Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 11, 2021, 6:05 p.m.	May 11, 2021, 6:07 p.m.

Size	8.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`daf77956a7cbbdb2a322a8bb64e6f2b7`
SHA256	`d7fbde044475e2a1aa5c1b849840214c32de6447f57a553487936816697c578b`
CRC32	`3952FAF8`
ssdeep	`196608:QEoSlCPkBvXkiyTytcU++FiuGKBUASWW8/eyx4OB5z7cvaDmFtC:QEzl2kBff7cd+FCqTEyiOEvHI`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	OS_Processor_Check_Zero - OS Processor Check PE_Header_Zero - PE File Signature IsPE32 - (no description)

12_CNB_Programas_de_Becas-70212-em.txt "C:\Users\test22\AppData\Local\Temp\12_CNB_Programas_de_Becas-70212-em.txt"
4208
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\test22\AppData\Roaming\12_CNB_Programas_de_Becas.pdf
  3172
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2cb6e00,0x7fef2cb6e10,0x7fef2cb6e20
    6116
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Roaming\win.vbe"
  4372
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Roaming\cfx.bat" "
    4792
    - reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Windows /t REG_SZ /d "C:\Users\test22\AppData\Roaming\System.exe" ///
      8168
    - reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Windows /t REG_SZ /d "C:\Users\test22\AppData\Roaming\System.exe"
      4884

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (23 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:59 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:59 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:59 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0
IsDebuggerPresent May 11, 2021, 5:58 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 11, 2021, 6:05 p.m.	buffer: ERROR: Invalid syntax. Type "REG ADD /?" for usage. console_handle: 0x0000000b	1	1	0
WriteConsoleW May 11, 2021, 6:05 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 11, 2021, 5:59 p.m.	stacktrace: 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x32322e322e registers.r14: 305261784 registers.r15: 305752560 registers.rcx: 1392 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 305261040 registers.rsp: 305260744 registers.r11: 305264656 registers.r8: 1999536524 registers.r9: 0 registers.rdx: 660 registers.r12: 305261400 registers.rbp: 305260896 registers.rdi: 12080496 registers.rax: 11010048 registers.r13: 305704048	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 11, 2021, 5:59 p.m.

stacktrace:

0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x32322e322e
registers.r14: 305261784
registers.r15: 305752560
registers.rcx: 1392
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 305261040
registers.rsp: 305260744
registers.r11: 305264656
registers.r8: 1999536524
registers.r9: 0
registers.rdx: 660
registers.r12: 305261400
registers.rbp: 305260896
registers.rdi: 12080496
registers.rax: 11010048
registers.r13: 305704048

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 11, 2021, 6:05 p.m.	process_identifier: 4208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 11, 2021, 5:58 p.m.	process_identifier: 3172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 11, 2021, 6:05 p.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 11, 2021, 5:58 p.m.	process_identifier: 6116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 3172 crashed
__exception__ May 11, 2021, 5:59 p.m.	stacktrace: 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e 0x32322e322e exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x32322e322e registers.r14: 305261784 registers.r15: 305752560 registers.rcx: 1392 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 305261040 registers.rsp: 305260744 registers.r11: 305264656 registers.r8: 1999536524 registers.r9: 0 registers.rdx: 660 registers.r12: 305261400 registers.rbp: 305260896 registers.rdi: 12080496 registers.rax: 11010048 registers.r13: 305704048	1	0	0

Application Crash

Process chrome.exe with pid 3172 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

May 11, 2021, 5:59 p.m.

stacktrace:

0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e
0x32322e322e

Steals private information from local Internet browsers (22 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\aedd0046-ffc5-4770-b7fe-38b467588e14.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-609AC2C1-C64.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\12_CNB_Programas_de_Becas.pdf

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\cfx.bat
file	C:\Users\test22\AppData\Roaming\win.vbe
file	C:\Users\test22\AppData\Roaming\System.exe

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Roaming\12_CNB_Programas_de_Becas.pdf
file	C:\Users\test22\AppData\Roaming\win.vbe
file	C:\Users\test22\AppData\Roaming\cfx.bat

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 11, 2021, 6:05 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\cfx.bat parameters: filepath: C:\Users\test22\AppData\Roaming\cfx.bat	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess May 11, 2021, 5:59 p.m.	status_code: 0xc0000005 process_identifier: 3172 process_handle: 0x00000000000000bc		0	0
NtTerminateProcess May 11, 2021, 5:59 p.m.	status_code: 0xc0000005 process_identifier: 3172 process_handle: 0x00000000000000bc	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Windows /t REG_SZ /d "C:\Users\test22\AppData\Roaming\System.exe" ///
cmdline	REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Windows /t REG_SZ /d "C:\Users\test22\AppData\Roaming\System.exe"

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows

reg_value

C:\Users\test22\AppData\Roaming\System.exe

One or more non-whitelisted processes were created (4 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,2244711460136607760,4775864505368540397,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=552 /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2cb6e00,0x7fef2cb6e10,0x7fef2cb6e20
parent_process	wscript.exe	martian_process	"C:\Users\test22\AppData\Roaming\cfx.bat"
parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Roaming\cfx.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (28 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4208 resumed a thread in remote process 3172
Process injection	Process 4208 resumed a thread in remote process 4372
Process injection	Process 6116 resumed a thread in remote process 3172
NtResumeThread May 11, 2021, 6:05 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 6:05 p.m.	thread_handle: 0x00000310 suspend_count: 1 process_identifier: 4372	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0
NtResumeThread May 11, 2021, 5:59 p.m.	thread_handle: 0x000000000000014c suspend_count: 2 process_identifier: 3172	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Bkav	W32.AIDetect.malware1
MicroWorld-eScan	Gen:Variant.Graftor.713003
McAfee	Artemis!DAF77956A7CB
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_80% (W)
Arcabit	Trojan.Graftor.DAE12B
Symantec	Ransom.Wannacry
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Graftor.713003
Paloalto	generic.ml
Ad-Aware	Gen:Variant.Graftor.713003
DrWeb	Trojan.BtcMine.308
McAfee-GW-Edition	BehavesLike.Win32.Generic.rc
FireEye	Generic.mg.daf77956a7cbbdb2
Emsisoft	Gen:Variant.Graftor.713003 (B)
Ikarus	Win32.Outbreak
Avira	TR/CoinMiner.rqgqb
MAX	malware (ai score=80)
Antiy-AVL	Trojan/Generic.ASMalwS.3113434
Gridinsoft	Trojan.Win32.Injector.ad!i
Microsoft	Trojan:Win32/Wacatac.B!ml
ViRobot	Trojan.Win32.Z.Graftor.8742467
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Graftor.713003
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Kryptik.R353672
ALYac	Gen:Variant.Graftor.713003
TrendMicro-HouseCall	TROJ_GEN.R002H0CEA21
Fortinet	W32/PossibleThreat
Cybereason	malicious.6a7cbb
Panda	Trj/Genetic.gen

12_CNB_Programas_de_Becas-70212-em.txt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All