Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 17, 2024, 10:37 a.m.	Oct. 17, 2024, 10:47 a.m.

Size	898.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`18e64b3509e95557b6614610df2fcf20`
SHA256	`3c758f6490891a556c3d5c6a80d1b64214c57dfc1a5b06f7e1bae0ca427f9188`
CRC32	`DCFE9A6A`
ssdeep	`12288:2qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga0TV:2qDEvCTbMWu7rQYlBQcBiT6rprG8aUV`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

well_clean.exe "C:\Users\test22\AppData\Local\Temp\well_clean.exe"
2552
- taskkill.exe taskkill /IM msedge.exe /F
  2604
- taskkill.exe taskkill /IM opera.exe /F
  2692
- taskkill.exe taskkill /IM firefox.exe /F
  2748
- taskkill.exe taskkill /IM chrome.exe /F
  2640
- taskkill.exe taskkill /F /IM firefox.exe /T
  744
- taskkill.exe taskkill /F /IM chrome.exe /T
  1484
- taskkill.exe taskkill /F /IM msedge.exe /T
  2224
- taskkill.exe taskkill /F /IM opera.exe /T
  2420
- taskkill.exe taskkill /F /IM brave.exe /T
  2488
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2728
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    2888
- taskkill.exe taskkill /F /IM firefox.exe /T
  2648
- taskkill.exe taskkill /F /IM chrome.exe /T
  604
- taskkill.exe taskkill /F /IM msedge.exe /T
  2112
- taskkill.exe taskkill /F /IM opera.exe /T
  2240
- taskkill.exe taskkill /F /IM brave.exe /T
  2564
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2724
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    2800
- taskkill.exe taskkill /F /IM firefox.exe /T
  1796
- taskkill.exe taskkill /F /IM chrome.exe /T
  2304
- taskkill.exe taskkill /F /IM msedge.exe /T
  3044
- taskkill.exe taskkill /F /IM opera.exe /T
  3048
- taskkill.exe taskkill /F /IM brave.exe /T
  908
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2416
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    2500
- taskkill.exe taskkill /F /IM firefox.exe /T
  2836
- taskkill.exe taskkill /F /IM chrome.exe /T
  1156
- taskkill.exe taskkill /F /IM msedge.exe /T
  1168
- taskkill.exe taskkill /F /IM opera.exe /T
  2908
- taskkill.exe taskkill /F /IM brave.exe /T
  1848
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  1108
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    2164
- taskkill.exe taskkill /F /IM firefox.exe /T
  1952
- taskkill.exe taskkill /F /IM chrome.exe /T
  2736
- taskkill.exe taskkill /F /IM msedge.exe /T
  2812
- taskkill.exe taskkill /F /IM opera.exe /T
  740
- taskkill.exe taskkill /F /IM brave.exe /T
  452
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2592
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    536
- taskkill.exe taskkill /F /IM firefox.exe /T
  2388
- taskkill.exe taskkill /F /IM chrome.exe /T
  416
- taskkill.exe taskkill /F /IM msedge.exe /T
  2668
- taskkill.exe taskkill /F /IM opera.exe /T
  2132
- taskkill.exe taskkill /F /IM brave.exe /T
  2504
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  1080
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    560
- taskkill.exe taskkill /F /IM firefox.exe /T
  176
- taskkill.exe taskkill /F /IM chrome.exe /T
  2196
- taskkill.exe taskkill /F /IM msedge.exe /T
  1432
- taskkill.exe taskkill /F /IM opera.exe /T
  3084
- taskkill.exe taskkill /F /IM brave.exe /T
  3164
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  3244
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3288
- taskkill.exe taskkill /F /IM firefox.exe /T
  3408
- taskkill.exe taskkill /F /IM chrome.exe /T
  3496
- taskkill.exe taskkill /F /IM msedge.exe /T
  3576
- taskkill.exe taskkill /F /IM opera.exe /T
  3656
- taskkill.exe taskkill /F /IM brave.exe /T
  3740
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  3820
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3864
- taskkill.exe taskkill /F /IM firefox.exe /T
  3976
- taskkill.exe taskkill /F /IM chrome.exe /T
  4060
- taskkill.exe taskkill /F /IM msedge.exe /T
  3104
- taskkill.exe taskkill /F /IM opera.exe /T
  3204
- taskkill.exe taskkill /F /IM brave.exe /T
  3316
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  532
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    2180
- taskkill.exe taskkill /F /IM firefox.exe /T
  3484
- taskkill.exe taskkill /F /IM chrome.exe /T
  3588
- taskkill.exe taskkill /F /IM msedge.exe /T
  3732
- taskkill.exe taskkill /F /IM opera.exe /T
  3796
- taskkill.exe taskkill /F /IM brave.exe /T
  152
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  3972
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    4020
- taskkill.exe taskkill /F /IM firefox.exe /T
  3184
- taskkill.exe taskkill /F /IM chrome.exe /T
  3264
- taskkill.exe taskkill /F /IM msedge.exe /T
  1016
- taskkill.exe taskkill /F /IM opera.exe /T
  3444
- taskkill.exe taskkill /F /IM brave.exe /T
  3508
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  3592
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3788
- taskkill.exe taskkill /F /IM firefox.exe /T
  3952
- taskkill.exe taskkill /F /IM chrome.exe /T
  3100
- taskkill.exe taskkill /F /IM msedge.exe /T
  3152
- taskkill.exe taskkill /F /IM opera.exe /T
  2984
- taskkill.exe taskkill /F /IM brave.exe /T
  3452
- firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  3572
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3676
- taskkill.exe taskkill /F /IM firefox.exe /T
  3880
- taskkill.exe taskkill /F /IM chrome.exe /T
  3996

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 66 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2024, 10:38 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 70 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:37 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0
IsDebuggerPresent Oct. 17, 2024, 10:38 a.m.			0	0

Command line console output was observed (50 out of 78 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "msedge.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "opera.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "firefox.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "firefox.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "msedge.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "opera.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "brave.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: SUCCESS: The process with PID 2888 (child process of PID 2728) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: SUCCESS: The process with PID 2728 (child process of PID 2552) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "msedge.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "opera.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "brave.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: SUCCESS: The process with PID 2800 (child process of PID 2724) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: SUCCESS: The process with PID 2724 (child process of PID 2552) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "msedge.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "opera.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "brave.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: SUCCESS: The process with PID 2500 (child process of PID 2416) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: SUCCESS: The process with PID 2416 (child process of PID 2552) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "msedge.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "opera.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "brave.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: SUCCESS: The process with PID 2164 (child process of PID 1108) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: SUCCESS: The process with PID 1108 (child process of PID 2552) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "msedge.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "opera.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:37 a.m.	buffer: ERROR: The process "brave.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: SUCCESS: The process with PID 536 (child process of PID 2592) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: SUCCESS: The process with PID 2592 (child process of PID 2552) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: ERROR: The process "msedge.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: ERROR: The process "opera.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: ERROR: The process "brave.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: SUCCESS: The process with PID 560 (child process of PID 1080) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: SUCCESS: The process with PID 1080 (child process of PID 2552) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: ERROR: The process "msedge.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: ERROR: The process "opera.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: ERROR: The process "brave.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: SUCCESS: The process with PID 3288 (child process of PID 3244) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: SUCCESS: The process with PID 3244 (child process of PID 2552) has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: ERROR: The process "msedge.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 17, 2024, 10:38 a.m.	buffer: ERROR: The process "opera.exe" not found. console_handle: 0x0000000b	1	1

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll

Allocates read-write-execute memory (usually to unpack itself) (50 out of 97 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c5b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c26000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000028b0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007398d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c5b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c26000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000033b0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007398d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c5b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c26000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003490000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007398d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c5b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c26000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000030a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007398d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b50000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c5b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b50000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c26000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000028a0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007398d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c5b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c26000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000028b0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007398d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c5b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c26000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000028e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007398d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a50000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c5b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a50000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c26000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 85934080 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 15130624 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000008325000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 2252800 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000092e3000 process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (50 out of 3408 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\contentscript_bin_prod.js
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\sr\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\pt_PT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nl\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\fil\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\zh_HK\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\nl\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\de\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_metadata\computed_hashes.json\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\si\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\en_US\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\tr\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\a4b90990b418581487bb13a2cc67700a3c359804f91bdfb8e377cd0ec80ddc10.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\is\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sv\messages.json\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\iw
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\it
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fil\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\de
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\vi\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\id
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\mr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es_419\messages.json\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\pt_BR\messages.json\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\ja\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\en_GB\messages.json\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\si\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\th\messages.json\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\gl\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\tr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\icon_128.png\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\id\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\fr
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\_locales\sr\messages.json\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\bg\messages.json\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\zh_HK\messages.json\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\fr\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\fil\messages.json
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\lt\messages.json\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_metadata\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pl\Network\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\c652a0ec48ceb3fcab170992c43a87413309e80065a26252401ba3362a17c565.sth
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths\68f698f81f6482be3a8ceeb9281d4cfc71515d6793d444d10a67acbb4f4ffbc4.sth

Executes one or more WMI queries (5 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "opera.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefox.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (13 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000134 process_name: taskhost.exe process_identifier: 2376	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000134 process_name: well_clean.exe process_identifier: 2552	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000134 process_name: WmiPrvSE.exe process_identifier: 2928	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x0000013c process_name: firefox.exe process_identifier: 2728	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000134 process_name: svchost.exe process_identifier: 2844	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x0000013c process_name: firefox.exe process_identifier: 2724	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x0000013c process_name: firefox.exe process_identifier: 2416	1	1
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x0000013c process_name: firefox.exe process_identifier: 1108	1	1
Process32NextW Oct. 17, 2024, 10:38 a.m.	snapshot_handle: 0x0000013c process_name: firefox.exe process_identifier: 1080	1	1
Process32NextW Oct. 17, 2024, 10:38 a.m.	snapshot_handle: 0x0000013c process_name: firefox.exe process_identifier: 3244	1	1
Process32NextW Oct. 17, 2024, 10:38 a.m.	snapshot_handle: 0x0000013c process_name: firefox.exe process_identifier: 3820	1	1
Process32NextW Oct. 17, 2024, 10:38 a.m.	snapshot_handle: 0x0000013c process_name: firefox.exe process_identifier: 532	1	1
Process32NextW Oct. 17, 2024, 10:38 a.m.	snapshot_handle: 0x0000013c process_name: firefox.exe process_identifier: 3972	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000013e96bf0000 process_handle: 0xffffffffffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (50 out of 66 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2024, 10:38 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (11 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000134 process_name: svchost.exe process_identifier: 2844		0	0
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000134 process_name: svchost.exe process_identifier: 2844		0	0
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000134 process_name: svchost.exe process_identifier: 2844		0	0
Process32NextW Oct. 17, 2024, 10:37 a.m.	snapshot_handle: 0x00000134 process_name: svchost.exe process_identifier: 2844		0	0
Process32NextW Oct. 17, 2024, 10:38 a.m.	snapshot_handle: 0x00000134 process_name: taskhost.exe process_identifier: 2288		0	0
Process32NextW Oct. 17, 2024, 10:38 a.m.	snapshot_handle: 0x00000134 process_name: taskhost.exe process_identifier: 2288		0	0
Process32NextW Oct. 17, 2024, 10:38 a.m.	snapshot_handle: 0x00000134 process_name: taskhost.exe process_identifier: 2288		0	0
Process32NextW Oct. 17, 2024, 10:38 a.m.	snapshot_handle: 0x00000134 process_name: taskhost.exe process_identifier: 2288		0	0
Process32NextW Oct. 17, 2024, 10:38 a.m.	snapshot_handle: 0x00000134 process_name: taskhost.exe process_identifier: 2288		0	0
Process32NextW Oct. 17, 2024, 10:38 a.m.	snapshot_handle: 0x00000134 process_name: taskhost.exe process_identifier: 2288		0	0
Process32NextW Oct. 17, 2024, 10:39 a.m.	snapshot_handle: 0x00000134 process_name: taskhost.exe process_identifier: 2288		0	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url	https://crash-reports.mozilla.com/submit?id=
url	https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c

Yara rule detected in process memory (50 out of 108 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Terminates another process (48 events)

Time & API	Arguments	Status
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2888 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2888 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2728 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2728 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2800 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2800 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2724 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2724 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2500 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2500 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2416 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2416 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2164 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 2164 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 1108 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:37 a.m.	status_code: 0x00000001 process_identifier: 1108 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 536 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 536 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 2592 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 2592 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 560 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 560 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 1080 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 1080 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3288 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3288 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3244 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3244 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3864 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3864 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3820 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3820 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 2180 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 2180 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 532 process_handle: 0x0000018c
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 532 process_handle: 0x0000018c	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 4020 process_handle: 0x00000190
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 4020 process_handle: 0x00000190	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3972 process_handle: 0x00000190
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3972 process_handle: 0x00000190	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3788 process_handle: 0x00000194
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3788 process_handle: 0x00000194	1
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3592 process_handle: 0x00000194
NtTerminateProcess Oct. 17, 2024, 10:38 a.m.	status_code: 0x00000001 process_identifier: 3592 process_handle: 0x00000194	1
NtTerminateProcess Oct. 17, 2024, 10:39 a.m.	status_code: 0x00000001 process_identifier: 3676 process_handle: 0x00000190
NtTerminateProcess Oct. 17, 2024, 10:39 a.m.	status_code: 0x00000001 process_identifier: 3676 process_handle: 0x00000190	1
NtTerminateProcess Oct. 17, 2024, 10:39 a.m.	status_code: 0x00000001 process_identifier: 3572 process_handle: 0x00000190
NtTerminateProcess Oct. 17, 2024, 10:39 a.m.	status_code: 0x00000001 process_identifier: 3572 process_handle: 0x00000190	1

Uses Windows utilities for basic Windows functionality (9 events)

cmdline	taskkill /F /IM opera.exe /T
cmdline	taskkill /IM msedge.exe /F
cmdline	taskkill /IM opera.exe /F
cmdline	taskkill /F /IM chrome.exe /T
cmdline	taskkill /F /IM msedge.exe /T
cmdline	taskkill /F /IM firefox.exe /T
cmdline	taskkill /F /IM brave.exe /T
cmdline	taskkill /IM firefox.exe /F
cmdline	taskkill /IM chrome.exe /F

Allocates execute permission to another process indicative of possible code injection (24 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:37 a.m.	process_identifier: 536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 2180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 4020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 4020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:38 a.m.	process_identifier: 3788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:39 a.m.	process_identifier: 3676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Oct. 17, 2024, 10:39 a.m.	process_identifier: 3676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1

Potential code injection by writing to the memory of another process (50 out of 108 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013fe322b0 process_identifier: 2888 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013fe40d88 process_identifier: 2888 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: I»`#à?Aÿã base_address: 0x0000000076d81590 process_identifier: 2888 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: Ð base_address: 0x000000013fe40d78 process_identifier: 2888 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: I» à?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2888 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: Ð base_address: 0x000000013fe40d70 process_identifier: 2888 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: ÏT base_address: 0x000000013fde0108 process_identifier: 2888 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fe3aae8 process_identifier: 2888 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013fe40c78 process_identifier: 2888 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013f9822b0 process_identifier: 2800 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013f990d88 process_identifier: 2800 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: I»`#?Aÿã base_address: 0x0000000076d81590 process_identifier: 2800 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: Y6 base_address: 0x000000013f990d78 process_identifier: 2800 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: I» ?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2800 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: Y6 base_address: 0x000000013f990d70 process_identifier: 2800 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: ÏT base_address: 0x000000013f930108 process_identifier: 2800 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f98aae8 process_identifier: 2800 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013f990c78 process_identifier: 2800 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013f2922b0 process_identifier: 2500 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013f2a0d88 process_identifier: 2500 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: I»`#&?Aÿã base_address: 0x0000000076d81590 process_identifier: 2500 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: ç base_address: 0x000000013f2a0d78 process_identifier: 2500 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: I» &?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2500 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: ç base_address: 0x000000013f2a0d70 process_identifier: 2500 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: ÏT base_address: 0x000000013f240108 process_identifier: 2500 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f29aae8 process_identifier: 2500 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013f2a0c78 process_identifier: 2500 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013fba22b0 process_identifier: 2164 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013fbb0d88 process_identifier: 2164 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: I»`#·?Aÿã base_address: 0x0000000076d81590 process_identifier: 2164 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: ù base_address: 0x000000013fbb0d78 process_identifier: 2164 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: I» ·?Aÿã base_address: 0x0000000076d57a90 process_identifier: 2164 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: ù base_address: 0x000000013fbb0d70 process_identifier: 2164 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: ÏT base_address: 0x000000013fb50108 process_identifier: 2164 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013fbaaae8 process_identifier: 2164 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013fbb0c78 process_identifier: 2164 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013f6e22b0 process_identifier: 536 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013f6f0d88 process_identifier: 536 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: I»`#k?Aÿã base_address: 0x0000000076d81590 process_identifier: 536 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: Æ# base_address: 0x000000013f6f0d78 process_identifier: 536 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: I» k?Aÿã base_address: 0x0000000076d57a90 process_identifier: 536 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: Æ# base_address: 0x000000013f6f0d70 process_identifier: 536 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: ÏT base_address: 0x000000013f690108 process_identifier: 536 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f6eaae8 process_identifier: 536 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:37 a.m.	buffer: base_address: 0x000000013f6f0c78 process_identifier: 536 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:38 a.m.	buffer: base_address: 0x000000013fe422b0 process_identifier: 560 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:38 a.m.	buffer: base_address: 0x000000013fe50d88 process_identifier: 560 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:38 a.m.	buffer: I»`#á?Aÿã base_address: 0x0000000076d81590 process_identifier: 560 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Oct. 17, 2024, 10:38 a.m.	buffer: base_address: 0x000000013fe50d78 process_identifier: 560 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Oct. 17, 2024, 10:38 a.m.	buffer: I» á?Aÿã base_address: 0x0000000076d57a90 process_identifier: 560 process_handle: 0x0000000000000050	1	1

Expresses interest in specific running processes (1 event)

process: potential browser injection target

firefox.exe

One or more non-whitelisted processes were created (12 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

Appends a known multi-family ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (24 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2728 resumed a thread in remote process 2888
Process injection	Process 2724 resumed a thread in remote process 2800
Process injection	Process 2416 resumed a thread in remote process 2500
Process injection	Process 1108 resumed a thread in remote process 2164
Process injection	Process 2592 resumed a thread in remote process 536
Process injection	Process 1080 resumed a thread in remote process 560
Process injection	Process 3244 resumed a thread in remote process 3288
Process injection	Process 3820 resumed a thread in remote process 3864
Process injection	Process 532 resumed a thread in remote process 2180
Process injection	Process 3972 resumed a thread in remote process 4020
Process injection	Process 3592 resumed a thread in remote process 3788
Process injection	Process 3572 resumed a thread in remote process 3676
NtResumeThread Oct. 17, 2024, 10:37 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2888	1	0	0
NtResumeThread Oct. 17, 2024, 10:37 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2800	1	0	0
NtResumeThread Oct. 17, 2024, 10:37 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2500	1	0	0
NtResumeThread Oct. 17, 2024, 10:37 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2164	1	0	0
NtResumeThread Oct. 17, 2024, 10:37 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 536	1	0	0
NtResumeThread Oct. 17, 2024, 10:38 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 560	1	0	0
NtResumeThread Oct. 17, 2024, 10:38 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3288	1	0	0
NtResumeThread Oct. 17, 2024, 10:38 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3864	1	0	0
NtResumeThread Oct. 17, 2024, 10:38 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 2180	1	0	0
NtResumeThread Oct. 17, 2024, 10:38 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 4020	1	0	0
NtResumeThread Oct. 17, 2024, 10:38 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3788	1	0	0
NtResumeThread Oct. 17, 2024, 10:39 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3676	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 245 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2608 thread_handle: 0x00000134 process_identifier: 2604 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /IM msedge.exe /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2644 thread_handle: 0x00000138 process_identifier: 2640 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /IM chrome.exe /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2696 thread_handle: 0x00000134 process_identifier: 2692 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /IM opera.exe /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2752 thread_handle: 0x00000138 process_identifier: 2748 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /IM firefox.exe /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 1216 thread_handle: 0x0000013c process_identifier: 744 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM firefox.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 1264 thread_handle: 0x00000134 process_identifier: 1484 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM chrome.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2248 thread_handle: 0x0000013c process_identifier: 2224 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM msedge.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2448 thread_handle: 0x00000134 process_identifier: 2420 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM opera.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2528 thread_handle: 0x0000013c process_identifier: 2488 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM brave.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2720 thread_handle: 0x00000134 process_identifier: 2728 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 3032 thread_handle: 0x0000013c process_identifier: 2648 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM firefox.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 1964 thread_handle: 0x00000134 process_identifier: 604 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM chrome.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2064 thread_handle: 0x0000013c process_identifier: 2112 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM msedge.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2228 thread_handle: 0x00000134 process_identifier: 2240 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM opera.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2568 thread_handle: 0x0000013c process_identifier: 2564 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM brave.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2668 thread_handle: 0x00000134 process_identifier: 2724 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 1536 thread_handle: 0x0000013c process_identifier: 1796 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM firefox.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2828 thread_handle: 0x00000134 process_identifier: 2304 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM chrome.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2056 thread_handle: 0x0000013c process_identifier: 3044 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM msedge.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 3064 thread_handle: 0x00000134 process_identifier: 3048 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM opera.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2076 thread_handle: 0x0000013c process_identifier: 908 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM brave.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2368 thread_handle: 0x00000134 process_identifier: 2416 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 416 thread_handle: 0x0000013c process_identifier: 2836 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM firefox.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 916 thread_handle: 0x00000134 process_identifier: 1156 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM chrome.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2900 thread_handle: 0x0000013c process_identifier: 1168 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM msedge.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2828 thread_handle: 0x00000134 process_identifier: 2908 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM opera.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 1728 thread_handle: 0x0000013c process_identifier: 1848 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM brave.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2212 thread_handle: 0x00000134 process_identifier: 1108 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 1576 thread_handle: 0x0000013c process_identifier: 1952 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM firefox.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 1536 thread_handle: 0x00000134 process_identifier: 2736 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM chrome.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 3008 thread_handle: 0x0000013c process_identifier: 2812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM msedge.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2100 thread_handle: 0x00000134 process_identifier: 740 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM opera.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 2540 thread_handle: 0x0000013c process_identifier: 452 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM brave.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:37 a.m.	thread_identifier: 1948 thread_handle: 0x00000134 process_identifier: 2592 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 2088 thread_handle: 0x0000013c process_identifier: 2388 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM firefox.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 176 thread_handle: 0x00000134 process_identifier: 416 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM chrome.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 1504 thread_handle: 0x0000013c process_identifier: 2668 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM msedge.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 2128 thread_handle: 0x00000134 process_identifier: 2132 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM opera.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 2684 thread_handle: 0x0000013c process_identifier: 2504 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM brave.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 2196 thread_handle: 0x00000134 process_identifier: 1080 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 2144 thread_handle: 0x0000013c process_identifier: 176 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM firefox.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 2212 thread_handle: 0x00000134 process_identifier: 2196 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM chrome.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 1632 thread_handle: 0x0000013c process_identifier: 1432 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM msedge.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 3088 thread_handle: 0x00000134 process_identifier: 3084 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM opera.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 3168 thread_handle: 0x0000013c process_identifier: 3164 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM brave.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 3248 thread_handle: 0x00000134 process_identifier: 3244 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 3412 thread_handle: 0x0000013c process_identifier: 3408 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM firefox.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 3500 thread_handle: 0x00000134 process_identifier: 3496 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM chrome.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 3580 thread_handle: 0x0000013c process_identifier: 3576 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM msedge.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000134	1	1
CreateProcessInternalW Oct. 17, 2024, 10:38 a.m.	thread_identifier: 3660 thread_handle: 0x00000134 process_identifier: 3656 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: taskkill /F /IM opera.exe /T filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000013c	1	1

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win64.Injects.ts93
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Genericuh.ch
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.V2nc
VirIT	Trojan.Win32.AutoIt_Heur.K
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Autoit.ORL
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	UDS:DangerousObject.Multi.Generic
Rising	Stealer.Browser/Autoit!1.10428 (CLASSIC)
F-Secure	Trojan.TR/Redcap.qeoft
TrendMicro	Trojan.Win32.AMADEY.YXEJPZ
McAfeeD	Real Protect-LS!18E64B3509E9
CTX	exe.trojan.autoit
Sophos	Mal/Generic-S
FireEye	Generic.mg.18e64b3509e95557
Google	Detected
Avira	TR/Redcap.qeoft
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/CredentialFlusher.CCJG!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Varist	W32/AutoIt.ABS.gen!Eldorado
McAfee	Artemis!18E64B3509E9
DeepInstinct	MALICIOUS
VBA32	Trojan.Autoit.Flush
Malwarebytes	Trojan.Injector.AutoIt
Ikarus	Win32.Outbreak
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXEJPZ
Tencent	Unk.Win32.Script.404787
huorong	Trojan/AutoIT.Agent.f
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
Paloalto	generic.ml

well_clean.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All