Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | April 13, 2021, 11:24 a.m. | April 13, 2021, 11:25 a.m. |
Process | Command line | PID |
---|---|---|
wscript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\updateW\delete.vbs" | 2388 |
WMIC.exe | wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete | 1812 |
WMIC.exe | wmic process where name='regedit.exe' delete | 1456 |
WMIC.exe | wmic process where name='taskhist.exe' delete | 2952 |
WMIC.exe | wmic process where name='taskIist.exe' delete | 2768 |
taskkill.exe | taskkill /f /im regedit.exe | 540 |
taskkill.exe | taskkill /f /im taskhist.exe | 1436 |
taskkill.exe | taskkill /f /im taskIist.exe | 2876 |
WMIC.exe | wmic process where name='regedit.exe' delete | 556 |
WMIC.exe | wmic process where name='taskhist.exe' delete | 852 |
WMIC.exe | wmic process where name='taskIist.exe' delete | 1408 |
taskkill.exe | taskkill /f /im regedit.exe | 1016 |
taskkill.exe | taskkill /f /im taskhist.exe | 2036 |
taskkill.exe | taskkill /f /im taskIist.exe | 2256 |
WMIC.exe | wmic process where name='xmrig.exe' delete | 2044 |
WMIC.exe | wmic process where name='xmrig.exe' delete | 2332 |
WMIC.exe | wmic process where name='cmd.exe' delete | 2208 |
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
164.124.101.2 | Active | Moloch |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
pdb_path | D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb |
section | .gfids |
resource name | PNG |
file | C:\Users\test22\AppData\Local\Temp\updateW\delete.vbs |
file | C:\Users\test22\AppData\Local\Temp\updateW\delete.bat |
cmdline | wmic process where name='regedit.exe' delete |
cmdline | wmic process where name='taskhist.exe' delete |
cmdline | wmic process where name='taskIist.exe' delete |
cmdline | wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete |
cmdline | wmic process where name='xmrig.exe' delete |
cmdline | wmic process where name='cmd.exe' delete |
file | C:\Users\test22\AppData\Local\Temp\updateW\delete.vbs |
file | C:\Users\test22\AppData\Local\Temp\updateW\delete.bat |
wmi | SELECT * FROM Win32_Process WHERE ExecutablePath='C:\\Windows (x86)\\explorer.exe' |
wmi | SELECT * FROM Win32_Process WHERE name='taskIist.exe' |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "taskIist.exe") |
wmi | SELECT * FROM Win32_Process WHERE name='taskhist.exe' |
wmi | SELECT * FROM Win32_Process WHERE name='cmd.exe' |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "regedit.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "taskhist.exe") |
wmi | SELECT * FROM Win32_Process WHERE name='xmrig.exe' |
wmi | SELECT * FROM Win32_Process WHERE name='regedit.exe' |
Description | Rule |
---|---|
Affect system registries | win_registry |
Affect system token | win_token |
Affect private profile | win_private_profile |
Affect private profile | win_files_operation |
(no description) | DebuggerCheck__GlobalFlags |
(no description) | DebuggerCheck__QueryInfo |
(no description) | DebuggerHiding__Thread |
(no description) | DebuggerHiding__Active |
(no description) | ThreadControl__Context |
(no description) | SEH__vectored |
Checks if being debugged | anti_dbg |
Bypass DEP | disable_dep |
cmdline | wmic process where name='regedit.exe' delete |
cmdline | wmic process where name='taskhist.exe' delete |
cmdline | wmic process where name='taskIist.exe' delete |
cmdline | taskkill /f /im regedit.exe |
cmdline | wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete |
cmdline | wmic process where name='xmrig.exe' delete |
cmdline | taskkill /f /im taskIist.exe |
cmdline | taskkill /f /im taskhist.exe |
cmdline | wmic process where name='cmd.exe' delete |
cmdline | wmic process where name='xmrig.exe' delete |
parent_process | wscript.exe | martian_process | C:\Users\test22\AppData\Local\Temp\updateW\delete.bat |
parent_process | wscript.exe | martian_process | "C:\Users\test22\AppData\Local\Temp\updateW\delete.bat" |
file | C:\Windows\SysWOW64\wscript.exe |
Engine | Detection |
---|---|
Bkav | W32.AIDetect.malware2 |
MicroWorld-eScan | Trojan.GenericKD.36678712 |
FireEye | Trojan.GenericKD.36678712 |
McAfee | RDN/Generic.dx |
VIPRE | Trojan.Win32.Generic!BT |
K7AntiVirus | Trojan ( 0057a8f71 ) |
Alibaba | Trojan:Win32/AutoitInject.cfdb3488 |
K7GW | Trojan ( 0057a8f71 ) |
Arcabit | Trojan.Generic.D22FAC38 |
Symantec | Trojan.Gen.MBT |
ESET-NOD32 | VBS/Runner.NPA |
APEX | Malicious |
Avast | Win32:Trojan-gen |
BitDefender | Trojan.GenericKD.36678712 |
AegisLab | Trojan.Win32.Generic.4!c |
Ad-Aware | Trojan.GenericKD.36678712 |
Emsisoft | Trojan.GenericKD.36678712 (B) |
Comodo | Malware@#35reii56ldzw3 |
McAfee-GW-Edition | BehavesLike.Win32.Dropper.dh |
Sophos | Mal/Generic-S |
Avira | VBS/Runner.BA |
MAX | malware (ai score=99) |
Gridinsoft | Trojan.Win32.Downloader.oa |
Microsoft | Trojan:Win32/AutoitInject.BI!MTB |
GData | Script.Trojan.Agent.3OH3EN |
Cynet | Malicious (score: 99) |
ALYac | Trojan.GenericKD.36678712 |
TrendMicro-HouseCall | TROJ_GEN.R002H01D921 |
Rising | Trojan.Ursnif!8.A22D (TOPIS:E0:IppsxHr5zYE) |
Ikarus | Trojan.VBS.Runner |
MaxSecure | Win.MxResIcn.Heur.Gen |
AVG | Win32:Trojan-gen |
Panda | Trj/CI.A |
CrowdStrike | win/malicious_confidence_60% (W) |
Qihoo-360 | Win32/Heur.Generic.HwYDegIA |