Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 18, 2021, 6:31 p.m.	Aug. 18, 2021, 6:53 p.m.

Size	806.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5	`4d2881108d102f5bdc0fc292f0d123c0`
SHA256	`c095ab547c4a1ce16be8742ab6ebbd79989a304fdabdcbfae390087d4c438592`
CRC32	`9E160888`
ssdeep	`12288:2Y20AljdZgBPfKf6LQxAogJfqsUsz0cX0jzC6YFYWBSNHn0oKjI:f20gPgFKSLQxAVBbIcXqTy/E`
PDB Path	d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) NPKI_Zero - File included NPKI

file3n.exe "C:\Users\test22\AppData\Local\Temp\file3n.exe"
1908
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\REC93248209\idset\s2341.vbs" /f=CREATE_NO_WINDOW install.cmd
  2388
  - cmd.exe cmd /c ""C:\REC93248209\idset\78ml.bat" "
    1456
    - timeout.exe timeout 7
      1812
    - gugue.exe "gugue.exe" e -pgr87dbiucg99dscujhsjs2178hwhCV Spack.rar
      192
    - timeout.exe timeout 6
      1108
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\REC93248209\idset\was2ls.vbs"
      1340
      - cmd.exe cmd /c ""C:\REC93248209\idset\dhsjf72.bat" "
        2672
        
        attrib.exe attrib +s +h "C:\REC93248209"
        1632
        
        timeout.exe timeout 2
        2692
        
        cocochanel.exe cocochanel.exe /start
        2668
        
        cocochanel.exe cocochanel.exe /start
        2768
        
        taskkill.exe taskkill /f /im gugue.exe
        3016
        
        taskkill.exe taskkill /f /im gugue.exe
        2364
        
        attrib.exe attrib -s -h "C:\REC93248209\idset"
        2704
        
        timeout.exe timeout 4
        2884
    - timeout.exe timeout 8
      604

Name	Response	Post-Analysis Lookup
oltorarrar.xyz	A 212.224.105.82	212.224.105.82
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.12.31

IP Address	Status	Action
104.26.12.31	Active	Moloch
164.124.101.2	Active	Moloch
212.224.105.82	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49234 -> 104.26.12.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 212.224.105.82:80 -> 192.168.56.101:49224	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49234 104.26.12.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	7d:9f:08:6e:96:fc:4c:1d:eb:94:53:45:8a:6c:7e:e7:c1:69:47:e9

Queries for the computername (14 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 18, 2021, 6:31 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 18, 2021, 6:31 p.m.			0	0
IsDebuggerPresent Aug. 18, 2021, 6:31 p.m.			0	0

Command line console output was observed (27 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: 'ufufds' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Waiting for 7 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: RAR 5.50 beta 1 x86 Copyright (c) 1993-2017 Alexander Roshal 12 Apr 2017 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Trial version Type 'rar -?' for help console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Extracting from Spack.rar console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Extracting dhsjf72.bat console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: OK console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Extracting was2ls.vbs console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: OK console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Extracting cocochanel.exe console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: OK console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: All OK console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Waiting for 6 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Waiting for 8 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: C:\REC93248209\idset\cocochanel.exe console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Waiting for 2 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: ERROR: The process "gugue.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: ERROR: The process "gugue.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: Waiting for 4 console_handle: 0x00000007	1	1
WriteConsoleW Aug. 18, 2021, 6:31 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (13 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008e9030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008e9458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008e9498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008e9498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008e9498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008e9498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008e9718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e18620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e18620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e184e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e188a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e187e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 18, 2021, 6:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e187e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 18, 2021, 6:31 p.m.		1	1	0

One or more processes crashed (13 events)

Time & API	Arguments	Status
__exception__ Aug. 18, 2021, 6:31 p.m.	stacktrace: 0x2259de7 0x2259d29 0x2259a52 0x2259507 0x2251d62 0x2250c24 0x2250438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d36ad @ 0x6fe336ad mscorlib+0x308f2d @ 0x6fe68f2d 0x2250398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d3711 @ 0x6fe33711 mscorlib+0x308f2d @ 0x6fe68f2d mscorlib+0x3133fd @ 0x6fe733fd mscorlib+0x9873b1 @ 0x704e73b1 mscorlib+0x97b352 @ 0x704db352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72122a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7221cd14 0x5da062 cocochanel+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x225a183 registers.esp: 1633560 registers.edi: 40287320 registers.eax: 0 registers.ebp: 1633604 registers.edx: 109056040 registers.ebx: 40287124 registers.esi: 0 registers.ecx: 109056564	1
__exception__ Aug. 18, 2021, 6:31 p.m.	stacktrace: 0x2259de7 0x2259d29 0x2259a52 0x2259507 0x2251d62 0x2250c24 0x2250438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d36ad @ 0x6fe336ad mscorlib+0x308f2d @ 0x6fe68f2d 0x2250398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d3711 @ 0x6fe33711 mscorlib+0x308f2d @ 0x6fe68f2d mscorlib+0x3133fd @ 0x6fe733fd mscorlib+0x9873b1 @ 0x704e73b1 mscorlib+0x97b352 @ 0x704db352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72122a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7221cd14 0x5da062 cocochanel+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x225a183 registers.esp: 1633560 registers.edi: 41253016 registers.eax: 0 registers.ebp: 1633604 registers.edx: 109056040 registers.ebx: 41252820 registers.esi: 0 registers.ecx: 109056564	1
__exception__ Aug. 18, 2021, 6:31 p.m.	stacktrace: 0x2259de7 0x2259d29 0x2259a52 0x2259507 0x2251d62 0x2250c24 0x2250438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d36ad @ 0x6fe336ad mscorlib+0x308f2d @ 0x6fe68f2d 0x2250398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d3711 @ 0x6fe33711 mscorlib+0x308f2d @ 0x6fe68f2d mscorlib+0x3133fd @ 0x6fe733fd mscorlib+0x9873b1 @ 0x704e73b1 mscorlib+0x97b352 @ 0x704db352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72122a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7221cd14 0x5da062 cocochanel+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x225a183 registers.esp: 1633560 registers.edi: 42205032 registers.eax: 0 registers.ebp: 1633604 registers.edx: 109056040 registers.ebx: 42204836 registers.esi: 0 registers.ecx: 109056564	1
__exception__ Aug. 18, 2021, 6:31 p.m.	stacktrace: 0x225b916 0x225b869 0x2259ac7 0x2259507 0x2251d62 0x2250c24 0x2250438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d36ad @ 0x6fe336ad mscorlib+0x308f2d @ 0x6fe68f2d 0x2250398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d3711 @ 0x6fe33711 mscorlib+0x308f2d @ 0x6fe68f2d mscorlib+0x3133fd @ 0x6fe733fd mscorlib+0x9873b1 @ 0x704e73b1 mscorlib+0x97b352 @ 0x704db352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72122a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7221cd14 0x5da062 cocochanel+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x225a183 registers.esp: 1633552 registers.edi: 43156828 registers.eax: 0 registers.ebp: 1633596 registers.edx: 109056040 registers.ebx: 43156632 registers.esi: 0 registers.ecx: 109056564	1
__exception__ Aug. 18, 2021, 6:31 p.m.	stacktrace: 0x225b916 0x225b869 0x2259ac7 0x2259507 0x2251d62 0x2250c24 0x2250438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d36ad @ 0x6fe336ad mscorlib+0x308f2d @ 0x6fe68f2d 0x2250398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d3711 @ 0x6fe33711 mscorlib+0x308f2d @ 0x6fe68f2d mscorlib+0x3133fd @ 0x6fe733fd mscorlib+0x9873b1 @ 0x704e73b1 mscorlib+0x97b352 @ 0x704db352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72122a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7221cd14 0x5da062 cocochanel+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x225a183 registers.esp: 1633552 registers.edi: 44120248 registers.eax: 0 registers.ebp: 1633596 registers.edx: 109056040 registers.ebx: 44120052 registers.esi: 0 registers.ecx: 109056564	1
__exception__ Aug. 18, 2021, 6:31 p.m.	stacktrace: 0x225b916 0x225b869 0x2259ac7 0x2259507 0x2251d62 0x2250c24 0x2250438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d36ad @ 0x6fe336ad mscorlib+0x308f2d @ 0x6fe68f2d 0x2250398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d3711 @ 0x6fe33711 mscorlib+0x308f2d @ 0x6fe68f2d mscorlib+0x3133fd @ 0x6fe733fd mscorlib+0x9873b1 @ 0x704e73b1 mscorlib+0x97b352 @ 0x704db352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72122a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7221cd14 0x5da062 cocochanel+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x225a183 registers.esp: 1633552 registers.edi: 40624440 registers.eax: 0 registers.ebp: 1633596 registers.edx: 109056040 registers.ebx: 40624244 registers.esi: 0 registers.ecx: 109056564	1
__exception__ Aug. 18, 2021, 6:31 p.m.	stacktrace: 0x225be77 0x225bdc9 0x2259b3c 0x2259507 0x2251d62 0x2250c24 0x2250438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d36ad @ 0x6fe336ad mscorlib+0x308f2d @ 0x6fe68f2d 0x2250398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d3711 @ 0x6fe33711 mscorlib+0x308f2d @ 0x6fe68f2d mscorlib+0x3133fd @ 0x6fe733fd mscorlib+0x9873b1 @ 0x704e73b1 mscorlib+0x97b352 @ 0x704db352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72122a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7221cd14 0x5da062 cocochanel+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x225a183 registers.esp: 1633556 registers.edi: 41587952 registers.eax: 0 registers.ebp: 1633600 registers.edx: 109056040 registers.ebx: 41587756 registers.esi: 0 registers.ecx: 109056564	1
__exception__ Aug. 18, 2021, 6:31 p.m.	stacktrace: 0x225be77 0x225bdc9 0x2259b3c 0x2259507 0x2251d62 0x2250c24 0x2250438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d36ad @ 0x6fe336ad mscorlib+0x308f2d @ 0x6fe68f2d 0x2250398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d3711 @ 0x6fe33711 mscorlib+0x308f2d @ 0x6fe68f2d mscorlib+0x3133fd @ 0x6fe733fd mscorlib+0x9873b1 @ 0x704e73b1 mscorlib+0x97b352 @ 0x704db352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72122a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7221cd14 0x5da062 cocochanel+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x225a183 registers.esp: 1633556 registers.edi: 42604060 registers.eax: 0 registers.ebp: 1633600 registers.edx: 109056040 registers.ebx: 42603864 registers.esi: 0 registers.ecx: 109056564	1
__exception__ Aug. 18, 2021, 6:31 p.m.	stacktrace: 0x225be77 0x225bdc9 0x2259b3c 0x2259507 0x2251d62 0x2250c24 0x2250438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d36ad @ 0x6fe336ad mscorlib+0x308f2d @ 0x6fe68f2d 0x2250398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d3711 @ 0x6fe33711 mscorlib+0x308f2d @ 0x6fe68f2d mscorlib+0x3133fd @ 0x6fe733fd mscorlib+0x9873b1 @ 0x704e73b1 mscorlib+0x97b352 @ 0x704db352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72122a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7221cd14 0x5da062 cocochanel+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x225a183 registers.esp: 1633556 registers.edi: 39768004 registers.eax: 0 registers.ebp: 1633600 registers.edx: 109056040 registers.ebx: 39767808 registers.esi: 0 registers.ecx: 109056564	1
__exception__ Aug. 18, 2021, 6:31 p.m.	stacktrace: 0x225c2b9 0x225c209 0x2259bad 0x2259507 0x2251d62 0x2250c24 0x2250438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d36ad @ 0x6fe336ad mscorlib+0x308f2d @ 0x6fe68f2d 0x2250398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d3711 @ 0x6fe33711 mscorlib+0x308f2d @ 0x6fe68f2d mscorlib+0x3133fd @ 0x6fe733fd mscorlib+0x9873b1 @ 0x704e73b1 mscorlib+0x97b352 @ 0x704db352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72122a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7221cd14 0x5da062 cocochanel+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x225a183 registers.esp: 1633552 registers.edi: 40025812 registers.eax: 0 registers.ebp: 1633596 registers.edx: 109056040 registers.ebx: 40025616 registers.esi: 0 registers.ecx: 109056564	1
__exception__ Aug. 18, 2021, 6:31 p.m.	stacktrace: 0x225c2b9 0x225c209 0x2259bad 0x2259507 0x2251d62 0x2250c24 0x2250438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d36ad @ 0x6fe336ad mscorlib+0x308f2d @ 0x6fe68f2d 0x2250398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d3711 @ 0x6fe33711 mscorlib+0x308f2d @ 0x6fe68f2d mscorlib+0x3133fd @ 0x6fe733fd mscorlib+0x9873b1 @ 0x704e73b1 mscorlib+0x97b352 @ 0x704db352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72122a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7221cd14 0x5da062 cocochanel+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x225a183 registers.esp: 1633552 registers.edi: 41044040 registers.eax: 0 registers.ebp: 1633596 registers.edx: 109056040 registers.ebx: 41043844 registers.esi: 0 registers.ecx: 109056564	1
__exception__ Aug. 18, 2021, 6:31 p.m.	stacktrace: 0x225c2b9 0x225c209 0x2259bad 0x2259507 0x2251d62 0x2250c24 0x2250438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d36ad @ 0x6fe336ad mscorlib+0x308f2d @ 0x6fe68f2d 0x2250398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d3711 @ 0x6fe33711 mscorlib+0x308f2d @ 0x6fe68f2d mscorlib+0x3133fd @ 0x6fe733fd mscorlib+0x9873b1 @ 0x704e73b1 mscorlib+0x97b352 @ 0x704db352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72122a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7221cd14 0x5da062 cocochanel+0x2403 @ 0x402403 exception.instruction_r: 8b 40 04 89 45 d8 c7 45 e4 00 00 00 00 c7 45 e8 exception.instruction: mov eax, dword ptr [eax + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x225a183 registers.esp: 1633552 registers.edi: 42062268 registers.eax: 0 registers.ebp: 1633596 registers.edx: 109056040 registers.ebx: 42062072 registers.esi: 0 registers.ecx: 109056564	1
__exception__ Aug. 18, 2021, 6:31 p.m.	stacktrace: 0x225f59a 0x225f51c 0x2251d62 0x2250c24 0x2250438 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d36ad @ 0x6fe336ad mscorlib+0x308f2d @ 0x6fe68f2d 0x2250398 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72122652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7213264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x721a1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x721a1737 mscorlib+0x2d3711 @ 0x6fe33711 mscorlib+0x308f2d @ 0x6fe68f2d mscorlib+0x3133fd @ 0x6fe733fd mscorlib+0x9873b1 @ 0x704e73b1 mscorlib+0x97b352 @ 0x704db352 DllUnregisterServerInternal-0x7666 clr+0x2a8e @ 0x72122a8e DllGetClassObjectInternal+0x37c9b CorDllMainForThunk-0x54860 clr+0xfcd14 @ 0x7221cd14 0x5da062 cocochanel+0x2403 @ 0x402403 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x225f629 registers.esp: 1633772 registers.edi: 44135136 registers.eax: 0 registers.ebp: 1633796 registers.edx: 9130520 registers.ebx: 38942644 registers.esi: 44135316 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header, POST method with no useragent header				suspicious_request	POST http://oltorarrar.xyz/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://api.ip.sb/geoip

Performs some HTTP requests (2 events)

request	POST http://oltorarrar.xyz/
request	GET https://api.ip.sb/geoip

Sends data using the HTTP POST Method (1 event)

request

POST http://oltorarrar.xyz/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 159 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a34000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72691000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72661000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x768d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x750f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a34000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72691000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x768d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x750f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72661000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ad1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72aa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x768d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x750f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x768d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x750f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72961000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72894000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 1340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72962000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies

Creates executable files on the filesystem (6 events)

file	C:\REC93248209\idset\s2341.vbs
file	C:\REC93248209\idset\was2ls.vbs
file	C:\REC93248209\idset\dhsjf72.bat
file	C:\REC93248209\idset\78ml.bat
file	C:\REC93248209\idset\gugue.exe
file	C:\REC93248209\idset\cocochanel.exe

Drops a binary and executes it (5 events)

file	C:\REC93248209\idset\s2341.vbs
file	C:\REC93248209\idset\gugue.exe
file	C:\REC93248209\idset\was2ls.vbs
file	C:\REC93248209\idset\dhsjf72.bat
file	C:\REC93248209\idset\cocochanel.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 18, 2021, 6:31 p.m.	show_type: 0 filepath_r: 78ml.bat parameters: filepath: 78ml.bat	1	1	0
ShellExecuteExW Aug. 18, 2021, 6:31 p.m.	show_type: 0 filepath_r: C:\REC93248209\idset\dhsjf72.bat parameters: filepath: C:\REC93248209\idset\dhsjf72.bat	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 18, 2021, 6:31 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 18, 2021, 6:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 6:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 18, 2021, 6:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (24 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000748 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: AddressBook base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: Connection Manager base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: EditPlus base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: ENTERPRISE base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: Fontcore base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: Google Chrome base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: IE40 base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: IE4Data base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: IEData base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: WIC base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Aug. 18, 2021, 6:31 p.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000748 key_handle: 0x00000754 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	attrib -s -h "C:\REC93248209\idset"
cmdline	taskkill /f /im gugue.exe
cmdline	attrib +s +h "C:\REC93248209"

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 181a75cf34e9691ec455d0edb5e2530a57f457a8

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2768 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000e0	1	0	0

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (9 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "gugue.exe")
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 18, 2021, 6:31 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2768 process_handle: 0x000000e0	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Aug. 18, 2021, 6:31 p.m.	key_handle: 0x00000754 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2668 called NtSetContextThread to modify thread in remote process 2768
NtSetContextThread Aug. 18, 2021, 6:31 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4246831 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000dc process_identifier: 2768	1	0	0

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	78ml.bat
parent_process	wscript.exe	martian_process	"C:\REC93248209\idset\78ml.bat"
parent_process	wscript.exe	martian_process	"C:\REC93248209\idset\dhsjf72.bat"
parent_process	wscript.exe	martian_process	C:\REC93248209\idset\dhsjf72.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1908 resumed a thread in remote process 2388
Process injection	Process 1456 resumed a thread in remote process 1340
Process injection	Process 2668 resumed a thread in remote process 2768
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2388	1	0	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 1340	1	0	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2768	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

MicroWorld-eScan	Gen:Variant.Johnnie.382872
FireEye	Generic.mg.4d2881108d102f5b
Cylance	Unsafe
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_60% (D)
APEX	Malicious
Kaspersky	UDS:Trojan-PSW.MSIL.Reline
BitDefender	Gen:Variant.Johnnie.382872
Emsisoft	Gen:Variant.Johnnie.382872 (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Sophos	Generic ML PUA (PUA)
MAX	malware (ai score=84)
Microsoft	Trojan:Script/Phonzy.C!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Johnnie.382872
Cynet	Malicious (score: 100)
ALYac	Gen:Variant.Johnnie.382872
Ikarus	Trojan.Inject
Cybereason	malicious.9d3984

Executed a process and injected code into it, probably while unpacking (49 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 1908	1	0
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 3024 thread_handle: 0x00000290 process_identifier: 2388 current_directory: C:\REC93248209\idset filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\REC93248209\idset\s2341.vbs" /f=CREATE_NO_WINDOW install.cmd filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000298	1	1
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 2388	1	0
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 1204 thread_handle: 0x000002fc process_identifier: 1456 current_directory: C:\REC93248209\idset filepath: track: 1 command_line: "C:\REC93248209\idset\78ml.bat" filepath_r: stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f0	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 2760 thread_handle: 0x000000f8 process_identifier: 1812 current_directory: C:\REC93248209\idset filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 7 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f4	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 1472 thread_handle: 0x000000f8 process_identifier: 192 current_directory: C:\REC93248209\idset filepath: C:\REC93248209\idset\gugue.exe track: 1 command_line: "gugue.exe" e -pgr87dbiucg99dscujhsjs2178hwhCV Spack.rar filepath_r: C:\REC93248209\idset\gugue.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000100	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 2232 thread_handle: 0x00000100 process_identifier: 1108 current_directory: C:\REC93248209\idset filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 6 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: C:\REC93248209\idset\was2ls.vbs track: 0 command_line: was2ls.vbs filepath_r: C:\REC93248209\idset\was2ls.vbs stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000		0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 1456	1	0
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 2432 thread_handle: 0x0000022c process_identifier: 1340 current_directory: C:\REC93248209\idset filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\REC93248209\idset\was2ls.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000024c	1	1
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 1340	1	0
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 2240 thread_handle: 0x000001ec process_identifier: 604 current_directory: C:\REC93248209\idset filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 8 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000011c	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 668 thread_handle: 0x000002b0 process_identifier: 2672 current_directory: C:\REC93248209\idset filepath: track: 1 command_line: "C:\REC93248209\idset\dhsjf72.bat" filepath_r: stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a4	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 2760 thread_handle: 0x000000f8 process_identifier: 1632 current_directory: C:\REC93248209\idset filepath: C:\Windows\System32\attrib.exe track: 1 command_line: attrib +s +h "C:\REC93248209" filepath_r: C:\Windows\system32\attrib.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f4	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 2040 thread_handle: 0x000000f4 process_identifier: 2692 current_directory: C:\REC93248209\idset filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 2 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 1788 thread_handle: 0x000000f8 process_identifier: 2668 current_directory: C:\REC93248209\idset filepath: C:\REC93248209\idset\cocochanel.exe track: 1 command_line: cocochanel.exe /start filepath_r: C:\REC93248209\idset\cocochanel.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f4	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 1304 thread_handle: 0x000000f4 process_identifier: 3016 current_directory: C:\REC93248209\idset filepath: C:\Windows\System32\taskkill.exe track: 1 command_line: taskkill /f /im gugue.exe filepath_r: C:\Windows\system32\taskkill.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 1976 thread_handle: 0x000000f8 process_identifier: 2364 current_directory: C:\REC93248209\idset filepath: C:\Windows\System32\taskkill.exe track: 1 command_line: taskkill /f /im gugue.exe filepath_r: C:\Windows\system32\taskkill.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f4	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 888 thread_handle: 0x000000f4 process_identifier: 2704 current_directory: C:\REC93248209\idset filepath: C:\Windows\System32\attrib.exe track: 1 command_line: attrib -s -h "C:\REC93248209\idset" filepath_r: C:\Windows\system32\attrib.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f8	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 2832 thread_handle: 0x000000f8 process_identifier: 2884 current_directory: C:\REC93248209\idset filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 4 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000f4	1	1
CreateProcessInternalW Aug. 18, 2021, 6:31 p.m.	thread_identifier: 2088 thread_handle: 0x000000dc process_identifier: 2768 current_directory: filepath: track: 1 command_line: cocochanel.exe /start filepath_r: stack_pivoted: 0 creation_flags: 524292 (CREATE_SUSPENDED\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000000e0	1	1
NtGetContextThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x000000dc	1	0
NtUnmapViewOfSection Aug. 18, 2021, 6:31 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2768 process_handle: 0x000000e0	1	0
NtAllocateVirtualMemory Aug. 18, 2021, 6:31 p.m.	process_identifier: 2768 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000e0	1	0
WriteProcessMemory Aug. 18, 2021, 6:31 p.m.	buffer: base_address: 0x00400000 process_identifier: 2768 process_handle: 0x000000e0	1	1
WriteProcessMemory Aug. 18, 2021, 6:31 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2768 process_handle: 0x000000e0	1	1
NtSetContextThread Aug. 18, 2021, 6:31 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4246831 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000dc process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x000003ac suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000628 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000660 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000704 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000394 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x000006dc suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x000006fc suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000604 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x0000060c suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000714 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x0000072c suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000744 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000750 suspend_count: 1 process_identifier: 2768	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x0000079c suspend_count: 1 process_identifier: 2768	1	0
NtGetContextThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000168	1	0
NtGetContextThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000168	1	0
NtResumeThread Aug. 18, 2021, 6:31 p.m.	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 2768	1	0

file3n.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All