File name: | C:\Users\admin\AppData\Local\Temp\askpwtwz.5rj\bumperWW.exe |
Full analysis: | https://app.any.run/tasks/e218a889-1ce7-46c9-860e-74b3d39693af |
Verdict: | Malicious activity |
Threats: | WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. |
Analysis date: | January 14, 2022, 23:04:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 7A132B76835C9958E249E98BDAD510DB |
SHA1: | 2397BA104B77A90B55A29D2BE838914C9D1740A6 |
SHA256: | C7F2DB83E5023E93538A91B009F459E8FD9468B1AC2C2ED6D9F187C487AC8597 |
SSDEEP: | 6144:CBuJe81HMMQT0/u0agpEv1pE0EAPMrGWsWDWidF0HQszCZ2Ftppb9Y81+k7pq7FR:CAemHz/u0a9S2z+5 |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2021:10:11 09:12:28+02:00 |
PEType: | PE32 |
LinkerVersion: | 14.25 |
CodeSize: | 89088 |
InitializedDataSize: | 325632 |
UninitializedDataSize: | - |
EntryPoint: | 0x9770 |
OSVersion: | 6 |
ImageVersion: | - |
SubsystemVersion: | 6 |
Subsystem: | Windows GUI |
FileVersionNumber: | 25.15.2.5 |
ProductVersionNumber: | 25.15.2.5 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Unknown (0x50000) |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Unknown (0006) |
CharacterSet: | Unicode |
CompanyName: | EXEASY |
FileDescription: | EXEASY |
FileVersion: | 25.15.2.5 |
InternalName: | EXEASY.exe |
LegalCopyright: | Copyright (C) 2021 EXEASY |
OriginalFileName: | EXEASY.exe |
ProductName: | EXEASY |
ProductVersion: | 25.15.2.5 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 11-Oct-2021 07:12:28 |
Detected languages: |
|
CompanyName: | EXEASY |
FileDescription: | EXEASY |
FileVersion: | 25.15.2.5 |
InternalName: | EXEASY.exe |
LegalCopyright: | Copyright (C) 2021 EXEASY |
OriginalFilename: | EXEASY.exe |
ProductName: | EXEASY |
ProductVersion: | 25.15.2.5 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000110 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 11-Oct-2021 07:12:28 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00015B52 | 0x00015C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.67754 |
.rdata | 0x00017000 | 0x00006A82 | 0x00006C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.77858 |
.data | 0x0001E000 | 0x00001700 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.43746 |
.rsrc | 0x00020000 | 0x00045D88 | 0x00045E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.80308 |
.reloc | 0x00066000 | 0x00001470 | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.39011 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.89623 | 392 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 0.63378 | 67624 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 0.777818 | 16936 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 0.911008 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 0.983719 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 1.13797 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
101 | 2.79908 | 90 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
124 | 6.22948 | 180224 | UNKNOWN | UNKNOWN | DLL |
KERNEL32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1056 | "C:\Users\admin\AppData\Local\Temp\bumperWW.exe" | C:\Users\admin\AppData\Local\Temp\bumperWW.exe | — | Explorer.EXE | |||||||||||
User: admin Company: EXEASY Integrity Level: MEDIUM Description: EXEASY Exit code: 3221226540 Version: 25.15.2.5 Modules
| |||||||||||||||
2064 | "C:\Users\admin\AppData\Local\Temp\bumperWW.exe" | C:\Users\admin\AppData\Local\Temp\bumperWW.exe | Explorer.EXE | ||||||||||||
User: admin Company: EXEASY Integrity Level: HIGH Description: EXEASY Exit code: 0 Version: 25.15.2.5 Modules
| |||||||||||||||
4084 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2768 | "C:\Windows\system32\useraccountcontrolsettings.exe" | C:\Windows\system32\useraccountcontrolsettings.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: UserAccountControlSettings Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2788 | C:\Windows\system32\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2280 | C:\Windows\system32\DllHost.exe /Processid:{06C792F8-6212-4F39-BF70-E8C0AC965C23} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3444 | "C:\Users\admin\Pictures\Adobe Films\dfBUd0ZXWhP94QhuOO7HN8Dd.exe" | C:\Users\admin\Pictures\Adobe Films\dfBUd0ZXWhP94QhuOO7HN8Dd.exe | bumperWW.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
3148 | "C:\Users\admin\Pictures\Adobe Films\9gqhoLvblcW2BC9hjHC4tkno.exe" | C:\Users\admin\Pictures\Adobe Films\9gqhoLvblcW2BC9hjHC4tkno.exe | — | bumperWW.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
2880 | "C:\Users\admin\Pictures\Adobe Films\xzN5GaKjoNlrwtkK68rT1IuA.exe" | C:\Users\admin\Pictures\Adobe Films\xzN5GaKjoNlrwtkK68rT1IuA.exe | bumperWW.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 82.307.487.6152 Modules
| |||||||||||||||
3256 | "C:\Users\admin\Pictures\Adobe Films\C_IfcOV7u4j9fJtBk9dMyFqp.exe" | C:\Users\admin\Pictures\Adobe Films\C_IfcOV7u4j9fJtBk9dMyFqp.exe | bumperWW.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
|
(PID) Process: | (740) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count |
Operation: | write | Name: | {Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\gnfxzte.rkr |
Value: 00000000000000001A00000006690700000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000 | |||
(PID) Process: | (740) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count |
Operation: | write | Name: | HRZR_PGYFRFFVBA |
Value: 00000000470100007B020000FF5A17013F0000004A0000008E0F0D004D006900630072006F0073006F00660074002E0049006E007400650072006E00650074004500780070006C006F007200650072002E00440065006600610075006C007400000028003E004000A4E75102B8E651020000000000000000000000000000080274E45102000008026CE25102000000000000D26CFFFFFFFF705911750000000000000000A4E251027C900D75000400000000000008E35102FFFFFFFF38EA7000FFFFFFFF080A7400D80E740030EA7000D4E25102F7AF3D7680D0707614F05102081D3E76E4613E766820700008E351020000000071000000BBF2CB00E8E25102A1693E766820700008E351020000000014E551023F613E766820700008E3510200000400000000800400000026E4510298E351025DA5147726E45102D26E147779A51477D6794D7526E4510210E65102000100006400610072E3510226E451026F0061006D0069006E0067005C006D006900630072006F0073006F0066007400CCE351023400000080E35102DE70310033003300350033003800310030003000F8E551025A000000A0E351021DA71477D6610E02D4E351025A00000010E651025C00000011000000104F7000084F7000F8E55102C4E3510220E40000D7F3CB00D0E351025E903E7620E45102D4E3510203943E760000000064561802FCE35102A9933E7664561802A8E45102D8511802BD933E7600000000D8511802A8E4510204E45102000000007200000032AC5D004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E0043006F006E00740072006F006C00500061006E0065006C00000045003700430036004500410037004400320037007D005C0063006D0064002E0065007800650000000000D45D38760000000005000000D80B3902000000000000000000000000000000000000000000000000CB0501AD000000000000000000000000000000000000000000000000000000000000000030E69D01A8323876B8E59D01C0E59D0154E59D0100000000000000000000000000000000480B39020000000005000000D80B390200000000340C390268E59D01B0E59D010000000000000000E8B93902050000002000000000000000000000000400400000001A0098E59D0100000000000000000000000000000000040000009EE69D0110E69D015DA5B3779EE69D01D26EB37779A5B377114526769EE69D0188E89D0104000000C6E69D0138E69D015DA5B377C6E69D01D26EB37779A5B37739452676C6E69D01B0E89D0100010000E8FE1C0012E69D01C6E69D0168E69D015DA5310033003300350033003800310011000000104F1D00084F1D001AE79D018CE69D015DA5B37774E60000B777588D24E69D015E90D47674E69D0128E69D010394D47600000000D422E60250E69D01A993D476D422E602FCE69D01481EE602BD93D47600000000481EE602FCE69D0158E69D01000000007200000032AC5D004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E0043006F006E00740072006F006C00500061006E0065006C00000045003700430036004500410037004400320037007D005C0063006D0064002E0065007800650000000000D45D38760000000005000000D80B3902000000000000000000000000000000000000000000000000CB0501AD000000000000000000000000000000000000000000000000000000000000000030E69D01A8323876B8E59D01C0E59D0154E59D0100000000000000000000000000000000480B39020000000005000000D80B390200000000340C390268E59D01B0E59D010000000000000000E8B93902050000002000000000000000000000000400400000001A0098E59D0100000000000000000000000000000000040000009EE69D0110E69D015DA5B3779EE69D01D26EB37779A5B377114526769EE69D0188E89D0104000000C6E69D0138E69D015DA5B377C6E69D01D26EB37779A5B37739452676C6E69D01B0E89D0100010000E8FE1C0012E69D01C6E69D0168E69D015DA5310033003300350033003800310011000000104F1D00084F1D001AE79D018CE69D015DA5B37774E60000B777588D24E69D015E90D47674E69D0128E69D010394D47600000000D422E60250E69D01A993D476D422E602FCE69D01481EE602BD93D47600000000481EE602FCE69D0158E69D01 | |||
(PID) Process: | (2064) bumperWW.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2064) bumperWW.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (2064) bumperWW.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (2064) bumperWW.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2064) bumperWW.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2064) bumperWW.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2064) bumperWW.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (2064) bumperWW.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
4084 | taskmgr.exe | C:\Users\admin\AppData\Local\Temp\ctfmon.DMP | — | |
MD5:— | SHA256:— | |||
860 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt | |
MD5:FF57687CCEAF4CA1BE9D9262E9475E6A | SHA256:278CFFCB787B9268E2ABC3EF99897BD1498F828E38EBC0935310488A49D98A70 | |||
2064 | bumperWW.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\NiceProcessX32[1].bmp | executable | |
MD5:A89561ABD740E80AA85B8E86EFE9A210 | SHA256:E83F58825C02DB8659491FE6E3DECEC9ADA7040BAF22DE5957FA17477466CA46 | |||
2064 | bumperWW.exe | C:\Users\admin\Pictures\Adobe Films\eYIsiKXssqserPSU9_RtjYaq.exe | html | |
MD5:C8DDCE4DE7D2FD26927E6DB3D554AFD0 | SHA256:4A47941324BC9F45254B507AA228D2652064B7277C7FCB0674D1E5FE7DC68467 | |||
2064 | bumperWW.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\PL_Client[1].bmp | binary | |
MD5:57F492DB3101CA040176C4CEACCC8C5E | SHA256:9BFB00DFDF0BB2AD99D138F721260F2B3FB1BD7CDDEC20EC92291CF57EA63C4B | |||
2064 | bumperWW.exe | C:\Users\admin\Documents\T9aZunTSaNJLBVfIkgF5mtQo.dll | binary | |
MD5:57F492DB3101CA040176C4CEACCC8C5E | SHA256:9BFB00DFDF0BB2AD99D138F721260F2B3FB1BD7CDDEC20EC92291CF57EA63C4B | |||
2064 | bumperWW.exe | C:\Users\admin\Pictures\Adobe Films\aflty72GmLQYoJodaIvlaAYx.exe | html | |
MD5:C8DDCE4DE7D2FD26927E6DB3D554AFD0 | SHA256:4A47941324BC9F45254B507AA228D2652064B7277C7FCB0674D1E5FE7DC68467 | |||
2064 | bumperWW.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | |
MD5:BEAB9DA0AA8E569DD7B0DEDBA4676D02 | SHA256:7C5EE0FF5ECD229BA442C639096CFB79D50D7FC6841A8E99693393A920A70C33 | |||
2064 | bumperWW.exe | C:\Users\admin\Pictures\Adobe Films\pZai20TzGp4lX5IjfCAkBAYW.exe | html | |
MD5:978489E2DDB94E1A8F3C4842596BED8B | SHA256:222FF59C7DCD2FFE6BBFAA15DDA759C48F5F205DF0B82BCF969FAF845C1F12E2 | |||
2064 | bumperWW.exe | C:\Users\admin\Pictures\Adobe Films\dfBUd0ZXWhP94QhuOO7HN8Dd.exe | executable | |
MD5:A89561ABD740E80AA85B8E86EFE9A210 | SHA256:E83F58825C02DB8659491FE6E3DECEC9ADA7040BAF22DE5957FA17477466CA46 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2064 | bumperWW.exe | GET | — | 45.133.1.107:80 | http://45.133.1.107/server.txt | unknown | — | — | malicious |
2064 | bumperWW.exe | HEAD | 404 | 45.144.225.57:80 | http://45.144.225.57/WW/sfx_123_310.exe | unknown | — | — | malicious |
2064 | bumperWW.exe | POST | — | 2.56.59.42:80 | http://2.56.59.42/base/api/getData.php | unknown | — | — | malicious |
2064 | bumperWW.exe | POST | 200 | 2.56.59.42:80 | http://2.56.59.42/base/api/getData.php | unknown | text | 108 b | malicious |
2064 | bumperWW.exe | GET | 200 | 45.144.225.57:80 | http://45.144.225.57/download/NiceProcessX32.bmp | unknown | executable | 259 Kb | malicious |
2064 | bumperWW.exe | HEAD | 200 | 212.193.30.29:80 | http://212.193.30.29/download/Service.bmp | RU | — | — | malicious |
2064 | bumperWW.exe | HEAD | 200 | 45.144.225.57:80 | http://45.144.225.57/EU/searchEUunlim.exe | unknown | — | — | malicious |
2064 | bumperWW.exe | HEAD | 200 | 45.144.225.57:80 | http://45.144.225.57/download/NiceProcessX32.bmp | unknown | — | — | malicious |
2064 | bumperWW.exe | HEAD | 200 | 193.56.146.76:80 | http://193.56.146.76/Proxypub.exe | unknown | — | — | malicious |
2064 | bumperWW.exe | HEAD | 404 | 212.193.30.45:80 | http://212.193.30.45/WW/file8.exe | RU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2064 | bumperWW.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2064 | bumperWW.exe | 2.56.59.42:80 | — | — | — | malicious |
2064 | bumperWW.exe | 162.159.135.233:80 | cdn.discordapp.com | Cloudflare Inc | — | shared |
2064 | bumperWW.exe | 45.133.1.107:80 | — | — | — | malicious |
2064 | bumperWW.exe | 95.140.236.128:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | GB | malicious |
2064 | bumperWW.exe | 104.23.98.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
2064 | bumperWW.exe | 162.159.135.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
2064 | bumperWW.exe | 185.215.113.208:80 | — | Ebonyhorizon Telecomunicacoes S.A. | PT | malicious |
2064 | bumperWW.exe | 193.56.146.76:80 | — | — | — | malicious |
2064 | bumperWW.exe | 34.117.59.81:443 | ipinfo.io | — | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
cdn.discordapp.com |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
ipinfo.io |
| shared |
db-ip.com |
| whitelisted |
api.db-ip.com |
| shared |
xmtbsj.com |
| suspicious |
tg8.cllgxx.com |
| malicious |
stylesheet.faseaegasdfase.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2064 | bumperWW.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2064 | bumperWW.exe | Generic Protocol Command Decode | SURICATA Applayer Mismatch protocol both directions |
2064 | bumperWW.exe | Generic Protocol Command Decode | SURICATA Applayer Mismatch protocol both directions |
2064 | bumperWW.exe | A Network Trojan was detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
2064 | bumperWW.exe | Potential Corporate Privacy Violation | ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) |
2064 | bumperWW.exe | A Network Trojan was detected | ET TROJAN Win32/Unk.HRESQ! MultiDownloader Checkin |
2064 | bumperWW.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2064 | bumperWW.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
2064 | bumperWW.exe | A Network Trojan was detected | AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious |
2064 | bumperWW.exe | A Network Trojan was detected | ET TROJAN Win32/Unk.HRESQ! MultiDownloader Checkin |
Process | Message |
---|---|
jg1_1faf.exe | http://186.2.171.17/seemorebty/poe.php?e=jg1_1faf |
jg1_1faf.exe | |
jg1_1faf.exe | |
jg1_1faf.exe | Download failed
|
jg1_1faf.exe | <<< Exit with same app>>> |