clip.exe

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 23, 2021, 10 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 23, 2021, 10 a.m.	buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 23, 2021, 9:53 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 23, 2021, 9:53 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728d2000 process_handle: 0xffffffff	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\BorisEyrichSoft\Artweaver\documentation.pdf

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\BorisEyrichSoft\Artweaver\vnz_217.exe
file	C:\Users\test22\AppData\Roaming\BorisEyrichSoft\Artweaver\PcUtility.exe
file	C:\Users\test22\AppData\Roaming\BorisEyrichSoft\Artweaver\libinfer3.dll

Creates a suspicious process (1 event)

cmdline

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Roaming\BorisEyrichSoft\Artweaver\PcUtility.exe
file	C:\Users\test22\AppData\Roaming\BorisEyrichSoft\Artweaver\vnz_217.exe
file	C:\Users\test22\AppData\Roaming\BorisEyrichSoft\Artweaver\libinfer3.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 23, 2021, 9:54 a.m.	thread_identifier: 2612 thread_handle: 0x0000010c process_identifier: 888 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000110	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Fugrafa.858
FireEye	Generic.mg.24b6fa846f9d1e06
McAfee	Cobalt-EVTS!9DB2E8CC47A2
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005624dc1 )
K7GW	Trojan ( 005624dc1 )
Cybereason	malicious.46f9d1
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
Avast	Win32:Trojan-gen
ClamAV	Win.Trojan.CobaltStrike-7899872-1
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Variant.Fugrafa.858
NANO-Antivirus	Trojan.Win32.Rozena.hpcmlv
Sophos	ATK/Cobalt-A
DrWeb	BackDoor.Siggen2.247
TrendMicro	Trojan.Win32.COBALT.SM
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Emsisoft	Gen:Variant.Fugrafa.858 (B)
SentinelOne	Static AI - Suspicious PE
eGambit	Unsafe.AI_Score_94%
Avira	TR/Crypt.ZPACK.Gen
MAX	malware (ai score=83)
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Fugrafa.858
Cynet	Malicious (score: 100)
BitDefenderTheta	Gen:NN.ZexaF.34678.yqW@am7KLfci
ALYac	Gen:Variant.Fugrafa.858
VBA32	BScope.Trojan.Cometer
Malwarebytes	Backdoor.Rozena
TrendMicro-HouseCall	Trojan.Win32.COBALT.SM
Rising	Malware.Heuristic!ET#84% (RDMK:cmRtazrz+3x/4ZXmHMN1/OnQytf/)
Yandex	Trojan.GenAsa!/C5jzoNrl5s
Ikarus	Trojan.Win32.Rozena
Fortinet	W32/Generic.AP.118EACE!tr
AVG	Win32:Trojan-gen