File name: | 02600004 |
Full analysis: | https://app.any.run/tasks/1a59f975-ca66-4487-bdb7-cd5654dffab4 |
Verdict: | Malicious activity |
Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. |
Analysis date: | August 09, 2021, 23:56:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
MD5: | 1408275C2E2C8FE5E83227BA371AC6B3 |
SHA1: | DAC3D479CE4AF6D2FFD5314191E768543ACFE32D |
SHA256: | CC185105946C202D9FD0EF18423B078CD8E064B1E2A87E93ED1B3D4F2CBDB65D |
SSDEEP: | 6144:1mkhfOCMFhvKnJP1flVS3Di3DMFOJJJJJJJJ8JJJJJJJJJJJJJJJJJJJJJJJJJJY:in+lQDiwFPZg |
.dll | | | Win32 Dynamic Link Library (generic) (43.5) |
---|---|---|
.exe | | | Win32 Executable (generic) (29.8) |
.exe | | | Generic Win/DOS Executable (13.2) |
.exe | | | DOS Executable Generic (13.2) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2014:11:21 21:03:38+01:00 |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 24576 |
InitializedDataSize: | 335872 |
UninitializedDataSize: | - |
EntryPoint: | 0x6000 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 2.0.0.0 |
ProductVersionNumber: | 2.0.0.0 |
FileFlagsMask: | 0x0000 |
FileFlags: | (none) |
FileOS: | Windows NT |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Windows, Latin1 |
CompanyName: | Stencyl, LLC |
FileDescription: | Stencyl 2.0 |
FileVersion: | 2 |
InternalName: | Stencyl |
LegalCopyright: | Copyright, Stencyl, LLC |
OriginalFileName: | Stencyl.exe |
ProductName: | Stencyl |
ProductVersion: | 2 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 21-Nov-2014 20:03:38 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | Stencyl, LLC |
FileDescription: | Stencyl 2.0 |
FileVersion: | 2.0 |
InternalName: | Stencyl |
LegalCopyright: | Copyright, Stencyl, LLC |
OriginalFilename: | Stencyl.exe |
ProductName: | Stencyl |
ProductVersion: | 2.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000C8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 21-Nov-2014 20:03:38 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00005532 | 0x00006000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 4.94189 |
.rdata | 0x00007000 | 0x00031A73 | 0x00032000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.19099 |
.data | 0x00039000 | 0x0000033C | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.61026 |
.reloc | 0x0003A000 | 0x00000407 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x0003B000 | 0x0001D27C | 0x0001E000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.19472 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.2335 | 672 | UNKNOWN | Process Default Language | RT_VERSION |
2 | 4.58513 | 67624 | UNKNOWN | Process Default Language | RT_ICON |
3 | 4.773 | 16936 | UNKNOWN | Process Default Language | RT_ICON |
4 | 4.47585 | 9640 | UNKNOWN | Process Default Language | RT_ICON |
5 | 4.61766 | 4264 | UNKNOWN | Process Default Language | RT_ICON |
6 | 4.85921 | 2440 | UNKNOWN | Process Default Language | RT_ICON |
7 | 5.02095 | 2064 | UNKNOWN | Process Default Language | RT_ICON |
8 | 5.03074 | 1128 | UNKNOWN | Process Default Language | RT_ICON |
10 | 1.79248 | 6 | UNKNOWN | Process Default Language | RT_RCDATA |
14 | 2.80735 | 7 | UNKNOWN | Process Default Language | RT_RCDATA |
KERNEL32.dll |
SHLWAPI.dll |
USER32.dll (delay-loaded) |
WINMM.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2612 | "C:\Users\admin\AppData\Local\Temp\02600004.exe" | C:\Users\admin\AppData\Local\Temp\02600004.exe | Explorer.EXE | ||||||||||||
User: admin Company: Stencyl, LLC Integrity Level: MEDIUM Description: Stencyl 2.0 Exit code: 0 Version: 2.0 Modules
| |||||||||||||||
2368 | "C:\Users\admin\AppData\Roaming\Microsoft\Ebgqylu\ebgqylu.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Ebgqylu\ebgqylu.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Stencyl, LLC Integrity Level: MEDIUM Description: Stencyl 2.0 Version: 2.0 Modules
| |||||||||||||||
2484 | cmd /c ping -n 10 localhost && del "C:\Users\admin\AppData\Local\Temp\02600004.exe" | C:\Windows\system32\cmd.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2792 | ping -n 10 localhost | C:\Windows\system32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
776 | taskeng.exe {22B6E91C-5B0B-4FB0-99A8-D59901096E38} | C:\Windows\system32\taskeng.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Engine Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
600 | "C:\Windows\system32\Dwm.exe" | C:\Windows\system32\Dwm.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Desktop Window Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2500 | \??\C:\Windows\system32\conhost.exe "92857863-1693453631032617958-101514155-237740995-521017290-2077688268-2067374097" | \??\C:\Windows\system32\conhost.exe | csrss.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2132 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Management Console Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2872 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Management Console Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1896 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2612) 02600004.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | qxnds |
Value: "C:\Users\admin\AppData\Roaming\Microsoft\Ebgqylu\ebgqylu.exe" | |||
(PID) Process: | (2368) ebgqylu.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 |
Operation: | write | Name: | 2500 |
Value: 3 | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ApplicationDestinations |
Operation: | write | Name: | MaxEntries |
Value: 15 | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc\OpenWithProgids |
Operation: | write | Name: | MSCFile |
Value: | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | @C:\Windows\system32\mmcbase.dll,-13351 |
Value: &Author | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | @%windir%\system32\miguiresource.dll,-202 |
Value: Schedule computer tasks to run automatically. | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count |
Operation: | write | Name: | Zvpebfbsg.NhgbTrarengrq.{15962175-7QSP-O1Q7-O0Q1-RO4P08SSQ754} |
Value: 000000000800000004000000D3380700000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFF0CBE7437A8DD70100000000 | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count |
Operation: | write | Name: | HRZR_PGYFRFFVBA |
Value: 000000003F0100006B020000D84611013F0000004A0000008E0F0D004D006900630072006F0073006F00660074002E0049006E007400650072006E00650074004500780070006C006F007200650072002E00440065006600610075006C007400000028003E004000A4E75102B8E651020000000000000000000000000000080274E45102000008026CE25102000000000000D26CFFFFFFFF705911750000000000000000A4E251027C900D75000400000000000008E35102FFFFFFFF38EA7000FFFFFFFF080A7400D80E740030EA7000D4E25102F7AF3D7680D0707614F05102081D3E76E4613E766820700008E351020000000071000000BBF2CB00E8E25102A1693E766820700008E351020000000014E551023F613E766820700008E3510200000400000000800400000026E4510298E351025DA5147726E45102D26E147779A51477D6794D7526E4510210E65102000100006400610072E3510226E451026F0061006D0069006E0067005C006D006900630072006F0073006F0066007400CCE351023400000080E35102DE70310033003300350033003800310030003000F8E551025A000000A0E351021DA71477D6610E02D4E351025A00000010E651025C00000011000000104F7000084F7000F8E55102C4E3510220E40000D7F3CB00D0E351025E903E7620E45102D4E3510203943E760000000064561802FCE35102A9933E7664561802A8E45102D8511802BD933E7600000000D8511802A8E4510204E45102000000007200000032AC5D004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E0043006F006E00740072006F006C00500061006E0065006C00000045003700430036004500410037004400320037007D005C0063006D0064002E0065007800650000000000D45D38760000000005000000D80B3902000000000000000000000000000000000000000000000000CB0501AD000000000000000000000000000000000000000000000000000000000000000030E69D01A8323876B8E59D01C0E59D0154E59D0100000000000000000000000000000000480B39020000000005000000D80B390200000000340C390268E59D01B0E59D010000000000000000E8B93902050000002000000000000000000000000400400000001A0098E59D0100000000000000000000000000000000040000009EE69D0110E69D015DA5B3779EE69D01D26EB37779A5B377114526769EE69D0188E89D0104000000C6E69D0138E69D015DA5B377C6E69D01D26EB37779A5B37739452676C6E69D01B0E89D0100010000E8FE1C0012E69D01C6E69D0168E69D015DA5310033003300350033003800310011000000104F1D00084F1D001AE79D018CE69D015DA5B37774E60000B777588D24E69D015E90D47674E69D0128E69D010394D47600000000D422E60250E69D01A993D476D422E602FCE69D01481EE602BD93D47600000000481EE602FCE69D0158E69D01000000007200000032AC5D004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E0043006F006E00740072006F006C00500061006E0065006C00000045003700430036004500410037004400320037007D005C0063006D0064002E0065007800650000000000D45D38760000000005000000D80B3902000000000000000000000000000000000000000000000000CB0501AD000000000000000000000000000000000000000000000000000000000000000030E69D01A8323876B8E59D01C0E59D0154E59D0100000000000000000000000000000000480B39020000000005000000D80B390200000000340C390268E59D01B0E59D010000000000000000E8B93902050000002000000000000000000000000400400000001A0098E59D0100000000000000000000000000000000040000009EE69D0110E69D015DA5B3779EE69D01D26EB37779A5B377114526769EE69D0188E89D0104000000C6E69D0138E69D015DA5B377C6E69D01D26EB37779A5B37739452676C6E69D01B0E89D0100010000E8FE1C0012E69D01C6E69D0168E69D015DA5310033003300350033003800310011000000104F1D00084F1D001AE79D018CE69D015DA5B37774E60000B777588D24E69D015E90D47674E69D0128E69D010394D47600000000D422E60250E69D01A993D476D422E602FCE69D01481EE602BD93D47600000000481EE602FCE69D0158E69D01 | |||
(PID) Process: | (1896) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count |
Operation: | write | Name: | {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Gnfx Fpurqhyre.yax |
Value: 00000000080000000000000007000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFF0CBE7437A8DD70100000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3612 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\pl-pl[1].htm | html | |
MD5:4A73DDEE1635D354E0E786B97601B9F2 | SHA256:27E51056AA3F75BA5D917F603E16C8B4217FECE01B8D7719940EFDC19B575759 | |||
3612 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\de-71d089[1].css | text | |
MD5:E86ABE78D0A0FEA5962432DD802E6F6A | SHA256:2DD894A94053B2B9B607C420F68387F960822B374C47D2250078A0772F72C19C | |||
3612 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\social[1].css | text | |
MD5:B42B9C7E731408205B611FBB532F511F | SHA256:287E4C54269937C93EF680E0DCBAE4B5E3FF630A12698ACC7D2EB527B1598B79 | |||
1328 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Ebgqylu\ebgqylu32.dll | binary | |
MD5:449D755623827588A9A2F8B898B23ECE | SHA256:991ACC5F42A097DB5A7D864F230597C9076F6AF7C02F9BBB562BFDE4A20F1232 | |||
3612 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | |
MD5:FEAFBE7312EFEE12BBFC8098A52D9CB8 | SHA256:87AD745659F9E7F22C212C7BA8783E0B473CC9D29F03D79159F9C38B58BAB79F | |||
3612 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231 | der | |
MD5:13D6CE76B0307FA5C79A467CD6CF2044 | SHA256:996144ACCC8077E2CC00241EB9F40CFA7B6ED245F2BB87FF77013660F6981D35 | |||
2612 | 02600004.exe | C:\Users\admin\AppData\Roaming\Microsoft\Ebgqylu\ebgqyl.dll | binary | |
MD5:F156BE0505C21A0DD0C55ED466B261F9 | SHA256:6DF95DE0301890834ECD58E4D4523320B8BCAA8C0D01DA06A44A1141ACF277F9 | |||
3612 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | |
MD5:DBD4631E9AC8B000AF8DE27C1C4C7F91 | SHA256:7F06B412E32DCB8944F46C37878840AA6858F68D54562A0C026D7FB54AD47731 | |||
3612 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE | binary | |
MD5:30668C62F71A4D8EBA6A919D41133EA2 | SHA256:59DA73528DACD991A987FADCE5B0AD57709E856ED5289192337E860274555740 | |||
3612 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE | der | |
MD5:81EC88BD8AC96D8949B0359426411F1D | SHA256:114816BA1FCBFCF278D1DDE2250341F2FF2A06E53C09380C76BCC9BF677BC725 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3612 | iexplore.exe | GET | 302 | 104.79.89.142:80 | http://www.microsoft.com/ | US | — | — | whitelisted |
3612 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
3612 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
1328 | iexplore.exe | GET | 200 | 23.55.163.73:80 | http://crl.identrust.com/DSTROOTCAX3CRL.crl | US | der | 1.16 Kb | whitelisted |
3612 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3612 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted |
3612 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D | US | der | 471 b | whitelisted |
3612 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA9bw6F2y3ieICDHiTyBZ7Q%3D | US | der | 1.47 Kb | whitelisted |
3612 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted |
3612 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3612 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3612 | iexplore.exe | 104.79.89.142:80 | www.microsoft.com | Time Warner Cable Internet LLC | US | unknown |
3612 | iexplore.exe | 13.107.213.45:443 | mem.gfx.ms | Microsoft Corporation | US | suspicious |
3612 | iexplore.exe | 67.26.137.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | malicious |
3612 | iexplore.exe | 13.107.246.45:443 | mem.gfx.ms | Microsoft Corporation | US | suspicious |
3612 | iexplore.exe | 104.79.89.142:443 | www.microsoft.com | Time Warner Cable Internet LLC | US | unknown |
3612 | iexplore.exe | 23.6.112.130:443 | img-prod-cms-rt-microsoft-com.akamaized.net | Akamai International B.V. | NL | unknown |
3612 | iexplore.exe | 23.47.209.178:443 | c.s-microsoft.com | NTT DOCOMO, INC. | US | unknown |
1328 | iexplore.exe | 13.107.21.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
1328 | iexplore.exe | 172.217.18.110:80 | google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
assets.onestore.ms |
| whitelisted |
web.vortex.data.microsoft.com |
| whitelisted |
mem.gfx.ms |
| whitelisted |
img-prod-cms-rt-microsoft-com.akamaized.net |
| whitelisted |
wcpstatic.microsoft.com |
| whitelisted |
microsoftwindows.112.2o7.net |
| whitelisted |
c.s-microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1328 | iexplore.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
Process | Message |
---|---|
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|