Summary | ZeroBOX

random.exe

Tags: RedLine stealer, Generic Malware, Malicious Library, UPX, Code injection, Anti_VM, AntiDebug, PE File, OS Processor Check, PE32, AntiVM
Category: FILE
Machine: s1_win7_x6401
Started: April 16, 2025, 10:35 a.m.
Completed: April 16, 2025, 10:37 a.m.
Size 947.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0c64c67b1ad6c90f421ffc6be27e4faf
SHA256 ee3c395cde0ef9012ba622ce15a31502baa7631496178055dff24929e6d93eaa
CRC32 DDF383B9
ssdeep 24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8aG3Q:0TvC/MTQYxsWR7aG
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

Name / Response / Post-Analysis Lookup: No hosts contacted.
IP Address / Status / Action: No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status Return Repeated
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
(this identical call is logged 50 times in the report)

Time & API | Arguments | Status Return Repeated
IsDebuggerPresent | - | 0 0
(this identical call is logged 50 times in the report)

Time & API | buffer | console_handle | Status Return Repeated
WriteConsoleW | ERROR: The process "firefox.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "chrome.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "msedge.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "opera.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "brave.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 2124 (child process of PID 908) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 908 (child process of PID 2548) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | ERROR: The process "chrome.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "msedge.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "opera.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "brave.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 3012 (child process of PID 2960) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 2960 (child process of PID 2548) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | ERROR: The process "chrome.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "msedge.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "opera.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "brave.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 2884 (child process of PID 2824) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 2824 (child process of PID 2548) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | ERROR: The process "chrome.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "msedge.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "opera.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "brave.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 2612 (child process of PID 2104) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 2104 (child process of PID 2548) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | ERROR: The process "chrome.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "msedge.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "opera.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "brave.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 2800 (child process of PID 2692) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 2692 (child process of PID 2548) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | ERROR: The process "chrome.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "msedge.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "opera.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "brave.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 1656 (child process of PID 2684) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 2684 (child process of PID 2548) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | ERROR: The process "chrome.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "msedge.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "opera.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "brave.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 544 (child process of PID 1964) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 1964 (child process of PID 2548) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | ERROR: The process "chrome.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "msedge.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "opera.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | ERROR: The process "brave.exe" not found. | 0x0000000b | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 3640 (child process of PID 3572) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | SUCCESS: The process with PID 3572 (child process of PID 2548) has been terminated. | 0x00000007 | 1 1 0
WriteConsoleW | ERROR: The process "chrome.exe" not found. | 0x0000000b | 1 1 0
file C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll
Time & API | Arguments | Status Return Repeated
GlobalMemoryStatusEx | - | 1 1 0
Time & API | process_identifier | heap_dep_bypass | base_address | process_handle | Status Return Repeated
(in all 50 calls below: stack_dep_bypass: 0, stack_pivoted: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE); only the varying fields are listed)
NtProtectVirtualMemory | 2548 | 0 | 0x734c2000 | 0xffffffff | 1 0 0
NtProtectVirtualMemory | 2124 | 1 | 0x0000000000c90000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2124 | 0 | 0x0000000076c5b000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2124 | 1 | 0x0000000000c90000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2124 | 0 | 0x0000000076c26000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2124 | 1 | 0x00000000033f0000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2124 | 0 | 0x000000007398d000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 3012 | 1 | 0x0000000000c90000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 3012 | 0 | 0x0000000076c5b000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 3012 | 1 | 0x0000000000c90000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 3012 | 0 | 0x0000000076c26000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 3012 | 1 | 0x0000000002920000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 3012 | 0 | 0x000000007398d000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2884 | 1 | 0x0000000000c90000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2884 | 0 | 0x0000000076c5b000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2884 | 1 | 0x0000000000c90000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2884 | 0 | 0x0000000076c26000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2884 | 1 | 0x00000000030a0000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2884 | 0 | 0x000000007398d000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2612 | 1 | 0x0000000000c80000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2612 | 0 | 0x0000000076c5b000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2612 | 1 | 0x0000000000c80000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2612 | 0 | 0x0000000076c26000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2612 | 1 | 0x0000000002900000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2612 | 0 | 0x000000007398d000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2800 | 1 | 0x0000000000b80000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2800 | 0 | 0x0000000076c5b000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2800 | 1 | 0x0000000000b80000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2800 | 0 | 0x0000000076c26000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2800 | 1 | 0x00000000028b0000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 2800 | 0 | 0x000000007398d000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 1656 | 1 | 0x0000000000c90000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 1656 | 0 | 0x0000000076c5b000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 1656 | 1 | 0x0000000000c90000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 1656 | 0 | 0x0000000076c26000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 1656 | 1 | 0x0000000003120000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 1656 | 0 | 0x000000007398d000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 544 | 1 | 0x0000000000b80000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 544 | 0 | 0x0000000076c5b000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 544 | 1 | 0x0000000000b80000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 544 | 0 | 0x0000000076c26000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 544 | 1 | 0x00000000029b0000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 544 | 0 | 0x000000007398d000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 3640 | 1 | 0x0000000000c90000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 3640 | 0 | 0x0000000076c5b000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 3640 | 1 | 0x0000000000c90000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 3640 | 0 | 0x0000000076c26000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 3640 | 1 | 0x0000000003470000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 3640 | 0 | 0x000000007398d000 | 0xffffffffffffffff | 1 0 0
NtProtectVirtualMemory | 3184 | 1 | 0x0000000000c90000 | 0xffffffffffffffff | 1 0 0
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Time & API | Arguments | Status Return Repeated
NtProtectVirtualMemory | process_identifier: 2124, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 1, length: 4096, protection: 32 (PAGE_EXECUTE_READ), base_address: 0x0000000000c90000, process_handle: 0xffffffffffffffff | 1 0 0
section .rsrc: size_of_data 0x00016400, virtual_address 0x000d4000, virtual_size 0x00016390, entropy 7.171489243580687; description: A section with a high entropy has been found
Time & API | Arguments | Status Return Repeated
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeDebugPrivilege | 1 1 0
(this identical call is logged 50 times in the report)
Time & API | snapshot_handle | process_name | process_identifier | Status Return Repeated
Process32NextW | 0x000001d8 | svchost.exe | 2228 | 0 0
Process32NextW | 0x000001d8 | svchost.exe | 2228 | 0 0
Process32NextW | 0x00000224 | svchost.exe | 2228 | 0 0
Process32NextW | 0x00000224 | svchost.exe | 2228 | 0 0
Process32NextW | 0x00000224 | svchost.exe | 2228 | 0 0
Process32NextW | 0x00000178 | taskhost.exe | 2536 | 0 0
Process32NextW | 0x00000178 | taskhost.exe | 2536 | 0 0
Process32NextW | 0x00000178 | taskhost.exe | 2536 | 0 0
Process32NextW | 0x00000178 | taskhost.exe | 2536 | 0 0
Process32NextW | 0x00000178 | taskhost.exe | 2536 | 0 0
Process32NextW | 0x00000178 | taskhost.exe | 2536 | 0 0
Process32NextW | 0x00000178 | taskhost.exe | 2536 | 0 0
url https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url https://crash-reports.mozilla.com/submit?id=
url https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
(the same nine rule matches are listed five more times on the page; the final repeat is cut off after DebuggerHiding__Active)
Time & API | status_code | process_identifier | process_handle | Status Return Repeated
NtTerminateProcess | 0x00000001 | 2124 | 0x0000018c | 0 0
NtTerminateProcess | 0x00000001 | 2124 | 0x0000018c | 1 0 0
NtTerminateProcess | 0x00000001 | 908 | 0x0000018c | 0 0
NtTerminateProcess | 0x00000001 | 908 | 0x0000018c | 1 0 0
NtTerminateProcess | 0x00000001 | 3012 | 0x0000018c | 0 0
NtTerminateProcess | 0x00000001 | 3012 | 0x0000018c | 1 0 0
NtTerminateProcess | 0x00000001 | 2960 | 0x0000018c | 0 0
NtTerminateProcess | 0x00000001 | 2960 | 0x0000018c | 1 0 0
NtTerminateProcess | 0x00000001 | 2884 | 0x0000018c | 0 0
NtTerminateProcess | 0x00000001 | 2884 | 0x0000018c | 1 0 0
NtTerminateProcess | 0x00000001 | 2824 | 0x0000018c | 0 0
NtTerminateProcess | 0x00000001 | 2824 | 0x0000018c | 1 0 0
NtTerminateProcess | 0x00000001 | 2612 | 0x0000018c | 0 0
NtTerminateProcess | 0x00000001 | 2612 | 0x0000018c | 1 0 0
NtTerminateProcess | 0x00000001 | 2104 | 0x0000018c | 0 0
NtTerminateProcess | 0x00000001 | 2104 | 0x0000018c | 1 0 0
NtTerminateProcess | 0x00000001 | 2800 | 0x0000018c | 0 0
NtTerminateProcess | 0x00000001 | 2800 | 0x0000018c | 1 0 0
NtTerminateProcess | 0x00000001 | 2692 | 0x0000018c | 0 0
NtTerminateProcess | 0x00000001 | 2692 | 0x0000018c | 1 0 0
NtTerminateProcess | 0x00000001 | 1656 | 0x0000018c | 0 0
NtTerminateProcess | 0x00000001 | 1656 | 0x0000018c | 1 0 0
NtTerminateProcess | 0x00000001 | 2684 | 0x0000018c | 0 0
NtTerminateProcess | 0x00000001 | 2684 | 0x0000018c | 1 0 0
NtTerminateProcess | 0x00000001 | 544 | 0x0000018c | 0 0
NtTerminateProcess | 0x00000001 | 544 | 0x0000018c | 1 0 0
NtTerminateProcess | 0x00000001 | 1964 | 0x0000018c |
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 1964
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3640
process_handle: 0x00000190
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3640
process_handle: 0x00000190
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3572
process_handle: 0x00000190
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3572
process_handle: 0x00000190
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3184
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3184
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 1808
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 1808
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3576
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3576
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3760
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3760
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3376
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3376
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3372
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3372
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3280
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3280
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2168
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2168
process_handle: 0x0000018c
1 0 0
cmdline taskkill /F /IM opera.exe /T
cmdline taskkill /F /IM chrome.exe /T
cmdline taskkill /F /IM msedge.exe /T
cmdline taskkill /F /IM firefox.exe /T
cmdline taskkill /F /IM brave.exe /T
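The five taskkill command lines above, together with the CreateProcessInternalW rows later in this report, form a loop: every browser is force-killed (with /T so child processes go too), then firefox.exe is relaunched with --kiosk on a URL whose query string carries a second URL at a sign-in page, and the cycle repeats. The following detector is an added example written for this report, not part of the sandbox output or of the sample. Its event list is constructed from the command lines printed on the page (three complete cycles plus a fourth still in its taskkill phase); BROWSERS, SIGNIN_HINT and the cycle grouping are the example's own assumptions.

```python
"""Flag the 'kill every browser, relaunch one in kiosk mode on a sign-in URL' loop.

Added example; not part of the report. EVENTS is constructed from the
CreateProcessInternalW command lines printed on the page, in report order.
"""
import re
from urllib.parse import urlparse, parse_qsl

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
SIGNIN_HINT = re.compile(r"(signin|login|challenge/pwd|account)", re.I)

KILL = "taskkill /F /IM {} /T"
LAUNCH = ('"C:\\Program Files\\Mozilla Firefox\\firefox.exe" --kiosk '
          '"https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" '
          '--no-default-browser-check --disable-popup-blocking')
KILL_ORDER = ["firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"]

# Three full cycles as seen on the page, then a fourth that has only killed so far.
EVENTS = ([KILL.format(b) for b in KILL_ORDER] + [LAUNCH]) * 3 + [KILL.format(b) for b in KILL_ORDER]


def tokens(cmd):
    """Split a Windows command line: double-quoted runs stay whole, quotes are dropped."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def nested_url(url):
    """Return a second URL carried inside the query string, if any.

    The lure on this page is https://youtube.com/account?=https://accounts.google.com/...:
    a familiar-looking host whose query holds the actual sign-in page.
    """
    for key, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        for candidate in (key, value):
            if candidate.startswith(("http://", "https://")):
                return candidate
    return None


def find_cycles(events):
    """Return (closed cycles, browsers killed in a cycle not yet closed by a launch)."""
    cycles, killed = [], set()
    for index, cmd in enumerate(events):
        t = tokens(cmd)
        if not t:
            continue
        image = t[0].lower().rsplit("\\", 1)[-1]
        lowered = [x.lower() for x in t]
        if image in ("taskkill", "taskkill.exe"):
            if "/im" in lowered and lowered.index("/im") + 1 < len(lowered):
                target = lowered[lowered.index("/im") + 1]
                if target in BROWSERS:
                    killed.add(target)
            continue
        if image in BROWSERS and "--kiosk" in lowered:
            url = next((x for x in t if x.startswith(("http://", "https://"))), None)
            # Two or more browsers killed, then a kiosk launch on a URL: one cycle.
            if url and len(killed) >= 2:
                inner = nested_url(url)
                cycles.append({
                    "index": index,
                    "killed": sorted(killed),
                    "browser": image,
                    "url": url,
                    "nested": inner,
                    "signin_lure": bool(SIGNIN_HINT.search(inner or url)),
                })
            killed = set()
    return cycles, sorted(killed)


if __name__ == "__main__":
    found, pending = find_cycles(EVENTS)
    for c in found:
        print(f"event {c['index']}: killed {len(c['killed'])} browsers, "
              f"relaunched {c['browser']} in kiosk mode on {c['nested'] or c['url']}")
    if pending:
        print("cycle in progress, killed so far:", pending)
```

The cycle count is the useful number for triage: one kill-and-relaunch could be a clumsy installer, three or more identical cycles from the same parent means the browser is being forced back onto the sign-in page every time the user closes it.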
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 1656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 1656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0
Process injection Process 3104 manipulating memory of non-child process 3308
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 4 (PAGE_READWRITE)
base_address: 0x000000013f7a2000
process_handle: 0x000000000000004c
1 0 0

NtProtectVirtualMemory

process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 2 (PAGE_READONLY)
base_address: 0x000000013f7a2000
process_handle: 0x000000000000004c
1 0 0

NtMapViewOfSection

section_handle: 0x0000000000000060
process_identifier: 3308
commit_size: 0
win32_protect: 32 (PAGE_EXECUTE_READ)
buffer:
base_address: 0x0000000067cb0000
allocation_type: 0 ()
section_offset: 0
view_size: 65536
process_handle: 0x0000000000000050
1 0 0

NtAllocateVirtualMemory

process_identifier: 3308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x0000000067cb0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 4 (PAGE_READWRITE)
base_address: 0x000000013f750000
process_handle: 0x000000000000004c
1 0 0

NtProtectVirtualMemory

process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 2 (PAGE_READONLY)
base_address: 0x000000013f750000
process_handle: 0x000000000000004c
1 0 0

NtProtectVirtualMemory

process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 4 (PAGE_READWRITE)
base_address: 0x000000013f7aa000
process_handle: 0x000000000000004c
1 0 0

NtProtectVirtualMemory

process_identifier: 3308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 2 (PAGE_READONLY)
base_address: 0x000000013f7aa000
process_handle: 0x000000000000004c
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: 
base_address: 0x000000013fdd22b0
process_identifier: 2124
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fde0d88
process_identifier: 2124
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#Ú?Aÿã
base_address: 0x0000000076d81590
process_identifier: 2124
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: 0L
base_address: 0x000000013fde0d78
process_identifier: 2124
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» Ú?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 2124
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: 0L
base_address: 0x000000013fde0d70
process_identifier: 2124
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013fd80108
process_identifier: 2124
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: Øv@Øv Øv@ØvØv°Øv €ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀ‚ÖvöÔv YØv2ØvVØv°Þv€“Õv€RØv ›ÕvQØvÂÕv ?ÖvP€Õv°TÕvàtÕvð„ÖvÐ1Øv™ÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv
base_address: 0x000000013fddaae8
process_identifier: 2124
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fde0c78
process_identifier: 2124
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f0a22b0
process_identifier: 3012
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f0b0d88
process_identifier: 3012
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#?Aÿã
base_address: 0x0000000076d81590
process_identifier: 3012
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ¬#
base_address: 0x000000013f0b0d78
process_identifier: 3012
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» ?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 3012
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ¬#
base_address: 0x000000013f0b0d70
process_identifier: 3012
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013f050108
process_identifier: 3012
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: Øv@Øv Øv@ØvØv°Øv €ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀ‚ÖvöÔv YØv2ØvVØv°Þv€“Õv€RØv ›ÕvQØvÂÕv ?ÖvP€Õv°TÕvàtÕvð„ÖvÐ1Øv™ÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv
base_address: 0x000000013f0aaae8
process_identifier: 3012
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f0b0c78
process_identifier: 3012
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013ff022b0
process_identifier: 2884
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013ff10d88
process_identifier: 2884
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#í?Aÿã
base_address: 0x0000000076d81590
process_identifier: 2884
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ÐA
base_address: 0x000000013ff10d78
process_identifier: 2884
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» í?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 2884
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ÐA
base_address: 0x000000013ff10d70
process_identifier: 2884
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013feb0108
process_identifier: 2884
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: Øv@Øv Øv@ØvØv°Øv €ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀ‚ÖvöÔv YØv2ØvVØv°Þv€“Õv€RØv ›ÕvQØvÂÕv ?ÖvP€Õv°TÕvàtÕvð„ÖvÐ1Øv™ÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv
base_address: 0x000000013ff0aae8
process_identifier: 2884
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013ff10c78
process_identifier: 2884
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fb822b0
process_identifier: 2612
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fb90d88
process_identifier: 2612
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#µ?Aÿã
base_address: 0x0000000076d81590
process_identifier: 2612
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: @@
base_address: 0x000000013fb90d78
process_identifier: 2612
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» µ?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 2612
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: @@
base_address: 0x000000013fb90d70
process_identifier: 2612
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013fb30108
process_identifier: 2612
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: Øv@Øv Øv@ØvØv°Øv €ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀ‚ÖvöÔv YØv2ØvVØv°Þv€“Õv€RØv ›ÕvQØvÂÕv ?ÖvP€Õv°TÕvàtÕvð„ÖvÐ1Øv™ÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv
base_address: 0x000000013fb8aae8
process_identifier: 2612
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fb90c78
process_identifier: 2612
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f6022b0
process_identifier: 2800
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f610d88
process_identifier: 2800
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#]?Aÿã
base_address: 0x0000000076d81590
process_identifier: 2800
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: w3
base_address: 0x000000013f610d78
process_identifier: 2800
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» ]?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 2800
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: w3
base_address: 0x000000013f610d70
process_identifier: 2800
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013f5b0108
process_identifier: 2800
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: Øv@Øv Øv@ØvØv°Øv €ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀ‚ÖvöÔv YØv2ØvVØv°Þv€“Õv€RØv ›ÕvQØvÂÕv ?ÖvP€Õv°TÕvàtÕvð„ÖvÐ1Øv™ÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv
base_address: 0x000000013f60aae8
process_identifier: 2800
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f610c78
process_identifier: 2800
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f3c22b0
process_identifier: 1656
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f3d0d88
process_identifier: 1656
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#9?Aÿã
base_address: 0x0000000076d81590
process_identifier: 1656
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ¹a
base_address: 0x000000013f3d0d78
process_identifier: 1656
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» 9?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 1656
process_handle: 0x0000000000000050
1 1 0
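The report prints WriteProcessMemory buffers as Latin-1 text with unprintable bytes dropped, which is why the 13-byte writes to 0x76d81590 and 0x76d57a90 read as "I»...Aÿã": 0x49 0xBB is the start of mov r11, imm64 and 0x41 0xFF 0xE3 is jmp r11, the standard x64 inline-hook trampoline. Those two addresses sit in the pages the NtProtectVirtualMemory rows show being flipped to PAGE_EXECUTE_READWRITE just before, and the long "Øv@Øv..." buffer (Ø = 0xD8, v = 0x76) is consistent with a table of 0x76D8xxxx pointers. The decoder below is an added example written for this report, not code from the page or the sample. The eight address bytes of each stub are not recoverable from the rendered text, so the sample stubs and the pointer table use made-up values, and the module range passed to decode_pointer_table is an assumption.

```python
"""Decode the small code stubs a sandbox report shows as WriteProcessMemory buffers.

Added example; not part of the report. HOOK_TARGET, STUB_*, TABLE and the module
range are constructed values.
"""
import struct

HOOK_TARGET = 0x000000013FE01000          # made-up target inside the written process
STUB_R11 = b"\x49\xBB" + struct.pack("<Q", HOOK_TARGET) + b"\x41\xFF\xE3"   # mov r11, imm64; jmp r11
STUB_RAX = b"\x48\xB8" + struct.pack("<Q", HOOK_TARGET) + b"\xFF\xE0"       # mov rax, imm64; jmp rax
TABLE = struct.pack("<5Q", 0x76D84000, 0x76D82040, 0x76D8A0C0, 0x76D5B330, 0x13FE01000)

# Pages the report shows set to PAGE_EXECUTE_READWRITE before the writes.
RWX_PAGES = {0x76D81000, 0x76D57000}
REG_NAMES = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"] + [f"r{i}" for i in range(8, 16)]


def decode_jump_stub(buf: bytes, at: int):
    """Return (mnemonic, absolute target) for common x64 hook stubs, else None.

    Recognised forms:
      E9 rel32                                   jmp rel32        (target = at + 5 + rel32)
      REX.W[.B] B8+r imm64 ; [41] FF E0+r         mov r64, imm64 ; jmp r64  (12 or 13 bytes)
    """
    if len(buf) >= 5 and buf[0] == 0xE9:
        rel = struct.unpack_from("<i", buf, 1)[0]
        return "jmp rel32", (at + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(buf) < 12 or (buf[0] & 0xF8) != 0x48 or (buf[1] & 0xF8) != 0xB8:
        return None
    reg = (buf[1] & 7) | ((buf[0] & 1) << 3)     # REX.B selects r8..r15
    target = struct.unpack_from("<Q", buf, 2)[0]
    tail = buf[10:]
    if reg >= 8:
        ok = tail[:3] == bytes((0x41, 0xFF, 0xE0 | (reg & 7)))
    else:
        ok = tail[:2] == bytes((0xFF, 0xE0 | reg))
    if not ok:
        return None
    return f"mov {REG_NAMES[reg]}, imm64; jmp {REG_NAMES[reg]}", target


def decode_pointer_table(buf: bytes, lo: int, hi: int):
    """Split a buffer into little-endian qwords and count those inside [lo, hi)."""
    qwords = [struct.unpack_from("<Q", buf, i)[0] for i in range(0, len(buf) - len(buf) % 8, 8)]
    return qwords, sum(lo <= q < hi for q in qwords)


def analyze_write(at: int, buf: bytes):
    """The two checks an analyst makes on a remote write: did it land in a page that was
    just made writable+executable, and does the content decode as a jump stub."""
    stub = decode_jump_stub(buf, at)
    return {
        "address": at,
        "in_rwx_page": (at & ~0xFFF) in RWX_PAGES,
        "stub": stub[0] if stub else None,
        "target": stub[1] if stub else None,
    }


if __name__ == "__main__":
    print(analyze_write(0x76D81590, STUB_R11))
    qwords, inside = decode_pointer_table(TABLE, 0x76D50000, 0x76EF0000)
    print(f"{inside}/{len(qwords)} table entries point into the assumed module range")
```

A write that lands in a page which was RX, became RWX, receives a stub, and goes back to RX is the footprint of an inline hook on an exported function; whether that hook is malicious depends on who wrote it, which is the point of the next block.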
process: potential browser injection target firefox.exe
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking (this entry appears 13 times in the report)
file C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file C:\Users\test22\AppData\Local\Temp\firefox\parent.lock
Process injection Process 908 resumed a thread in remote process 2124
Process injection Process 2960 resumed a thread in remote process 3012
Process injection Process 2824 resumed a thread in remote process 2884
Process injection Process 2104 resumed a thread in remote process 2612
Process injection Process 2692 resumed a thread in remote process 2800
Process injection Process 2684 resumed a thread in remote process 1656
Process injection Process 1964 resumed a thread in remote process 544
Process injection Process 3572 resumed a thread in remote process 3640
Process injection Process 1808 resumed a thread in remote process 3184
Process injection Process 3760 resumed a thread in remote process 3576
Process injection Process 3372 resumed a thread in remote process 3376
Process injection Process 2168 resumed a thread in remote process 3280
Process injection Process 3104 resumed a thread in remote process 3308
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2124
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3012
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2884
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2612
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2800
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 1656
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 544
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3640
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3184
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3576
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3280
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3308
1 0 0
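The thirteen "resumed a thread in remote process" pairs above need a caveat before they are read as malware injecting into the browser. The source PIDs 908, 2960 and 2824 are the processes the CreateProcessInternalW rows show being created as firefox.exe, and the martian_process lines show firefox.exe parents spawning firefox.exe children, so each pair is the browser writing into a process of its own image. A Chromium-derived sandbox broker, which Firefox uses on Windows, creates its children suspended, patches ntdll in them (RWX flip, write, RX restore), maps its interception code in, and then resumes the thread, which produces exactly the rows seen in this report. The sample's own behaviour is the taskkill/kiosk loop; the write-and-resume chains are most plausibly browser-internal and should be verified rather than reported as injection. The correlator below is an added example written for this report, not part of the sandbox output. Its rows are constructed from PIDs, addresses and protections printed on the page; the flat table does not print the calling PID per row, so it is taken from the signature lines. IMAGES is an assumption except for 908, and the 9999 rows are hypothetical, added only so the other verdict is exercised.

```python
"""Correlate flattened sandbox API rows into per-target process-injection chains.

Added example; not part of the report. ROWS and IMAGES are constructed from values
on the page plus the labelled assumptions.
"""
from dataclasses import dataclass, field

PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80      # any PAGE_EXECUTE* flavour
PAGE = ~0xFFF

# (caller_pid, api, arguments). Caller PIDs come from the signature lines.
ROWS = [
    ("908", "NtProtectVirtualMemory", {"process_identifier": 2124, "base_address": 0x76D81000, "protection": 0x40}),
    ("908", "WriteProcessMemory",     {"process_identifier": 2124, "base_address": 0x76D81590}),
    ("908", "NtProtectVirtualMemory", {"process_identifier": 2124, "base_address": 0x76D81000, "protection": 0x20}),
    ("908", "WriteProcessMemory",     {"process_identifier": 2124, "base_address": 0x13FDE0D88}),  # image page, never RWX
    ("908", "NtResumeThread",         {"process_identifier": 2124, "suspend_count": 1}),
    ("3104", "NtMapViewOfSection",    {"process_identifier": 3308, "base_address": 0x67CB0000, "win32_protect": 0x20}),
    ("3104", "NtResumeThread",        {"process_identifier": 3308, "suspend_count": 1}),
    ("2548", "NtProtectVirtualMemory", {"process_identifier": 2548, "base_address": 0x00401000, "protection": 0x40}),
    # Hypothetical cross-image case (not on the page): another image writing into 2124.
    ("9999", "NtProtectVirtualMemory", {"process_identifier": 2124, "base_address": 0x76D57000, "protection": 0x40}),
    ("9999", "WriteProcessMemory",     {"process_identifier": 2124, "base_address": 0x76D57A90}),
    ("9999", "NtResumeThread",         {"process_identifier": 2124, "suspend_count": 1}),
]

# 908 is firefox.exe per the CreateProcessInternalW rows; the rest are assumptions.
IMAGES = {"908": "firefox.exe", "2124": "firefox.exe", "3104": "firefox.exe",
          "3308": "firefox.exe", "2548": "random.exe", "9999": "random.exe"}


@dataclass
class Chain:
    source: str
    target: str
    rwx_pages: set = field(default_factory=set)        # pages currently PAGE_EXECUTE_READWRITE
    restored_pages: set = field(default_factory=set)   # RWX pages later flipped back to RX
    writes_into_rwx: int = 0
    exec_views: int = 0
    resumed_suspended: bool = False


def correlate(rows):
    """Group rows by (caller, target) and accumulate the plant-then-resume evidence."""
    chains = {}
    for caller, api, a in rows:
        target = str(a["process_identifier"])
        if target == caller:
            continue  # a process changing its own pages is not cross-process injection
        ch = chains.setdefault((caller, target), Chain(caller, target))
        page = a.get("base_address", 0) & PAGE
        if api == "NtProtectVirtualMemory":
            if a["protection"] == PAGE_EXECUTE_READWRITE:
                ch.rwx_pages.add(page)
            elif page in ch.rwx_pages and a["protection"] == PAGE_EXECUTE_READ:
                ch.rwx_pages.discard(page)
                ch.restored_pages.add(page)   # transient RWX: inline-hook footprint
        elif api == "WriteProcessMemory" and page in ch.rwx_pages:
            ch.writes_into_rwx += 1
        elif api == "NtMapViewOfSection" and a["win32_protect"] & EXEC_MASK:
            ch.exec_views += 1
        elif api == "NtResumeThread" and a["suspend_count"] >= 1:
            ch.resumed_suspended = True
    return chains


def verdict(ch, images=IMAGES):
    """Classify one chain. Same-image pairs get a 'verify' verdict because browser
    sandbox brokers patch their own suspended children with this exact sequence."""
    code_planted = ch.writes_into_rwx > 0 or ch.exec_views > 0
    if not (code_planted and ch.resumed_suspended):
        return "incomplete"
    if images.get(ch.source) == images.get(ch.target):
        return "same-image write+resume: verify before calling it injection"
    return "cross-process injection"


def triage(rows=ROWS):
    return {f"{s}->{t}": verdict(ch) for (s, t), ch in correlate(rows).items()}


if __name__ == "__main__":
    for pair, v in triage().items():
        print(pair, v)
```

The image-name check is deliberately the last step: the memory evidence is identical in both cases, and only the relationship between writer and target decides whether the chain is the browser's sandbox setting itself up or a foreign process planting code.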
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2548
1 0 0

CreateProcessInternalW

thread_identifier: 2652
thread_handle: 0x000001ec
process_identifier: 2648
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 2788
thread_handle: 0x000001d8
process_identifier: 2784
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 2872
thread_handle: 0x000001ec
process_identifier: 2868
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 2952
thread_handle: 0x000001d8
process_identifier: 2948
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 3036
thread_handle: 0x000001ec
process_identifier: 3032
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 2072
thread_handle: 0x000001d8
process_identifier: 908
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 2268
thread_handle: 0x000001ec
process_identifier: 2264
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 2516
thread_handle: 0x000001d8
process_identifier: 2480
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 2348
thread_handle: 0x000001ec
process_identifier: 2608
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 2652
thread_handle: 0x000001d8
process_identifier: 2704
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 2820
thread_handle: 0x000001ec
process_identifier: 2788
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 2980
thread_handle: 0x000001d8
process_identifier: 2960
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 1264
thread_handle: 0x000001ec
process_identifier: 1356
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 1520
thread_handle: 0x000001d8
process_identifier: 884
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 2120
thread_handle: 0x000001ec
process_identifier: 2508
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 1852
thread_handle: 0x000001d8
process_identifier: 2436
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 2636
thread_handle: 0x000001ec
process_identifier: 2344
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 2848
thread_handle: 0x000001d8
process_identifier: 2824
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001ec
1 1 0

CreateProcessInternalW

thread_identifier: 1152
thread_handle: 0x000001ec
process_identifier: 2052
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d8
1 1 0

CreateProcessInternalW

thread_identifier: 1108
thread_handle: 0x00000224
process_identifier: 740
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 300
thread_handle: 0x00000220
process_identifier: 204
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 1364
thread_handle: 0x00000224
process_identifier: 1376
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 2440
thread_handle: 0x00000220
process_identifier: 2372
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 1812
thread_handle: 0x00000224
process_identifier: 2104
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 2928
thread_handle: 0x00000220
process_identifier: 2908
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 1608
thread_handle: 0x00000224
process_identifier: 2280
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 2084
thread_handle: 0x00000220
process_identifier: 1108
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 676
thread_handle: 0x00000224
process_identifier: 1456
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 2120
thread_handle: 0x00000220
process_identifier: 2220
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 2708
thread_handle: 0x00000224
process_identifier: 2692
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 152
thread_handle: 0x00000220
process_identifier: 1400
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 2084
thread_handle: 0x00000224
process_identifier: 1316
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 2240
thread_handle: 0x00000220
process_identifier: 2448
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 1976
thread_handle: 0x00000224
process_identifier: 2964
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 2108
thread_handle: 0x00000220
process_identifier: 3016
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 1156
thread_handle: 0x00000224
process_identifier: 2684
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000220
1 1 0

CreateProcessInternalW

thread_identifier: 2080
thread_handle: 0x00000220
process_identifier: 2140
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000224
1 1 0

CreateProcessInternalW

thread_identifier: 1796
thread_handle: 0x00000178
process_identifier: 2456
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000204
1 1 0

CreateProcessInternalW

thread_identifier: 2216
thread_handle: 0x00000204
process_identifier: 2632
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000178
1 1 0

CreateProcessInternalW

thread_identifier: 1512
thread_handle: 0x00000178
process_identifier: 676
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000204
1 1 0

CreateProcessInternalW

thread_identifier: 2620
thread_handle: 0x00000204
process_identifier: 1304
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000178
1 1 0

CreateProcessInternalW

thread_identifier: 2616
thread_handle: 0x00000178
process_identifier: 1964
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000204
1 1 0

CreateProcessInternalW

thread_identifier: 3172
thread_handle: 0x00000204
process_identifier: 3168
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000178
1 1 0

CreateProcessInternalW

thread_identifier: 3252
thread_handle: 0x00000178
process_identifier: 3248
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000204
1 1 0

CreateProcessInternalW

thread_identifier: 3336
thread_handle: 0x00000204
process_identifier: 3332
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000178
1 1 0

CreateProcessInternalW

thread_identifier: 3416
thread_handle: 0x00000178
process_identifier: 3412
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000204
1 1 0

CreateProcessInternalW

thread_identifier: 3496
thread_handle: 0x00000204
process_identifier: 3492
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000178
1 1 0

CreateProcessInternalW

thread_identifier: 3576
thread_handle: 0x00000178
process_identifier: 3572
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000204
1 1 0

CreateProcessInternalW

thread_identifier: 3748
thread_handle: 0x00000204
process_identifier: 3744
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000178
1 1 0