Summary | ZeroBOX

random.exe

RedLine stealer Generic Malware UPX Malicious Library Malicious Packer Downloader HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Http API Anti_VM FTP Socket Escalate priviledges DNS Code injection PWS Sniff Audio Steal credential
Category: FILE
Machine: s1_win7_x6403_us
Started: July 26, 2024, 10:25 a.m.
Completed: July 26, 2024, 10:32 a.m.
Size 89.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c225910168e4d400b52e9ee5106c8e7a
SHA256 c409e11a26c3a77f03e7074b91c9e3d492554029446116db90db71f2b8255583
CRC32 7BEE3063
ssdeep 1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf0xLBOq:Hq6+ouCpk2mpcWJ0r+QNTBf0Rb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

IP Address Status Action
185.215.113.16 Active Moloch
164.124.101.2 Active Moloch
34.49.45.138 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

(42 identical calls; each is logged with the same two values, a return value of 0, i.e. no debugger reported)
0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
file C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\Locales
file C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .code
packer PureBasic 4.x -> Neil Hodgson
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0xa90004
0x30 (this frame value is repeated 63 times; 0x30 lies in the never-mapped first 64 KiB of the address space, so the walker recovered no real return addresses beyond the faulting instruction)

exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76
exception.instruction: call qword ptr [rip + 0x91f16]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa90004
Reading of the faulting bytes (added annotation, not report output): the six bytes after the faulting call are ff 25 00 00 00 00 (jmp qword ptr [rip+0]), followed by an absolute address whose low bytes are aa a4 fc 76 (0x76fca4aa, 0xbb56 bytes before the page 0x0000000076fd6000 that the NtProtectVirtualMemory rows further down set PAGE_EXECUTE_READWRITE). That is the layout of a hook trampoline: one displaced original instruction, then an absolute jump back into the hooked module. The displaced instruction is RIP-relative, so unless its displacement was rewritten for the new location it dereferences the wrong address, which is consistent with the ACCESS_VIOLATION (0xc0000005) raised here. The register set (r8 to r15) shows the fault is in a 64-bit process, whereas random.exe itself is PE32.
registers.r14: 242348536
registers.r15: 86653920
registers.rcx: 1256
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 242347792
registers.rsp: 242347512
registers.r11: 242351408
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 1308
registers.r12: 242348152
registers.rbp: 242347648
registers.rdi: 53206752
registers.rax: 11075584
registers.r13: 86496944
1 0 0

__exception__

stacktrace:
0xcd1f04
0x7fe00000030 (this frame value is repeated 63 times; a single repeated value means the walker recovered no real return addresses beyond the faulting instruction)

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
Same layout as the exception above (added annotation): a relocated RIP-relative instruction (83 3d 8d d1 02 00 00) immediately followed by ff 25 00 00 00 00 and an absolute return address beginning 53 12 69. The two entries that follow fault on the identical instruction at the same address with different stack and register contents, i.e. the same trampoline fired more than once.
registers.r14: 9695224
registers.r15: 8791398979184
registers.rcx: 48
registers.rsi: 8791398910848
registers.r10: 0
registers.rbx: 0
registers.rsp: 9694856
registers.r11: 9698240
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 14914176
registers.rbp: 9694976
registers.rdi: 252821024
registers.rax: 13442816
registers.r13: 9695816
1 0 0

__exception__

stacktrace:
0xcd1f04
0x7fe00000030 (this frame value is repeated 63 times; no real return addresses were recovered beyond the faulting instruction)

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 9827064
registers.r15: 8791557445232
registers.rcx: 48
registers.rsi: 8791557376896
registers.r10: 0
registers.rbx: 0
registers.rsp: 9826696
registers.r11: 9830080
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 14918016
registers.rbp: 9826816
registers.rdi: 254910496
registers.rax: 13442816
registers.r13: 9827656
1 0 0

__exception__

stacktrace:
0xcd1f04
0x30 (this frame value is repeated 63 times; 0x30 lies in the never-mapped first 64 KiB of the address space, so no real return addresses were recovered beyond the faulting instruction)

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 8780816
registers.r15: 8780320
registers.rcx: 48
registers.rsi: 14706240
registers.r10: 0
registers.rbx: 0
registers.rsp: 8779368
registers.r11: 8781568
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 8780151
registers.rbp: 8779488
registers.rdi: 100
registers.rax: 13442816
registers.r13: 2
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory (18 calls). Every call uses process_handle 0xffffffffffffffff, the (HANDLE)-1 pseudo-handle for the calling process, so each row is the named process changing the protection of its own memory. Common arguments: length 4096, protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0; status 1, return 0, repeated 0. Pids 2388, 880 and 2696 are the three firefox.exe processes listed under Application Crash below.

process_identifier  base_address          heap_dep_bypass
2388                0x0000000000b80000    1
2388                0x000000007700b000    0
2388                0x0000000000b80000    1
2388                0x0000000076fd6000    0
2388                0x0000000003430000    1
2388                0x00000000749ad000    0
880                 0x0000000000c80000    1
880                 0x000000007700b000    0
880                 0x0000000000c80000    1
880                 0x0000000076fd6000    0
880                 0x00000000028a0000    1
880                 0x00000000749ad000    0
2696                0x0000000000c90000    1
2696                0x000000007700b000    0
2696                0x0000000000c90000    1
2696                0x0000000076fd6000    0
2696                0x00000000028a0000    1
2696                0x00000000749ad000    0
Application Crash Process chrome.exe with pid 2152 crashed
Application Crash Process firefox.exe with pid 2388 crashed
Application Crash Process firefox.exe with pid 880 crashed
Application Crash Process firefox.exe with pid 2696 crashed
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66A30DEC-868.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file C:\Users\test22\AppData\Local\Google\Chrome\User Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\c7eaf519-0104-4ed4-8038-af7aa0745690.dmp
file C:\Users\test22\AppData\Local\Temp\C06C.tmp\C06D.tmp\C06E.bat
cmdline "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\C06C.tmp\C06D.tmp\C06E.bat C:\Users\test22\AppData\Local\Temp\random.exe"
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\sysnative\cmd
parameters: /c "C:\Users\test22\AppData\Local\Temp\C06C.tmp\C06D.tmp\C06E.bat C:\Users\test22\AppData\Local\Temp\random.exe"
filepath: C:\Windows\sysnative\cmd
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x000000a7c0410000
process_handle: 0xffffffffffffffff
1 0 0
section .rdata: virtual_address 0x00013000, virtual_size 0x0000339d, size_of_data 0x00003400, entropy 7.110640338733982 (a section with a high entropy has been found)
section .rsrc: virtual_address 0x00019000, virtual_size 0x00000f9c, size_of_data 0x00001000, entropy 7.51415339589285 (a section with a high entropy has been found)
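What the two section lines above measure, as an added example (editorial Python, not code from ZeroBOX or its signature set): the section table of a PE file is walked in its on-disk layout, the Shannon entropy of each section's raw bytes is computed, and sections above a cut-off are returned. The 7.0 cut-off is an assumption (the report's own threshold is not on the page), and `build_sample_pe()` constructs a minimal two-section 64-bit image whose .rdata is filled with seeded pseudo-random bytes to stand in for packed data.

```python
import math
import random
import struct
from collections import Counter

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n, h = len(data), 0.0
    for count in Counter(data).values():
        p = count / n
        h -= p * math.log2(p)
    return h

def pe_sections(image):
    """Walk the section table of a PE file in its on-disk layout and yield
    (name, virtual_address, virtual_size, size_of_data, raw_bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER follows the signature
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                           # section headers follow the optional header
    for i in range(n_sections):
        name, vsize, va, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(image, table + i * SECTION_HEADER.size)
        yield name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_size, image[raw_ptr:raw_ptr + raw_size]

def high_entropy_sections(image, threshold=7.0):
    """Sections whose raw data scores above `threshold` (7.0 is an assumed cut-off;
    the report flags .rdata at 7.11 and .rsrc at 7.51). Returns (name, va, entropy)."""
    flagged = []
    for name, va, _vsize, _size, raw in pe_sections(image):
        h = shannon_entropy(raw)
        if h > threshold:
            flagged.append((name, va, round(h, 4)))
    return flagged

def build_sample_pe():
    """Constructed minimal 64-bit PE: DOS header, PE signature, COFF header with
    no optional header, and two sections at 512-byte file alignment. .text holds
    a repetitive instruction pattern; .rdata holds seeded pseudo-random bytes
    (0x3400 of them, the size the report gives for the sample's .rdata)."""
    rng = random.Random(2024)
    text = b"\x48\x83\xec\x28\x48\x8b\xc8\xe8" * 512                  # 0x1000 bytes, low entropy
    rdata = bytes(rng.getrandbits(8) for _ in range(0x3400))
    e_lfanew, text_ptr = 0x40, 0x200
    rdata_ptr = text_ptr + len(text)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)        # AMD64, 2 sections, no optional header
    sections = (SECTION_HEADER.pack(b".text", len(text), 0x1000, len(text), text_ptr, 0, 0, 0, 0, 0x60000020) +
                SECTION_HEADER.pack(b".rdata", len(rdata), 0x13000, len(rdata), rdata_ptr, 0, 0, 0, 0, 0x40000040))
    headers = dos + b"PE\0\0" + coff + sections
    return headers + b"\0" * (text_ptr - len(headers)) + text + rdata
```

High entropy alone does not distinguish a packed section from legitimately compressed resources or embedded certificates, which is why the report pairs it with the packer and Yara hits.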
url https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url https://crash-reports.mozilla.com/submit?id=
url https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c
url http://crl.comodo.net/TrustedCertificateServices.crl0
url http://users.ocsp.d-trust.net03
url http://crl.ssc.lt/root-b/cacrl.crl0
url http://crl.securetrust.com/STCA.crl0
url http://crl.securetrust.com/SGCA.crl0
url http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url http://www.ssc.lt/cps03
url http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url http://www.pkioverheid.nl/policies/root-policy0
url http://cps.chambersign.org/cps/chambersroot.html0
url http://www.e-szigno.hu/SZSZ/0
url http://www.entrust.net/CRL/Client1.crl0
url http://crl.chambersign.org/publicnotaryroot.crl0
url http://crl.comodo.net/AAACertificateServices.crl0
url http://www.certplus.com/CRL/class3.crl0
url http://logo.verisign.com/vslogo.gif0
url http://www.acabogacia.org/doc0
url http://www.disig.sk/ca/crl/ca_disig.crl0
url https://www.catcert.net/verarrel
url http://www.sk.ee/cps/0
url http://www.quovadis.bm0
url https://www.catcert.net/verarrel05
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url http://crl.chambersign.org/chambersroot.crl0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url http://crl.globalsign.net/root-r2.crl0
url http://certificates.starfieldtech.com/repository/1604
url http://www.d-trust.net0
url http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url http://crl.ssc.lt/root-a/cacrl.crl0
url http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url http://www.certicamara.com/certicamaraca.crl0
url http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url http://www.post.trust.ie/reposit/cps.html0
url http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url http://www2.public-trust.com/crl/ct/ctroot.crl0
url http://www.certicamara.com0
url http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url http://www.comsign.co.il/cps0
url http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate privileges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
description Code injection with CreateRemoteThread in a remote process rule Code_injection
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0xc0000005
process_identifier: 2152
process_handle: 0x00000000000000bc
0 0

NtTerminateProcess

status_code: 0xc0000005
process_identifier: 2152
process_handle: 0x00000000000000bc
1 0 0
cmdline C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\C06C.tmp\C06D.tmp\C06E.bat C:\Users\test22\AppData\Local\Temp\random.exe"
cmdline "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\C06C.tmp\C06D.tmp\C06E.bat C:\Users\test22\AppData\Local\Temp\random.exe"
host 185.215.113.16
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory (6 calls). Unlike the earlier rows, these go through an explicit process handle (0x58 or 0x4c) rather than the current-process pseudo-handle, i.e. the caller is changing page protections inside another process. Common arguments: length 4096, protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0; status 1, return 0, repeated 0.

process_identifier  process_handle        base_address
2388                0x0000000000000058    0x0000000077711000
2388                0x0000000000000058    0x00000000776e7000
880                 0x000000000000004c    0x0000000077711000
880                 0x000000000000004c    0x00000000776e7000
2696                0x000000000000004c    0x0000000077711000
2696                0x000000000000004c    0x00000000776e7000
file C:\Users\test22\AppData\Local\Temp\C06C.tmp\C06D.tmp
file C:\Users\test22\AppData\Local\Temp\C06C.tmp\C06D.tmp\C06E.bat
file C:\Users\test22\AppData\Local\Temp\C06C.tmp
Time & API Arguments Status Return Repeated

WriteProcessMemory (27 calls, 9 per target process; each status 1, return 1, repeated 0). The buffer column is the report's own rendering: non-printable bytes are dropped, so a blank cell means the written bytes were all non-printable, not that nothing was written.

process_identifier  process_handle        base_address          buffer (as rendered)
2388                0x0000000000000054    0x000000013fb522b0    (no printable bytes)
2388                0x0000000000000054    0x000000013fb60d88    (no printable bytes)
2388                0x0000000000000058    0x0000000077711590    I»`#²?Aÿã
2388                0x0000000000000054    0x000000013fb60d78    ÁE
2388                0x0000000000000058    0x00000000776e7a90    I» ²?Aÿã
2388                0x0000000000000054    0x000000013fb60d70    ÁE
2388                0x0000000000000054    0x000000013fb00108    ϝT
2388                0x0000000000000054    0x000000013fb5aae8    qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
2388                0x0000000000000054    0x000000013fb60c78    (no printable bytes)
880                 0x0000000000000048    0x000000013f1e22b0    (no printable bytes)
880                 0x0000000000000048    0x000000013f1f0d88    (no printable bytes)
880                 0x000000000000004c    0x0000000077711590    I»`#?Aÿã
880                 0x0000000000000048    0x000000013f1f0d78    =K
880                 0x000000000000004c    0x00000000776e7a90    I» ?Aÿã
880                 0x0000000000000048    0x000000013f1f0d70    =K
880                 0x0000000000000048    0x000000013f190108    ϝT
880                 0x0000000000000048    0x000000013f1eaae8    qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
880                 0x0000000000000048    0x000000013f1f0c78    (no printable bytes)
2696                0x0000000000000048    0x000000013f1e22b0    (no printable bytes)
2696                0x0000000000000048    0x000000013f1f0d88    (no printable bytes)
2696                0x000000000000004c    0x0000000077711590    I»`#?Aÿã
2696                0x0000000000000048    0x000000013f1f0d78    z
2696                0x000000000000004c    0x00000000776e7a90    I» ?Aÿã
2696                0x0000000000000048    0x000000013f1f0d70    z
2696                0x0000000000000048    0x000000013f190108    ϝT
2696                0x0000000000000048    0x000000013f1eaae8    qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
2696                0x0000000000000048    0x000000013f1f0c78    (no printable bytes)

Reading of the rendered buffers (added annotation, not report output). The two writes per process that land at 0x0000000077711590 and 0x00000000776e7a90 begin with "I»" (0x49 0xBB) and end with "Aÿã" (0x41 0xFF 0xE3): that is the 13-byte x64 stub mov r11, imm64; jmp r11, and the 8 immediate bytes between them are the jump target, of which only printable fragments such as "`#²?" survive rendering. Both addresses sit in the two pages (0x77711000 and 0x776e7000) that the NtProtectVirtualMemory rows just above made PAGE_EXECUTE_READWRITE through the same handles (0x58 for 2388, 0x4c for 880 and 2696), while the writes into the 0x13f... image range go through a second handle to the same process (0x54 or 0x48). The long buffer written at ...aae8 is made of repeating two-byte pairs "qw", "nw", "mw", "lw", "ow", "pw" (0x71 0x77, 0x6e 0x77, 0x6d 0x77, 0x6c 0x77, 0x6f 0x77, 0x70 0x77); read as little-endian pointers these are values in the 0x776cxxxx to 0x7771xxxx range, the same range that holds the two hooked addresses, which is consistent with a function-pointer table such as an import address table being overwritten. Pids 2388, 880 and 2696 are the three firefox.exe processes that the Application Crash lines list.
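Hook-stub decoding for the 0x77711590 and 0x776e7a90 writes above, as an added example (editorial Python, not code from the report or from the sample). `decode_hook_stub` recognises the common x64 inline-hook shapes and recovers the jump target; `find_hooks` applies it to a set of entry points and flags those whose target leaves the owning module, which is the check a memory scanner runs over a suspect process. The 13-byte sample buffer is constructed: its printable bytes follow the report's rendering "I»`#²?Aÿã" of the pid-2388 write, while the non-printable immediate bytes (01 00 00 00), the module bounds and the export names in `demo()` are assumptions.

```python
import struct

# Constructed sample. The report renders the pid-2388 write at 0x77711590 as
# "I»`#²?Aÿã": 0x49 0xBB ... 0x41 0xFF 0xE3 is 'mov r11, imm64 ; jmp r11'.
# The renderer drops non-printable bytes, so the 01 00 00 00 inside the
# immediate is an ASSUMPTION, chosen to land in the 0x13fbxxxxx range that the
# report's other writes into pid 2388 target.
SAMPLE_HOOK_ADDR = 0x77711590
SAMPLE_HOOK_BYTES = bytes.fromhex("49bb" "6023b23f01000000" "41ffe3")

def decode_hook_stub(buf, addr):
    """Recognise a control-flow redirect at the start of `buf`, the code that
    lives at virtual address `addr`. Returns {'kind', 'length', 'target'} or
    None when the bytes are not one of the stub shapes handled here."""
    if len(buf) >= 13 and buf[:2] == b"\x49\xbb" and buf[10:13] == b"\x41\xff\xe3":
        return {"kind": "mov r11, imm64; jmp r11", "length": 13,
                "target": struct.unpack_from("<Q", buf, 2)[0]}
    if len(buf) >= 12 and buf[:2] == b"\x48\xb8" and buf[10:12] == b"\xff\xe0":
        return {"kind": "mov rax, imm64; jmp rax", "length": 12,
                "target": struct.unpack_from("<Q", buf, 2)[0]}
    if len(buf) >= 14 and buf[:6] == b"\xff\x25\x00\x00\x00\x00":
        # jmp qword ptr [rip+0]: the 8-byte target sits right after the instruction
        return {"kind": "jmp [rip+0]", "length": 14,
                "target": struct.unpack_from("<Q", buf, 6)[0]}
    if len(buf) >= 6 and buf[0] == 0x68 and buf[5] == 0xC3:
        return {"kind": "push imm32; ret", "length": 6,
                "target": struct.unpack_from("<I", buf, 1)[0]}
    if len(buf) >= 5 and buf[0] == 0xE9:
        rel = struct.unpack_from("<i", buf, 1)[0]          # relative to the next instruction
        return {"kind": "jmp rel32", "length": 5,
                "target": (addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF}
    return None

def find_hooks(read_memory, entry_points, module_range):
    """Flag every entry point whose first bytes redirect outside its own module.
    `read_memory(addr, n)` hides the source: ReadProcessMemory on a live
    process, or a slice of a memory dump."""
    lo, hi = module_range
    hooked = {}
    for name, va in entry_points.items():
        stub = decode_hook_stub(read_memory(va, 16), va)
        if stub is not None and not (lo <= stub["target"] < hi):
            hooked[name] = stub
    return hooked

def demo():
    """Constructed module image: bounds and export names are assumed; the two
    hooked addresses are the ones the report shows being written."""
    base, size = 0x776E0000, 0x40000
    image = bytearray(b"\x48\x83\xec\x28" * (size // 4))      # 'sub rsp, 0x28' filler
    exports = {"ExportA": 0x77711590, "ExportB": 0x776E7A90, "ExportC": 0x77700000}
    off = lambda va: va - base
    image[off(0x77711590):off(0x77711590) + 13] = SAMPLE_HOOK_BYTES
    image[off(0x776E7A90):off(0x776E7A90) + 14] = b"\xff\x25\x00\x00\x00\x00" + struct.pack("<Q", 0x13FB20000)
    # ExportC: a jmp rel32 that stays inside the module, so it is not reported
    image[off(0x77700000):off(0x77700000) + 5] = b"\xe9" + struct.pack("<i", 0x100 - 5)
    read = lambda va, n: bytes(image[off(va):off(va) + n])
    return find_hooks(read, exports, (base, base + size))
```

A stub whose target stays inside the module is left alone because legitimate hot-patching and compiler-generated thunks look the same at the byte level; the signal in this report is the combination of a foreign handle making the page writable, the stub being written and the target pointing into the 0x13f... range of the injector's own payload.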
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3e36e00,0x7fef3e36e10,0x7fef3e36e20
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,6796198753405259444,15423380739327287172,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=816 /prefetch:2
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\b40a0ab3-d4d2-479d-b4d0-e90f4848e2bb.dmp"
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
file C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file C:\Users\test22\AppData\Local\Temp\firefox\parent.lock
Process injection Process 1156 resumed a thread in remote process 2052
Process injection Process 2052 resumed a thread in remote process 2152
Process injection Process 2052 resumed a thread in remote process 2268
Process injection Process 2336 resumed a thread in remote process 2152
Process injection Process 2268 resumed a thread in remote process 2388
Process injection Process 2280 resumed a thread in remote process 880
Process injection Process 2724 resumed a thread in remote process 2696
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000210
suspend_count: 1
process_identifier: 2052
1 0 0

NtResumeThread

thread_handle: 0x000000000000006c
suspend_count: 0
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000068
suspend_count: 0
process_identifier: 2268
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtResumeThread

thread_handle: 0x000000000000004c
suspend_count: 1
process_identifier: 2388
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 880
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2696
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000001d8
suspend_count: 1
process_identifier: 1156
1 0 0

CreateProcessInternalW

thread_identifier: 2056
thread_handle: 0x00000210
process_identifier: 2052
current_directory: C:\Users\test22\AppData\Local\Temp\
filepath: C:\Windows\sysnative\cmd.exe
track: 1
command_line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\C06C.tmp\C06D.tmp\C06E.bat C:\Users\test22\AppData\Local\Temp\random.exe"
filepath_r: C:\Windows\sysnative\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000001fc
1 1 0

NtResumeThread

thread_handle: 0x00000210
suspend_count: 1
process_identifier: 2052
1 0 0

CreateProcessInternalW

thread_identifier: 2156
thread_handle: 0x000000000000006c
process_identifier: 2152
current_directory:
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000000000000068
1 1 0

NtResumeThread

thread_handle: 0x000000000000006c
suspend_count: 0
process_identifier: 2152
1 0 0

CreateProcessInternalW

thread_identifier: 2272
thread_handle: 0x0000000000000068
process_identifier: 2268
current_directory:
filepath: C:\Program Files\Mozilla Firefox\firefox.exe
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x000000000000006c
1 1 0

NtResumeThread

thread_handle: 0x0000000000000068
suspend_count: 0
process_identifier: 2268
1 0 0

NtResumeThread

thread_handle: 0x0000000000000078
suspend_count: 1
process_identifier: 2152
1 0 0

CreateProcessInternalW

thread_identifier: 2340
thread_handle: 0x00000000000000c0
process_identifier: 2336
current_directory:
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3e36e00,0x7fef3e36e10,0x7fef3e36e20
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000000000000c4
1 1 0

CreateProcessInternalW

thread_identifier: 2252
thread_handle: 0x0000000000000518
process_identifier: 2256
current_directory:
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,6796198753405259444,15423380739327287172,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=816 /prefetch:2
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|DETACHED_PROCESS|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x000000000000051c
1 1 0

NtResumeThread

thread_handle: 0x00000000000000d4
suspend_count: 1
process_identifier: 2336
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2152
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0