new order.scr

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 5, 2021, 9:30 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 5, 2021, 9:30 a.m.	buffer: SUCCESS: The scheduled task "Windows Update Check - 0x147D036F" has successfully been created. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 5, 2021, 9:30 a.m.			0	0

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 5, 2021, 9:30 a.m.	stacktrace: LdrInitializeThunk+0x10 RtlInitializeExceptionChain-0x16 ntdll+0x39e59 @ 0x773d9e59 exception.instruction_r: c6 00 b8 c6 40 01 40 c6 40 02 00 c6 40 03 00 c6 exception.instruction: mov byte ptr [eax], -0x48 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x307bde registers.esp: 1570788 registers.edi: 1570832 registers.eax: 2000420576 registers.ebp: 1571632 registers.edx: 48 registers.ebx: 2001346668 registers.esi: 2130567208 registers.ecx: 1571616	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 5, 2021, 9:30 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 5, 2021, 9:30 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 5, 2021, 9:30 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00491000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 5, 2021, 9:30 a.m.	process_identifier: 3172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 139264 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00403000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 5, 2021, 9:30 a.m.	process_identifier: 3172 region_size: 544768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 5, 2021, 9:30 a.m.	process_identifier: 3172 region_size: 307200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 5, 2021, 9:30 a.m.	process_identifier: 3172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 5, 2021, 9:30 a.m.	process_identifier: 3172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e50000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 5, 2021, 9:30 a.m.	process_identifier: 3172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe0000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 5, 2021, 9:30 a.m.	process_identifier: 3172 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 5, 2021, 9:30 a.m.	process_identifier: 3172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02450000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates a suspicious process (2 events)

cmdline	schtasks.exe /CREATE /SC ONLOGON /TN "Windows Update Check - 0x147D036F" /TR "C:\ProgramData\svchost\ntibcpsaq.exe" /RL HIGHEST
cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x147D036F" /TR "C:\ProgramData\svchost\ntibcpsaq.exe" /RL HIGHEST

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 5, 2021, 9:30 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /CREATE /SC ONLOGON /TN "Windows Update Check - 0x147D036F" /TR "C:\ProgramData\svchost\ntibcpsaq.exe" /RL HIGHEST filepath: schtasks.exe	1	1	0

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

DrWeb	Trojan.Betabot.3
ESET-NOD32	a variant of Win32/Injector.AZSS
Ikarus	Trojan.Win32.Utanioz

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW July 5, 2021, 9:30 a.m.	newfilepath_r: C:\ProgramData\svchost\ntibcpsaq.exe flags: 11 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\new order.scr newfilepath: C:\ProgramData\svchost\ntibcpsaq.exe oldfilepath: C:\Users\test22\AppData\Local\Temp\new order.scr	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section	{u'size_of_data': u'0x00082200', u'virtual_address': u'0x000ac000', u'entropy': 7.921266625222382, u'name': u'UPX1', u'virtual_size': u'0x00083000'}				entropy	7.92126662522				description	A section with a high entropy has been found
entropy	0.94122965642				description	Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 5, 2021, 9:30 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW July 5, 2021, 9:30 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1	0
LookupPrivilegeValueW July 5, 2021, 9:30 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	Code injection with CreateRemoteThread in a remote process				rule	Code_injection
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks.exe /CREATE /SC ONLOGON /TN "Windows Update Check - 0x147D036F" /TR "C:\ProgramData\svchost\ntibcpsaq.exe" /RL HIGHEST
cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x147D036F" /TR "C:\ProgramData\svchost\ntibcpsaq.exe" /RL HIGHEST

Communicates with host for which no DNS query was performed (1 event)

host	172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 5, 2021, 9:30 a.m.	process_identifier: 3172 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x00000110	1	0	0

Attempts to identify installed AV products by registry key (50 out of 53 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avira
registry	HKEY_LOCAL_MACHINE\SOFTWARE\ESET
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Symantec
registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avgwd
registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AVP
registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avast! Antivirus
registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RsMgrSvc
registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\fshoster
registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cmdvirth
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVG_UI
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG_UI
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVP
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVP
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcui_exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcui_exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcpltui_exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpltui_exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bdagent
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bdagent
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trend Micro Titanium
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trend Micro Titanium
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trend Micro Client Framework
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trend Micro Client Framework
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avast
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avast
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSC
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSC
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BullGuard
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BullGuard
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sophos AutoUpdate Monitor
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Sophos AutoUpdate Monitor
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpIDerAgent
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SpIDerAgent
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WRSVC
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WRSVC
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\emsisoft anti-malware
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\emsisoft anti-malware
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ISTray
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISTray
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\G Data AntiVirus Tray Application
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\G Data AntiVirus Tray Application
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\G Data AntiVirus Tray
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\G Data AntiVirus Tray
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bkav
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bkav
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V3 Application

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to detect a virtual machine by the use of a pseudo device (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 5, 2021, 9:30 a.m.	create_disposition: 3 (FILE_OPEN_IF) file_handle: 0x00000000 filepath: \??\HGFS desired_access: 0x00100081 (FILE_READ_DATA|FILE_READ_ATTRIBUTES|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\HGFS create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 1 (FILE_SHARE_READ)		3221225524	0

Installs itself for autorun at Windows startup (2 events)

cmdline	schtasks.exe /CREATE /SC ONLOGON /TN "Windows Update Check - 0x147D036F" /TR "C:\ProgramData\svchost\ntibcpsaq.exe" /RL HIGHEST
cmdline	"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x147D036F" /TR "C:\ProgramData\svchost\ntibcpsaq.exe" /RL HIGHEST

Detects Bitdefender Antivirus through the presence of a library (6 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle July 5, 2021, 9:30 a.m.	module_name: avcuf32.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle July 5, 2021, 9:30 a.m.	module_name: avcuf32.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle July 5, 2021, 9:30 a.m.	module_name: avcuf32.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle July 5, 2021, 9:30 a.m.	module_name: avcuf32.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle July 5, 2021, 9:30 a.m.	module_name: avcuf32.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle July 5, 2021, 9:30 a.m.	module_name: avcuf32.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 5, 2021, 9:30 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3172 process_handle: 0x00000110	1	1	0
WriteProcessMemory July 5, 2021, 9:30 a.m.	buffer: V Ét Àt3ö+Ȋ :uF@ƒþrò3À^ÃÈÿ^ÃU‹ìƒìS3ÛSÿ @¹MZf9t3ÀëO‹H<< PEuðV‹t PƒÆðWÇEðæœîÇEôȊ%ÇEø«ÇEüÿ‹ø;óvEð‹Ïè}ÿÿÿ Àt GC;Þrì3À_^[ÉËÇë÷U‹ìƒìVW Ûtj¸MZf9u`‹C<<PEuT‹|PƒeüÇÚþÿÿÇEìŠø‚ÇEð›7ÒÇEôªØ›MÇEød¹ÌÁ‹ót&¸& f9u‹EüLEìèÿþÿÿ ÀtFÿEü9}ürÚ3À_^ÉÃh& h @VèùƒN ƒÄƒN ‹ÆëÝU‹ìƒìSW ö„„‹~ ÿt}‹Fƒeô‰Eü‹ÇÁà‰EøEôPj@W^Sjÿÿ @ ÀtT3À ÿtŠMü0@;Çrõj@h0ÿuøjjÿÿ @‰Eü Àt(‹NAQP‹Ï‹Ãè= YYƒøÿuh€jÿuüjÿÿ @3À_[ÉÃWjS荋Eü¹MZƒÄf9u‹H<<PEt h€jPëËM ÉtƋUø‰ë¿U‹ìQd¡0SV Àt€x t0ƒeüèûýÿÿ Àt#MüQ‹ðèûþÿÿ‹ØY ÛtèTþÿÿ Àtÿuüè™jÿ @ÌU‹ì‹HQÿ‰P Éu#‹HQÿ‰P Éu3À]˶A‰P‰Ç@‹P‹ÊÒÁé‰P‹Eƒá ‰3À@]ÃU‹ìQV3öFEüP‹EèŸÿÿÿY Àt(‹Eü4pEüP‹EèˆÿÿÿY Àtƒ}üuҋE‰03À@^ÉÃ3ÀëùU‹ìƒäø‹Uƒì,SV‹uW3ÿ;Ç„;ׄYÿ‰D$ ‰T$(‰t$,‰|$4‰|$‰\$$ É„ïNÿ‰L$, ö„àŠ‹\$ˆ B@‰T$(‰D$ ë‹uD$PD$$èóþÿÿY À„²ƒ|$„eD$PD$$èÑþÿÿY À„ƒ|$„ D$PD$$è¯þÿÿY À„nƒ|$t}j3ÿ^D$PD$$èŒþÿÿY À„KN‹D$<x‰|$uÛ ÿt/‹E+D$,;ø‡*‹D$,ÿL$, À„‹D$(‹L$(+NJˆ ë‹D$,ÿL$, À„ú ‹D$(ÆÿD$(éÔ ‹D$$ÿL$$ À„Ú ‹D$ ¶0ÿD$ 3ÿ‹ÆG#ǃÀÑî‰D$‰t$t=‹M+L$,;ñ‡ª ;D$,‡  )D$, Àt ‹L$(+΋\$(ŠÿD$(AHˆuð‰D$ë‰|$‹Þé] D$PD$$PèçýÿÿYY À„X ‹D$ ÿukƒøuaD$PD$$P‰\$ è½ýÿÿYY À„. +t$,;Þ‡" ‹D$;D$,‡ )D$, À„Á‹D$(+ËT$(ŠÿD$(@ÿL$ˆ uí飃èëƒè‹L$$ÿL$$ É„Ò‹L$ ¶1ÁàðÿD$ D$PD$$P‰t$ è4ýÿÿYY À„¥þ}rÿD$þrÿD$þ€sƒD$‹E+D$,;ðwu‹L$;L$,wk)L$, Ét‹D$(+Ƌ|$(ŠÿD$(@Iˆuð‰L$‹Þ3ÿGë.‹D$$ÿL$$ Àt6‹D$,ÿL$, Àt*‹D$ ‹L$(ŠÿD$(ÿD$ ˆ 3ÿƒ|$„=ýÿÿ‹D$(+EëƒÈÿ_^[‹å]ÃU‹ì·FS3É3ۍD0f;NsQWx$‹Gì Àt9‹OèH3Áu‹ö t‹FëöÂ@t‹F ë„Òy‹F$MP‹GðEPQè› ƒÄ·FCƒÇ(;Ør´_3À@[]ÃU‹ìQQƒeøƒeü öt;d¡0‰EüƒÀ‹‰Eø‹Mü Ét#‹Eø‹@‹Q Àt9Pt‹ Àuõë‰p‹Mü‰qÿUÉÃU‹ì Ûtzƒ}ttV‹s<Wj@ó‹FPh0ƒÀ Pjjÿÿ @‹ø ÿtMÿvTSWèøSWèÿþÿÿÿujSè, WWè0ƒÄ( Àuh€PWjÿÿ @ë‹G<‹D8(ÇP‹÷è1ÿÿÿY_^]ÂU‹ìƒì‹MSVW‹}‹G<Ç+H4‹¤‰Mô‹ˆ ‰Uì Étv ÒtrƒeøÏ Òtb‹Q Uø‹1ƒeüƒÂøÑê÷ Ò~@‹}ü·|y‹ßÁë Ût$ƒûuCçÿþ‰}ð‹?‹ß+X4;XPw,}ô‹]ð‰;ÿEü9Uü|Ë}‹UøI;Uìrž‹M‰H43À@_^[ÉÃ3Àë÷U‹ìQƒ}tƒ}tƒ}u3Àë*ƒeüë‹Eü@‰Eü‹Eü;Es‹EEü‹MMüŠ ˆëߋEÉÃU‹ìQƒ}tƒ}u3Àë%ƒeüë‹Eü@‰Eü‹Eü;Es ‹EEüŠMˆëä‹EÉà base_address: 0x00401000 process_identifier: 3172 process_handle: 0x00000110	1	1	0
WriteProcessMemory July 5, 2021, 9:30 a.m.	buffer: €!Ž!¢!²!Æ!& Šø‚›7Ҫ؛Md¹ÌÁdefaulth!Ø! €!Ž!¢!²!Æ! ExitProcessGetModuleHandleWíVirtualFreeExðVirtualProtectExêVirtualAllocExKERNEL32.dll base_address: 0x00402000 process_identifier: 3172 process_handle: 0x00000110	1	1	0
WriteProcessMemory July 5, 2021, 9:30 a.m.	buffer: 001k1”1Ã1T27P7 base_address: 0x00425000 process_identifier: 3172 process_handle: 0x00000110	1	1	0
WriteProcessMemory July 5, 2021, 9:30 a.m.	buffer: MZÿÿ¸@Ⱥ´ Í!¸ LÍ!This program cannot be run in DOS mode. $3vÍÆw£•w£•w£•~o0•t£•w¢•~£•lŠ•t£•lŠ>•v£•Richw£•PEL æBÏRà    @  `† @ @!(0`P .textž  `.rdataæ @@.rsrc`0@@.reloc6P&@B base_address: 0x00400000 process_identifier: 3172 process_handle: 0x00000110	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 5, 2021, 9:30 a.m.	buffer: MZÿÿ¸@Ⱥ´ Í!¸ LÍ!This program cannot be run in DOS mode. $3vÍÆw£•w£•w£•~o0•t£•w¢•~£•lŠ•t£•lŠ>•v£•Richw£•PEL æBÏRà    @  `† @ @!(0`P .textž  `.rdataæ @@.rsrc`0@@.reloc6P&@B base_address: 0x00400000 process_identifier: 3172 process_handle: 0x00000110	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Process injection	Process 656 called NtSetContextThread to modify thread in remote process 3172
Time & API	Arguments	Status	Return	Repeated
NtSetContextThread July 5, 2021, 9:30 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4198922 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000010c process_identifier: 3172	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\ProgramData\svchost\ntibcpsaq.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection	Process 656 resumed a thread in remote process 3172
Time & API	Arguments	Status	Return	Repeated
NtResumeThread July 5, 2021, 9:30 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 3172	1	0	0

Detects VirtualBox through the presence of a device (1 event)

file	\??\VBoxGuest

Detects VMWare through the presence of various files (1 event)

file

\??\HGFS

Detects VMWare through the presence of a registry key (1 event)

registry

HKEY_CURRENT_USER\Software\VMware, Inc.

Executed a process and injected code into it, probably while unpacking (15 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 5, 2021, 9:30 a.m.	thread_identifier: 7724 thread_handle: 0x0000010c process_identifier: 3172 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\new order.scr" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000110	1	1	0
NtGetContextThread July 5, 2021, 9:30 a.m.	thread_handle: 0x0000010c	1	0	0
NtUnmapViewOfSection July 5, 2021, 9:30 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 3172 process_handle: 0x00000110	1	0	0
NtAllocateVirtualMemory July 5, 2021, 9:30 a.m.	process_identifier: 3172 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x00000110	1	0	0
WriteProcessMemory July 5, 2021, 9:30 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3172 process_handle: 0x00000110	1	1	0
NtSetContextThread July 5, 2021, 9:30 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4198922 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000010c process_identifier: 3172	1	0	0
WriteProcessMemory July 5, 2021, 9:30 a.m.	buffer: V Ét Àt3ö+Ȋ :uF@ƒþrò3À^ÃÈÿ^ÃU‹ìƒìS3ÛSÿ @¹MZf9t3ÀëO‹H<< PEuðV‹t PƒÆðWÇEðæœîÇEôȊ%ÇEø«ÇEüÿ‹ø;óvEð‹Ïè}ÿÿÿ Àt GC;Þrì3À_^[ÉËÇë÷U‹ìƒìVW Ûtj¸MZf9u`‹C<<PEuT‹|PƒeüÇÚþÿÿÇEìŠø‚ÇEð›7ÒÇEôªØ›MÇEød¹ÌÁ‹ót&¸& f9u‹EüLEìèÿþÿÿ ÀtFÿEü9}ürÚ3À_^ÉÃh& h @VèùƒN ƒÄƒN ‹ÆëÝU‹ìƒìSW ö„„‹~ ÿt}‹Fƒeô‰Eü‹ÇÁà‰EøEôPj@W^Sjÿÿ @ ÀtT3À ÿtŠMü0@;Çrõj@h0ÿuøjjÿÿ @‰Eü Àt(‹NAQP‹Ï‹Ãè= YYƒøÿuh€jÿuüjÿÿ @3À_[ÉÃWjS荋Eü¹MZƒÄf9u‹H<<PEt h€jPëËM ÉtƋUø‰ë¿U‹ìQd¡0SV Àt€x t0ƒeüèûýÿÿ Àt#MüQ‹ðèûþÿÿ‹ØY ÛtèTþÿÿ Àtÿuüè™jÿ @ÌU‹ì‹HQÿ‰P Éu#‹HQÿ‰P Éu3À]˶A‰P‰Ç@‹P‹ÊÒÁé‰P‹Eƒá ‰3À@]ÃU‹ìQV3öFEüP‹EèŸÿÿÿY Àt(‹Eü4pEüP‹EèˆÿÿÿY Àtƒ}üuҋE‰03À@^ÉÃ3ÀëùU‹ìƒäø‹Uƒì,SV‹uW3ÿ;Ç„;ׄYÿ‰D$ ‰T$(‰t$,‰|$4‰|$‰\$$ É„ïNÿ‰L$, ö„àŠ‹\$ˆ B@‰T$(‰D$ ë‹uD$PD$$èóþÿÿY À„²ƒ|$„eD$PD$$èÑþÿÿY À„ƒ|$„ D$PD$$è¯þÿÿY À„nƒ|$t}j3ÿ^D$PD$$èŒþÿÿY À„KN‹D$<x‰|$uÛ ÿt/‹E+D$,;ø‡*‹D$,ÿL$, À„‹D$(‹L$(+NJˆ ë‹D$,ÿL$, À„ú ‹D$(ÆÿD$(éÔ ‹D$$ÿL$$ À„Ú ‹D$ ¶0ÿD$ 3ÿ‹ÆG#ǃÀÑî‰D$‰t$t=‹M+L$,;ñ‡ª ;D$,‡  )D$, Àt ‹L$(+΋\$(ŠÿD$(AHˆuð‰D$ë‰|$‹Þé] D$PD$$PèçýÿÿYY À„X ‹D$ ÿukƒøuaD$PD$$P‰\$ è½ýÿÿYY À„. +t$,;Þ‡" ‹D$;D$,‡ )D$, À„Á‹D$(+ËT$(ŠÿD$(@ÿL$ˆ uí飃èëƒè‹L$$ÿL$$ É„Ò‹L$ ¶1ÁàðÿD$ D$PD$$P‰t$ è4ýÿÿYY À„¥þ}rÿD$þrÿD$þ€sƒD$‹E+D$,;ðwu‹L$;L$,wk)L$, Ét‹D$(+Ƌ|$(ŠÿD$(@Iˆuð‰L$‹Þ3ÿGë.‹D$$ÿL$$ Àt6‹D$,ÿL$, Àt*‹D$ ‹L$(ŠÿD$(ÿD$ ˆ 3ÿƒ|$„=ýÿÿ‹D$(+EëƒÈÿ_^[‹å]ÃU‹ì·FS3É3ۍD0f;NsQWx$‹Gì Àt9‹OèH3Áu‹ö t‹FëöÂ@t‹F ë„Òy‹F$MP‹GðEPQè› ƒÄ·FCƒÇ(;Ør´_3À@[]ÃU‹ìQQƒeøƒeü öt;d¡0‰EüƒÀ‹‰Eø‹Mü Ét#‹Eø‹@‹Q Àt9Pt‹ Àuõë‰p‹Mü‰qÿUÉÃU‹ì Ûtzƒ}ttV‹s<Wj@ó‹FPh0ƒÀ Pjjÿÿ @‹ø ÿtMÿvTSWèøSWèÿþÿÿÿujSè, WWè0ƒÄ( Àuh€PWjÿÿ @ë‹G<‹D8(ÇP‹÷è1ÿÿÿY_^]ÂU‹ìƒì‹MSVW‹}‹G<Ç+H4‹¤‰Mô‹ˆ ‰Uì Étv ÒtrƒeøÏ Òtb‹Q Uø‹1ƒeüƒÂøÑê÷ Ò~@‹}ü·|y‹ßÁë Ût$ƒûuCçÿþ‰}ð‹?‹ß+X4;XPw,}ô‹]ð‰;ÿEü9Uü|Ë}‹UøI;Uìrž‹M‰H43À@_^[ÉÃ3Àë÷U‹ìQƒ}tƒ}tƒ}u3Àë*ƒeüë‹Eü@‰Eü‹Eü;Es‹EEü‹MMüŠ ˆëߋEÉÃU‹ìQƒ}tƒ}u3Àë%ƒeüë‹Eü@‰Eü‹Eü;Es ‹EEüŠMˆëä‹EÉà base_address: 0x00401000 process_identifier: 3172 process_handle: 0x00000110	1	1	0
WriteProcessMemory July 5, 2021, 9:30 a.m.	buffer: €!Ž!¢!²!Æ!& Šø‚›7Ҫ؛Md¹ÌÁdefaulth!Ø! €!Ž!¢!²!Æ! ExitProcessGetModuleHandleWíVirtualFreeExðVirtualProtectExêVirtualAllocExKERNEL32.dll base_address: 0x00402000 process_identifier: 3172 process_handle: 0x00000110	1	1	0
WriteProcessMemory July 5, 2021, 9:30 a.m.	buffer: base_address: 0x00403000 process_identifier: 3172 process_handle: 0x00000110	1	1	0
WriteProcessMemory July 5, 2021, 9:30 a.m.	buffer: 001k1”1Ã1T27P7 base_address: 0x00425000 process_identifier: 3172 process_handle: 0x00000110	1	1	0
WriteProcessMemory July 5, 2021, 9:30 a.m.	buffer: MZÿÿ¸@Ⱥ´ Í!¸ LÍ!This program cannot be run in DOS mode. $3vÍÆw£•w£•w£•~o0•t£•w¢•~£•lŠ•t£•lŠ>•v£•Richw£•PEL æBÏRà    @  `† @ @!(0`P .textž  `.rdataæ @@.rsrc`0@@.reloc6P&@B base_address: 0x00400000 process_identifier: 3172 process_handle: 0x00000110	1	1	0
NtResumeThread July 5, 2021, 9:30 a.m.	thread_handle: 0x0000010c suspend_count: 1 process_identifier: 3172	1	0	0
NtResumeThread July 5, 2021, 9:30 a.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 3172	1	0	0
CreateProcessInternalW July 5, 2021, 9:30 a.m.	thread_identifier: 6676 thread_handle: 0x00000294 process_identifier: 4888 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x147D036F" /TR "C:\ProgramData\svchost\ntibcpsaq.exe" /RL HIGHEST filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000029c	1	1	0
CreateProcessInternalW July 5, 2021, 9:30 a.m.	thread_identifier: 8548 thread_handle: 0x00000208 process_identifier: 3700 current_directory: filepath: C:\Windows\SysWOW64\WerFault.exe track: 1 command_line: filepath_r: C:\Windows\SysWOW64\WerFault.exe stack_pivoted: 0 creation_flags: 16777260 (CREATE_BREAKAWAY_FROM_JOB|CREATE_SUSPENDED|DETACHED_PROCESS|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000200	1	1	0