Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 23, 2021, 11:49 a.m.	Aug. 23, 2021, 11:51 a.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fd496a2b10e16382abba374c4ce2fc4d`
SHA256	`23d87add58cf094c020bd57067f2cbcfdb9908682e0a60b54c0901f177afc5c9`
CRC32	`71C4B5DD`
ssdeep	`24576:BmomnXWVBb2+FX5Nrr4Oju5jdB66h/gfleR49UzIxAwYck8qDd6TZbeY:lmXWjtNrr4T5jdB68gIsxAwYckrQThe`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

faveSQTg6lvyAQO.exe "C:\Users\test22\AppData\Local\Temp\faveSQTg6lvyAQO.exe"
2220
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmp7354.tmp.cmd""
  2236
  - timeout.exe timeout 1
    492
  - schtasks.exe schtasks.exe /create /f /sc MINUTE /mo 1 /tn "Microsoft Edge" /tr "'C:\Users\test22\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe"'
    3028

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 23, 2021, 11:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 11:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 11:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 11:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 11:49 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 23, 2021, 11:49 a.m.			0	0
IsDebuggerPresent Aug. 23, 2021, 11:49 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 23, 2021, 11:49 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0
WriteConsoleW Aug. 23, 2021, 11:49 a.m.	buffer: SUCCESS: The scheduled task "Microsoft Edge" has successfully been created. console_handle: 0x00000007	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

One or more processes crashed (14 events)

Time & API	Arguments	Status
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x21565f @ 0x155565f favesqtg6lvyaqo+0x2143a4 @ 0x15543a4 favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x14aa6d5 registers.esp: 3602744 registers.edi: 23343344 registers.eax: 0 registers.ebp: 3602772 registers.edx: 0 registers.ebx: 4051010724 registers.esi: 20750336 registers.ecx: 12335900	1
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x217c4b @ 0x1557c4b favesqtg6lvyaqo+0x2143bb @ 0x15543bb favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x14aa700 registers.esp: 3602680 registers.edi: 22137508 registers.eax: 0 registers.ebp: 3602708 registers.edx: 2 registers.ebx: 16556032 registers.esi: 20750336 registers.ecx: 20750336	1
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x217f20 @ 0x1557f20 favesqtg6lvyaqo+0x2143bb @ 0x15543bb favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x14aa700 registers.esp: 3602680 registers.edi: 22137508 registers.eax: 0 registers.ebp: 3602708 registers.edx: 2 registers.ebx: 16556032 registers.esi: 20750336 registers.ecx: 1270162962	1
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x2180d2 @ 0x15580d2 favesqtg6lvyaqo+0x2143bb @ 0x15543bb favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x14aa6d5 registers.esp: 3602680 registers.edi: 22137508 registers.eax: 0 registers.ebp: 3602708 registers.edx: 0 registers.ebx: 16556032 registers.esi: 20750336 registers.ecx: 0	1
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x2182a7 @ 0x15582a7 favesqtg6lvyaqo+0x2143bb @ 0x15543bb favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x14aa6d5 registers.esp: 3602680 registers.edi: 22137508 registers.eax: 0 registers.ebp: 3602708 registers.edx: 0 registers.ebx: 16556032 registers.esi: 20750336 registers.ecx: 2604413431	1
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x2182a7 @ 0x15582a7 favesqtg6lvyaqo+0x2143bb @ 0x15543bb favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x14aa700 registers.esp: 3602680 registers.edi: 3602680 registers.eax: 0 registers.ebp: 3602708 registers.edx: 2 registers.ebx: 21669611 registers.esi: 0 registers.ecx: 3602716	1
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x2182a7 @ 0x15582a7 favesqtg6lvyaqo+0x2143bb @ 0x15543bb favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x14aa700 registers.esp: 3602680 registers.edi: 3602680 registers.eax: 0 registers.ebp: 3602708 registers.edx: 2 registers.ebx: 21669654 registers.esi: 0 registers.ecx: 3602716	1
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x2182a7 @ 0x15582a7 favesqtg6lvyaqo+0x2143bb @ 0x15543bb favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x14aa700 registers.esp: 3602680 registers.edi: 3602680 registers.eax: 0 registers.ebp: 3602708 registers.edx: 2 registers.ebx: 21669654 registers.esi: 0 registers.ecx: 3602716	1
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x2182a7 @ 0x15582a7 favesqtg6lvyaqo+0x2143bb @ 0x15543bb favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x14aa700 registers.esp: 3602680 registers.edi: 3602680 registers.eax: 0 registers.ebp: 3602708 registers.edx: 2 registers.ebx: 21669654 registers.esi: 0 registers.ecx: 3602716	1
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x2182a7 @ 0x15582a7 favesqtg6lvyaqo+0x2143bb @ 0x15543bb favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x14aa6d5 registers.esp: 3602680 registers.edi: 3602680 registers.eax: 0 registers.ebp: 3602708 registers.edx: 0 registers.ebx: 21669654 registers.esi: 0 registers.ecx: 3602716	1
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x2182a7 @ 0x15582a7 favesqtg6lvyaqo+0x2143bb @ 0x15543bb favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x14aa6d5 registers.esp: 3602680 registers.edi: 3602680 registers.eax: 0 registers.ebp: 3602708 registers.edx: 0 registers.ebx: 21669611 registers.esi: 0 registers.ecx: 3602716	1
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x2182a7 @ 0x15582a7 favesqtg6lvyaqo+0x2143bb @ 0x15543bb favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x14aa6d5 registers.esp: 3602680 registers.edi: 3602680 registers.eax: 0 registers.ebp: 3602708 registers.edx: 0 registers.ebx: 21669611 registers.esi: 0 registers.ecx: 3602716	1
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x2183b5 @ 0x15583b5 favesqtg6lvyaqo+0x2143bb @ 0x15543bb favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x14aa700 registers.esp: 3602680 registers.edi: 22137508 registers.eax: 0 registers.ebp: 3602708 registers.edx: 2 registers.ebx: 16556032 registers.esi: 20750336 registers.ecx: 366414743	1
__exception__ Aug. 23, 2021, 11:49 a.m.	stacktrace: favesqtg6lvyaqo+0x2183b5 @ 0x15583b5 favesqtg6lvyaqo+0x2143bb @ 0x15543bb favesqtg6lvyaqo+0x302db7 @ 0x1642db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x14aa6d5 registers.esp: 3602680 registers.edi: 3602680 registers.eax: 0 registers.ebp: 3602708 registers.edx: 0 registers.ebx: 21669654 registers.esi: 0 registers.ecx: 3602716	1

Allocates read-write-execute memory (usually to unpack itself) (39 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 491520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01340000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72641000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72642000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02eb0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01315000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0131b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01317000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01306000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0130a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01307000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03641000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 11:49 a.m.	process_identifier: 2220 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 23, 2021, 11:49 a.m.	total_number_of_free_bytes: 13723914240 free_bytes_available: 13723914240 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp7354.tmp.cmd

Creates a suspicious process (1 event)

cmdline

schtasks.exe /create /f /sc MINUTE /mo 1 /tn "Microsoft Edge" /tr "'C:\Users\test22\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe"'

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 23, 2021, 11:49 a.m.	thread_identifier: 1836 thread_handle: 0x000002a0 process_identifier: 2236 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\tmp7354.tmp.cmd" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002a4	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (5 events)

section

{u'size_of_data': u'0x00075000', u'virtual_address': u'0x00002000', u'entropy': 7.999613244372898, u'name': u'', u'virtual_size': u'0x00076000'}

entropy

7.99961324437

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000200', u'virtual_address': u'0x00080000', u'entropy': 7.508564028587192, u'name': u'', u'virtual_size': u'0x00002000'}

entropy

7.50856402859

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0002e800', u'virtual_address': u'0x0008a000', u'entropy': 7.998535413934858, u'name': u'', u'virtual_size': u'0x00292000'}

entropy

7.99853541393

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x000eb400', u'virtual_address': u'0x0031c000', u'entropy': 7.972689284704409, u'name': u'.data', u'virtual_size': u'0x000ec000'}

entropy

7.9726892847

description

A section with a high entropy has been found

entropy

0.981846153846

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 23, 2021, 11:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks.exe /create /f /sc MINUTE /mo 1 /tn "Microsoft Edge" /tr "'C:\Users\test22\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe"'

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks.exe /create /f /sc MINUTE /mo 1 /tn "Microsoft Edge" /tr "'C:\Users\test22\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe"'

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp7354.tmp.cmd

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (4 events)

Time & API	Arguments	Status	Return
CryptHashData Aug. 23, 2021, 11:49 a.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0069b1c0 flags: 0	1	1
CryptHashData Aug. 23, 2021, 11:49 a.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0069b1c0 flags: 0	1	1
CryptHashData Aug. 23, 2021, 11:49 a.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0069b1c0 flags: 0	1	1
CryptHashData Aug. 23, 2021, 11:49 a.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x0069b1c0 flags: 0	1	1

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Lionic	Trojan.Win32.Tasker.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Graftor.737496
ALYac	Gen:Variant.Graftor.737496
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (W)
Alibaba	Packed:Win32/EnigmaProtector.64ab83fb
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.EnigmaProtector.M suspicious
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Tasker.aqoh
BitDefender	Gen:Variant.Graftor.737496
Ad-Aware	Gen:Variant.Graftor.737496
Emsisoft	Gen:Variant.Graftor.737496 (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
FireEye	Generic.mg.fd496a2b10e16382
Sophos	Mal/Generic-S
Ikarus	Trojan.Dropper.Agent
GData	Gen:Variant.Graftor.737496
Webroot	W32.Trojan.Gen
Arcabit	Trojan.Graftor.DB40D8
ZoneAlarm	Trojan.Win32.Tasker.aqoh
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
Cynet	Malicious (score: 100)
Acronis	suspicious
McAfee	GenericRXHT-JV!FD496A2B10E1
MAX	malware (ai score=87)
VBA32	Trojan.Tiggre
Malwarebytes	Malware.Heuristic.1003
Zoner	Probably Heur.ExeHeaderH
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_75%
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZexaF.34088.Mz0@aO4V6kbi
AVG	Win32:Malware-gen
Avast	Win32:Malware-gen
MaxSecure	Trojan.Malware.300983.susgen

faveSQTg6lvyAQO.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All