Summary | ZeroBOX

random.exe

Generic Malware Malicious Library UPX Code injection AntiDebug PE File OS Processor Check PE32 AntiVM
Category FILE
Machine s1_win7_x6403_us
Started May 3, 2025, 4:35 p.m.
Completed May 3, 2025, 4:38 p.m.
Size 950.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 648796e2ffded6ceb4acfcb29ea952ee
SHA256 c75595a1eef552c72d18f84a31b30084179f7b1f2e8fa5fa930421d475b5e5ab
CRC32 E6BDE3F4
ssdeep 24576:dqDEvCTbMWu7rQYlBQcBiT6rprG8aKoP:dTvC/MTQYxsWR7aKo
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: ERROR: The process "firefox.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2652 (child process of PID 2608) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2608 (child process of PID 1044) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2620 (child process of PID 2556) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2556 (child process of PID 1044) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2696 (child process of PID 2596) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2596 (child process of PID 1044) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2200 (child process of PID 2920) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2920 (child process of PID 1044) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2912 (child process of PID 2740) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2740 (child process of PID 1044) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2276 (child process of PID 2720) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2720 (child process of PID 1044) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 2540 (child process of PID 1868) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 1868 (child process of PID 1044) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msedge.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "opera.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "brave.exe" not found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 3132 (child process of PID 3088) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process with PID 3088 (child process of PID 1044) has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0
file C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0xcd1f04
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 9236872
registers.r15: 139433584
registers.rcx: 48
registers.rsi: 139365248
registers.r10: 0
registers.rbx: 0
registers.rsp: 9236504
registers.r11: 9239888
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 14915136
registers.rbp: 9236624
registers.rdi: 372354368
registers.rax: 13442816
registers.r13: 9237464
1 0 0

__exception__

stacktrace:
0xcd1f04
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 10547896
registers.r15: 8791424669296
registers.rcx: 48
registers.rsi: 8791424600960
registers.r10: 0
registers.rbx: 0
registers.rsp: 10547528
registers.r11: 10550912
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 14906704
registers.rbp: 10547648
registers.rdi: 209821728
registers.rax: 13442816
registers.r13: 10548488
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007700b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000030e0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000749ad000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007700b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000028e0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000749ad000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007700b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 85934080
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003161000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 15130624
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000008355000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 2252800
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000009313000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000009539000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000953a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000953b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000a399000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 765952
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000a39c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000026c0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000749ad000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000b50000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007700b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000b50000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000027c0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000749ad000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007700b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 85934080
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000031d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 15130624
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000083c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 2252800
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000009383000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000095a9000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000095aa000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000095ab000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000a409000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 765952
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000a40c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000028f0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000749ad000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007700b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000c90000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076fd6000
process_handle: 0xffffffffffffffff
1 0 0
Application Crash Process firefox.exe with pid 2540 crashed
Application Crash Process firefox.exe with pid 3200 crashed
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0xcd1f04
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 9236872
registers.r15: 139433584
registers.rcx: 48
registers.rsi: 139365248
registers.r10: 0
registers.rbx: 0
registers.rsp: 9236504
registers.r11: 9239888
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 14915136
registers.rbp: 9236624
registers.rdi: 372354368
registers.rax: 13442816
registers.r13: 9237464
1 0 0

__exception__

stacktrace:
0xcd1f04
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030
0x7fe00000030

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 10547896
registers.r15: 8791424669296
registers.rcx: 48
registers.rsi: 8791424600960
registers.r10: 0
registers.rbx: 0
registers.rsp: 10547528
registers.r11: 10550912
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 14906704
registers.rbp: 10547648
registers.rdi: 209821728
registers.rax: 13442816
registers.r13: 10548488
1 0 0
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00000000027c0000
process_handle: 0xffffffffffffffff
1 0 0
section .rsrc (virtual_address 0x000d4000, virtual_size 0x00016fb0, size_of_data 0x00017000, entropy 7.2108141687092955) entropy 7.21081416871 description A section with a high entropy has been found
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x000001d0
process_name: sppsvc.exe
process_identifier: 1740
0 0

Process32NextW

snapshot_handle: 0x0000021c
process_name: pw.exe
process_identifier: 2932
0 0

Process32NextW

snapshot_handle: 0x0000021c
process_name: sppsvc.exe
process_identifier: 1740
0 0

Process32NextW

snapshot_handle: 0x0000021c
process_name: pw.exe
process_identifier: 2400
0 0

Process32NextW

snapshot_handle: 0x0000021c
process_name: sppsvc.exe
process_identifier: 1740
0 0

Process32NextW

snapshot_handle: 0x0000021c
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

snapshot_handle: 0x0000021c
process_name: sppsvc.exe
process_identifier: 1740
0 0

Process32NextW

snapshot_handle: 0x0000021c
process_name: pw.exe
process_identifier: 3800
0 0
url https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
url https://crash-reports.mozilla.com/submit?id=
url https://hg.mozilla.org/releases/mozilla-release/rev/92187d03adde4b31daef292087a266f10121379c
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2652
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2652
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2608
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2608
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2620
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2620
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2556
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2556
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2696
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2696
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2596
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2596
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2200
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2200
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2920
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2920
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2912
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2912
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2740
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2740
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2276
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2276
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2720
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2720
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2540
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2540
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 1868
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 1868
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3132
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3132
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3088
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3088
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3680
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3680
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3636
process_handle: 0x00000188
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3636
process_handle: 0x00000188
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3200
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 3200
process_handle: 0x0000018c
1 0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2168
process_handle: 0x0000018c
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2168
process_handle: 0x0000018c
1 0 0
cmdline taskkill /F /IM opera.exe /T
cmdline taskkill /F /IM chrome.exe /T
cmdline taskkill /F /IM msedge.exe /T
cmdline taskkill /F /IM firefox.exe /T
cmdline taskkill /F /IM brave.exe /T
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2696
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2276
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077711000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 3200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000776e7000
process_handle: 0x0000000000000050
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: 
base_address: 0x000000013fb822b0
process_identifier: 2652
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fb90d88
process_identifier: 2652
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#µ?Aÿã
base_address: 0x0000000077711590
process_identifier: 2652
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ;
base_address: 0x000000013fb90d78
process_identifier: 2652
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» µ?Aÿã
base_address: 0x00000000776e7a90
process_identifier: 2652
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ;
base_address: 0x000000013fb90d70
process_identifier: 2652
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013fb30108
process_identifier: 2652
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
base_address: 0x000000013fb8aae8
process_identifier: 2652
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fb90c78
process_identifier: 2652
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f7722b0
process_identifier: 2620
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f780d88
process_identifier: 2620
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#t?Aÿã
base_address: 0x0000000077711590
process_identifier: 2620
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: C
base_address: 0x000000013f780d78
process_identifier: 2620
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» t?Aÿã
base_address: 0x00000000776e7a90
process_identifier: 2620
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: C
base_address: 0x000000013f780d70
process_identifier: 2620
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013f720108
process_identifier: 2620
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
base_address: 0x000000013f77aae8
process_identifier: 2620
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f780c78
process_identifier: 2620
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f4a22b0
process_identifier: 2696
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f4b0d88
process_identifier: 2696
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#G?Aÿã
base_address: 0x0000000077711590
process_identifier: 2696
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: Ï=
base_address: 0x000000013f4b0d78
process_identifier: 2696
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» G?Aÿã
base_address: 0x00000000776e7a90
process_identifier: 2696
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: Ï=
base_address: 0x000000013f4b0d70
process_identifier: 2696
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013f450108
process_identifier: 2696
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
base_address: 0x000000013f4aaae8
process_identifier: 2696
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f4b0c78
process_identifier: 2696
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x00000001400422b0
process_identifier: 2200
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x0000000140050d88
process_identifier: 2200
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#@Aÿã
base_address: 0x0000000077711590
process_identifier: 2200
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ¼{
base_address: 0x0000000140050d78
process_identifier: 2200
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» @Aÿã
base_address: 0x00000000776e7a90
process_identifier: 2200
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ¼{
base_address: 0x0000000140050d70
process_identifier: 2200
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013fff0108
process_identifier: 2200
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
base_address: 0x000000014004aae8
process_identifier: 2200
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x0000000140050c78
process_identifier: 2200
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013faf22b0
process_identifier: 2912
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fb00d88
process_identifier: 2912
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#¬?Aÿã
base_address: 0x0000000077711590
process_identifier: 2912
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: †U
base_address: 0x000000013fb00d78
process_identifier: 2912
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» ¬?Aÿã
base_address: 0x00000000776e7a90
process_identifier: 2912
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: †U
base_address: 0x000000013fb00d70
process_identifier: 2912
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013faa0108
process_identifier: 2912
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: qw@qw qw@qwqw°qw €nwàTnw 3qwqwÀ´lw`,qwÀ‚owömw Yqw2qwVqw°ww€“nw€Rqw ›nwQqwÂnw ?owP€nw°Tnwàtnwð„owÐ1qw™mwÐOmw`êpwÐæpwÐæpwÐ.qw
base_address: 0x000000013fafaae8
process_identifier: 2912
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fb00c78
process_identifier: 2912
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fe822b0
process_identifier: 2276
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013fe90d88
process_identifier: 2276
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#å?Aÿã
base_address: 0x0000000077711590
process_identifier: 2276
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ñw
base_address: 0x000000013fe90d78
process_identifier: 2276
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» å?Aÿã
base_address: 0x00000000776e7a90
process_identifier: 2276
process_handle: 0x0000000000000050
1 1 0
process: potential browser injection target firefox.exe
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
file C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\1pfa5s83.default-release\parent.lock
file C:\Users\test22\AppData\Local\Temp\firefox\parent.lock
Process injection Process 2608 resumed a thread in remote process 2652
Process injection Process 2556 resumed a thread in remote process 2620
Process injection Process 2596 resumed a thread in remote process 2696
Process injection Process 2920 resumed a thread in remote process 2200
Process injection Process 2740 resumed a thread in remote process 2912
Process injection Process 2720 resumed a thread in remote process 2276
Process injection Process 1868 resumed a thread in remote process 2540
Process injection Process 3088 resumed a thread in remote process 3132
Process injection Process 3636 resumed a thread in remote process 3680
Process injection Process 2168 resumed a thread in remote process 3200
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2652
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2620
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2696
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2200
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2912
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2276
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2540
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3132
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3680
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 3200
1 0 0
Cynet Malicious (score: 99)
Skyhigh BehavesLike.Win32.Formbook.dh
Cylance Unsafe
Sangfor Virus.Win32.Save.a
CrowdStrike win/malicious_confidence_70% (W)
VirIT Trojan.Win32.AutoIt_Heur.L
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/HackTool.Silentall.N potentially unsafe
Kaspersky HEUR:Trojan.Script.Agent.gen
Rising HackTool.Silentall/Autoit!1.106C3 (CLASSIC)
F-Secure Trojan.TR/ATRAPS.Gen
DrWeb Trojan.Siggen30.19657
McAfeeD ti!C75595A1EEF5
Avira TR/ATRAPS.Gen
Microsoft Program:Win32/Wacapew.C!ml
Malwarebytes Malware.AI.3317982698
Ikarus PUA.HackTool.Silentall
Tencent Unk.Win32.Script.404958
huorong TrojanDownloader/AutoIT.Agent.d
Fortinet Riskware/Silentall
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 1044
1 0 0

CreateProcessInternalW

thread_identifier: 2132
thread_handle: 0x000001e4
process_identifier: 2128
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d0
1 1 0

CreateProcessInternalW

thread_identifier: 2288
thread_handle: 0x000001d0
process_identifier: 2284
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001e4
1 1 0

CreateProcessInternalW

thread_identifier: 2372
thread_handle: 0x000001e4
process_identifier: 2368
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d0
1 1 0

CreateProcessInternalW

thread_identifier: 2452
thread_handle: 0x000001d0
process_identifier: 2448
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001e4
1 1 0

CreateProcessInternalW

thread_identifier: 2532
thread_handle: 0x000001e4
process_identifier: 2528
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d0
1 1 0

CreateProcessInternalW

thread_identifier: 2612
thread_handle: 0x000001d0
process_identifier: 2608
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001e4
1 1 0

CreateProcessInternalW

thread_identifier: 2824
thread_handle: 0x000001e4
process_identifier: 2820
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d0
1 1 0

CreateProcessInternalW

thread_identifier: 2140
thread_handle: 0x000001d0
process_identifier: 2144
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001e4
1 1 0

CreateProcessInternalW

thread_identifier: 1156
thread_handle: 0x000001e4
process_identifier: 2188
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d0
1 1 0

CreateProcessInternalW

thread_identifier: 2340
thread_handle: 0x000001d0
process_identifier: 2344
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001e4
1 1 0

CreateProcessInternalW

thread_identifier: 2460
thread_handle: 0x000001e4
process_identifier: 2468
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d0
1 1 0

CreateProcessInternalW

thread_identifier: 2568
thread_handle: 0x000001d0
process_identifier: 2556
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001e4
1 1 0

CreateProcessInternalW

thread_identifier: 2884
thread_handle: 0x000001e4
process_identifier: 2896
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d0
1 1 0

CreateProcessInternalW

thread_identifier: 2792
thread_handle: 0x000001d0
process_identifier: 2796
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001e4
1 1 0

CreateProcessInternalW

thread_identifier: 2196
thread_handle: 0x000001e4
process_identifier: 2176
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d0
1 1 0

CreateProcessInternalW

thread_identifier: 2288
thread_handle: 0x000001d0
process_identifier: 2348
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001e4
1 1 0

CreateProcessInternalW

thread_identifier: 2424
thread_handle: 0x000001e4
process_identifier: 2340
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001d0
1 1 0

CreateProcessInternalW

thread_identifier: 2604
thread_handle: 0x000001d0
process_identifier: 2596
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000001e4
1 1 0

CreateProcessInternalW

thread_identifier: 2924
thread_handle: 0x00000218
process_identifier: 2884
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 2264
thread_handle: 0x0000021c
process_identifier: 516
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000218
1 1 0

CreateProcessInternalW

thread_identifier: 2304
thread_handle: 0x00000218
process_identifier: 1156
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 2508
thread_handle: 0x0000021c
process_identifier: 2460
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000218
1 1 0

CreateProcessInternalW

thread_identifier: 2092
thread_handle: 0x00000218
process_identifier: 2744
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 2212
thread_handle: 0x0000021c
process_identifier: 2920
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000218
1 1 0

CreateProcessInternalW

thread_identifier: 2524
thread_handle: 0x00000218
process_identifier: 2504
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 2508
thread_handle: 0x0000021c
process_identifier: 1284
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000218
1 1 0

CreateProcessInternalW

thread_identifier: 2792
thread_handle: 0x00000218
process_identifier: 288
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 2400
thread_handle: 0x0000021c
process_identifier: 2408
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000218
1 1 0

CreateProcessInternalW

thread_identifier: 1208
thread_handle: 0x00000218
process_identifier: 2680
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 2900
thread_handle: 0x0000021c
process_identifier: 2740
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000218
1 1 0

CreateProcessInternalW

thread_identifier: 2544
thread_handle: 0x00000218
process_identifier: 2124
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 2184
thread_handle: 0x0000021c
process_identifier: 2280
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000218
1 1 0

CreateProcessInternalW

thread_identifier: 2944
thread_handle: 0x00000218
process_identifier: 2948
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 652
thread_handle: 0x0000021c
process_identifier: 2792
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000218
1 1 0

CreateProcessInternalW

thread_identifier: 1340
thread_handle: 0x00000218
process_identifier: 2888
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 652
thread_handle: 0x0000021c
process_identifier: 2720
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000170
1 1 0

CreateProcessInternalW

thread_identifier: 2168
thread_handle: 0x00000170
process_identifier: 2716
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 2004
thread_handle: 0x0000021c
process_identifier: 792
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000170
1 1 0

CreateProcessInternalW

thread_identifier: 1960
thread_handle: 0x00000170
process_identifier: 2928
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 1480
thread_handle: 0x0000021c
process_identifier: 2516
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000170
1 1 0

CreateProcessInternalW

thread_identifier: 1476
thread_handle: 0x00000170
process_identifier: 1076
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 916
thread_handle: 0x0000021c
process_identifier: 1868
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000170
1 1 0

CreateProcessInternalW

thread_identifier: 1340
thread_handle: 0x00000170
process_identifier: 2400
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 2000
thread_handle: 0x0000021c
process_identifier: 3036
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM chrome.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000170
1 1 0

CreateProcessInternalW

thread_identifier: 1232
thread_handle: 0x00000170
process_identifier: 2024
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM msedge.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 1520
thread_handle: 0x0000021c
process_identifier: 916
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM opera.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000170
1 1 0

CreateProcessInternalW

thread_identifier: 2000
thread_handle: 0x00000170
process_identifier: 1340
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM brave.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

CreateProcessInternalW

thread_identifier: 3092
thread_handle: 0x0000021c
process_identifier: 3088
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000170
1 1 0

CreateProcessInternalW

thread_identifier: 3224
thread_handle: 0x00000170
process_identifier: 3220
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: taskkill /F /IM firefox.exe /T
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000021c
1 1 0
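The trace above is one cycle repeated: force-kill every common browser with `taskkill /F /IM <image> /T`, relaunch Firefox with `--kiosk` on a URL that shows youtube.com in the address bar but carries accounts.google.com/v3/signin/challenge/pwd in its query string, then kill firefox.exe and start again, so a window the user closes comes straight back. The Python below is an added example, not ZeroBOX code and not part of this report. It re-creates the trace's `API name / key: value / status return repeated` layout only as far as a parser needs (an assumption about the export format), builds a constructed sample from command lines and PIDs that appear on this page, and flags the kill-then-kiosk sequence together with the mismatch between the displayed host and the host embedded in the query. It generalizes past this sample: any of the five browser images may be the one killed or the one relaunched, and the single-dash `-kiosk` spelling is an assumed alias.

```python
# Added example (not ZeroBOX code): detect the kill-browsers / relaunch-in-kiosk
# loop recorded above. Record layout and sample trace are re-created from the page.
import re
from urllib.parse import urlparse

# Image names the sample force-kills with "taskkill /F /IM <image> /T".
BROWSERS = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "firefox.exe"}
# --kiosk is the flag on the page; the single-dash spelling is an assumption.
KIOSK_FLAGS = {"--kiosk", "-kiosk"}

KIOSK_LAUNCH = (r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk '
                r'"https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" '
                r'--no-default-browser-check --disable-popup-blocking')

def _record(pid, command_line):
    """One constructed record in the report's 'ApiName / key: value / 1 1 0' layout."""
    return f"CreateProcessInternalW\n\nprocess_identifier: {pid}\ncommand_line: {command_line}\n1 1 0\n"

# Constructed sample: two kill-and-relaunch cycles, PIDs as they appear in the trace above.
SAMPLE_TRACE = "\n".join(_record(pid, cmd) for pid, cmd in [
    (2176, "taskkill /F /IM chrome.exe /T"), (2348, "taskkill /F /IM msedge.exe /T"),
    (2340, "taskkill /F /IM opera.exe /T"), (2596, "taskkill /F /IM brave.exe /T"),
    (2884, KIOSK_LAUNCH), (516, "taskkill /F /IM firefox.exe /T"),
    (1156, "taskkill /F /IM chrome.exe /T"), (2460, "taskkill /F /IM msedge.exe /T"),
    (2744, "taskkill /F /IM opera.exe /T"), (2920, "taskkill /F /IM brave.exe /T"),
    (2504, KIOSK_LAUNCH), (1284, "taskkill /F /IM firefox.exe /T"),
])

def parse_trace(text):
    """One dict per call: a record opens at a bare API-name line, closes at 'status return repeated'."""
    records, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if cur is None:
            cur = {"api": line}
        elif re.fullmatch(r"\d+ \d+ \d+", line):
            cur["status"], cur["return"], cur["repeated"] = line.split()
            records.append(cur)
            cur = None
        else:
            key, _, value = line.partition(":")  # first colon only, so C:\ paths survive
            cur[key.strip()] = value.strip()
    return records

def split_cmdline(cmd):
    """Windows-style split: double-quoted runs stay whole, backslashes are literal."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmd)]

def classify(command_line):
    """{'kind': 'kill', 'image': ...}, {'kind': 'kiosk', 'image': ..., 'url': ...} or None."""
    argv = split_cmdline(command_line)
    if not argv:
        return None
    exe = argv[0].rsplit("\\", 1)[-1].lower()
    if exe in ("taskkill", "taskkill.exe"):
        upper = [a.upper() for a in argv]
        i = upper.index("/IM") + 1 if "/IM" in upper else len(argv)
        if i < len(argv) and argv[i].lower() in BROWSERS:
            return {"kind": "kill", "image": argv[i].lower()}
        return None
    if exe in BROWSERS and any(a.lower() in KIOSK_FLAGS for a in argv[1:]):
        urls = [a for a in argv[1:] if a.lower().startswith(("http://", "https://"))]
        if urls:
            return {"kind": "kiosk", "image": exe, "url": urls[0]}
    return None

def embedded_foreign_host(url):
    """Host of a URL carried in the query/fragment when it differs from the shown host."""
    shown = urlparse(url)
    for m in re.finditer(r"https?://[^\s\"'&#]+", f"{shown.query}#{shown.fragment}"):
        inner = urlparse(m.group(0)).hostname
        if inner and inner != shown.hostname:
            return inner
    return None

def detect_kiosk_lure(records, min_cycles=1):
    """A cycle is one or more browser kills followed by a kiosk launch; return a finding or None."""
    killed, cycles = set(), []
    for rec in records:
        if rec.get("api") != "CreateProcessInternalW":
            continue
        c = classify(rec.get("command_line", ""))
        if c is None:
            continue
        if c["kind"] == "kill":
            killed.add(c["image"])
        elif killed:  # kiosk launch right after the user's browsers were force-killed
            cycles.append({"pid": rec.get("process_identifier"), "killed": sorted(killed), **c})
            killed = set()
    if len(cycles) < min_cycles:
        return None
    first = cycles[0]
    return {
        "cycles": len(cycles),
        "url": first["url"],
        "shown_host": urlparse(first["url"]).hostname,
        "embedded_host": embedded_foreign_host(first["url"]),
        "killed_before_launch": first["killed"],
        "launch_pids": [c["pid"] for c in cycles],
    }
```

`min_cycles` lets a rule wait for the loop to repeat before alerting, which is what separates this trace from a one-off kiosk launch. The stronger signal is the host mismatch: a legitimate kiosk deployment does not first kill the user's other browsers, and it does not put a second origin's sign-in path into the query string of the URL it displays.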