, NtQueryVirtualMemory, NtReadVirtualMemory, NtUnmapViewOfSection, RtlAcquireSRWLockExclusive, RtlAcquireSRWLockShared, RtlAddFunctionTable, RtlAllocateHeap, RtlAnsiStringToUnicodeString, RtlCaptureContext, RtlCaptureStackBackTrace, RtlCompareMemory, RtlCompareUnicodeString, RtlDuplicateUnicodeString, RtlEqualUnicodeString, RtlFreeHeap, RtlFreeUnicodeString, RtlGetLastWin32Error, RtlGetVersion, RtlInitAnsiString, RtlInitUnicodeString, RtlLookupFunctionEntry, RtlNtStatusToDosError, RtlQueryPerformanceCounter, RtlReAllocateHeap, RtlReleaseSRWLockExclusive, RtlReleaseSRWLockShared, RtlRunOnceExecuteOnce, RtlRunOnceInitialize, RtlSetLastWin32Error, RtlVirtualUnwind, VerSetConditionMask, memcmp, memcpy, memmove, memset
MSVCP140.dll	??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0ios_base@std@@IEAA@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1ios_base@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?_Raise_handler@std@@3P6AXAEBVexception@stdext@@@ZEA, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Xlength_error@std@@YAXPEBD@Z, ?_Xout_of_range@std@@YAXPEBD@Z, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?good@ios_base@std@@QEBA_NXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IEAAXPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
KERNEL32.dll	AcquireSRWLockExclusive, AssignProcessToJobObject, AttachConsole, CloseHandle, CreateEventW, CreateFileA, CreateFileMappingA, CreateFileMappingW, CreateFileW, CreateIoCompletionPort, CreateJobObjectW, CreateMutexW, CreateNamedPipeW, CreateProcessW, CreateRemoteThread, CreateThread, DebugBreak, DeleteCriticalSection, DeleteProcThreadAttributeList, DuplicateHandle, EncodePointer, EnterCriticalSection, EnumSystemLocalesEx, ExpandEnvironmentStringsW, FlushInstructionCache, FreeEnvironmentStringsW, FreeLibrary, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentProcessorNumber, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetLastError, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessHandleCount, GetProcessHeaps, GetProcessId, GetProductInfo, GetQueuedCompletionStatus, GetStartupInfoW, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadId, GetTickCount, GetUserDefaultLCID, GetUserDefaultLangID, GetUserDefaultLocaleName, GetVersionExW, HeapDestroy, HeapSetInformation, InitOnceExecuteOnce, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeProcThreadAttributeList, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsWow64Process, LeaveCriticalSection, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LocalFree, MapViewOfFile, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, ProcessIdToSessionId, QueryFullProcessImageNameW, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFile, ReadProcessMemory, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ResetEvent, ResumeThread, SearchPathW, SetDllDirectoryW, SetEnvironmentVariableW, SetEvent, SetFilePointerEx, SetHandleInformation, SetInformationJobObject, SetLastError, SetStdHandle, SetThreadAffinityMask, SetUnhandledExceptionFilter, SignalObjectAndWait, Sleep, TerminateJobObject, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UnmapViewOfFile, UnregisterWait, UnregisterWaitEx, UpdateProcThreadAttribute, VerifyVersionInfoW, VirtualAlloc, VirtualAllocEx, VirtualFree, VirtualFreeEx, VirtualProtect, VirtualProtectEx, VirtualQuery, WaitForSingleObject, WaitForSingleObjectEx, WideCharToMultiByte, WriteProcessMemory, lstrlenW
VCRUNTIME140.dll	_CxxThrowException, __C_specific_handler, __current_exception, __current_exception_context, _purecall, strrchr, wcschr
VCRUNTIME140_1.dll	__CxxFrameHandler4
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __stdio_common_vfprintf, __stdio_common_vsnprintf_s, __stdio_common_vsnwprintf_s, __stdio_common_vsprintf, __stdio_common_vswprintf, _dup, _fileno, _get_osfhandle, _set_fmode, _wfopen, fclose, fgets, freopen
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, _putenv, _putenv_s, _wgetenv, getenv
api-ms-win-crt-runtime-l1-1-0.dll	__p___argc, __p___wargv, _c_exit, _cexit, _configure_wide_argv, _crt_atexit, _errno, _exit, _get_initial_wide_environment, _initialize_onexit_table, _initialize_wide_environment, _initterm, _initterm_e, _invalid_parameter_noinfo_noreturn, _invoke_watson, _register_onexit_function, _register_thread_local_exe_atexit_callback, _seh_filter_exe, _set_app_type, exit, terminate
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, _fdopen, ceilf
api-ms-win-crt-convert-l1-1-0.dll	_ltoa_s, wcstoul
api-ms-win-crt-string-l1-1-0.dll	_stricmp, _wcsnicmp, strcpy, strlen, towlower, wcscmp, wcscpy, wcscpy_s, wcslen, wcsncmp, wcsncpy, wcspbrk, wcstok_s
api-ms-win-crt-utility-l1-1-0.dll	rand_s
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode

Exports

Name	Ordinal	Address
GetHandleVerifier	1	0x140023440
GetNtLoaderAPI	2	0x140009020
IsSandboxedProcess	3	0x140041860
NativeNtBlockSet_Write	4	0x140013700
TargetConfigureOPMProtectedOutput	5	0x140037710
TargetConfigureOPMProtectedOutput64	6	0x140032530
TargetCreateNamedPipeW	7	0x140032f80
TargetCreateNamedPipeW64	8	0x140031fd0
TargetCreateOPMProtectedOutputs	9	0x1400383a0
TargetCreateOPMProtectedOutputs64	10	0x1400323e0
TargetCreateProcessA	11	0x14003b580
TargetCreateProcessA64	12	0x140032140
TargetCreateProcessW	13	0x14003afe0
TargetCreateProcessW64	14	0x1400320e0
TargetCreateThread	15	0x14003b8d0
TargetCreateThread64	16	0x1400321a0
TargetDestroyOPMProtectedOutput	17	0x1400375f0
TargetDestroyOPMProtectedOutput64	18	0x1400324c0
TargetEnumDisplayDevicesA	19	0x14000c220
TargetEnumDisplayDevicesA64	20	0x140032350
TargetEnumDisplayMonitors	21	0x140036b40
TargetEnumDisplayMonitors64	22	0x140032320
TargetGdiDllInitialize	23	0x140016ac0
TargetGdiDllInitialize64	24	0x1400322e0
TargetGetCertificate	25	0x1400370c0
TargetGetCertificate64	26	0x140032420
TargetGetCertificateByHandle	27	0x1400375d0
TargetGetCertificateByHandle64	28	0x140032470
TargetGetCertificateSize	29	0x140037400
TargetGetCertificateSize64	30	0x140032450
TargetGetCertificateSizeByHandle	31	0x1400375e0
TargetGetCertificateSizeByHandle64	32	0x1400324a0
TargetGetMonitorInfoA	33	0x140036e20
TargetGetMonitorInfoA64	34	0x140032380
TargetGetMonitorInfoW	35	0x140037010
TargetGetMonitorInfoW64	36	0x1400323a0
TargetGetOPMInformation	37	0x140037a20
TargetGetOPMInformation64	38	0x1400324d0
TargetGetOPMRandomNumber	39	0x140037c40
TargetGetOPMRandomNumber64	40	0x1400324f0
TargetGetStockObject	41	0x14000c220
TargetGetStockObject64	42	0x140032300
TargetGetSuggestedOPMProtectedOutputArraySize	43	0x140037ec0
TargetGetSuggestedOPMProtectedOutputArraySize64	44	0x1400323c0
TargetNtCreateEvent	45	0x140047580
TargetNtCreateEvent64	46	0x140032280
TargetNtCreateFile	47	0x14002a470
TargetNtCreateFile64	48	0x140031e80
TargetNtCreateKey	49	0x14003cc60
TargetNtCreateKey64	50	0x1400321e0
TargetNtCreateSection	51	0x140046870
TargetNtCreateSection64	52	0x140032560
TargetNtMapViewOfSection	53	0x140048510
TargetNtMapViewOfSection64	54	0x140031d50
TargetNtOpenEvent	55	0x1400477d0
TargetNtOpenEvent64	56	0x1400322c0
TargetNtOpenFile	57	0x14002aa40
TargetNtOpenFile64	58	0x140031f10
TargetNtOpenKey	59	0x14003d6c0
TargetNtOpenKey64	60	0x140032230
TargetNtOpenKeyEx	61	0x14003d730
TargetNtOpenKeyEx64	62	0x140032250
TargetNtOpenProcess	63	0x14003a960
TargetNtOpenProcess64	64	0x140032060
TargetNtOpenProcessToken	65	0x14003aad0
TargetNtOpenProcessToken64	66	0x140032090
TargetNtOpenProcessTokenEx	67	0x14003ad20
TargetNtOpenProcessTokenEx64	68	0x1400320b0
TargetNtOpenThread	69	0x14003a6b0
TargetNtOpenThread64	70	0x140032030
TargetNtOpenThreadToken	71	0x140034d60
TargetNtOpenThreadToken64	72	0x140031e10
TargetNtOpenThreadTokenEx	73	0x140034dd0
TargetNtOpenThreadTokenEx64	74	0x140031e40
TargetNtQueryAttributesFile	75	0x14002af50
TargetNtQueryAttributesFile64	76	0x140031f50
TargetNtQueryFullAttributesFile	77	0x14002b370
TargetNtQueryFullAttributesFile64	78	0x140031f70
TargetNtSetInformationFile	79	0x14002b5b0
TargetNtSetInformationFile64	80	0x140031f90
TargetNtSetInformationThread	81	0x140034ca0
TargetNtSetInformationThread64	82	0x140031de0
TargetNtUnmapViewOfSection	83	0x140048700
TargetNtUnmapViewOfSection64	84	0x140031dc0
TargetRegisterClassW	85	0x140036b30
TargetRegisterClassW64	86	0x140032310
TargetSetOPMSigningKeyAndSequenceNumbers	87	0x140038280
TargetSetOPMSigningKeyAndSequenceNumbers64	88	0x140032510
g_handles_to_close	89	0x140063f78
g_interceptions	90	0x1400640f0
g_nt	91	0x1400641a0
g_originals	92	0x140063fa0
g_shared_IPC_size	93	0x140064268
g_shared_delayed_integrity_level	94	0x140062060
g_shared_delayed_mitigations	95	0x1400642d8
g_shared_policy_size	96	0x140064270
g_shared_section	97	0x140064198

Version Infos

Description	Data
Comments
LegalCopyright	Corporation for Digital Scholarship; available under the AGPLv3 license.
CompanyName	Corporation for Digital Scholarship
FileDescription	Zotero
FileVersion	7.0.15
ProductVersion	7.0.15
InternalName	Zotero
LegalTrademarks	Zotero is a trademark of the Corporation for Digital Scholarship.
OriginalFilename	zotero.exe
ProductName	Zotero
BuildID	{{BUILD_ID}}
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	07:43:24
Start date:	07/04/2025
Path:	C:\Users\user\Desktop\zotero.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\zotero.exe" -install
Imagebase:	0x7ff78b410000
File size:	628'864 bytes
MD5 hash:	711DD0F14A39DEE504FAE44F70657ABF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Analysis Process: zotero.exePID: 7800, Parent PID: 3964

General

Target ID:	1
Start time:	07:43:27
Start date:	07/04/2025
Path:	C:\Users\user\Desktop\zotero.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\zotero.exe" /install
Imagebase:	0x7ff78b410000
File size:	628'864 bytes
MD5 hash:	711DD0F14A39DEE504FAE44F70657ABF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Analysis Process: zotero.exePID: 7924, Parent PID: 3964

General

Target ID:	3
Start time:	07:43:29
Start date:	07/04/2025
Path:	C:\Users\user\Desktop\zotero.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\zotero.exe" /load
Imagebase:	0x7ff78b410000
File size:	628'864 bytes
MD5 hash:	711DD0F14A39DEE504FAE44F70657ABF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zotero.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: zotero.exePID: 7756, Parent PID: 3964

General

Analysis Process: zotero.exePID: 7800, Parent PID: 3964

General

Analysis Process: zotero.exePID: 7924, Parent PID: 3964

General

Disassembly

Windows Analysis Report
zotero.exe