Summary | ZeroBOX

random.exe

RedLine stealer Generic Malware Malicious Library UPX Code injection Anti_VM AntiDebug PE File OS Processor Check PE32 AntiVM
Category Machine Started Completed
FILE s1_win7_x6401 Feb. 26, 2025, 9:45 a.m. Feb. 26, 2025, 9:48 a.m.
Size 945.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c2dcb9b4b8438e79d1630034e407e8e2
SHA256 e10b26ef3784d1dcfa4d7f15e3b9ba374c9909f48453f927e12d000d414cfdbf
CRC32 FE53BC55
ssdeep 24576:LqDEvCTbMWu7rQYlBQcBiT6rprG8aY2c0:LTvC/MTQYxsWR7aY2c
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: ERROR: The process "firefox.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2220 (child process of PID 196) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 196 (child process of PID 2656) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 3056 (child process of PID 3068) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 3068 (child process of PID 2656) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 3000 (child process of PID 2924) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2924 (child process of PID 2656) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2732 (child process of PID 536) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 536 (child process of PID 2656) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 3060 (child process of PID 2880) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2880 (child process of PID 2656) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 884 (child process of PID 2144) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2144 (child process of PID 2656) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 320 (child process of PID 3040) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 3040 (child process of PID 2656) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 3584 (child process of PID 3540) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 3540 (child process of PID 2656) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0
file C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x734c2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000b80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c5b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000b80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c26000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003c70000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007398d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000b80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c5b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000b80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c26000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000030a0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007398d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000b80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c5b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000b80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c26000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000028f0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007398d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000a40000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c5b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000a40000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c26000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003430000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007398d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c5b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c26000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000028b0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007398d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c5b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c26000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000030a0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007398d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000a80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c5b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000a80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c26000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003480000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007398d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000a80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c5b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000a80000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c26000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003080000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007398d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0
section .rsrc: size_of_data 0x00015c00, virtual_address 0x000d4000, virtual_size 0x00015ba8, entropy 7.145421915037016 description A section with a high entropy has been found
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x000001d8
process_name: svchost.exe
process_identifier: 2352
0 0

Process32NextW

snapshot_handle: 0x00000224
process_name: svchost.exe
process_identifier: 2352
0 0

Process32NextW

snapshot_handle: 0x00000224
process_name: taskhost.exe
process_identifier: 2408
0 0

Process32NextW

snapshot_handle: 0x00000204
process_name: taskhost.exe
process_identifier: 2408
0 0

url https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url https://crash-reports.mozilla.com/submit?id=
url https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2220
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2220
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 196
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 196
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3056
process_handle: 0x00000190
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3056
process_handle: 0x00000190
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3068
process_handle: 0x00000190
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3068
process_handle: 0x00000190
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3000
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3000
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2924
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2924
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2732
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2732
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 536
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 536
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3060
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3060
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2880
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2880
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 884
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 884
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2144
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2144
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 320
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 320
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3040
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3040
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3584
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3584
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3540
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3540
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 1152
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 1152
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3140
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3140
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3776
process_handle: 0x00000194
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3776
process_handle: 0x00000194
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3688
process_handle: 0x00000194
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3688
process_handle: 0x00000194
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3400
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3400
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3364
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3364
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3288
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3288
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 1092
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 1092
process_handle: 0x0000018c
1 0 0
cmdline taskkill /F /IM opera.exe /T
cmdline taskkill /F /IM chrome.exe /T
cmdline taskkill /F /IM msedge.exe /T
cmdline taskkill /F /IM firefox.exe /T
cmdline taskkill /F /IM brave.exe /T
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3584
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 1152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 1152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3232
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3232
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: 
base_address: 0x000000013ff422b0
process_identifier: 2220
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013ff50d88
process_identifier: 2220
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#ñ?Aÿã
base_address: 0x0000000076d81590
process_identifier: 2220
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ¸
base_address: 0x000000013ff50d78
process_identifier: 2220
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» ñ?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 2220
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ¸
base_address: 0x000000013ff50d70
process_identifier: 2220
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013fef0108
process_identifier: 2220
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: Øv@Øv Øv@ØvØv°Øv €ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀ‚ÖvöÔv YØv2ØvVØv°Þv€“Õv€RØv ›ÕvQØvÂÕv ?ÖvP€Õv°TÕvàtÕvð„ÖvÐ1Øv™ÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv
base_address: 0x000000013ff4aae8
process_identifier: 2220
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013ff50c78
process_identifier: 2220
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f5e22b0
process_identifier: 3056
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f5f0d88
process_identifier: 3056
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#[?Aÿã
base_address: 0x0000000076d81590
process_identifier: 3056
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: Ö
base_address: 0x000000013f5f0d78
process_identifier: 3056
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» [?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 3056
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: Ö
base_address: 0x000000013f5f0d70
process_identifier: 3056
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013f590108
process_identifier: 3056
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: Øv@Øv Øv@ØvØv°Øv €ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀ‚ÖvöÔv YØv2ØvVØv°Þv€“Õv€RØv ›ÕvQØvÂÕv ?ÖvP€Õv°TÕvàtÕvð„ÖvÐ1Øv™ÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv
base_address: 0x000000013f5eaae8
process_identifier: 3056
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f5f0c78
process_identifier: 3056
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f4022b0
process_identifier: 3000
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f410d88
process_identifier: 3000
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#=?Aÿã
base_address: 0x0000000076d81590
process_identifier: 3000
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: «<
base_address: 0x000000013f410d78
process_identifier: 3000
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» =?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 3000
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: «<
base_address: 0x000000013f410d70
process_identifier: 3000
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013f3b0108
process_identifier: 3000
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: Øv@Øv Øv@ØvØv°Øv €ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀ‚ÖvöÔv YØv2ØvVØv°Þv€“Õv€RØv ›ÕvQØvÂÕv ?ÖvP€Õv°TÕvàtÕvð„ÖvÐ1Øv™ÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv
base_address: 0x000000013f40aae8
process_identifier: 3000
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f410c78
process_identifier: 3000
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f3222b0
process_identifier: 2732
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f330d88
process_identifier: 2732
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#/?Aÿã
base_address: 0x0000000076d81590
process_identifier: 2732
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: —#
base_address: 0x000000013f330d78
process_identifier: 2732
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» /?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 2732
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: —#
base_address: 0x000000013f330d70
process_identifier: 2732
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013f2d0108
process_identifier: 2732
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: Øv@Øv Øv@ØvØv°Øv €ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀ‚ÖvöÔv YØv2ØvVØv°Þv€“Õv€RØv ›ÕvQØvÂÕv ?ÖvP€Õv°TÕvàtÕvð„ÖvÐ1Øv™ÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv
base_address: 0x000000013f32aae8
process_identifier: 2732
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f330c78
process_identifier: 2732
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fbe22b0
process_identifier: 3060
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fbf0d88
process_identifier: 3060
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#»?Aÿã
base_address: 0x0000000076d81590
process_identifier: 3060
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ;C
base_address: 0x000000013fbf0d78
process_identifier: 3060
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» »?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 3060
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ;C
base_address: 0x000000013fbf0d70
process_identifier: 3060
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013fb90108
process_identifier: 3060
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: Øv@Øv Øv@ØvØv°Øv €ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀ‚ÖvöÔv YØv2ØvVØv°Þv€“Õv€RØv ›ÕvQØvÂÕv ?ÖvP€Õv°TÕvàtÕvð„ÖvÐ1Øv™ÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv
base_address: 0x000000013fbeaae8
process_identifier: 3060
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fbf0c78
process_identifier: 3060
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f3722b0
process_identifier: 884
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f380d88
process_identifier: 884
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#4?Aÿã
base_address: 0x0000000076d81590
process_identifier: 884
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: 6%
base_address: 0x000000013f380d78
process_identifier: 884
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» 4?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 884
process_handle: 0x0000000000000050
1 1 0
process: potential browser injection target firefox.exe
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
file C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file C:\Users\test22\AppData\Local\Temp\firefox\parent.lock
Process injection Process 196 resumed a thread in remote process 2220
Process injection Process 3068 resumed a thread in remote process 3056
Process injection Process 2924 resumed a thread in remote process 3000
Process injection Process 536 resumed a thread in remote process 2732
Process injection Process 2880 resumed a thread in remote process 3060
Process injection Process 2144 resumed a thread in remote process 884
Process injection Process 3040 resumed a thread in remote process 320
Process injection Process 3540 resumed a thread in remote process 3584
Process injection Process 3140 resumed a thread in remote process 1152
Process injection Process 3688 resumed a thread in remote process 3776
Process injection Process 3364 resumed a thread in remote process 3400
Process injection Process 1092 resumed a thread in remote process 3288
Process injection Process 4020 resumed a thread in remote process 3232
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2220
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3056
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3000
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2732
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3060
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 884
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 320
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3584
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 1152
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3776
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3400
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3288
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3232
1 0 0
Bkav W32.AIDetectMalware
Cynet Malicious (score: 99)
Skyhigh BehavesLike.Win32.Formbook.dh
Cylance Unsafe
Sangfor Virus.Win32.Save.a
VirIT Trojan.Win32.AutoIt_Heur.L
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/HackTool.Silentall.N potentially unsafe
APEX Malicious
Rising HackTool.Silentall/Autoit!1.106C3 (CLASSIC)
F-Secure Trojan.TR/ATRAPS.Gen
DrWeb Trojan.Siggen30.17208
McAfeeD ti!E10B26EF3784
FireEye Generic.mg.c2dcb9b4b8438e79
Google Detected
Avira TR/ATRAPS.Gen
Microsoft Program:Win32/Wacapew.C!ml
Varist W32/AutoIt.AEG.gen!Eldorado
Ikarus PUA.HackTool.Silentall
huorong TrojanDownloader/AutoIT.Agent.d
Fortinet Riskware/Silentall
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2656
1 0 0

CreateProcessInternalW

thread_identifier: 2764
thread_handle: 0x000001ec
process_identifier: 2760
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 2892
thread_handle: 0x000001d8
process_identifier: 2888
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 2976
thread_handle: 0x000001ec
process_identifier: 2972
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 3056
thread_handle: 0x000001d8
process_identifier: 3052
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 1404
thread_handle: 0x000001ec
process_identifier: 1384
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 148
thread_handle: 0x000001d8
process_identifier: 196
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 2512
thread_handle: 0x000001ec
process_identifier: 2532
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 2696
thread_handle: 0x000001d8
process_identifier: 2644
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 2396
thread_handle: 0x000001ec
process_identifier: 2380
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 2884
thread_handle: 0x000001d8
process_identifier: 2800
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 2984
thread_handle: 0x000001ec
process_identifier: 2988
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 604
thread_handle: 0x000001d8
process_identifier: 3068
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 2272
thread_handle: 0x000001ec
process_identifier: 2240
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 2432
thread_handle: 0x000001d8
process_identifier: 2372
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 1656
thread_handle: 0x000001ec
process_identifier: 828
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 2704
thread_handle: 0x000001d8
process_identifier: 2692
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 2796
thread_handle: 0x000001ec
process_identifier: 2740
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 2992
thread_handle: 0x000001d8
process_identifier: 2924
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 1976
thread_handle: 0x000001ec
process_identifier: 2068
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 740
thread_handle: 0x00000224
process_identifier: 1668
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 452
thread_handle: 0x00000220
process_identifier: 2612
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 1364
thread_handle: 0x00000224
process_identifier: 1376
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 544
thread_handle: 0x00000220
process_identifier: 1304
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 1528
thread_handle: 0x00000224
process_identifier: 536
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 3040
thread_handle: 0x00000220
process_identifier: 744
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 2080
thread_handle: 0x00000224
process_identifier: 2244
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 2444
thread_handle: 0x00000220
process_identifier: 2356
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 2228
thread_handle: 0x00000224
process_identifier: 1320
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 1656
thread_handle: 0x00000220
process_identifier: 1792
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 2828
thread_handle: 0x00000224
process_identifier: 2880
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 2488
thread_handle: 0x00000220
process_identifier: 2056
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 2224
thread_handle: 0x00000224
process_identifier: 2652
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 1520
thread_handle: 0x00000220
process_identifier: 544
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 1528
thread_handle: 0x00000224
process_identifier: 2900
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 1728
thread_handle: 0x00000220
process_identifier: 2120
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 3012
thread_handle: 0x00000224
process_identifier: 2144
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 2492
thread_handle: 0x00000220
process_identifier: 2132
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 1364
thread_handle: 0x00000224
process_identifier: 1064
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 1656
thread_handle: 0x00000220
process_identifier: 2400
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 2136
thread_handle: 0x00000224
process_identifier: 2128
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 2764
thread_handle: 0x00000220
process_identifier: 2224
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 2396
thread_handle: 0x00000224
process_identifier: 3040
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 3128
thread_handle: 0x00000178
process_identifier: 3124
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000204
1 1 0

CreateProcessInternalW

thread_identifier: 3220
thread_handle: 0x00000204
process_identifier: 3216
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000178
1 1 0

CreateProcessInternalW

thread_identifier: 3304
thread_handle: 0x00000178
process_identifier: 3300
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000204
1 1 0

CreateProcessInternalW

thread_identifier: 3384
thread_handle: 0x00000204
process_identifier: 3380
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000178
1 1 0

CreateProcessInternalW

thread_identifier: 3464
thread_handle: 0x00000178
process_identifier: 3460
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000204
1 1 0

CreateProcessInternalW

thread_identifier: 3544
thread_handle: 0x00000204
process_identifier: 3540
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000178
1 1 0

CreateProcessInternalW

thread_identifier: 3716
thread_handle: 0x00000178
process_identifier: 3712
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000204
1 1 0
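The records above repeat one cycle: five `taskkill /F /IM <browser> /T` calls (firefox, chrome, msedge, opera, brave) followed by `firefox.exe --kiosk` pointed at a URL whose visible host is youtube.com but whose query string carries an accounts.google.com sign-in challenge path, with `--disable-popup-blocking` set. Firefox's `--kiosk` switch runs full screen with no toolbar or address bar, so the user is left with only that page. The following is an added detection example, not part of the ZeroBOX report or the sample: it parses the report's flattened `CreateProcessInternalW` layout, classifies each command line, and flags the kill-then-kiosk-relaunch cycle when the launched URL smuggles a login page. `SAMPLE_LOG` is a constructed excerpt in the report's layout; `BROWSERS` and `LOGIN_HINTS` are this example's own heuristics.

```python
# Added example, not part of the ZeroBOX report: flag the browser-kill /
# kiosk-relaunch cycle recorded in the CreateProcessInternalW calls above.
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
LOGIN_HINTS = ("signin", "login", "challenge/pwd", "password")   # this example's heuristic

# Constructed sample in the report's record layout; only command_line is
# required by the parser, so the later records are abbreviated.
SAMPLE_LOG = r"""
CreateProcessInternalW

process_identifier: 2068
current_directory: C:\Users\test22\AppData\Local\Temp
command_line: taskkill /F /IM firefox.exe /T
1 1 0

CreateProcessInternalW

command_line: taskkill /F /IM chrome.exe /T
1 1 0

CreateProcessInternalW

command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
1 1 0

CreateProcessInternalW

command_line: taskkill /F /IM firefox.exe /T
1 1 0

CreateProcessInternalW

command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
1 1 0
"""

RECORD_RE = re.compile(r"^CreateProcessInternalW[ \t]*$", re.M)
KV_RE = re.compile(r"^(\w+):\s?(.*)$")
STATUS_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)$")       # status / return / repeated
KILL_RE = re.compile(r"^taskkill\s+/F\s+/IM\s+(\S+)\s+/T\s*$", re.I)
EXE_RE = re.compile(r'^"?(?:[^"]*\\)?([^"\\\s]+\.exe)"?', re.I)  # image name of a command line
URL_RE = re.compile(r'"(https?://[^"]+)"')


def parse_create_process(text: str) -> list[dict]:
    """One dict per CreateProcessInternalW record in the flattened log."""
    records = []
    for chunk in RECORD_RE.split(text)[1:]:
        rec = {}
        for line in (ln.strip() for ln in chunk.splitlines()):
            if m := KV_RE.match(line):
                rec[m.group(1)] = m.group(2).strip()
            elif m := STATUS_RE.match(line):
                rec["status"], rec["return"], rec["repeated"] = map(int, m.groups())
        if "command_line" in rec:
            records.append(rec)
    return records


def classify(cmd: str) -> tuple[str, str]:
    """('kill', image) for taskkill /F /IM, ('kiosk', url) for a browser run
    with --kiosk, ('other', image) otherwise."""
    if m := KILL_RE.match(cmd):
        return "kill", m.group(1).lower()
    exe = EXE_RE.match(cmd)
    image = exe.group(1).lower() if exe else ""
    if image in BROWSERS and "--kiosk" in cmd.split():
        url = URL_RE.search(cmd)
        return "kiosk", url.group(1) if url else ""
    return "other", image


def embedded_urls(url: str) -> list[str]:
    """URLs smuggled inside another URL's query (decoy host outside, real page inside)."""
    return re.findall(r"https?://[^&\s]+", urlsplit(url).query)


@dataclass
class Verdict:
    killed_images: set = field(default_factory=set)
    kiosk_urls: list = field(default_factory=list)
    lure_launches: int = 0   # kiosk launches whose URL embeds a sign-in page
    cycles: int = 0          # browser-kill burst directly followed by a kiosk launch


def analyze(records: list[dict]) -> Verdict:
    v, pending_kills = Verdict(), 0
    for rec in records:
        kind, value = classify(rec["command_line"])
        if kind == "kill":
            v.killed_images.add(value)
            pending_kills += value in BROWSERS
            continue
        if kind == "kiosk":
            v.kiosk_urls.append(value)
            v.cycles += pending_kills > 0
            v.lure_launches += any(h in u.lower() for u in embedded_urls(value) for h in LOGIN_HINTS)
        pending_kills = 0   # any other process breaks the burst
    return v


def is_kiosk_phishing(v: Verdict) -> bool:
    return v.cycles >= 1 and v.lure_launches >= 1
```

Run `analyze(parse_create_process(SAMPLE_LOG))` to get the verdict; on the constructed excerpt it reports two kill-then-kiosk cycles and two launches whose URL embeds a sign-in page. The cycle counter resets whenever an unrelated process is created, so a single `taskkill` far from a kiosk launch does not trigger on its own; the host-mismatch check (youtube.com outside, accounts.google.com in the query) is what separates this from a legitimate kiosk deployment.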