random.exe| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6403_us | May 3, 2025, 4:37 p.m. | May 3, 2025, 4:42 p.m. |
-
-
-
-
chcp.com chcp 65001
2364 -
reg.exe reg query "HKU\S-1-5-19"
2408 -
reg.exe reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
2452 -
-
-
-
chcp.com chcp 65001
2796 -
reg.exe reg query "HKU\S-1-5-19"
2840 -
reg.exe reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
2884 -
mode.com Mode 79,49
2940 -
cmd.exe C:\Windows\system32\cmd.exe /c ver
3040 -
reg.exe reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
1440 -
find.exe find /i "0x0"
2120 -
-
tasklist.exe tasklist
2288
-
-
reg.exe reg query "HKLM\System\CurrentControlSet\Services\WinDefend"
2584 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc"
2812 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc"
2800 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\Sense"
2900 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\wscsvc"
3012 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\SgrmBroker"
1960 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\SecurityHealthService"
1156 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc"
2316 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc"
2172 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdNisDrv"
1800 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdBoot"
2708 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdFilter"
2880 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\SgrmAgent"
2968 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecWfp"
2100 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecFlt"
1820 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecCore"
2356 -
reg.exe reg query HKLM\System\CurrentControlset\Services\WdFilter
1044 -
find.exe find /i "Windows 7"
3020 -
reg.exe reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
2628
-
-
-
-
-
-
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 94.26.90.80:80 -> 192.168.56.103:49174 | 2400012 | ET DROP Spamhaus DROP Listed Traffic Inbound group 13 | Misc Attack |
| TCP 185.156.72.96:80 -> 192.168.56.103:49169 | 2400031 | ET DROP Spamhaus DROP Listed Traffic Inbound group 32 | Misc Attack |
Suricata TLS
No Suricata TLS
| section |
| file | C:\Users\test22\AppData\Local\Temp\Work\cecho.exe |
| file | C:\Users\test22\AppData\Local\Temp\Work\NSudoLG.exe |
| file | C:\Users\test22\AppData\Local\Temp\34.bat |
| file | C:\Users\test22\AppData\Local\Temp\Work\nircmd.exe |
| file | C:\Users\test22\AppData\Local\Temp\Work\7z.exe |
| cmdline | "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\34.bat" any_word |
| cmdline | C:\Windows\system32\cmd.exe /c tasklist |
| cmdline | C:\Windows\system32\cmd.exe /c ver |
| file | C:\Users\test22\AppData\Local\Temp\34.bat |
| file | C:\Users\test22\AppData\Local\Temp\Work\NSudoLG.exe |
| file | C:\Users\test22\AppData\Local\Temp\Work\cecho.exe |
| file | C:\Users\test22\AppData\Local\Temp\Work\7z.exe |
| wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process |
| section | {u'size_of_data': u'0x0001be00', u'virtual_address': u'0x00001000', u'entropy': 7.996554242812834, u'name': u'', u'virtual_size': u'0x00032000'} | entropy | 7.99655424281 | description | A section with a high entropy has been found | |||||||||
| section | {u'size_of_data': u'0x00004800', u'virtual_address': u'0x00033000', u'entropy': 7.974167696749694, u'name': u'', u'virtual_size': u'0x0000b000'} | entropy | 7.97416769675 | description | A section with a high entropy has been found | |||||||||
| section | {u'size_of_data': u'0x00000800', u'virtual_address': u'0x0003e000', u'entropy': 7.4680364170402065, u'name': u'', u'virtual_size': u'0x00025000'} | entropy | 7.46803641704 | description | A section with a high entropy has been found | |||||||||
| section | {u'size_of_data': u'0x00001000', u'virtual_address': u'0x00064000', u'entropy': 7.774619272341197, u'name': u'', u'virtual_size': u'0x00005000'} | entropy | 7.77461927234 | description | A section with a high entropy has been found | |||||||||
| section | {u'size_of_data': u'0x00098200', u'virtual_address': u'0x0036b000', u'entropy': 7.937392566013668, u'name': u'.data', u'virtual_size': u'0x00099000'} | entropy | 7.93739256601 | description | A section with a high entropy has been found | |||||||||
| entropy | 0.989361702128 | description | Overall entropy of this PE file is high | |||||||||||
| description | Create a windows service | rule | Create_Service | ||||||
| description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
| description | Communication using DGA | rule | Network_DGA | ||||||
| description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
| description | Take ScreenShot | rule | ScreenShot | ||||||
| description | Escalate priviledges | rule | Escalate_priviledges | ||||||
| description | Steal credential | rule | local_credential_Steal | ||||||
| description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
| description | Record Audio | rule | Sniff_Audio | ||||||
| description | Communications over HTTP | rule | Network_HTTP | ||||||
| description | Communications use DNS | rule | Network_DNS | ||||||
| description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
| description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
| description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
| description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
| description | (no description) | rule | DebuggerHiding__Thread | ||||||
| description | (no description) | rule | DebuggerHiding__Active | ||||||
| description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
| description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
| description | (no description) | rule | ThreadControl__Context | ||||||
| description | (no description) | rule | SEH__vectored | ||||||
| description | (no description) | rule | Check_Dlls | ||||||
| description | Checks if being debugged | rule | anti_dbg | ||||||
| description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
| description | Bypass DEP | rule | disable_dep | ||||||
| description | Affect hook table | rule | win_hook | ||||||
| description | File Downloader | rule | Network_Downloader | ||||||
| description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
| description | Communications over FTP | rule | Network_FTP | ||||||
| description | Run a KeyLogger | rule | KeyLogger | ||||||
| description | Communications over P2P network | rule | Network_P2P_Win | ||||||
| description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
| description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
| description | (no description) | rule | DebuggerHiding__Thread | ||||||
| description | (no description) | rule | DebuggerHiding__Active | ||||||
| description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
| description | (no description) | rule | ThreadControl__Context | ||||||
| description | (no description) | rule | SEH__vectored | ||||||
| description | Checks if being debugged | rule | anti_dbg | ||||||
| description | Bypass DEP | rule | disable_dep | ||||||
| description | Create a windows service | rule | Create_Service | ||||||
| description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
| description | Communication using DGA | rule | Network_DGA | ||||||
| description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
| description | Take ScreenShot | rule | ScreenShot | ||||||
| description | Escalate priviledges | rule | Escalate_priviledges | ||||||
| description | Steal credential | rule | local_credential_Steal | ||||||
| description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
| description | Record Audio | rule | Sniff_Audio | ||||||
| description | Communications over HTTP | rule | Network_HTTP | ||||||
| cmdline | chcp 65001 |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc" |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\WinDefend" |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\Sense" |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\WdFilter" |
| cmdline | reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\MsSecFlt" |
| cmdline | reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName" |
| cmdline | NSudoLG -U:T -P:E -UseCurrentConsole C:\Users\test22\AppData\Local\Temp\34.bat |
| cmdline | C:\Users\test22\AppData\Local\Temp\34.bat |
| cmdline | C:\Windows\system32\cmd.exe /c tasklist |
| cmdline | tasklist |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc" |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\MsSecWfp" |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\SgrmBroker" |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\WdBoot" |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\MsSecCore" |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\SecurityHealthService" |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\SgrmAgent" |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\wscsvc" |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc" |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\WdNisDrv" |
| cmdline | reg query "HKU\S-1-5-19" |
| cmdline | reg query HKLM\System\CurrentControlset\Services\WdFilter |
| cmdline | reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc" |
| cmdline | reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" |
| host | 185.156.72.96 | |||
| host | 80.64.18.219 | |||
| host | 94.26.90.80 | |||
| Bkav | W32.AIDetectMalware |
| Cynet | Malicious (score: 100) |
| CAT-QuickHeal | Trojan.Ghanarava.174618820722e455 |
| Skyhigh | BehavesLike.Win32.Generic.vc |
| ALYac | Trojan.Rasftuby.Gen.14 |
| Cylance | Unsafe |
| VIPRE | Trojan.Rasftuby.Gen.14 |
| Sangfor | Suspicious.Win32.Save.ins |
| CrowdStrike | win/malicious_confidence_100% (W) |
| BitDefender | Trojan.Rasftuby.Gen.14 |
| K7GW | Trojan ( 004b8ba01 ) |
| K7AntiVirus | Trojan ( 004b8ba01 ) |
| Arcabit | Trojan.Rasftuby.Gen.14 |
| Symantec | Trojan.Gen.MBT |
| Elastic | malicious (high confidence) |
| ESET-NOD32 | a variant of Win32/Packed.Enigma.AAF |
| APEX | Malicious |
| Avast | Script:SNH-gen [Trj] |
| ClamAV | Win.Trojan.Scar-6903585-0 |
| Kaspersky | HackTool.BAT.DefenderKiller.a |
| Alibaba | HackTool:BAT/DefenderKiller.a51dfdaf |
| MicroWorld-eScan | Trojan.Rasftuby.Gen.14 |
| Emsisoft | Trojan.Rasftuby.Gen.14 (B) |
| F-Secure | Trojan.TR/Dropper.Gen |
| DrWeb | Tool.NirCmd.4 |
| TrendMicro | Trojan.Win32.AMADEY.YXFEBZ |
| McAfeeD | ti!B14707AAEBB5 |
| Trapmine | malicious.high.ml.score |
| CTX | exe.trojan.generic |
| Sophos | Generic Reputation PUA (PUA) |
| Avira | TR/Dropper.Gen |
| Antiy-AVL | Trojan[Packed]/Win32.Enigma |
| Gridinsoft | Trojan.Win32.Packed.sa |
| Microsoft | Trojan:Win32/Wacatac.B!ml |
| GData | Trojan.Rasftuby.Gen.14 |
| Varist | W32/ABApplication.JBQL-9220 |
| McAfee | Artemis!117E92EFAEB6 |
| DeepInstinct | MALICIOUS |
| VBA32 | BScope.Trojan.Bitrep |
| Malwarebytes | Generic.Malware.AI.DDS |
| Ikarus | Trojan.Win32.Scar |
| Zoner | Probably Heur.ExeHeaderL |
| TrendMicro-HouseCall | Trojan.Win32.VSX.PE04C9Z |
| Tencent | Bat.Hacktool.Defenderkiller.Zolw |
| MaxSecure | Trojan.Malware.346100561.susgen |
| Fortinet | Riskware/Application |
| AVG | Script:SNH-gen [Trj] |
| alibabacloud | HackTool:Win/Wacatac.B9nj |