Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | July 7, 2021, 6:42 p.m. | July 7, 2021, 6:45 p.m. |
-
java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar C:\Users\test22\AppData\Local\Temp\InvoicePO-03092021.jar
1240-
-
javaw.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
1800-
java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\owchvlkxi.txt"
2572-
cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
2004-
schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
2692
-
-
java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\AppData\Roaming\owchvlkxi.txt"
2404-
cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
3020-
WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
1308
-
-
cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
1572-
WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
932
-
-
cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
2188-
WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
2200
-
-
cmd.exe cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
2252-
WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
2328
-
-
-
-
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
github-releases.githubusercontent.com | 185.199.108.154 | |
repo1.maven.org |
CNAME
sonatype.map.fastly.net
|
199.232.196.209 |
str-master.pw | ||
github.com | 15.164.81.167 | |
ip-api.com | 208.95.112.1 |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.102:49164 52.78.231.108:443 |
C=US, O=DigiCert, Inc., CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1 | C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com | 84:63:b3:a9:29:12:cc:fd:1d:31:47:05:98:9b:ec:13:99:37:d0:d7 |
TLS 1.2 192.168.56.102:49166 151.101.196.209:443 |
C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org | 74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd |
TLS 1.2 192.168.56.102:49167 151.101.196.209:443 |
C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org | 74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd |
TLS 1.2 192.168.56.102:49168 185.199.108.154:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=www.github.com | 70:94:de:dd:e6:c4:69:48:3a:92:70:a1:48:56:78:2d:18:64:e0:b7 |
TLS 1.2 192.168.56.102:49165 151.101.196.209:443 |
C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org | 74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd |
request | GET http://ip-api.com/json/ |
domain | str-master.pw | description | Palau domain TLD |
domain | ip-api.com |
file | C:\Users\test22\AppData\Local\Temp\jna--877171118\jna7019705296349932347.dll |
file | C:\Users\test22\AppData\Local\Temp\jna--877171118\jna8283762773324050760.dll |
file | C:\Users\test22\bqqnjhotkk.js |
cmdline | cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list" |
cmdline | schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt" |
cmdline | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list" |
cmdline | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list" |
cmdline | wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list |
cmdline | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list" |
cmdline | wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list |
cmdline | wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list |
cmdline | wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list |
cmdline | cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt" |
file | C:\Users\test22\AppData\Local\Temp\jna--877171118\jna8283762773324050760.dll |
Cyren | JS/Agent.AUY |
Kaspersky | HEUR:Trojan.Java.Agent.gen |
NANO-Antivirus | Trojan.Script.Heuristic-js.iacgm |
McAfee-GW-Edition | BehavesLike.Downloader.cc |
Avira | EXP/JAVA.Banload.MRAF.Gen |
Cynet | Malicious (score: 99) |
cmdline | cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list" |
cmdline | schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt" |
cmdline | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list" |
cmdline | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list" |
cmdline | wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list |
cmdline | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list" |
cmdline | wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list |
cmdline | wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list |
cmdline | wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list |
cmdline | cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt" |
wmi | SELECT VolumeSerialNumber FROM win32_logicaldisk |
host | 46.183.221.118 |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\owchvlkxi | reg_value | "C:\Users\test22\AppData\Roaming\owchvlkxi.txt" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owchvlkxi | reg_value | "C:\Users\test22\AppData\Roaming\owchvlkxi.txt" | ||||||
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\owchvlkxi.txt | ||||||||
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\owchvlkxi.txt | ||||||||
cmdline | schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt" | ||||||||
cmdline | cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\owchvlkxi.txt" |
wmi | SELECT Caption, OSArchitecture FROM win32_operatingsystem |
wmi | SELECT displayName FROM antivirusproduct |
wmi | SELECT VolumeSerialNumber FROM win32_logicaldisk |
wmi | SELECT Version FROM win32_operatingsystem |
parent_process | wscript.exe | martian_process | C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe -jar "C:\Users\test22\AppData\Roaming\owchvlkxi.txt" | ||||||
parent_process | wscript.exe | martian_process | "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\owchvlkxi.txt" |
file | C:\Windows\SysWOW64\wscript.exe |
file | C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe |
file | C:\Users\test22\AppData\Local\Temp\jna--877171118\jna8283762773324050760.dll |
file | C:\Users\test22\AppData\Local\Temp\jna--877171118\jna7019705296349932347.dll |