Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 23, 2021, 1:29 p.m.	Aug. 23, 2021, 1:29 p.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fd496a2b10e16382abba374c4ce2fc4d`
SHA256	`23d87add58cf094c020bd57067f2cbcfdb9908682e0a60b54c0901f177afc5c9`
CRC32	`71C4B5DD`
ssdeep	`24576:BmomnXWVBb2+FX5Nrr4Oju5jdB66h/gfleR49UzIxAwYck8qDd6TZbeY:lmXWjtNrr4T5jdB68gIsxAwYckrQThe`
Yara	Plimrost_IN - Plimrost PE_Header_Zero - PE File Signature EnigmaProtector_IN - EnigmaProtector Is_DotNET_EXE - (no description) IsPE32 - (no description)

faveSQTg6lvyAQO.exe "C:\Users\test22\AppData\Local\Temp\faveSQTg6lvyAQO.exe"
1016
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmp7373.tmp.cmd""
  2256
  - timeout.exe timeout 1
    2324
  - schtasks.exe schtasks.exe /create /f /sc MINUTE /mo 1 /tn "Microsoft Edge" /tr "'C:\Users\test22\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe"'
    3028

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 23, 2021, 1:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 1:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 1:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 1:29 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 23, 2021, 1:29 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 23, 2021, 1:29 p.m.			0	0
IsDebuggerPresent Aug. 23, 2021, 1:29 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 23, 2021, 1:29 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0
WriteConsoleW Aug. 23, 2021, 1:29 p.m.	buffer: SUCCESS: The scheduled task "Microsoft Edge" has successfully been created. console_handle: 0x00000007	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

One or more processes crashed (28 events)

Time & API	Arguments	Status
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x21565f @ 0x57565f favesqtg6lvyaqo+0x2143a4 @ 0x5743a4 favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811416 registers.edi: 6697200 registers.eax: 0 registers.ebp: 10811444 registers.edx: 0 registers.ebx: 4051010724 registers.esi: 4104192 registers.ecx: 38615836	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x21565f @ 0x57565f favesqtg6lvyaqo+0x2143a4 @ 0x5743a4 favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x4ca700 registers.esp: 10811416 registers.edi: 10811416 registers.eax: 0 registers.ebp: 10811444 registers.edx: 2 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811452	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x21565f @ 0x57565f favesqtg6lvyaqo+0x2143a4 @ 0x5743a4 favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811416 registers.edi: 10811416 registers.eax: 0 registers.ebp: 10811444 registers.edx: 0 registers.ebx: 5023510 registers.esi: 0 registers.ecx: 10811452	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x21565f @ 0x57565f favesqtg6lvyaqo+0x2143a4 @ 0x5743a4 favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x4ca700 registers.esp: 10811416 registers.edi: 10811416 registers.eax: 0 registers.ebp: 10811444 registers.edx: 2 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811452	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x21565f @ 0x57565f favesqtg6lvyaqo+0x2143a4 @ 0x5743a4 favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811416 registers.edi: 10811416 registers.eax: 0 registers.ebp: 10811444 registers.edx: 0 registers.ebx: 5023510 registers.esi: 0 registers.ecx: 10811452	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x21565f @ 0x57565f favesqtg6lvyaqo+0x2143a4 @ 0x5743a4 favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x4ca700 registers.esp: 10811416 registers.edi: 10811416 registers.eax: 0 registers.ebp: 10811444 registers.edx: 2 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811452	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x217c4b @ 0x577c4b favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811352 registers.edi: 5491364 registers.eax: 0 registers.ebp: 10811380 registers.edx: 0 registers.ebx: 4294877184 registers.esi: 4104192 registers.ecx: 4104192	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x217c4b @ 0x577c4b favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 0 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x217c4b @ 0x577c4b favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 0 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x217c4b @ 0x577c4b favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 0 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x217c4b @ 0x577c4b favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 0 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x217f20 @ 0x577f20 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811352 registers.edi: 5491364 registers.eax: 0 registers.ebp: 10811380 registers.edx: 0 registers.ebx: 4294877184 registers.esi: 4104192 registers.ecx: 3012648501	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x217f20 @ 0x577f20 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x4ca700 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 2 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x217f20 @ 0x577f20 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x4ca700 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 2 registers.ebx: 5023510 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2180d2 @ 0x5780d2 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811352 registers.edi: 5491364 registers.eax: 0 registers.ebp: 10811380 registers.edx: 0 registers.ebx: 4294877184 registers.esi: 4104192 registers.ecx: 0	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2180d2 @ 0x5780d2 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x4ca700 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 2 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2180d2 @ 0x5780d2 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 0 registers.ebx: 5023510 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2180d2 @ 0x5780d2 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x4ca700 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 2 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2180d2 @ 0x5780d2 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 0 registers.ebx: 5023510 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2180d2 @ 0x5780d2 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 0 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2180d2 @ 0x5780d2 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 0 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2180d2 @ 0x5780d2 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x4ca700 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 2 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2180d2 @ 0x5780d2 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 0 registers.ebx: 5023510 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2180d2 @ 0x5780d2 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x4ca700 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 2 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2182a7 @ 0x5782a7 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x4ca700 registers.esp: 10811352 registers.edi: 5491364 registers.eax: 0 registers.ebp: 10811380 registers.edx: 2 registers.ebx: 4294877184 registers.esi: 4104192 registers.ecx: 423609350	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2183b5 @ 0x5783b5 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: f7 f0 e8 44 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a6d5 exception.instruction: div eax exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc0000094 exception.offset: 1484501 exception.address: 0x4ca6d5 registers.esp: 10811352 registers.edi: 5491364 registers.eax: 0 registers.ebp: 10811380 registers.edx: 0 registers.ebx: 4294877184 registers.esi: 4104192 registers.ecx: 3638898094	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2183b5 @ 0x5783b5 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x4ca700 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 2 registers.ebx: 5023467 registers.esi: 0 registers.ecx: 10811388	1
__exception__ Aug. 23, 2021, 1:29 p.m.	stacktrace: favesqtg6lvyaqo+0x2183b5 @ 0x5783b5 favesqtg6lvyaqo+0x2143bb @ 0x5743bb favesqtg6lvyaqo+0x302db7 @ 0x662db7 exception.instruction_r: 0f 0b e8 19 37 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: favesqtg6lvyaqo+0x16a700 exception.instruction: ud2 exception.module: faveSQTg6lvyAQO.exe exception.exception_code: 0xc000001d exception.offset: 1484544 exception.address: 0x4ca700 registers.esp: 10811352 registers.edi: 10811352 registers.eax: 0 registers.ebp: 10811380 registers.edx: 2 registers.ebx: 5023510 registers.esi: 0 registers.ecx: 10811388	1

Allocates read-write-execute memory (usually to unpack itself) (39 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 491520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72641000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72642000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02681000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2021, 1:29 p.m.	process_identifier: 1016 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02685000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 23, 2021, 1:29 p.m.	total_number_of_free_bytes: 13723172864 free_bytes_available: 13723172864 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmp7373.tmp.cmd

Creates a suspicious process (1 event)

cmdline

schtasks.exe /create /f /sc MINUTE /mo 1 /tn "Microsoft Edge" /tr "'C:\Users\test22\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe"'

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 23, 2021, 1:29 p.m.	thread_identifier: 1332 thread_handle: 0x00000298 process_identifier: 2256 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\tmp7373.tmp.cmd" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002a4	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (5 events)

section

{u'size_of_data': u'0x00075000', u'virtual_address': u'0x00002000', u'entropy': 7.999613244372898, u'name': u'', u'virtual_size': u'0x00076000'}

entropy

7.99961324437

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000200', u'virtual_address': u'0x00080000', u'entropy': 7.508564028587192, u'name': u'', u'virtual_size': u'0x00002000'}

entropy

7.50856402859

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0002e800', u'virtual_address': u'0x0008a000', u'entropy': 7.998535413934858, u'name': u'', u'virtual_size': u'0x00292000'}

entropy

7.99853541393

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x000eb400', u'virtual_address': u'0x0031c000', u'entropy': 7.972689284704409, u'name': u'.data', u'virtual_size': u'0x000ec000'}

entropy

7.9726892847

description

A section with a high entropy has been found

entropy

0.981846153846

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 23, 2021, 1:29 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks.exe /create /f /sc MINUTE /mo 1 /tn "Microsoft Edge" /tr "'C:\Users\test22\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe"'

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks.exe /create /f /sc MINUTE /mo 1 /tn "Microsoft Edge" /tr "'C:\Users\test22\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe"'

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (4 events)

Time & API	Arguments	Status	Return
CryptHashData Aug. 23, 2021, 1:29 p.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00bbb1c8 flags: 0	1	1
CryptHashData Aug. 23, 2021, 1:29 p.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00bbb1c8 flags: 0	1	1
CryptHashData Aug. 23, 2021, 1:29 p.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00bbb1c8 flags: 0	1	1
CryptHashData Aug. 23, 2021, 1:29 p.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00bbb1c8 flags: 0	1	1

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Graftor.737496
FireEye	Generic.mg.fd496a2b10e16382
McAfee	GenericRXHT-JV!FD496A2B10E1
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Packed:Win32/EnigmaProtector.64ab83fb
K7GW	Trojan ( 0052a8371 )
Cybereason	malicious.b10e16
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.EnigmaProtector.M suspicious
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Tasker.aqoh
BitDefender	Gen:Variant.Graftor.737496
Avast	Win32:Malware-gen
Tencent	Win32.Trojan.Tasker.Eeqz
Ad-Aware	Gen:Variant.Graftor.737496
Sophos	Mal/Generic-S
Comodo	.UnclassifiedMalware@0
DrWeb	Trojan.MulDrop18.35142
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Emsisoft	Gen:Variant.Graftor.737496 (B)
Ikarus	Win32.Outbreak
eGambit	Unsafe.AI_Score_75%
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
GData	Gen:Variant.Graftor.737496
Cynet	Malicious (score: 100)
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34088.Mz0@aO4V6kbi
MAX	malware (ai score=100)
VBA32	Trojan.Tiggre
Zoner	Probably Heur.ExeHeaderH
TrendMicro-HouseCall	TROJ_GEN.R002C0PHM21
SentinelOne	Static AI - Malicious PE
Fortinet	Riskware/Tasker
Webroot	W32.Trojan.Gen
AVG	Win32:Malware-gen
CrowdStrike	win/malicious_confidence_90% (W)

faveSQTg6lvyAQO.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All