0n1y_53r10u5.exe

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 8, 2021, 9:57 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 8, 2021, 9:57 a.m.	buffer: SUCCESS: The scheduled task "Azure-Update-Task" has successfully been created. console_handle: 0x00000007	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section
section	.imports
section	.themida
section	.boot

One or more processes crashed (3 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 8, 2021, 9:57 a.m.	stacktrace: 0n1y_53r10u5+0x728b03 @ 0x1a08b03 0n1y_53r10u5+0x73617c @ 0x1a1617c exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3735056 registers.edi: 19865600 registers.eax: 3735056 registers.ebp: 3735136 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2000778283 registers.ecx: 4044029952	1	0	0
__exception__ Sept. 8, 2021, 9:57 a.m.	stacktrace: exception.instruction_r: ed e9 26 52 03 00 97 e3 29 d9 d6 63 01 00 8a 42 exception.symbol: 0n1y_53r10u5+0x75b127 exception.instruction: in eax, dx exception.module: 0n1y_53r10u5.exe exception.exception_code: 0xc0000096 exception.offset: 7713063 exception.address: 0x1a3b127 registers.esp: 3735176 registers.edi: 7680526 registers.eax: 1750617430 registers.ebp: 19865600 registers.edx: 7690326 registers.ebx: 19791872 registers.esi: 25562592 registers.ecx: 20	1	0	0
__exception__ Sept. 8, 2021, 9:57 a.m.	stacktrace: exception.instruction_r: ed e9 8c 9f 53 00 c3 e9 85 74 52 00 25 8b 14 00 exception.symbol: 0n1y_53r10u5+0x244a21 exception.instruction: in eax, dx exception.module: 0n1y_53r10u5.exe exception.exception_code: 0xc0000096 exception.offset: 2378273 exception.address: 0x1524a21 registers.esp: 3735176 registers.edi: 7680526 registers.eax: 1447909480 registers.ebp: 19865600 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 25562592 registers.ecx: 10	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 8, 2021, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7743f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 8, 2021, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 8, 2021, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012e3000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 8, 2021, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012e3000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 8, 2021, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012e3000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 8, 2021, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012e3000 process_handle: 0xffffffff	1	0	0

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 8, 2021, 9:57 a.m.	thread_identifier: 1444 thread_handle: 0x000000b8 process_identifier: 1304 current_directory: filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sihost.exe" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000000bc	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (5 events)

section	{u'size_of_data': u'0x000007fa', u'virtual_address': u'0x00001000', u'entropy': 7.8866421692714015, u'name': u' ', u'virtual_size': u'0x00001114'}				entropy	7.88664216927				description	A section with a high entropy has been found
section	{u'size_of_data': u'0x00000628', u'virtual_address': u'0x00003000', u'entropy': 7.832459288642404, u'name': u' ', u'virtual_size': u'0x00000c7e'}				entropy	7.83245928864				description	A section with a high entropy has been found
section	{u'size_of_data': u'0x00000243', u'virtual_address': u'0x00005000', u'entropy': 7.245576003242629, u'name': u' ', u'virtual_size': u'0x00000244'}				entropy	7.24557600324				description	A section with a high entropy has been found
section	{u'size_of_data': u'0x004ea345', u'virtual_address': u'0x007e2000', u'entropy': 7.952489186035007, u'name': u'.boot', u'virtual_size': u'0x004ea400'}				entropy	7.95248918604				description	A section with a high entropy has been found
entropy	0.991828160617				description	Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\test22\AppData\Roaming\Microsoft\Network\sihost.exe"

Checks for the presence of known windows from debuggers and forensic tools (9 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 8, 2021, 9:57 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 8, 2021, 9:57 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 8, 2021, 9:57 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Sept. 8, 2021, 9:57 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 8, 2021, 9:57 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Sept. 8, 2021, 9:57 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 8, 2021, 9:57 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 8, 2021, 9:57 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Sept. 8, 2021, 9:57 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 8, 2021, 9:57 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 8, 2021, 9:57 a.m.	stacktrace: exception.instruction_r: ed e9 8c 9f 53 00 c3 e9 85 74 52 00 25 8b 14 00 exception.symbol: 0n1y_53r10u5+0x244a21 exception.instruction: in eax, dx exception.module: 0n1y_53r10u5.exe exception.exception_code: 0xc0000096 exception.offset: 2378273 exception.address: 0x1524a21 registers.esp: 3735176 registers.edi: 7680526 registers.eax: 1447909480 registers.ebp: 19865600 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 25562592 registers.ecx: 10	1	0	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Razy.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Razy.639372
ALYac	Gen:Variant.Razy.639372
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_100% (W)
K7GW	Trojan ( 00581f971 )
K7AntiVirus	Trojan ( 00581f971 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.GVKCOWR
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Tasker.aqzs
BitDefender	Gen:Variant.Razy.639372
Avast	Win32:Trojan-gen
Ad-Aware	Gen:Variant.Razy.639372
Emsisoft	Gen:Variant.Razy.639372 (B)
Comodo	TrojWare.Win32.UMal.fxeug@0
McAfee-GW-Edition	BehavesLike.Win32.Trojan.rc
FireEye	Generic.mg.1a077c94c3eb2f09
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
GData	Gen:Variant.Razy.639372
Webroot	W32.Trojan.Gen
Gridinsoft	Trojan.Win32.Generic.oa
Arcabit	Trojan.Razy.D9C18C
ZoneAlarm	Trojan.Win32.Tasker.aqzs
Microsoft	Trojan:Script/Phonzy.C!ml
Cynet	Malicious (score: 100)
McAfee	Artemis!1A077C94C3EB
MAX	malware (ai score=84)
Malwarebytes	Trojan.Clipper
Rising	Trojan.Generic@ML.100 (RDMK:Q6kAMZAztWZ5fcvkAXm9Rg)
Ikarus	Trojan.SuspectCRC
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/PossibleThreat
BitDefenderTheta	AI:Packer.9E4C6E451F
AVG	Win32:Trojan-gen
Panda	Trj/CI.A