Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 20, 2024, 7:51 a.m.	Feb. 20, 2024, 8:02 a.m.

Size	897.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d09970b966577e4e5bdf10badfda4672`
SHA256	`8b80176a54381c29e97fa7ebc8687469581e51bcefdec242761fa5aa68bd0065`
CRC32	`B362DC2D`
ssdeep	`24576:bqDEvCTbMWu7rQYlBQcBiT6rprG8acdg:bTvC/MTQYxsWR7ac`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

fu.exe "C:\Users\test22\AppData\Local\Temp\fu.exe"
2544
- iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2604
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2604 CREDAT:145409
    2684
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com
  192
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
    2716
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=152 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
    2232
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
  2252
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
    2888
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2208 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
    2000
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
  2436
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
    3036
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2432 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
    1316
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
  2524
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
    908
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\fceb6fbf-cb0d-45c2-9305-6ad407c133d6.dmp"
      3092
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\fceb6fbf-cb0d-45c2-9305-6ad407c133d6.dmp"
        3412
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
  2872
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
    1812
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\f3a1fcdb-37cc-46b8-bfb0-e6c428d33a34.dmp"
      3756
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\f3a1fcdb-37cc-46b8-bfb0-e6c428d33a34.dmp"
        1708
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
  2052
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
    2104
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\401bc5cb-1ebb-4bb4-a1b3-fcab4075fc9f.dmp"
      3260
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\401bc5cb-1ebb-4bb4-a1b3-fcab4075fc9f.dmp"
        3444

Name	Response	Post-Analysis Lookup
ssl.gstatic.com	A 142.250.66.35	142.250.76.131
accounts.google.com	A 108.177.97.84	64.233.188.84
www.google.com	A 172.217.24.100	142.250.207.100

IP Address	Status	Action
108.177.97.84	Active	Moloch
117.18.232.200	Active	Moloch
142.250.66.35	Active	Moloch
164.124.101.2	Active	Moloch
172.217.24.100	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49174 -> 172.217.24.100:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 142.250.66.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 172.217.24.100:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 108.177.97.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 108.177.97.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 108.177.97.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 142.250.66.35:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 108.177.97.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49174 172.217.24.100:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	2a:14:a8:9a:ea:5b:44:20:c3:ae:90:ff:4d:2f:4c:22:15:54:f9:7c
TLSv1 192.168.56.101:49170 142.250.66.35:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	f1:41:dd:4f:a6:9f:7b:ae:ae:af:78:bd:08:f8:c8:40:3c:c4:8c:93
TLSv1 192.168.56.101:49175 172.217.24.100:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	2a:14:a8:9a:ea:5b:44:20:c3:ae:90:ff:4d:2f:4c:22:15:54:f9:7c
TLSv1 192.168.56.101:49172 108.177.97.84:443	None	None	None
TLSv1 192.168.56.101:49166 108.177.97.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	22:f1:10:1f:49:c5:97:f4:85:76:5a:20:dd:85:7c:ff:e2:c9:2a:1f
TLSv1 192.168.56.101:49165 108.177.97.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	22:f1:10:1f:49:c5:97:f4:85:76:5a:20:dd:85:7c:ff:e2:c9:2a:1f
TLSv1 192.168.56.101:49169 142.250.66.35:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	f1:41:dd:4f:a6:9f:7b:ae:ae:af:78:bd:08:f8:c8:40:3c:c4:8c:93
TLSv1 192.168.56.101:49173 108.177.97.84:443	None	None	None

Checks if process is being debugged by a debugger (50 out of 104 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 20, 2024, 7:51 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0
IsDebuggerPresent Feb. 20, 2024, 7:52 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 20, 2024, 7:51 a.m.		1	1	0

One or more processes crashed (8 events)

Time & API	Arguments	Status
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 110161400 registers.edi: 91759844 registers.eax: 110161400 registers.ebp: 110161480 registers.edx: 126 registers.ebx: 110161764 registers.esi: 2147746133 registers.ecx: 7759208	1
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x71bc540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x71bc52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x71ca0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 69655360 registers.edi: 1953561104 registers.eax: 69655360 registers.ebp: 69655440 registers.edx: 1 registers.ebx: 7514916 registers.esi: 2147746133 registers.ecx: 523437607	1
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: 0x11000 0x3a2e0a 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: add byte ptr [rax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x11000 registers.r14: 189525152 registers.r15: 189525592 registers.rcx: 1292 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 82275648 registers.rsp: 189524328 registers.r11: 189528848 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1364 registers.r12: 32158928 registers.rbp: 189524464 registers.rdi: 32158672 registers.rax: 3812864 registers.r13: 189525024	1
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: 0x534d18 0x4a2e0a 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 18 4d 53 00 00 00 00 00 18 4d 53 00 00 00 00 00 exception.instruction: sbb byte ptr [rbp + 0x53], cl exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x534d18 registers.r14: 187756336 registers.r15: 187756776 registers.rcx: 1388 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 80093072 registers.rsp: 187755512 registers.r11: 187760032 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 464 registers.r12: 34780448 registers.rbp: 187755648 registers.rdi: 34517696 registers.rax: 4861440 registers.r13: 187756208	1
__exception__ Feb. 20, 2024, 7:53 a.m.	stacktrace: 0x1d52e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1d52e04 registers.r14: 188411328 registers.r15: 188411768 registers.rcx: 1132 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 78504880 registers.rsp: 188410504 registers.r11: 188415024 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1388 registers.r12: 32552208 registers.rbp: 188410640 registers.rdi: 32289456 registers.rax: 30748160 registers.r13: 188411200	1
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9763968 registers.r15: 9763472 registers.rcx: 48 registers.rsi: 14749952 registers.r10: 0 registers.rbx: 0 registers.rsp: 9762520 registers.r11: 9764720 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9763303 registers.rbp: 9762640 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10154440 registers.r15: 8791504164464 registers.rcx: 48 registers.rsi: 8791504096128 registers.r10: 0 registers.rbx: 0 registers.rsp: 10154072 registers.r11: 10157456 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14905984 registers.rbp: 10154192 registers.rdi: 279027744 registers.rax: 13442816 registers.r13: 10155032	1
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9762896 registers.r15: 9762400 registers.rcx: 48 registers.rsi: 14706240 registers.r10: 0 registers.rbx: 0 registers.rsp: 9761448 registers.r11: 9763648 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9762231 registers.rbp: 9761568 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (10 events)

request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ATuJsjzivvee_FJ1wb2D4rcMlNXvsEib2-sk11jQ1P69jU4HflVnDIHCLXYJUku888CIwvh8rV3mBw
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjyy1uNiRCJCkMc9dQUhFBgIHZZJOwTUYo41MXCdlv-VvBTjt8ySKnpapdyobHYdiu1lw3qK&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-435650299%3A1708383643040252
request	GET https://accounts.google.com/_/bscframe
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/favicon.ico
request	GET https://accounts.google.com/generate_204?eK1wKA
request	GET https://www.google.com/favicon.ico

Allocates read-write-execute memory (usually to unpack itself) (50 out of 518 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x030c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 region_size: 5115904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73783000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73827000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757c9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75862000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72571000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 region_size: 8065024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73783000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73827000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757c9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75862000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75867000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75866000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f6d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75858000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7585d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f52000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f42000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75764000 process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (15 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 2604 crashed
Application Crash	Process chrome.exe with pid 192 crashed
Application Crash	Process chrome.exe with pid 2252 crashed
Application Crash	Process chrome.exe with pid 2436 crashed
Application Crash	Process firefox.exe with pid 908 crashed
Application Crash	Process firefox.exe with pid 1812 crashed
Application Crash	Process firefox.exe with pid 2104 crashed
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 110161400 registers.edi: 91759844 registers.eax: 110161400 registers.ebp: 110161480 registers.edx: 126 registers.ebx: 110161764 registers.esi: 2147746133 registers.ecx: 7759208	1	0	0
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x71bc540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x71bc52ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x71ca0ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 69655360 registers.edi: 1953561104 registers.eax: 69655360 registers.ebp: 69655440 registers.edx: 1 registers.ebx: 7514916 registers.esi: 2147746133 registers.ecx: 523437607	1	0	0
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: 0x11000 0x3a2e0a 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 exception.instruction: add byte ptr [rax], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x11000 registers.r14: 189525152 registers.r15: 189525592 registers.rcx: 1292 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 82275648 registers.rsp: 189524328 registers.r11: 189528848 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1364 registers.r12: 32158928 registers.rbp: 189524464 registers.rdi: 32158672 registers.rax: 3812864 registers.r13: 189525024	1	0	0
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: 0x534d18 0x4a2e0a 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 18 4d 53 00 00 00 00 00 18 4d 53 00 00 00 00 00 exception.instruction: sbb byte ptr [rbp + 0x53], cl exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x534d18 registers.r14: 187756336 registers.r15: 187756776 registers.rcx: 1388 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 80093072 registers.rsp: 187755512 registers.r11: 187760032 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 464 registers.r12: 34780448 registers.rbp: 187755648 registers.rdi: 34517696 registers.rax: 4861440 registers.r13: 187756208	1	0	0
__exception__ Feb. 20, 2024, 7:53 a.m.	stacktrace: 0x1d52e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1d52e04 registers.r14: 188411328 registers.r15: 188411768 registers.rcx: 1132 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 78504880 registers.rsp: 188410504 registers.r11: 188415024 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1388 registers.r12: 32552208 registers.rbp: 188410640 registers.rdi: 32289456 registers.rax: 30748160 registers.r13: 188411200	1	0	0
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9763968 registers.r15: 9763472 registers.rcx: 48 registers.rsi: 14749952 registers.r10: 0 registers.rbx: 0 registers.rsp: 9762520 registers.r11: 9764720 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9763303 registers.rbp: 9762640 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: 0xcd1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 10154440 registers.r15: 8791504164464 registers.rcx: 48 registers.rsi: 8791504096128 registers.r10: 0 registers.rbx: 0 registers.rsp: 10154072 registers.r11: 10157456 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14905984 registers.rbp: 10154192 registers.rdi: 279027744 registers.rax: 13442816 registers.r13: 10155032	1	0	0
__exception__ Feb. 20, 2024, 7:52 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9762896 registers.r15: 9762400 registers.rcx: 48 registers.rsi: 14706240 registers.r10: 0 registers.rbx: 0 registers.rsp: 9761448 registers.r11: 9763648 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 9762231 registers.rbp: 9761568 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0

Steals private information from local Internet browsers (38 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\old_GPUCache_000
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Module Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-65D42205-984.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Side-Effect Free Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Inclusion Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-65D421FD-8CC.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Extension Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-63327DF3-A54.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Resource Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-65D4220A-C0.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\AnyIpMalware.store

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 20, 2024, 7:51 a.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05310000 process_handle: 0xffffffff	1	0	0

Potentially malicious URLs were found in the process memory dump (50 out of 1136 events)

url	https://crashpad.chromium.org/bug/new
url	https://crashpad.chromium.org/
url	https://clients4.google.com/invalidation/android/request/
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://services.ukrposhta.com/postindex_new/
url	http://dts.search-results.com/sr?lng=
url	http://inposdom.gob.do/codigo-postal/
url	http://creativecommons.org/ns
url	http://www.postur.fo/
url	https://qc.search.yahoo.com/search?ei=
url	https://cacert.omniroot.com/baltimoreroot.crt09
url	http://crbug.com/122474.
url	https://search.yahoo.com/search?ei=
url	http://t1.symcb.com/ThawtePCA.crl0/
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	http://crbug.com/320723
url	https://datasaver.googleapis.com/v1/clientConfigs
url	http://crl.starfieldtech.com/sfroot-g2.crl0L
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://de.search.yahoo.com/favicon.ico
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	http://msdn.microsoft.com/en-us/library/ms792901.aspx
url	https://www.najdi.si/search.jsp?q=
url	http://x.ss2.us/x.cer0
url	http://crl.geotrust.com/crls/gtglobal.crl04
url	https://accounts.google.com/ServiceLogin
url	https://accounts.google.com/OAuthLogin
url	https://c.android.clients.google.com/
url	https://www.google.com/tools/feedback/chrome/__submit
url	https://chrome.google.com/webstore/category/collection/dark_themes
url	http://check.googlezip.net/generate_204
url	http://ocsp.starfieldtech.com/08
url	http://www.guernseypost.com/postcode_finder/
url	http://crl.certum.pl/ca.crl0h
url	http://ator
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://www.language
url	https://support.google.com/chrome/
url	http://developer.chrome.com/apps/declare_permissions.html
url	http://www.google.com/chrome/intl/ko/eula_text.html
url	https://www.globalsign.com/repository/03
url	http://www.startssl.com/sfsca.crl0
url	http://UA-Compatible
url	https://se.search.yahoo.com/search?ei=

Yara rule detected in process memory (50 out of 2081 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	browser info stealer	rule	infoStealer_browser_Zero
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Perform crypto currency mining	rule	BitCoin
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Virtual currency	rule	Virtual_currency_Zero

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2604 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Allocates execute permission to another process indicative of possible code injection (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 1812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 1812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1

Potential code injection by writing to the memory of another process (27 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb422b0 process_identifier: 908 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb50d88 process_identifier: 908 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I»`#±?Aÿã base_address: 0x0000000076d81590 process_identifier: 908 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: êM base_address: 0x000000013fb50d78 process_identifier: 908 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I» ±?Aÿã base_address: 0x0000000076d57a90 process_identifier: 908 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: êM base_address: 0x000000013fb50d70 process_identifier: 908 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: ÏT base_address: 0x000000013faf0108 process_identifier: 908 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fb4aae8 process_identifier: 908 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb50c78 process_identifier: 908 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb422b0 process_identifier: 1812 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb50d88 process_identifier: 1812 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I»`#±?Aÿã base_address: 0x0000000076d81590 process_identifier: 1812 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb50d78 process_identifier: 1812 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I» ±?Aÿã base_address: 0x0000000076d57a90 process_identifier: 1812 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb50d70 process_identifier: 1812 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: ÏT base_address: 0x000000013faf0108 process_identifier: 1812 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fb4aae8 process_identifier: 1812 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb50c78 process_identifier: 1812 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb422b0 process_identifier: 2104 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb50d88 process_identifier: 2104 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I»`#±?Aÿã base_address: 0x0000000076d81590 process_identifier: 2104 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: ¢P base_address: 0x000000013fb50d78 process_identifier: 2104 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I» ±?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2104 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: ¢P base_address: 0x000000013fb50d70 process_identifier: 2104 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: ÏT base_address: 0x000000013faf0108 process_identifier: 2104 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fb4aae8 process_identifier: 2104 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb50c78 process_identifier: 2104 process_handle: 0x000000000000004c	1	1

One or more non-whitelisted processes were created (15 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\fceb6fbf-cb0d-45c2-9305-6ad407c133d6.dmp"
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2432 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1224,15508876811763539633,14908828261247677933,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=2D31AC0B9AE441C59492267138F3FB5E --mojo-platform-channel-handle=1236 --ignored=" --type=renderer " /prefetch:2
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1156,5346270290976932088,4895801594140803039,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=29904A0E3CF92D771F024B5D385384A5 --mojo-platform-channel-handle=1184 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=152 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2208 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1236,660408766898355561,10390240557112349917,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=6967A24194F2E9F606AA22008B430BFA --mojo-platform-channel-handle=1252 --ignored=" --type=renderer " /prefetch:2
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\401bc5cb-1ebb-4bb4-a1b3-fcab4075fc9f.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\f3a1fcdb-37cc-46b8-bfb0-e6c428d33a34.dmp"

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (50 out of 75 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 resumed a thread in remote process 192
Process injection	Process 2544 resumed a thread in remote process 2252
Process injection	Process 2544 resumed a thread in remote process 2436
Process injection	Process 2544 resumed a thread in remote process 2524
Process injection	Process 2544 resumed a thread in remote process 2872
Process injection	Process 2544 resumed a thread in remote process 2052
Process injection	Process 2604 resumed a thread in remote process 2684
Process injection	Process 2524 resumed a thread in remote process 908
Process injection	Process 2716 resumed a thread in remote process 192
Process injection	Process 2888 resumed a thread in remote process 2252
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2252	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 2436	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2524	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2872	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2052	1	0	0
NtResumeThread Feb. 20, 2024, 7:51 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2684	1	0	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 908	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 192	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2252	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2252	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2252	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2252	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2252	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2252	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2252	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2252	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2252	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2252	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2252	1	0	0
NtResumeThread Feb. 20, 2024, 7:53 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2252	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 232 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Feb. 20, 2024, 7:51 a.m.	thread_identifier: 2608 thread_handle: 0x000001cc process_identifier: 2604 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001c8	1	1
NtResumeThread Feb. 20, 2024, 7:51 a.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 2544	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 152 thread_handle: 0x000002c4 process_identifier: 192 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 192	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2208 thread_handle: 0x000002c4 process_identifier: 2252 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000278	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2252	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2432 thread_handle: 0x00000288 process_identifier: 2436 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001cc	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 2436	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2564 thread_handle: 0x000002ac process_identifier: 2524 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c4	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2524	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2876 thread_handle: 0x000002a8 process_identifier: 2872 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000028c	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2872	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 3068 thread_handle: 0x00000290 process_identifier: 2052 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002ac	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2052	1	0
CreateProcessInternalW Feb. 20, 2024, 7:51 a.m.	thread_identifier: 2688 thread_handle: 0x00000334 process_identifier: 2684 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2604 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000338	1	1
NtResumeThread Feb. 20, 2024, 7:51 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2684	1	0
NtResumeThread Feb. 20, 2024, 7:51 a.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 2604	1	0
NtResumeThread Feb. 20, 2024, 7:51 a.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2604	1	0
NtGetContextThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000002f4	1	0
NtResumeThread Feb. 20, 2024, 7:51 a.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2684	1	0
NtResumeThread Feb. 20, 2024, 7:51 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2684	1	0
NtResumeThread Feb. 20, 2024, 7:51 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2684	1	0
NtResumeThread Feb. 20, 2024, 7:51 a.m.	thread_handle: 0x000006a8 suspend_count: 1 process_identifier: 2684	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2712 thread_handle: 0x0000000000000098 process_identifier: 2716 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2240 thread_handle: 0x0000000000000144 process_identifier: 2232 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=152 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000148	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000218 suspend_count: 1 process_identifier: 192	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 3680 thread_handle: 0x0000000000000530 process_identifier: 3676 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1156,5346270290976932088,4895801594140803039,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=29904A0E3CF92D771F024B5D385384A5 --mojo-platform-channel-handle=1184 --ignored=" --type=renderer " /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000554	1	1
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2884 thread_handle: 0x0000000000000098 process_identifier: 2888 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2080 thread_handle: 0x0000000000000144 process_identifier: 2000 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2208 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000148	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000210 suspend_count: 1 process_identifier: 2252	1	0
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 3532 thread_handle: 0x00000000000005ac process_identifier: 3528 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1236,660408766898355561,10390240557112349917,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=6967A24194F2E9F606AA22008B430BFA --mojo-platform-channel-handle=1252 --ignored=" --type=renderer " /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000001d0	1	1
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2864 thread_handle: 0x0000000000000098 process_identifier: 3036 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef4eef1e8,0x7fef4eef1f8,0x7fef4eef208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 1376 thread_handle: 0x0000000000000144 process_identifier: 1316 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2432 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000148	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x000000000000020c suspend_count: 1 process_identifier: 2436	1	0
CreateProcessInternalW Feb. 20, 2024, 7:53 a.m.	thread_identifier: 3984 thread_handle: 0x0000000000000534 process_identifier: 4048 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1224,15508876811763539633,14908828261247677933,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=2D31AC0B9AE441C59492267138F3FB5E --mojo-platform-channel-handle=1236 --ignored=" --type=renderer " /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000056c	1	1
CreateProcessInternalW Feb. 20, 2024, 7:52 a.m.	thread_identifier: 2056 thread_handle: 0x0000000000000044 process_identifier: 908 current_directory: filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 1028 (CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT) inherit_handles: 0 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb422b0 process_identifier: 908 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb50d88 process_identifier: 908 process_handle: 0x000000000000004c	1	1
NtMapViewOfSection Feb. 20, 2024, 7:52 a.m.	section_handle: 0x0000000000000060 process_identifier: 908 commit_size: 0 win32_protect: 32 (PAGE_EXECUTE_READ) buffer: base_address: 0x000000004dea0000 allocation_type: 0 () section_offset: 0 view_size: 65536 process_handle: 0x0000000000000050	1	0
NtAllocateVirtualMemory Feb. 20, 2024, 7:52 a.m.	process_identifier: 908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000000004dea0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000050	1	0
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I»`#±?Aÿã base_address: 0x0000000076d81590 process_identifier: 908 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: êM base_address: 0x000000013fb50d78 process_identifier: 908 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: I» ±?Aÿã base_address: 0x0000000076d57a90 process_identifier: 908 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: êM base_address: 0x000000013fb50d70 process_identifier: 908 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: ÏT base_address: 0x000000013faf0108 process_identifier: 908 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fb4aae8 process_identifier: 908 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 20, 2024, 7:52 a.m.	buffer: base_address: 0x000000013fb50c78 process_identifier: 908 process_handle: 0x000000000000004c	1	1
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 908	1	0
NtResumeThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x00000000000000dc suspend_count: 1 process_identifier: 2716	1	0
NtGetContextThread Feb. 20, 2024, 7:52 a.m.	thread_handle: 0x0000000000000154	1	0

fu.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All