Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | July 9, 2021, 8:17 p.m. | July 9, 2021, 8:19 p.m. |
Process | PID | Command line |
---|---|---|
java.exe | 2440 | "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar C:\Users\test22\AppData\Local\Temp\index.jar |
javaw.exe | 2692 | "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\hifgcrvfe.txt" |
java.exe | 2836 | "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\hifgcrvfe.txt" |
cmd.exe | 2932 | cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\hifgcrvfe.txt" |
schtasks.exe | 308 | schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\hifgcrvfe.txt" |
java.exe | 2968 | "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\AppData\Roaming\hifgcrvfe.txt" |
cmd.exe | 2300 | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list" |
WMIC.exe | 2460 | wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list |
cmd.exe | 2484 | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list" |
WMIC.exe | 2716 | wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list |
cmd.exe | 2800 | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list" |
WMIC.exe | 2348 | wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list |
cmd.exe | 2776 | cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list" |
WMIC.exe | 2964 | wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list |
Name | Response | Post-Analysis Lookup |
---|---|---|
repo1.maven.org | CNAME sonatype.map.fastly.net, 199.232.196.209 | |
github-releases.githubusercontent.com | 185.199.108.154 | |
str-master.pw | | |
github.com | 15.164.81.167 | |
ip-api.com | 208.95.112.1 | |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Type | Value |
---|---|
request | GET http://ip-api.com/json/ |
domain | str-master.pw (description: Palau domain TLD) |
domain | ip-api.com |
file | C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4814416479065626540.dll |
file | C:\Users\test22\fpcksnowhu.js |
file | C:\Users\test22\AppData\Local\Temp\jna--877171118\jna9123354645941906000.dll |
cmdline | cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list" |
cmdline | cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\hifgcrvfe.txt" |
cmdline | schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\hifgcrvfe.txt" |
cmdline | wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list |
cmdline | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list" |
cmdline | wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list |
cmdline | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list" |
cmdline | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list" |
cmdline | wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list |
cmdline | wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list |
wmi | SELECT VolumeSerialNumber FROM win32_logicaldisk |
host | 192.3.22.76 |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\hifgcrvfe | reg_value | "C:\Users\test22\AppData\Roaming\hifgcrvfe.txt" |
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hifgcrvfe | reg_value | "C:\Users\test22\AppData\Roaming\hifgcrvfe.txt" |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\hifgcrvfe.txt |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hifgcrvfe.txt |
wmi | SELECT Caption, OSArchitecture FROM win32_operatingsystem |
wmi | SELECT displayName FROM antivirusproduct |
wmi | SELECT Version FROM win32_operatingsystem |
Engine | Detection |
---|---|
MicroWorld-eScan | Trojan.GenericKD.37209696 |
FireEye | Trojan.GenericKD.37209696 |
Alibaba | Trojan:JS/Banload.7511d5eb |
Cyren | JS/Agent.AUY |
Kaspersky | Trojan.JS.Agent.eiw |
BitDefender | Trojan.GenericKD.37209696 |
NANO-Antivirus | Trojan.Script.Heuristic-js.iacgm |
Ad-Aware | Trojan.GenericKD.37209696 |
McAfee-GW-Edition | BehavesLike.Downloader.cc |
Emsisoft | Trojan.GenericKD.37209696 (B) |
Avira | EXP/JAVA.Banload.MRAF.Gen |
MAX | malware (ai score=83) |
ZoneAlarm | Trojan.JS.Agent.eiw |
Cynet | Malicious (score: 99) |
McAfee | Artemis!A53C10A1311D |
file | C:\Users\test22\Documents\Outlook 파일\Outlook.pst |
parent_process | wscript.exe | martian_process | "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\hifgcrvfe.txt" |
parent_process | wscript.exe | martian_process | C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe -jar "C:\Users\test22\AppData\Roaming\hifgcrvfe.txt" |
file | C:\Windows\SysWOW64\wscript.exe |
file | C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe |