Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | July 8, 2021, 8:56 a.m. | July 8, 2021, 8:58 a.m. |
Process | Command line | PID |
---|---|---|
cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /pid 1728 & erase C:\Users\test22\AppData\Local\Temp\MSBuild.exe & RD /S /Q C:\\ProgramData\\836527645154986\\* & exit | 1164 |
taskkill.exe | taskkill /pid 1728 | 256 |
explorer.exe | C:\Windows\Explorer.EXE | 1972 |
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. | | |
IP Address | Status | Action |
---|---|---|
103.153.76.164 | Active | Moloch |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome |
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://103.153.76.164/we/bles//6.jpg |
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://103.153.76.164/we/bles//1.jpg |
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://103.153.76.164/we/bles//2.jpg |
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://103.153.76.164/we/bles//3.jpg |
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://103.153.76.164/we/bles//4.jpg |
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://103.153.76.164/we/bles//5.jpg |
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://103.153.76.164/we/bles//7.jpg |
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://103.153.76.164/we/bles//main.php |
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://103.153.76.164/we/bles/ |
request | POST http://103.153.76.164/we/bles//6.jpg |
request | POST http://103.153.76.164/we/bles//1.jpg |
request | POST http://103.153.76.164/we/bles//2.jpg |
request | POST http://103.153.76.164/we/bles//3.jpg |
request | POST http://103.153.76.164/we/bles//4.jpg |
request | POST http://103.153.76.164/we/bles//5.jpg |
request | POST http://103.153.76.164/we/bles//7.jpg |
request | POST http://103.153.76.164/we/bles//main.php |
request | POST http://103.153.76.164/we/bles/ |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Chromium\User Data\Local State |
file | C:\Users\test22\AppData\Local\Nichrome\User Data\Local State |
file | C:\ProgramData\sqlite3.dll |
file | C:\ProgramData\freebl3.dll |
file | C:\ProgramData\msvcp140.dll |
file | C:\ProgramData\nss3.dll |
file | C:\ProgramData\vcruntime140.dll |
file | C:\ProgramData\mozglue.dll |
file | C:\ProgramData\softokn3.dll |
cmdline | cmd.exe /c taskkill /pid 1728 & erase C:\Users\test22\AppData\Local\Temp\MSBuild.exe & RD /S /Q C:\\ProgramData\\836527645154986\\* & exit |
cmdline | "C:\Windows\System32\cmd.exe" /c taskkill /pid 1728 & erase C:\Users\test22\AppData\Local\Temp\MSBuild.exe & RD /S /Q C:\\ProgramData\\836527645154986\\* & exit |
file | C:\Users\test22\AppData\Local\Temp\MSBuild.exe |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 1728) |