Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | June 19, 2021, 9:57 a.m. | June 19, 2021, 10:02 a.m. |
-
-
-
maaacccc..exe "C:\Users\test22\AppData\Local\Temp\maaacccc..exe"
1556 -
cmd.exe C:\Windows\system32\cmd.exe /c copy "C:\Users\test22\AppData\Local\Temp\maaacccc..exe" "C:\Users\%username%\AppData\Local\Adobe Reader.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Reader.exe"
2056-
reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\test22\AppData\Local\Adobe Reader.exe"
1048
-
-
-
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
pdb_path | E:\cplusplus\new\Adobe Acrobat\Release\Adobe Acrobat.pdb |
cmdline | C:\Windows\system32\cmd.exe /c copy "C:\Users\test22\AppData\Local\Temp\maaacccc..exe" "C:\Users\%username%\AppData\Local\Adobe Reader.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Reader.exe" |
section | {u'size_of_data': u'0x00029000', u'virtual_address': u'0x0002d000', u'entropy': 7.981490441574027, u'name': u'.data', u'virtual_size': u'0x0002a120'} | entropy | 7.98149044157 | description | A section with a high entropy has been found | |||||||||
entropy | 0.475362318841 | description | Overall entropy of this PE file is high |
description | Communications use DNS | rule | Network_DNS | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Win.Trojan.agentTesla | rule | Win_Trojan_agentTesla_Zero | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | Google Chrome User Data Check | rule | Chrome_User_Data_Check_Zero | ||||||
description | email clients info stealer | rule | infoStealer_emailClients_Zero | ||||||
description | browser info stealer | rule | infoStealer_browser_Zero | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Install itself for autorun at Windows startup | rule | Persistence | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Install itself for autorun at Windows startup | rule | Persistence |
cmdline | REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\test22\AppData\Local\Adobe Reader.exe" |
cmdline | C:\Windows\system32\cmd.exe /c copy "C:\Users\test22\AppData\Local\Temp\maaacccc..exe" "C:\Users\%username%\AppData\Local\Adobe Reader.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Reader.exe" |
host | 66.154.103.106 |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader | reg_value | C:\Users\test22\AppData\Local\Adobe Reader.exe |