Summary | ZeroBOX

random.exe

Generic Malware UPX Malicious Library Malicious Packer Downloader HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Http API FTP Socket Escalate privileges DNS Code injection PWS Sniff Audio Steal credential AntiDebug PE File AntiVM PE32
Category Machine Started Completed
FILE s1_win7_x6403_us Aug. 1, 2024, 10:53 a.m. Aug. 1, 2024, 10:56 a.m.
Size 89.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d9cb86f07f84abd7359a4b51371db020
SHA256 009e010215fc78a080662f6ca095fd9beb018cf1cf94b7aa539a969e232a89a8
CRC32 C6A0D4C1
ssdeep 1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfoxfigOq:Hq6+ouCpk2mpcWJ0r+QNTBfopD
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

IP Address Status Action
164.124.101.2 Active Moloch
34.49.45.138 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
file C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\Locales
file C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .code
packer PureBasic 4.x -> Neil Hodgson
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x180004

exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76
exception.instruction: call qword ptr [rip + 0x91f16]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x180004
registers.r14: 250016744
registers.r15: 83069856
registers.rcx: 544
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 250016000
registers.rsp: 250015720
registers.r11: 250019616
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 548
registers.r12: 250016360
registers.rbp: 250015856
registers.rdi: 83108656
registers.rax: 1572864
registers.r13: 83141936
1 0 0

__exception__

stacktrace:
0xcd1f04

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 8646504
registers.r15: 8791398061680
registers.rcx: 48
registers.rsi: 8791397993344
registers.r10: 0
registers.rbx: 0
registers.rsp: 8646136
registers.r11: 8649520
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 14912224
registers.rbp: 8646256
registers.rdi: 254910496
registers.rax: 13442816
registers.r13: 8647096
1 0 0

__exception__

stacktrace:
0xcd1f04

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 9563656
registers.r15: 8791554102896
registers.rcx: 48
registers.rsi: 8791554034560
registers.r10: 0
registers.rbx: 0
registers.rsp: 9563288
registers.r11: 9566672
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092883536
registers.r12: 14921136
registers.rbp: 9563408
registers.rdi: 65119680
registers.rax: 13442816
registers.r13: 9564248
1 0 0

__exception__

stacktrace:
0xcd1f04

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 8976128
registers.r15: 8975632
registers.rcx: 48
registers.rsi: 14705952
registers.r10: 0
registers.rbx: 0
registers.rsp: 8974680
registers.r11: 8976880
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092883536
registers.r12: 8975463
registers.rbp: 8974800
registers.rdi: 100
registers.rax: 13442816
registers.r13: 2
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007700b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003370000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000749ad000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000b80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007700b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000b80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002860000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000749ad000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007700b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002860000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000749ad000
process_handle: 0xffffffffffffffff
1 0 0
Application Crash Process chrome.exe with pid 2212 crashed
Application Crash Process firefox.exe with pid 2464 crashed
Application Crash Process firefox.exe with pid 2476 crashed
Application Crash Process firefox.exe with pid 1364 crashed
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file C:\Users\test22\AppData\Local\Google\Chrome\User Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Policy\User Policy
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66AB5FE1-8A4.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\beedfbf0-f9be-41b0-96cb-32d3b633da10.dmp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
file C:\Users\test22\AppData\Local\Temp\BD11.tmp\BD22.tmp\BD23.bat
cmdline "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\BD11.tmp\BD22.tmp\BD23.bat C:\Users\test22\AppData\Local\Temp\random.exe"
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\sysnative\cmd
parameters: /c "C:\Users\test22\AppData\Local\Temp\BD11.tmp\BD22.tmp\BD23.bat C:\Users\test22\AppData\Local\Temp\random.exe"
filepath: C:\Windows\sysnative\cmd
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00000179ece90000
process_handle: 0xffffffffffffffff
1 0 0
section .rdata (virtual_address 0x00013000, virtual_size 0x0000339d, size_of_data 0x00003400) entropy 7.110640338733982 description A section with a high entropy has been found
section .rsrc (virtual_address 0x00019000, virtual_size 0x00000f9c, size_of_data 0x00001000) entropy 7.5081635333927705 description A section with a high entropy has been found
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate privileges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
description Code injection with CreateRemoteThread in a remote process rule Code_injection
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0xc0000005
process_identifier: 2212
process_handle: 0x00000000000000bc
0 0

NtTerminateProcess

status_code: 0xc0000005
process_identifier: 2212
process_handle: 0x00000000000000bc
1 0 0
cmdline "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\BD11.tmp\BD22.tmp\BD23.bat C:\Users\test22\AppData\Local\Temp\random.exe"
cmdline C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\BD11.tmp\BD22.tmp\BD23.bat C:\Users\test22\AppData\Local\Temp\random.exe"
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x000000000000004c
1 0 0

NtProtectVirtualMemory

process_identifier: 2476
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x000000000000004c
1 0 0

NtProtectVirtualMemory

process_identifier: 1364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x000000000000004c
1 0 0

NtProtectVirtualMemory

process_identifier: 1364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x000000000000004c
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: 
base_address: 0x000000013f2022b0
process_identifier: 2464
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f210d88
process_identifier: 2464
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#?Aÿã
base_address: 0x0000000077711590
process_identifier: 2464
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ia
base_address: 0x000000013f210d78
process_identifier: 2464
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» ?Aÿã
base_address: 0x00000000776e7a90
process_identifier: 2464
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ia
base_address: 0x000000013f210d70
process_identifier: 2464
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013f1b0108
process_identifier: 2464
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
base_address: 0x000000013f20aae8
process_identifier: 2464
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f210c78
process_identifier: 2464
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f5d22b0
process_identifier: 2476
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f5e0d88
process_identifier: 2476
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

buffer: I»`#Z?Aÿã
base_address: 0x0000000077711590
process_identifier: 2476
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: w
base_address: 0x000000013f5e0d78
process_identifier: 2476
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

buffer: I» Z?Aÿã
base_address: 0x00000000776e7a90
process_identifier: 2476
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: w
base_address: 0x000000013f5e0d70
process_identifier: 2476
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013f580108
process_identifier: 2476
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

buffer: qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
base_address: 0x000000013f5daae8
process_identifier: 2476
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f5e0c78
process_identifier: 2476
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f5d22b0
process_identifier: 1364
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f5e0d88
process_identifier: 1364
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

buffer: I»`#Z?Aÿã
base_address: 0x0000000077711590
process_identifier: 1364
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: xz
base_address: 0x000000013f5e0d78
process_identifier: 1364
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

buffer: I» Z?Aÿã
base_address: 0x00000000776e7a90
process_identifier: 1364
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: xz
base_address: 0x000000013f5e0d70
process_identifier: 1364
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013f580108
process_identifier: 1364
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

buffer: qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
base_address: 0x000000013f5daae8
process_identifier: 1364
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f5e0c78
process_identifier: 1364
process_handle: 0x0000000000000048
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\040da165-a33e-442c-9aed-f2816bdb6337.dmp"
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3e36e00,0x7fef3e36e10,0x7fef3e36e20
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,10115720158348348824,15988900441655601596,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1052 /prefetch:2
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
file C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file C:\Users\test22\AppData\Local\Temp\firefox\parent.lock
Process injection Process 652 resumed a thread in remote process 2120
Process injection Process 2120 resumed a thread in remote process 2212
Process injection Process 2120 resumed a thread in remote process 2296
Process injection Process 2372 resumed a thread in remote process 2212
Process injection Process 2296 resumed a thread in remote process 2464
Process injection Process 840 resumed a thread in remote process 2476
Process injection Process 316 resumed a thread in remote process 1364
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000208
suspend_count: 1
process_identifier: 2120
1 0 0

NtResumeThread

thread_handle: 0x000000000000006c
suspend_count: 0
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000068
suspend_count: 0
process_identifier: 2296
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2464
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2476
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 1364
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000001d8
suspend_count: 1
process_identifier: 652
1 0 0

CreateProcessInternalW

thread_identifier: 2124
thread_handle: 0x00000208
process_identifier: 2120
current_directory: C:\Users\test22\AppData\Local\Temp\
filepath: C:\Windows\sysnative\cmd.exe
track: 1
command_line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\BD11.tmp\BD22.tmp\BD23.bat C:\Users\test22\AppData\Local\Temp\random.exe"
filepath_r: C:\Windows\sysnative\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000210
1 1 0

NtResumeThread

thread_handle: 0x00000208
suspend_count: 1
process_identifier: 2120
1 0 0

CreateProcessInternalW

thread_identifier: 2216
thread_handle: 0x000000000000006c
process_identifier: 2212
current_directory:
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000000000000068
1 1 0

NtResumeThread

thread_handle: 0x000000000000006c
suspend_count: 0
process_identifier: 2212
1 0 0

CreateProcessInternalW

thread_identifier: 2300
thread_handle: 0x0000000000000068
process_identifier: 2296
current_directory:
filepath: C:\Program Files\Mozilla Firefox\firefox.exe
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x000000000000006c
1 1 0

NtResumeThread

thread_handle: 0x0000000000000068
suspend_count: 0
process_identifier: 2296
1 0 0

NtResumeThread

thread_handle: 0x0000000000000078
suspend_count: 1
process_identifier: 2212
1 0 0

CreateProcessInternalW

thread_identifier: 2376
thread_handle: 0x00000000000000c0
process_identifier: 2372
current_directory:
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3e36e00,0x7fef3e36e10,0x7fef3e36e20
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000000000000c4
1 1 0

CreateProcessInternalW

thread_identifier: 1200
thread_handle: 0x0000000000000578
process_identifier: 2116
current_directory:
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,10115720158348348824,15988900441655601596,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1052 /prefetch:2
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|DETACHED_PROCESS|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000000000000224
1 1 0

NtResumeThread

thread_handle: 0x00000000000000dc
suspend_count: 1
process_identifier: 2372
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2212
1 0 0

NtGetContextThread

thread_handle: 0x0000000000000114
1 0 0
Bkav W32.AIDetectMalware
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.107747
CAT-QuickHeal Trojan.IGENERICPMF.S2481492
Skyhigh BehavesLike.Win32.Generic.mh
ALYac Trojan.GenericKDZ.107747
Cylance Unsafe
VIPRE Trojan.GenericKDZ.107747
Sangfor Trojan.Win32.Save.a
BitDefender Trojan.GenericKDZ.107747
VirIT Trojan.Win32.Genus.IHW
APEX Malicious
McAfee Babadeda!D9CB86F07F84
Cynet Malicious (score: 100)
Emsisoft Trojan.GenericKDZ.107747 (B)
Zillya Tool.Lazagne.Win32.102
McAfeeD Real Protect-LS!D9CB86F07F84
FireEye Generic.mg.d9cb86f07f84abd7
Sophos Generic ML PUA (PUA)
Ikarus Trojan.MSIL.Injector
Webroot W32.Trojan.Gen
Google Detected
MAX malware (ai score=89)
Antiy-AVL Trojan/Win32.Tiggre
Kingsoft malware.kb.a.982
GData Trojan.GenericKDZ.107747
Varist W32/Kryptik.FDM.gen!Eldorado
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware.AI.DDS
Zoner Trojan.Win32.85523
MaxSecure Trojan.Malware.1728101.susgen
CrowdStrike win/malicious_confidence_70% (D)