popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

random.exe

RedLine stealer Generic Malware UPX Malicious Library Malicious Packer Downloader HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Http API Anti_VM FTP Socket Escalate priviledges DNS Code injection PWS Sniff Audio Steal credential
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Sept. 2, 2024, 10:58 a.m. Sept. 2, 2024, 11 a.m.
Size 89.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 fb5e045c6e6d9f559ae90490d139c2fe
SHA256 482366a7f9d8d709043b6aadbafe9dd27f98d93522ede9b5de1dd2582ffd2f62
CRC32 FF183C46
ssdeep 1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfDxEi2kO+:Hq6+ouCpk2mpcWJ0r+QNTBfDB
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
crash-reports.mozilla.com
A 34.49.45.138
CNAME antenna-prod.socorro.prod.webservices.mozgcp.net
34.49.45.138
IP Address Status Action
164.124.101.2 Active Moloch
34.49.45.138 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
file C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\Locales
file C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .code
packer PureBasic 4.x -> Neil Hodgson
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
0x180004
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76
exception.instruction: call qword ptr [rip + 0x91f16]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x180004
registers.r14: 240316968
registers.r15: 82363056
registers.rcx: 1132
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 240316224
registers.rsp: 240315944
registers.r11: 240319840
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 1296
registers.r12: 240316584
registers.rbp: 240316080
registers.rdi: 11999072
registers.rax: 1572864
registers.r13: 84607632
1 0 0

__exception__

 stacktrace: 
0xcd1f04
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 8776808
registers.r15: 8791397078640
registers.rcx: 48
registers.rsi: 8791397010304
registers.r10: 0
registers.rbx: 0
registers.rsp: 8776440
registers.r11: 8779824
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 14915376
registers.rbp: 8776560
registers.rdi: 68263968
registers.rax: 13442816
registers.r13: 8777400
1 0 0

__exception__

 stacktrace: 
0xcd1f04
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 8973464
registers.r15: 8791552661104
registers.rcx: 48
registers.rsi: 8791552592768
registers.r10: 0
registers.rbx: 0
registers.rsp: 8973096
registers.r11: 8976480
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 14923568
registers.rbp: 8973216
registers.rdi: 65122560
registers.rax: 13442816
registers.r13: 8974056
1 0 0

__exception__

 stacktrace: 
0xcd1f04
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 9697008
registers.r15: 9696512
registers.rcx: 48
registers.rsi: 14758240
registers.r10: 0
registers.rbx: 0
registers.rsp: 9695560
registers.r11: 9697760
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 9696343
registers.rbp: 9695680
registers.rdi: 100
registers.rax: 13442816
registers.r13: 2
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007700b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002860000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000749ad000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007700b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000033c0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000749ad000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007700b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002840000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000749ad000
process_handle: 0xffffffffffffffff
1 0 0
Application Crash Process chrome.exe with pid 2156 crashed
Application Crash Process firefox.exe with pid 2384 crashed
Application Crash Process firefox.exe with pid 2244 crashed
Application Crash Process firefox.exe with pid 416 crashed
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
0x180004
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76
exception.instruction: call qword ptr [rip + 0x91f16]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x180004
registers.r14: 240316968
registers.r15: 82363056
registers.rcx: 1132
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 240316224
registers.rsp: 240315944
registers.r11: 240319840
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 1296
registers.r12: 240316584
registers.rbp: 240316080
registers.rdi: 11999072
registers.rax: 1572864
registers.r13: 84607632
1 0 0

__exception__

 stacktrace: 
0xcd1f04
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 8776808
registers.r15: 8791397078640
registers.rcx: 48
registers.rsi: 8791397010304
registers.r10: 0
registers.rbx: 0
registers.rsp: 8776440
registers.r11: 8779824
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 14915376
registers.rbp: 8776560
registers.rdi: 68263968
registers.rax: 13442816
registers.r13: 8777400
1 0 0

__exception__

 stacktrace: 
0xcd1f04
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 8973464
registers.r15: 8791552661104
registers.rcx: 48
registers.rsi: 8791552592768
registers.r10: 0
registers.rbx: 0
registers.rsp: 8973096
registers.r11: 8976480
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 14923568
registers.rbp: 8973216
registers.rdi: 65122560
registers.rax: 13442816
registers.r13: 8974056
1 0 0

__exception__

 stacktrace: 
0xcd1f04
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 9697008
registers.r15: 9696512
registers.rcx: 48
registers.rsi: 14758240
registers.r10: 0
registers.rbx: 0
registers.rsp: 9695560
registers.r11: 9697760
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 9696343
registers.rbp: 9695680
registers.rdi: 100
registers.rax: 13442816
registers.r13: 2
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\8dfd50d1-69f6-4c59-84fc-bb01ad8da10e.dmp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-66D54158-86C.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
file C:\Users\test22\AppData\Local\Temp\BFEF.tmp\BFF0.tmp\C001.bat
cmdline "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\BFEF.tmp\BFF0.tmp\C001.bat C:\Users\test22\AppData\Local\Temp\random.exe"
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: C:\Windows\sysnative\cmd
parameters: /c "C:\Users\test22\AppData\Local\Temp\BFEF.tmp\BFF0.tmp\C001.bat C:\Users\test22\AppData\Local\Temp\random.exe"
filepath: C:\Windows\sysnative\cmd
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x000002b1e69f0000
process_handle: 0xffffffffffffffff
1 0 0
section {u'size_of_data': u'0x00003400', u'virtual_address': u'0x00013000', u'entropy': 7.110640338733982, u'name': u'.rdata', u'virtual_size': u'0x0000339d'} entropy 7.11064033873 description A section with a high entropy has been found
section {u'size_of_data': u'0x00001000', u'virtual_address': u'0x00019000', u'entropy': 7.539060682863378, u'name': u'.rsrc', u'virtual_size': u'0x00000ffc'} entropy 7.53906068286 description A section with a high entropy has been found
url https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url https://crash-reports.mozilla.com/submit?id=
url https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c
url http://crl.comodo.net/TrustedCertificateServices.crl0
url http://users.ocsp.d-trust.net03
url https://accounts.google.com/ServiceLogin?service=accountsettings
url http://crl.ssc.lt/root-b/cacrl.crl0
url http://crl.securetrust.com/STCA.crl0
url http://crl.securetrust.com/SGCA.crl0
url http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url http://www.ssc.lt/cps03
url http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url http://www.pkioverheid.nl/policies/root-policy0
url http://cps.chambersign.org/cps/chambersroot.html0
url http://www.e-szigno.hu/SZSZ/0
url http://www.entrust.net/CRL/Client1.crl0
url http://crl.chambersign.org/publicnotaryroot.crl0
url http://crl.comodo.net/AAACertificateServices.crl0
url http://www.certplus.com/CRL/class3.crl0
url http://logo.verisign.com/vslogo.gif0
url http://www.acabogacia.org/doc0
url http://www.disig.sk/ca/crl/ca_disig.crl0
url https://www.catcert.net/verarrel
url http://www.sk.ee/cps/0
url http://www.quovadis.bm0
url https://www.catcert.net/verarrel05
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url http://crl.chambersign.org/chambersroot.crl0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url http://crl.globalsign.net/root-r2.crl0
url http://certificates.starfieldtech.com/repository/1604
url http://www.d-trust.net0
url http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url http://crl.ssc.lt/root-a/cacrl.crl0
url http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url http://www.certicamara.com/certicamaraca.crl0
url http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url http://www.post.trust.ie/reposit/cps.html0
url http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url http://www2.public-trust.com/crl/ct/ctroot.crl0
url http://www.certicamara.com0
url http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url http://www.comsign.co.il/cps0
url http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
description Code injection with CreateRemoteThread in a remote process rule Code_injection
Time & API Arguments Status Return Repeated

NtTerminateProcess

 status_code: 0xc0000005
process_identifier: 2156
process_handle: 0x00000000000000bc
0 0

NtTerminateProcess

 status_code: 0xc0000005
process_identifier: 2156
process_handle: 0x00000000000000bc
1 0 0
cmdline C:\Windows\sysnative\cmd /c "C:\Users\test22\AppData\Local\Temp\BFEF.tmp\BFF0.tmp\C001.bat C:\Users\test22\AppData\Local\Temp\random.exe"
cmdline "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\BFEF.tmp\BFF0.tmp\C001.bat C:\Users\test22\AppData\Local\Temp\random.exe"
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

 process_identifier: 2384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

 process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x000000000000004c
1 0 0

NtProtectVirtualMemory

 process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x000000000000004c
1 0 0

NtProtectVirtualMemory

 process_identifier: 416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x000000000000004c
1 0 0

NtProtectVirtualMemory

 process_identifier: 416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x000000000000004c
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: 
base_address: 0x000000013f4622b0
process_identifier: 2384
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x000000013f470d88
process_identifier: 2384
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

 buffer: I»`#C?Aÿã
base_address: 0x0000000077711590
process_identifier: 2384
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x000000013f470d78
process_identifier: 2384
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

 buffer: I» C?Aÿã
base_address: 0x00000000776e7a90
process_identifier: 2384
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x000000013f470d70
process_identifier: 2384
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

 buffer: ϝT
base_address: 0x000000013f410108
process_identifier: 2384
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

 buffer: qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
base_address: 0x000000013f46aae8
process_identifier: 2384
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x000000013f470c78
process_identifier: 2384
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x000000013fd022b0
process_identifier: 2244
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x000000013fd10d88
process_identifier: 2244
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

 buffer: I»`#Í?Aÿã
base_address: 0x0000000077711590
process_identifier: 2244
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

 buffer: y
base_address: 0x000000013fd10d78
process_identifier: 2244
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

 buffer: I» Í?Aÿã
base_address: 0x00000000776e7a90
process_identifier: 2244
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

 buffer: y
base_address: 0x000000013fd10d70
process_identifier: 2244
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

 buffer: ϝT
base_address: 0x000000013fcb0108
process_identifier: 2244
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

 buffer: qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
base_address: 0x000000013fd0aae8
process_identifier: 2244
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x000000013fd10c78
process_identifier: 2244
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x000000013fd022b0
process_identifier: 416
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x000000013fd10d88
process_identifier: 416
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

 buffer: I»`#Í?Aÿã
base_address: 0x0000000077711590
process_identifier: 416
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

 buffer: ˆ
base_address: 0x000000013fd10d78
process_identifier: 416
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

 buffer: I» Í?Aÿã
base_address: 0x00000000776e7a90
process_identifier: 416
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

 buffer: ˆ
base_address: 0x000000013fd10d70
process_identifier: 416
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

 buffer: ϝT
base_address: 0x000000013fcb0108
process_identifier: 416
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

 buffer: qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
base_address: 0x000000013fd0aae8
process_identifier: 416
process_handle: 0x0000000000000048
1 1 0

WriteProcessMemory

 buffer: 
base_address: 0x000000013fd10c78
process_identifier: 416
process_handle: 0x0000000000000048
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\minidumps\c216a6e7-4e2b-436a-a742-46e4a5c15def.dmp"
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3e36e00,0x7fef3e36e10,0x7fef3e36e20
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1064,405328435193604317,3726656886444491162,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1032 /prefetch:2
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
file C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file C:\Users\test22\AppData\Local\Temp\firefox\parent.lock
Process injection Process 1932 resumed a thread in remote process 2060
Process injection Process 2060 resumed a thread in remote process 2156
Process injection Process 2060 resumed a thread in remote process 2240
Process injection Process 2300 resumed a thread in remote process 2156
Process injection Process 2240 resumed a thread in remote process 2384
Process injection Process 2408 resumed a thread in remote process 2244
Process injection Process 2864 resumed a thread in remote process 416
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000208
suspend_count: 1
process_identifier: 2060
1 0 0

NtResumeThread

 thread_handle: 0x000000000000006c
suspend_count: 0
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000068
suspend_count: 0
process_identifier: 2240
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2384
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2244
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 416
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000001d8
suspend_count: 1
process_identifier: 1932
1 0 0

CreateProcessInternalW

 thread_identifier: 2064
thread_handle: 0x00000208
process_identifier: 2060
current_directory: C:\Users\test22\AppData\Local\Temp\
filepath: C:\Windows\sysnative\cmd.exe
track: 1
command_line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\BFEF.tmp\BFF0.tmp\C001.bat C:\Users\test22\AppData\Local\Temp\random.exe"
filepath_r: C:\Windows\sysnative\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000210
1 1 0

NtResumeThread

 thread_handle: 0x00000208
suspend_count: 1
process_identifier: 2060
1 0 0

CreateProcessInternalW

 thread_identifier: 2160
thread_handle: 0x000000000000006c
process_identifier: 2156
current_directory:
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000000000000068
1 1 0

NtResumeThread

 thread_handle: 0x000000000000006c
suspend_count: 0
process_identifier: 2156
1 0 0

CreateProcessInternalW

 thread_identifier: 2244
thread_handle: 0x0000000000000068
process_identifier: 2240
current_directory:
filepath: C:\Program Files\Mozilla Firefox\firefox.exe
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x000000000000006c
1 1 0

NtResumeThread

 thread_handle: 0x0000000000000068
suspend_count: 0
process_identifier: 2240
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000078
suspend_count: 1
process_identifier: 2156
1 0 0

CreateProcessInternalW

 thread_identifier: 2304
thread_handle: 0x00000000000000c0
process_identifier: 2300
current_directory:
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef3e36e00,0x7fef3e36e10,0x7fef3e36e20
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000000000000c4
1 1 0

CreateProcessInternalW

 thread_identifier: 2256
thread_handle: 0x0000000000000508
process_identifier: 2252
current_directory:
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1064,405328435193604317,3726656886444491162,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1032 /prefetch:2
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|DETACHED_PROCESS|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000000000000510
1 1 0

NtResumeThread

 thread_handle: 0x00000000000000e0
suspend_count: 1
process_identifier: 2300
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000114
suspend_count: 2
process_identifier: 2156
1 0 0

NtGetContextThread

 thread_handle: 0x0000000000000114
1 0 0
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.IGENERICPMF.S2481492
Skyhigh BehavesLike.Win32.Generic.mh
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
VirIT Trojan.Win32.Genus.IHW
ESET-NOD32 BAT/Agent.QJD
APEX Malicious
McAfee GenericRXWO-YL!FB5E045C6E6D
Avast Win32:Evo-gen [Trj]
Zillya Tool.Lazagne.Win32.102
McAfeeD Real Protect-LS!FB5E045C6E6D
FireEye Generic.mg.fb5e045c6e6d9f55
Sophos Generic ML PUA (PUA)
SentinelOne Static AI - Suspicious PE
Webroot W32.Trojan.Gen
Google Detected
Kingsoft malware.kb.a.984
Microsoft Trojan:Win32/Babadeda.AMD!MTB
Varist W32/Kryptik.FDM.gen!Eldorado
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware.AI.DDS
Ikarus Trojan.Win32
Zoner Trojan.Win32.85523
Tencent Trojan.Bat.Agent.ha
huorong HEUR:Trojan/BAT.Agent.da
MaxSecure Trojan.Malware.1728101.susgen
Fortinet W32/Babadeda.SS!tr
AVG Win32:Evo-gen [Trj]
CrowdStrike win/malicious_confidence_70% (D)