ConsoleApp1.exe| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6401 | May 26, 2021, 8:54 a.m. | May 26, 2021, 9:24 a.m. |
-
-
665688680962.exe "C:\ProgramData\665688680962.exe"
1940 -
cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 200 & erase C:\Users\test22\AppData\Local\Temp\ConsoleApp1.exe & RD /S /Q C:\\ProgramData\\866957695521655\\* & exit
1684-
taskkill.exe taskkill /pid 200
2680
-
-
-
explorer.exe C:\Windows\Explorer.EXE
1848
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| ieaspk.com | 67.220.184.98 |
Suricata Alerts
Suricata TLS
No Suricata TLS
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome |
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://45.133.1.47/6.jpg | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://45.133.1.47/1.jpg | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://45.133.1.47/2.jpg | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://45.133.1.47/3.jpg | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://45.133.1.47/4.jpg | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://45.133.1.47/5.jpg | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://45.133.1.47/7.jpg | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://45.133.1.47/main.php | ||||||
| suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://45.133.1.47/ | ||||||
| suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://46.101.81.223/t.exe | ||||||
| suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://46.101.81.223/origin.exe | ||||||
| request | POST http://45.133.1.47/6.jpg |
| request | POST http://45.133.1.47/1.jpg |
| request | POST http://45.133.1.47/2.jpg |
| request | POST http://45.133.1.47/3.jpg |
| request | POST http://45.133.1.47/4.jpg |
| request | POST http://45.133.1.47/5.jpg |
| request | POST http://45.133.1.47/7.jpg |
| request | POST http://45.133.1.47/main.php |
| request | POST http://45.133.1.47/ |
| request | GET http://46.101.81.223/t.exe |
| request | GET http://46.101.81.223/origin.exe |
| request | POST http://45.133.1.47/6.jpg |
| request | POST http://45.133.1.47/1.jpg |
| request | POST http://45.133.1.47/2.jpg |
| request | POST http://45.133.1.47/3.jpg |
| request | POST http://45.133.1.47/4.jpg |
| request | POST http://45.133.1.47/5.jpg |
| request | POST http://45.133.1.47/7.jpg |
| request | POST http://45.133.1.47/main.php |
| request | POST http://45.133.1.47/ |
| file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
| file | C:\Users\test22\AppData\Local\Chromium\User Data\Local State |
| file | C:\Users\test22\AppData\Local\Nichrome\User Data\Local State |
| file | C:\ProgramData\sqlite3.dll |
| file | C:\ProgramData\freebl3.dll |
| file | C:\ProgramData\msvcp140.dll |
| file | C:\ProgramData\nss3.dll |
| file | C:\ProgramData\665688680962.exe |
| file | C:\ProgramData\vcruntime140.dll |
| file | C:\ProgramData\mozglue.dll |
| file | C:\ProgramData\softokn3.dll |
| cmdline | cmd.exe /c taskkill /pid 200 & erase C:\Users\test22\AppData\Local\Temp\ConsoleApp1.exe & RD /S /Q C:\\ProgramData\\866957695521655\\* & exit |
| cmdline | "C:\Windows\System32\cmd.exe" /c taskkill /pid 200 & erase C:\Users\test22\AppData\Local\Temp\ConsoleApp1.exe & RD /S /Q C:\\ProgramData\\866957695521655\\* & exit |
| file | C:\ProgramData\665688680962.exe |
| file | C:\Users\test22\AppData\Local\Temp\ConsoleApp1.exe |
| wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 200) |
| section | {u'size_of_data': u'0x00032600', u'virtual_address': u'0x00002000', u'entropy': 7.875698214960207, u'name': u'.text', u'virtual_size': u'0x00032464'} | entropy | 7.87569821496 | description | A section with a high entropy has been found | |||||||||
| entropy | 0.915909090909 | description | Overall entropy of this PE file is high | |||||||||||
| description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
| description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
| description | (no description) | rule | DebuggerHiding__Thread | ||||||
| description | (no description) | rule | DebuggerHiding__Active | ||||||
| description | (no description) | rule | ThreadControl__Context | ||||||
| description | (no description) | rule | SEH__vectored | ||||||
| description | Checks if being debugged | rule | anti_dbg | ||||||
| description | Bypass DEP | rule | disable_dep | ||||||
| cmdline | taskkill /pid 200 |
| cmdline | cmd.exe /c taskkill /pid 200 & erase C:\Users\test22\AppData\Local\Temp\ConsoleApp1.exe & RD /S /Q C:\\ProgramData\\866957695521655\\* & exit |
| cmdline | "C:\Windows\System32\cmd.exe" /c taskkill /pid 200 & erase C:\Users\test22\AppData\Local\Temp\ConsoleApp1.exe & RD /S /Q C:\\ProgramData\\866957695521655\\* & exit |
| host | 45.133.1.47 | |||
| host | 46.101.81.223 | |||
| registry | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString |
| file | C:\Users\test22\AppData\Roaming\Bitcoin\ |
| file | C:\Users\test22\AppData\Roaming\Electrum\wallets\ |
| file | C:\Users\test22\AppData\Roaming\Litecoin\ |
| file | C:\Users\test22\AppData\Roaming\Namecoin\ |
| file | C:\Users\test22\AppData\Roaming\Terracoin\ |
| file | C:\Users\test22\AppData\Roaming\Primecoin\ |
| file | C:\Users\test22\AppData\Roaming\Freicoin\ |
| file | C:\Users\test22\AppData\Roaming\devcoin\ |
| file | C:\Users\test22\AppData\Roaming\Franko\ |
| file | C:\Users\test22\AppData\Roaming\Megacoin\ |
| file | C:\Users\test22\AppData\Roaming\Infinitecoin\ |
| file | C:\Users\test22\AppData\Roaming\Ixcoin\ |
| file | C:\Users\test22\AppData\Roaming\Anoncoin\ |
| file | C:\Users\test22\AppData\Roaming\BBQCoin\ |
| file | C:\Users\test22\AppData\Roaming\digitalcoin\ |
| file | C:\Users\test22\AppData\Roaming\Mincoin\ |
| file | C:\Users\test22\AppData\Roaming\GoldCoin (GLD)\ |
| file | C:\Users\test22\AppData\Roaming\YACoin\ |
| file | C:\Users\test22\AppData\Roaming\Florincoin\ |
| file | C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini |
| registry | HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004 |
| registry | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 |
| registry | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
| Elastic | malicious (high confidence) |
| MicroWorld-eScan | Gen:Variant.Ursu.118857 |
| FireEye | Generic.mg.17b32d5270a778ba |
| Cylance | Unsafe |
| Sangfor | Trojan.Win32.Save.a |
| BitDefender | Gen:Variant.Ursu.118857 |
| BitDefenderTheta | Gen:NN.ZemsilCO.34690.nm0@aiHGjyl |
| Cyren | W32/MSIL_Kryptik.EIC.gen!Eldorado |
| APEX | Malicious |
| Ad-Aware | Gen:Variant.Ursu.118857 |
| Emsisoft | Gen:Variant.Ursu.118857 (B) |
| SentinelOne | Static AI - Malicious PE |
| Avira | HEUR/AGEN.1118537 |
| MAX | malware (ai score=82) |
| Microsoft | Program:Win32/Wacapew.C!ml |
| GData | Gen:Variant.Ursu.118857 |
| Cynet | Malicious (score: 100) |
| ALYac | Gen:Variant.Ursu.118857 |
| Malwarebytes | Malware.AI.2476155152 |
| Ikarus | not-a-virus:Hacktool.ICBypass |
| Cybereason | malicious.270a77 |
| Paloalto | generic.ml |