Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Sept. 2, 2024, 10:12 a.m. | Sept. 2, 2024, 10:23 a.m. |
-
66cef067bb8bb_CoinAccording.exe "C:\Users\test22\AppData\Local\Temp\66cef067bb8bb_CoinAccording.exe"
2644-
-
findstr.exe findstr /I "wrsa opssvc"
2876 -
tasklist.exe tasklist
2840 -
tasklist.exe tasklist
2988 -
findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
3024 -
cmd.exe cmd /c md 25202
1152 -
findstr.exe findstr /V "QualifyingAnswersChargesChild" Resistance
800 -
cmd.exe cmd /c copy /b ..\Mines + ..\Traveler + ..\Analyzed + ..\Go + ..\Virtue + ..\Investigation P
1356 -
Sellers.pif Sellers.pif P
2176 -
choice.exe choice /d y /t 5
2236
-
-
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
section | .ndata |
file | C:\Users\test22\AppData\Local\Temp\25202\Sellers.pif |
cmdline | "C:\Windows\System32\cmd.exe" /k move Wines Wines.bat & Wines.bat & exit |
file | C:\Users\test22\AppData\Local\Temp\25202\Sellers.pif |
file | C:\Users\test22\AppData\Local\Temp\25202\Sellers.pif |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process |
url | http://www.microsoft.com/schemas/ie8tldlistdescription/1.0 |
url | http://purl.org/rss/1.0/ |
url | http://www.passport.com |
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Hijack network configuration | rule | Hijack_Network | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Install itself for autorun at Windows startup | rule | Persistence | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win |
cmdline | tasklist |
cmdline | "C:\Windows\System32\cmd.exe" /k move Wines Wines.bat & Wines.bat & exit |
cmdline | cmd /k move Wines Wines.bat & Wines.bat & exit |
host | 45.33.6.223 |
Elastic | malicious (high confidence) |
Cylance | Unsafe |
Symantec | Trojan.Gen.MBT |
ESET-NOD32 | NSIS/Runner.AW |
Avast | FileRepMalware [Misc] |
Kaspersky | HEUR:Backdoor.Win32.Agent.gen |
Alibaba | Backdoor:Win32/Runner.4ab5dc56 |
Sophos | Mal/Generic-S |
Kingsoft | Win32.Hack.Agent.gen |
Gridinsoft | Trojan.Win32.Agent.oa!s1 |
Microsoft | Trojan:Win32/Wacatac.B!ml |
ZoneAlarm | HEUR:Backdoor.Win32.Agent.gen |
TrendMicro-HouseCall | Trojan.Win32.PRIVATELOADER.YXEH4Z |
huorong | Trojan/Runner.ba |
AVG | FileRepMalware [Misc] |
Paloalto | generic.ml |
CrowdStrike | win/malicious_confidence_60% (W) |