File name: | 02600004 |
Full analysis: | https://app.any.run/tasks/1a59f975-ca66-4487-bdb7-cd5654dffab4 |
Verdict: | Malicious activity |
Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
Analysis date: | August 09, 2021, 23:56:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
MD5: | 1408275C2E2C8FE5E83227BA371AC6B3 |
SHA1: | DAC3D479CE4AF6D2FFD5314191E768543ACFE32D |
SHA256: | CC185105946C202D9FD0EF18423B078CD8E064B1E2A87E93ED1B3D4F2CBDB65D |
SSDEEP: | 6144:1mkhfOCMFhvKnJP1flVS3Di3DMFOJJJJJJJJ8JJJJJJJJJJJJJJJJJJJJJJJJJJY:in+lQDiwFPZg |
.dll | | | Win32 Dynamic Link Library (generic) (43.5) |
---|---|---|
.exe | | | Win32 Executable (generic) (29.8) |
.exe | | | Generic Win/DOS Executable (13.2) |
.exe | | | DOS Executable Generic (13.2) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2014:11:21 21:03:38+01:00 |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 24576 |
InitializedDataSize: | 335872 |
UninitializedDataSize: | - |
EntryPoint: | 0x6000 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 2.0.0.0 |
ProductVersionNumber: | 2.0.0.0 |
FileFlagsMask: | 0x0000 |
FileFlags: | (none) |
FileOS: | Windows NT |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Windows, Latin1 |
CompanyName: | Stencyl, LLC |
FileDescription: | Stencyl 2.0 |
FileVersion: | 2 |
InternalName: | Stencyl |
LegalCopyright: | Copyright, Stencyl, LLC |
OriginalFileName: | Stencyl.exe |
ProductName: | Stencyl |
ProductVersion: | 2 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 21-Nov-2014 20:03:38 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | Stencyl, LLC |
FileDescription: | Stencyl 2.0 |
FileVersion: | 2.0 |
InternalName: | Stencyl |
LegalCopyright: | Copyright, Stencyl, LLC |
OriginalFilename: | Stencyl.exe |
ProductName: | Stencyl |
ProductVersion: | 2.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000C8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 21-Nov-2014 20:03:38 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00005532 | 0x00006000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 4.94189 |
.rdata | 0x00007000 | 0x00031A73 | 0x00032000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.19099 |
.data | 0x00039000 | 0x0000033C | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.61026 |
.reloc | 0x0003A000 | 0x00000407 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x0003B000 | 0x0001D27C | 0x0001E000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.19472 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.2335 | 672 | UNKNOWN | Process Default Language | RT_VERSION |
2 | 4.58513 | 67624 | UNKNOWN | Process Default Language | RT_ICON |
3 | 4.773 | 16936 | UNKNOWN | Process Default Language | RT_ICON |
4 | 4.47585 | 9640 | UNKNOWN | Process Default Language | RT_ICON |
5 | 4.61766 | 4264 | UNKNOWN | Process Default Language | RT_ICON |
6 | 4.85921 | 2440 | UNKNOWN | Process Default Language | RT_ICON |
7 | 5.02095 | 2064 | UNKNOWN | Process Default Language | RT_ICON |
8 | 5.03074 | 1128 | UNKNOWN | Process Default Language | RT_ICON |
10 | 1.79248 | 6 | UNKNOWN | Process Default Language | RT_RCDATA |
14 | 2.80735 | 7 | UNKNOWN | Process Default Language | RT_RCDATA |
KERNEL32.dll |
SHLWAPI.dll |
USER32.dll (delay-loaded) |
WINMM.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2612 | "C:\Users\admin\AppData\Local\Temp\02600004.exe" | C:\Users\admin\AppData\Local\Temp\02600004.exe | Explorer.EXE | ||||||||||||
User: admin Company: Stencyl, LLC Integrity Level: MEDIUM Description: Stencyl 2.0 Exit code: 0 Version: 2.0 Modules
| |||||||||||||||
2368 | "C:\Users\admin\AppData\Roaming\Microsoft\Ebgqylu\ebgqylu.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Ebgqylu\ebgqylu.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Stencyl, LLC Integrity Level: MEDIUM Description: Stencyl 2.0 Version: 2.0 Modules
| |||||||||||||||
2484 | cmd /c ping -n 10 localhost && del "C:\Users\admin\AppData\Local\Temp\02600004.exe" | C:\Windows\system32\cmd.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2792 | ping -n 10 localhost | C:\Windows\system32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
776 | taskeng.exe {22B6E91C-5B0B-4FB0-99A8-D59901096E38} | C:\Windows\system32\taskeng.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Engine Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
600 | "C:\Windows\system32\Dwm.exe" | C:\Windows\system32\Dwm.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Desktop Window Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2500 | \??\C:\Windows\system32\conhost.exe "92857863-1693453631032617958-101514155-237740995-521017290-2077688268-2067374097" | \??\C:\Windows\system32\conhost.exe | csrss.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2132 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Management Console Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2872 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Management Console Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1896 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2612) 02600004.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | qxnds |
Value: "C:\Users\admin\AppData\Roaming\Microsoft\Ebgqylu\ebgqylu.exe" | |||
(PID) Process: | (2368) ebgqylu.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 |
Operation: | write | Name: | 2500 |
Value: 3 | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ApplicationDestinations |
Operation: | write | Name: | MaxEntries |
Value: 15 | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc\OpenWithProgids |
Operation: | write | Name: | MSCFile |
Value: | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | @C:\Windows\system32\mmcbase.dll,-13351 |
Value: &Author | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | @%windir%\system32\miguiresource.dll,-202 |
Value: Schedule computer tasks to run automatically. | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count |
Operation: | write | Name: | Zvpebfbsg.NhgbTrarengrq.{15962175-7QSP-O1Q7-O0Q1-RO4P08SSQ754} |
Value: 000000000800000004000000D3380700000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFF0CBE7437A8DD70100000000 | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count |
Operation: | write | Name: | HRZR_PGYFRFFVBA |
Value: 000000003F0100006B020000D84611013F0000004A0000008E0F0D004D006900630072006F0073006F00660074002E0049006E007400650072006E00650074004500780070006C006F007200650072002E00440065006600610075006C007400000028003E004000A4E75102B8E651020000000000000000000000000000080274E45102000008026CE25102000000000000D26CFFFFFFFF705911750000000000000000A4E251027C900D75000400000000000008E35102FFFFFFFF38EA7000FFFFFFFF080A7400D80E740030EA7000D4E25102F7AF3D7680D0707614F05102081D3E76E4613E766820700008E351020000000071000000BBF2CB00E8E25102A1693E766820700008E351020000000014E551023F613E766820700008E3510200000400000000800400000026E4510298E351025DA5147726E45102D26E147779A51477D6794D7526E4510210E65102000100006400610072E3510226E451026F0061006D0069006E0067005C006D006900630072006F0073006F0066007400CCE351023400000080E35102DE70310033003300350033003800310030003000F8E551025A000000A0E351021DA71477D6610E02D4E351025A00000010E651025C00000011000000104F7000084F7000F8E55102C4E3510220E40000D7F3CB00D0E351025E903E7620E45102D4E3510203943E760000000064561802FCE35102A9933E7664561802A8E45102D8511802BD933E7600000000D8511802A8E4510204E45102000000007200000032AC5D004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E0043006F006E00740072006F006C00500061006E0065006C00000045003700430036004500410037004400320037007D005C0063006D0064002E0065007800650000000000D45D38760000000005000000D80B3902000000000000000000000000000000000000000000000000CB0501AD000000000000000000000000000000000000000000000000000000000000000030E69D01A8323876B8E59D01C0E59D0154E59D0100000000000000000000000000000000480B39020000000005000000D80B390200000000340C390268E59D01B0E59D010000000000000000E8B93902050000002000000000000000000000000400400000001A0098E59D0100000000000000000000000000000000040000009EE69D0110E69D015DA5B3779EE69D01D26EB37779A5B377114526769EE69D0188E89D0104000000C6E69D0138E69D015DA5B377C6E69D01D26EB37779A5B37739452676C6E69D01B0E89D0100010000E8FE1C0012E69D01C6E69D0168E69D015DA5310033003300350033003800310011000000104F1D00084F1D001AE79D018CE69D015DA5B37774E60000B777588D24E69D015E90D47674E69D0128E69D010394D47600000000D422E60250E69D01A993D476D422E602FCE69D01481EE602BD93D47600000000481EE602FCE69D0158E69D01000000007200000032AC5D004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E0043006F006E00740072006F006C00500061006E0065006C00000045003700430036004500410037004400320037007D005C0063006D0064002E0065007800650000000000D45D38760000000005000000D80B3902000000000000000000000000000000000000000000000000CB0501AD000000000000000000000000000000000000000000000000000000000000000030E69D01A8323876B8E59D01C0E59D0154E59D0100000000000000000000000000000000480B39020000000005000000D80B390200000000340C390268E59D01B0E59D010000000000000000E8B93902050000002000000000000000000000000400400000001A0098E59D0100000000000000000000000000000000040000009EE69D0110E69D015DA5B3779EE69D01D26EB37779A5B377114526769EE69D0188E89D0104000000C6E69D0138E69D015DA5B377C6E69D01D26EB37779A5B37739452676C6E69D01B0E89D0100010000E8FE1C0012E69D01C6E69D0168E69D015DA5310033003300350033003800310011000000104F1D00084F1D001AE79D018CE69D015DA5B37774E60000B777588D24E69D015E90D47674E69D0128E69D010394D47600000000D422E60250E69D01A993D476D422E602FCE69D01481EE602BD93D47600000000481EE602FCE69D0158E69D01 | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count |
Operation: | write | Name: | {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Gnfx Fpurqhyre.yax |
Value: 00000000080000000000000007000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFF0CBE7437A8DD70100000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3612 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\social[1].css | text | |
MD5:B42B9C7E731408205B611FBB532F511F | SHA256:287E4C54269937C93EF680E0DCBAE4B5E3FF630A12698ACC7D2EB527B1598B79 | |||
3612 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\instagram[1].png | image | |
MD5:95FD424420005BCBF324E0219845C132 | SHA256:97E35ACCD166FFA4D0B84862E2F8C2C36B5B8433D7A20AF382DEE3F104087E77 | |||
3612 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | |
MD5:FEAFBE7312EFEE12BBFC8098A52D9CB8 | SHA256:87AD745659F9E7F22C212C7BA8783E0B473CC9D29F03D79159F9C38B58BAB79F | |||
3612 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\de-71d089[1].css | text | |
MD5:E86ABE78D0A0FEA5962432DD802E6F6A | SHA256:2DD894A94053B2B9B607C420F68387F960822B374C47D2250078A0772F72C19C | |||
3612 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:9309A9769F57289B87C8BD232E5D7DE1 | SHA256:71361D7A2D127C68111E23C5D778454B141441AA6877ABB266FA165D94BF8D48 | |||
3612 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE | binary | |
MD5:30668C62F71A4D8EBA6A919D41133EA2 | SHA256:59DA73528DACD991A987FADCE5B0AD57709E856ED5289192337E860274555740 | |||
1328 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Ebgqylu\ebgqylu32.dll | binary | |
MD5:449D755623827588A9A2F8B898B23ECE | SHA256:991ACC5F42A097DB5A7D864F230597C9076F6AF7C02F9BBB562BFDE4A20F1232 | |||
3612 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\pl-pl[1].htm | html | |
MD5:4A73DDEE1635D354E0E786B97601B9F2 | SHA256:27E51056AA3F75BA5D917F603E16C8B4217FECE01B8D7719940EFDC19B575759 | |||
3612 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231 | der | |
MD5:13D6CE76B0307FA5C79A467CD6CF2044 | SHA256:996144ACCC8077E2CC00241EB9F40CFA7B6ED245F2BB87FF77013660F6981D35 | |||
3612 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | |
MD5:DBD4631E9AC8B000AF8DE27C1C4C7F91 | SHA256:7F06B412E32DCB8944F46C37878840AA6858F68D54562A0C026D7FB54AD47731 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1328 | iexplore.exe | POST | 200 | 23.217.138.108:80 | http://eldmsznfvaerygcqxeqnnra.org/sRUmecm9ZIYSpfTO4RoJnVNi.php | US | html | 407 b | malicious |
1328 | iexplore.exe | GET | 200 | 23.55.163.73:80 | http://crl.identrust.com/DSTROOTCAX3CRL.crl | US | der | 1.16 Kb | whitelisted |
3612 | iexplore.exe | GET | 302 | 104.79.89.142:80 | http://www.microsoft.com/ | US | — | — | whitelisted |
1328 | iexplore.exe | GET | 200 | 104.117.200.9:80 | http://x1.c.lencr.org/ | US | der | 717 b | whitelisted |
1328 | iexplore.exe | GET | 200 | 23.55.163.48:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgOJmhpORegA9EYQOcKkSXcmlg%3D%3D | US | der | 503 b | shared |
3612 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D | US | der | 471 b | whitelisted |
3612 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted |
3612 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted |
3612 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA9bw6F2y3ieICDHiTyBZ7Q%3D | US | der | 1.47 Kb | whitelisted |
1328 | iexplore.exe | GET | 301 | 213.186.33.5:80 | http://forumity.com/show-ip.php | FR | html | 162 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3612 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3612 | iexplore.exe | 13.107.246.45:443 | mem.gfx.ms | Microsoft Corporation | US | suspicious |
3612 | iexplore.exe | 13.107.213.45:443 | mem.gfx.ms | Microsoft Corporation | US | suspicious |
3612 | iexplore.exe | 67.26.137.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | malicious |
3612 | iexplore.exe | 104.79.89.142:80 | www.microsoft.com | Time Warner Cable Internet LLC | US | unknown |
3612 | iexplore.exe | 104.79.89.142:443 | www.microsoft.com | Time Warner Cable Internet LLC | US | unknown |
3612 | iexplore.exe | 23.6.112.130:443 | img-prod-cms-rt-microsoft-com.akamaized.net | Akamai International B.V. | NL | unknown |
1328 | iexplore.exe | 13.107.21.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
1328 | iexplore.exe | 172.217.18.110:80 | google.com | Google Inc. | US | whitelisted |
3612 | iexplore.exe | 40.77.226.250:443 | web.vortex.data.microsoft.com | Microsoft Corporation | IE | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
assets.onestore.ms |
| whitelisted |
web.vortex.data.microsoft.com |
| whitelisted |
mem.gfx.ms |
| whitelisted |
img-prod-cms-rt-microsoft-com.akamaized.net |
| whitelisted |
wcpstatic.microsoft.com |
| whitelisted |
microsoftwindows.112.2o7.net |
| whitelisted |
c.s-microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
Process | Message |
---|---|
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|