| URL: | https://infor.webex.com/webappng/sites/infor/meeting/download/64493d7d36b30bbea63e8f6f87528840 |
| Full analysis: | https://app.any.run/tasks/ba231c97-3456-4401-85bb-0f0899018f6c |
| Verdict: | Malicious activity |
| Analysis date: | March 17, 2020, 14:32:03 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MD5: | 7F2219D087C3C1EB67494CE5D0E3F91B |
| SHA1: | 97EA57A7AF2F9D8A7C19CAAD03CF60898117015D |
| SHA256: | 8A0C15EDE3F42884DCFF2337F772669D33D6FD5E2D021AD5BAB57D549C226E33 |
| SSDEEP: | 3:N8e4AkDClM3a4mTUWfEadeTVn:2e4nel3XfEieTVn |
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 348 | /meetingend 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 | C:\Users\admin\AppData\Local\WebEx\WebExAppLauncher.exe | atmgr.exe | ||||||||||||
User: admin Company: Cisco WebEx LLC Integrity Level: MEDIUM Description: WebEx Productivity Tools Application Exit code: 0 Version: 3911,0,2001,1600
| 1740 | "C:\Users\admin\appdata\local\webex\webex.exe" /r | C:\Users\admin\appdata\local\webex\webex.exe | atmgr.exe | ||||||||||||
User: admin Company: Cisco Webex LLC Integrity Level: MEDIUM Description: Cisco Webex Meeting Exit code: 1 Version: 10050,2,2020,0228
| 2440 | /meetingend PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPERhdGE+PE1lZXRpbmdSYW5kb20+MTU4NDQ1NTU4PC9NZWV0aW5nUmFuZG9tPjxBdXRvUG9wPjE8L0F1dG9Qb3A+PEF1dG9Qb3BGb3JHdWVzdD4xPC9BdXRvUG9wRm9yR3Vlc3Q+PFRva2VuPjxDcmVkZW50aWFsPjwvQ3JlZGVudGlhbD48VHlwZT48L1R5cGU+PEV4cGlyZXNBdD48L0V4cGlyZXNBdD48b25lVGltZVRva2VuPjwvb25lVGltZVRva2VuPjwvVG9rZW4+PFByb2ZpbGU+PFVzZXJSb2xlPjwvVXNlclJvbGU+PERpc3BsYXlOYW1lPjwvRGlzcGxheU5hbWU+PFVzZXJJRD48L1VzZXJJRD48RW1haWw+PC9FbWFpbD48TGFuZ3VhZ2U+MTwvTGFuZ3VhZ2U+PC9Qcm9maWxlPjxTaXRlPjxGdWxsVVJMPmh0dHBzOi8vaW5mb3Iud2ViZXguY29tPC9GdWxsVVJMPjxDZG5VUkw+YWthbWFpY2RuLndlYmV4LmNvbTwvQ2RuVVJMPjxQYWdlVkVSPlQzM0w8L1BhZ2VWRVI+PENsaWVudFZFUj5UMzNMPC9DbGllbnRWRVI+PExvY2tWRVI+PC9Mb2NrVkVSPjwvU2l0ZT48VGVsZU1ldHJ5SW5mbz48TWV0cmljc0VuYWJsZT4xPC9NZXRyaWNzRW5hYmxlPjxNZXRyaWNzVVJMPmh0dHBzOi8vdHNhLndlYmV4LmNvbS9tZXRyaWMvdjE/YXBwaWQ9RTlDRDdGNDYtN0QyMi00M0Y3LUFCNjItOUU4MEU3RUE4MTA3PC9NZXRyaWNzVVJMPjxNZXRyaWNzUGFyYW1ldGVycz48TWV0cmljc1RpY2tldD48L01ldHJpY3NUaWNrZXQ+PENvbmZJRD48L0NvbmZJRD48U2l0ZUlEPjM2MDgwMzI8L1NpdGVJRD48VGltZVN0YW1wPjwvVGltZVN0YW1wPjxBUFBOYW1lPlNlc3Npb25LZXk8L0FQUE5hbWU+PC9NZXRyaWNzUGFyYW1ldGVycz48L1RlbGVNZXRyeUluZm8+PC9EYXRhPg== | C:\Users\admin\AppData\Local\WebEx\WebExAppLauncher.exe | atmgr.exe | ||||||||||||
User: admin Company: Cisco WebEx LLC Integrity Level: MEDIUM Description: WebEx Productivity Tools Application Exit code: 0 Version: 3911,0,2001,1600
| 2568 | "C:\Users\admin\appdata\local\webex\WEBEXA~1.EXE" /r | C:\Users\admin\appdata\local\webex\WEBEXA~1.EXE | atmgr.exe | ||||||||||||
User: admin Company: Cisco WebEx LLC Integrity Level: MEDIUM Description: WebEx Productivity Tools Application Exit code: 0 Version: 3911,0,2001,1600
| 2596 | /meetingend 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 | C:\Users\admin\AppData\Local\WebEx\WebExAppLauncher.exe | atmgr.exe | ||||||||||||
User: admin Company: Cisco WebEx LLC Integrity Level: MEDIUM Description: WebEx Productivity Tools Application Exit code: 0 Version: 3911,0,2001,1600
| 3292 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\webex.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\webex.exe | iexplore.exe | ||||||||||||
User: admin Company: Cisco Webex LLC Integrity Level: MEDIUM Description: Cisco Webex Meeting Exit code: 1 Version: 10050,2,2020,0228
| 3372 | C:\Users\admin\AppData\Local\WebEx\webex.exe /delete:C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\webex.exe | C:\Users\admin\AppData\Local\WebEx\webex.exe | webex.exe | ||||||||||||
User: admin Company: Cisco Webex LLC Integrity Level: MEDIUM Description: Cisco Webex Meeting Exit code: 1 Version: 10050,2,2020,0228
| 3516 | /mcstd "C:\Users\admin\AppData\LocalLow\WebEx" | C:\Users\admin\AppData\Local\WebEx\WebEx\Meetings\atmgr.exe | webex.exe | ||||||||||||
User: admin Company: Cisco Webex LLC Integrity Level: MEDIUM Description: Cisco Webex Service Exit code: 3 Version: 4002.0000.2001.1800
| 3528 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3924 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
| 3888 | /meetingend 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 | C:\Users\admin\AppData\Local\WebEx\WebExAppLauncher.exe | atmgr.exe | ||||||||||||
User: admin Company: Cisco WebEx LLC Integrity Level: MEDIUM Description: WebEx Productivity Tools Application Exit code: 0 Version: 3911,0,2001,1600
(PID) Process | Key | Operation | Name | Value |
|---|---|---|---|---|
(3528) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content | write | CachePrefix | |
(3528) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies | write | CachePrefix | Cookie: |
(3528) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History | write | CachePrefix | Visited: |
(3924) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateLowDateTime | 3999531500 |
(3924) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateHighDateTime | 30801000 |
(3924) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | |
(3924) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
(3924) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
(3924) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0 |
(3924) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable | 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
3528 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab70A4.tmp | — | — | — |
3528 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar70A5.tmp | — | — | — |
3924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
3528 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\64493d7d36b30bbea63e8f6f87528840[1].htm | html | — | — |
3528 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2EE749B7E1A15635422518BB5EBFD338_2BE9BBF30BBE030BE7B79471EABFE00A | binary | — | — |
3528 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\wbx.799b9f40[1].css | text | — | — |
3528 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\X7GO6VZI\infor.webex[1].xml | text | — | — |
3528 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\localization_en_US[1].js | html | — | — |
3528 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\thinClientSupportAPI[1].js | text | — | — |
3528 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\meeting.14cb9f2b[1].js | text | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3528 | iexplore.exe | GET | 200 | 35.158.10.169:80 | http://ocsp.quovadisglobal.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTyhcKR1A4XhQLFZRt5u%2BT8TDsYdQQUGoRivEhMMyUE1O7Q9gPEGUbRlGsCFHUXFneD0EN%2BtVbDV5RuRWO469Os | DE | der | 1.78 Kb | whitelisted |
3528 | iexplore.exe | GET | 200 | 52.219.72.158:80 | http://crl.quovadisglobal.com/qvrca2.crl | DE | der | 1.50 Kb | shared |
3924 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3528 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
3528 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
3924 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
1052 | svchost.exe | GET | 200 | 104.18.25.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIGkp0%2Fv9GUvNUu1EP06Tu7%2BChyAQUkZ47RGw9V5xCdyo010%2FRzEqXLNoCEyAAASWxwt68EQiA3cUAAAABJbE%3D | US | der | 1.79 Kb | whitelisted |
3924 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3924 | iexplore.exe | GET | 200 | 104.18.11.39:80 | http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt | US | der | 1.30 Kb | whitelisted |
3924 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3528 | iexplore.exe | 52.219.72.158:80 | crl.quovadisglobal.com | Amazon.com, Inc. | DE | unknown |
3924 | iexplore.exe | 209.197.193.97:443 | infor.webex.com | Cisco Webex LLC | US | suspicious |
3924 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3924 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3292 | webex.exe | 209.197.193.97:443 | infor.webex.com | Cisco Webex LLC | US | suspicious |
3292 | webex.exe | 2.20.130.109:443 | akamaicdn.webex.com | Akamai Technologies, Inc. | — | unknown |
3516 | atmgr.exe | 209.197.193.97:443 | infor.webex.com | Cisco Webex LLC | US | suspicious |
3516 | atmgr.exe | 64.68.121.153:443 | ed1sjcbmm10.webex.com | Cisco Webex LLC | US | unknown |
3516 | atmgr.exe | 2.20.130.109:443 | akamaicdn.webex.com | Akamai Technologies, Inc. | — | unknown |
3924 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
|---|---|---|
infor.webex.com | | suspicious |
ocsp.quovadisglobal.com | | whitelisted |
akamaicdn.webex.com | | whitelisted |
nebulas.webex.com | | suspicious |
api.bing.com | | whitelisted |
www.bing.com | | whitelisted |
crl.quovadisglobal.com | | shared |
iecvlist.microsoft.com | | whitelisted |
r20swj13mr.microsoft.com | | whitelisted |
cacerts.digicert.com | | whitelisted |
Process | Message |
|---|---|
webex.exe | WbxMapViewOfFile szMapFileName=WBX_TRACE_MAPVIEW_MAP_NAME_PRE_3292 |
webex.exe | WbxMapViewOfFile new lpBaseAddress=33685504 |
webex.exe | WbxMapViewOfFile |
webex.exe | WbxMapViewOfFile szMapFileName=WBX_TRACE_MAPVIEW_MAP_NAME_PRE_3292 |
webex.exe | WbxMapViewOfFile AddMapFileRef=1 lpBaseAddress=33685504 |
webex.exe | WbxMapViewOfFile reuse lpBaseAddress=33685504 |
webex.exe | WbxMapViewOfFile |
webex.exe | WbxMapViewOfFile AddMapFileRef data.dwRefCount=2 |
atmgr.exe | Install_Exception_Handler, meeting id = 0, session id = ******, meeting type = 0, langid = 0 |
atmgr.exe | logserver = |