Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | April 26, 2021, 9:18 a.m. | April 26, 2021, 9:20 a.m. |
Process | Command line | PID |
---|---|---|
iexplore.exe | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:8324 CREDAT:145409 | 8948 |
explorer.exe | C:\Windows\Explorer.EXE | 1848 |
IP Address | Status | Action |
---|---|---|
104.21.55.21 | Active | Moloch |
104.22.18.208 | Active | Moloch |
117.18.232.200 | Active | Moloch |
142.250.204.42 | Active | Moloch |
164.124.101.2 | Active | Moloch |
172.217.25.14 | Active | Moloch |
216.58.220.195 | Active | Moloch |
23.111.9.35 | Active | Moloch |
51.254.201.70 | Active | Moloch |
87.250.250.119 | Active | Moloch |
87.250.251.119 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49819 142.250.204.42:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | c2:b5:f0:1b:46:55:3f:d3:65:b2:1d:5c:cc:56:a7:41:ac:9c:7a:22 |
TLSv1 192.168.56.102:49813 104.21.55.21:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 29:14:2a:70:bc:6c:04:44:be:ab:46:dc:fa:91:03:73:a6:39:2a:da |
TLSv1 192.168.56.102:49821 142.250.204.42:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | c2:b5:f0:1b:46:55:3f:d3:65:b2:1d:5c:cc:56:a7:41:ac:9c:7a:22 |
TLSv1 192.168.56.102:49814 104.21.55.21:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 29:14:2a:70:bc:6c:04:44:be:ab:46:dc:fa:91:03:73:a6:39:2a:da |
TLSv1 192.168.56.102:49834 104.22.18.208:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=free-kassa.ru | 2e:f5:1e:8c:72:15:12:fd:a7:81:ff:7d:a1:e2:d2:fc:72:83:b2:5e |
TLSv1 192.168.56.102:49820 23.111.9.35:443 | C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1 | C=US, ST=Arkansas, L=Bentonville, O=Fonticons Inc, CN=*.fontawesome.com | b3:98:5d:48:a7:9b:bc:59:47:42:5f:34:bb:d2:3d:35:f4:a6:9f:61 |
TLSv1 192.168.56.102:49826 216.58.220.195:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com | 36:ae:4f:16:79:a7:78:df:85:88:67:19:ae:c4:52:de:e4:11:9d:0a |
TLSv1 192.168.56.102:49838 216.58.220.195:443 | None | None | None |
TLSv1 192.168.56.102:49837 104.21.55.21:443 | None | None | None |
TLSv1 192.168.56.102:49823 104.21.55.21:443 | None | None | None |
TLSv1 192.168.56.102:49822 104.21.55.21:443 | None | None | None |
TLSv1 192.168.56.102:49839 87.250.251.119:443 | C=RU, O=Yandex LLC, OU=Yandex Certification Authority, CN=Yandex CA | C=RU, L=Moscow, OU=ITO, O=Yandex LLC, CN=mc.yandex.ru | ab:3d:30:32:3f:ad:2a:05:33:18:ca:75:6d:81:ab:e1:24:89:91:b8 |
TLSv1 192.168.56.102:49828 216.58.220.195:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com | 36:ae:4f:16:79:a7:78:df:85:88:67:19:ae:c4:52:de:e4:11:9d:0a |
TLSv1 192.168.56.102:49829 216.58.220.195:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com | 36:ae:4f:16:79:a7:78:df:85:88:67:19:ae:c4:52:de:e4:11:9d:0a |
TLSv1 192.168.56.102:49831 216.58.220.195:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com | 36:ae:4f:16:79:a7:78:df:85:88:67:19:ae:c4:52:de:e4:11:9d:0a |
TLSv1 192.168.56.102:49840 87.250.251.119:443 | C=RU, O=Yandex LLC, OU=Yandex Certification Authority, CN=Yandex CA | C=RU, L=Moscow, OU=ITO, O=Yandex LLC, CN=mc.yandex.ru | ab:3d:30:32:3f:ad:2a:05:33:18:ca:75:6d:81:ab:e1:24:89:91:b8 |
TLSv1 192.168.56.102:49827 216.58.220.195:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com | 36:ae:4f:16:79:a7:78:df:85:88:67:19:ae:c4:52:de:e4:11:9d:0a |
TLSv1 192.168.56.102:49830 216.58.220.195:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.gstatic.com | 36:ae:4f:16:79:a7:78:df:85:88:67:19:ae:c4:52:de:e4:11:9d:0a |
TLSv1 192.168.56.102:49843 51.254.201.70:443 | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=webmoney.ru | 82:da:d2:5d:5f:4c:5a:aa:8c:bd:5c:55:23:d7:f0:77:11:40:d0:99 |
TLSv1 192.168.56.102:49858 104.21.55.21:443 | None | None | None |
TLSv1 192.168.56.102:49836 104.21.55.21:443 | None | None | None |
TLSv1 192.168.56.102:49842 216.58.220.195:443 | None | None | None |
TLSv1 192.168.56.102:49853 104.21.55.21:443 | None | None | None |
TLSv1 192.168.56.102:49855 104.21.55.21:443 | None | None | None |
TLSv1 192.168.56.102:49833 104.21.55.21:443 | None | None | None |
TLSv1 192.168.56.102:49859 104.21.55.21:443 | None | None | None |
TLSv1 192.168.56.102:49835 104.22.18.208:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=free-kassa.ru | 2e:f5:1e:8c:72:15:12:fd:a7:81:ff:7d:a1:e2:d2:fc:72:83:b2:5e |
TLSv1 192.168.56.102:49825 104.21.55.21:443 | None | None | None |
TLSv1 192.168.56.102:49832 104.21.55.21:443 | None | None | None |
TLSv1 192.168.56.102:49844 51.254.201.70:443 | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=webmoney.ru | 82:da:d2:5d:5f:4c:5a:aa:8c:bd:5c:55:23:d7:f0:77:11:40:d0:99 |
TLSv1 192.168.56.102:49845 87.250.250.119:443 | C=RU, O=Yandex LLC, OU=Yandex Certification Authority, CN=Yandex CA | C=RU, L=Moscow, OU=ITO, O=Yandex LLC, CN=mc.yandex.ru | ab:3d:30:32:3f:ad:2a:05:33:18:ca:75:6d:81:ab:e1:24:89:91:b8 |
TLSv1 192.168.56.102:49846 87.250.250.119:443 | C=RU, O=Yandex LLC, OU=Yandex Certification Authority, CN=Yandex CA | C=RU, L=Moscow, OU=ITO, O=Yandex LLC, CN=mc.yandex.ru | ab:3d:30:32:3f:ad:2a:05:33:18:ca:75:6d:81:ab:e1:24:89:91:b8 |
TLSv1 192.168.56.102:49852 104.21.55.21:443 | None | None | None |
TLSv1 192.168.56.102:49854 104.21.55.21:443 | None | None | None |
Type | Request |
---|---|
request | GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml |
request | GET https://exws.ru/downloads/ |
request | GET https://exws.ru/downloads/login.php |
request | GET https://exws.ru/downloads/usercp.php?msg=Требуется%20авторизация: |
request | GET https://exws.ru/css/bootstrap.min.css |
request | GET https://fonts.googleapis.com/css?family=Open+Sans:300,400,600%7CPoppins:300,400,500,600&subset=cyrillic |
request | GET https://exws.ru/css/style.css |
request | GET https://exws.ru/css/sparkicons.css |
request | GET https://exws.ru/css/et-line.css |
request | GET https://exws.ru/css/themify-icons.css |
request | GET https://exws.ru/css/owl.carousel.css |
request | GET https://exws.ru/css/magnific-popup.css |
request | GET https://exws.ru/downloads/templates/default/default.css |
request | GET https://use.fontawesome.com/releases/v5.0.6/js/all.js |
request | GET https://exws.ru/images/logotype/logo-white.png |
request | GET https://fonts.gstatic.com/s/opensans/v18/mem8YaGs126MiZpBA-UFUZ0d.woff |
request | GET https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UNirkOVuhv.woff |
request | GET https://fonts.gstatic.com/s/poppins/v15/pxiEyp8kv8JHgFVrJJfedA.woff |
request | GET https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OVuhv.woff |
request | GET https://fonts.gstatic.com/s/poppins/v15/pxiByp8kv8JHgFVrLDz8Z1xlEw.woff |
request | GET https://exws.ru/images/logotype/logo-dark.png |
request | GET https://exws.ru/images/screen/launcher.png |
request | GET https://exws.ru/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js |
request | GET https://exws.ru/fonts/sparkicons.eot@wwjpvu |
request | GET https://exws.ru/fonts/et-line.eot@ |
request | GET https://fonts.gstatic.com/s/poppins/v15/pxiByp8kv8JHgFVrLGT9Z1xlEw.woff |
request | GET https://www.free-kassa.ru/img/fk_btn/16.png |
request | GET https://exws.ru/downloads/js/vendor/jquery-2.2.0.min.js |
request | GET https://fonts.gstatic.com/s/poppins/v15/pxiByp8kv8JHgFVrLEj6Z1xlEw.woff |
request | GET https://exws.ru/downloads/js/vendor/isotope.pkgd.min.js |
request | GET https://informer.yandex.ru/informer/36586115/3_0_202020FF_000000FF_1_pageviews |
request | GET https://www.webmoney.ru/img/icons/88x31_wm_white_blue.png |
request | GET https://mc.yandex.ru/metrika/tag.js |
request | GET https://exws.ru/downloads/js/owl.carousel.min.js |
request | GET https://exws.ru/downloads/js/smoothscroll.js |
request | GET https://mc.yandex.ru/watch/36586115?callback=_ymjsp696528223&page-url=https%3A%2F%2Fexws.ru%2Fdownloads%2Fusercp.php%3Fmsg%3D%C3%90%C2%A2%C3%91%E2%82%AC%C3%90%C2%B5%C3%90%C2%B1%C3%91%C6%92%C3%90%C2%B5%C3%91%E2%80%9A%C3%91%C2%81%C3%91%C2%8F%2520%C3%90%C2%B0%C3%90%C2%B2%C3%91%E2%80%9A%C3%90%C2%BE%C3%91%E2%82%AC%C3%90%C2%B8%C3%90%C2%B7%C3%90%C2%B0%C3%91%E2%80%A0%C3%90%C2%B8%C3%91%C2%8F%3A&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A5gv0p5rfuji4o8hq%3Afp%3A6737%3Afu%3A0%3Aen%3Autf-8%3Ala%3Ako%3Av%3A502%3Acn%3A1%3Adp%3A0%3Als%3A453733073728%3Ahid%3A839055131%3Az%3A540%3Ai%3A20210426175855%3Aet%3A1619427536%3Ac%3A1%3Arn%3A611767612%3Arqn%3A1%3Au%3A1619427536570725093%3Aw%3A1211x841%3As%3A1365x1024x24%3Aj%3A1%3Ans%3A1619427526687%3Ads%3A0%2C0%2C0%2C3%2C1%2C1%2C1%2C22%2C%2C%2C%2C%2C%3Awv%3A2%3Arqnl%3A1%3Ati%3A3%3Ast%3A1619427536%3At%3AEXWS.RU%20-%20%D0%A6%D0%B5%D0%BD%D1%82%D1%80%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%BE%D0%BA%20%D0%B8%20%D0%BE%D0%B1%D0%BD%D0%BE%D0%B2%D0%BB%D0%B5%D0%BD%D0%B8%D0%B9&wmode=5 |
request | GET https://mc.yandex.ru/metrika/advert.gif |
request | GET https://exws.ru/downloads/js/plugins.js |
request | GET https://mc.yandex.ru/watch/36586115/1?callback=_ymjsp696528223&page-url=https%3A%2F%2Fexws.ru%2Fdownloads%2Fusercp.php%3Fmsg%3D%C3%90%C2%A2%C3%91%E2%82%AC%C3%90%C2%B5%C3%90%C2%B1%C3%91%C6%92%C3%90%C2%B5%C3%91%E2%80%9A%C3%91%C2%81%C3%91%C2%8F%2520%C3%90%C2%B0%C3%90%C2%B2%C3%91%E2%80%9A%C3%90%C2%BE%C3%91%E2%82%AC%C3%90%C2%B8%C3%90%C2%B7%C3%90%C2%B0%C3%91%E2%80%A0%C3%90%C2%B8%C3%91%C2%8F%3A&charset=utf-8&browser-info=pv%3A1%3Agdpr%3A14%3Avf%3A5gv0p5rfuji4o8hq%3Afp%3A6737%3Afu%3A0%3Aen%3Autf-8%3Ala%3Ako%3Av%3A502%3Acn%3A1%3Adp%3A0%3Als%3A453733073728%3Ahid%3A839055131%3Az%3A540%3Ai%3A20210426175855%3Aet%3A1619427536%3Ac%3A1%3Arn%3A611767612%3Arqn%3A1%3Au%3A1619427536570725093%3Aw%3A1211x841%3As%3A1365x1024x24%3Aj%3A1%3Ans%3A1619427526687%3Ads%3A0%2C0%2C0%2C3%2C1%2C1%2C1%2C22%2C%2C%2C%2C%2C%3Awv%3A2%3Arqnl%3A1%3Ati%3A3%3Ast%3A1619427536%3At%3AEXWS.RU%20-%20%D0%A6%D0%B5%D0%BD%D1%82%D1%80%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%BE%D0%BA%20%D0%B8%20%D0%BE%D0%B1%D0%BD%D0%BE%D0%B2%D0%BB%D0%B5%D0%BD%D0%B8%D0%B9&wmode=5 |
request | GET https://exws.ru/downloads/js/jquery.magnific-popup.min.js |
request | GET https://exws.ru/downloads/js/jquery.ajaxchimp.min.js |
request | GET https://exws.ru/downloads/js/main.js |
request | GET https://exws.ru/downloads/js/placeholder.js |
request | GET https://exws.ru/downloads/js/style.changer.js |
request | GET https://exws.ru/favicon.ico |
request | GET https://mc.yandex.ru/watch/36586115?callback=_ymjsp776041626&page-url=https%3A%2F%2Fexws.ru%2Fdownloads%2Fusercp.php%3Fmsg%3D%C3%90%C2%A2%C3%91%E2%82%AC%C3%90%C2%B5%C3%90%C2%B1%C3%91%C6%92%C3%90%C2%B5%C3%91%E2%80%9A%C3%91%C2%81%C3%91%C2%8F%2520%C3%90%C2%B0%C3%90%C2%B2%C3%91%E2%80%9A%C3%90%C2%BE%C3%91%E2%82%AC%C3%90%C2%B8%C3%90%C2%B7%C3%90%C2%B0%C3%91%E2%80%A0%C3%90%C2%B8%C3%91%C2%8F%3A&charset=utf-8&browser-info=nb%3A1%3Acl%3A754%3Aar%3A1%3Agdpr%3A14%3Avf%3A5gv0p5rfuji4o8hq%3Afu%3A0%3Aen%3Autf-8%3Ala%3Ako%3Av%3A502%3Acn%3A1%3Adp%3A0%3Als%3A453733073728%3Ahid%3A839055131%3Az%3A540%3Ai%3A20210426175915%3Aet%3A1619427555%3Ac%3A1%3Arn%3A620849982%3Arqn%3A2%3Au%3A1619427536570725093%3Aw%3A1211x841%3As%3A1365x1024x24%3Aj%3A1%3Ans%3A1619427526687%3Ads%3A%2C%2C%2C%2C%2C%2C%2C%2C6%2C13572%2C13636%2C3%2C13566%3Awv%3A2%3Arqnl%3A1%3Ati%3A3%3Ast%3A1619427555&wmode=5 |
request | GET https://mc.yandex.ru/watch/36586115/1?callback=_ymjsp776041626&page-url=https%3A%2F%2Fexws.ru%2Fdownloads%2Fusercp.php%3Fmsg%3D%C3%90%C2%A2%C3%91%E2%82%AC%C3%90%C2%B5%C3%90%C2%B1%C3%91%C6%92%C3%90%C2%B5%C3%91%E2%80%9A%C3%91%C2%81%C3%91%C2%8F%2520%C3%90%C2%B0%C3%90%C2%B2%C3%91%E2%80%9A%C3%90%C2%BE%C3%91%E2%82%AC%C3%90%C2%B8%C3%90%C2%B7%C3%90%C2%B0%C3%91%E2%80%A0%C3%90%C2%B8%C3%91%C2%8F%3A&charset=utf-8&browser-info=nb%3A1%3Acl%3A754%3Aar%3A1%3Agdpr%3A14%3Avf%3A5gv0p5rfuji4o8hq%3Afu%3A0%3Aen%3Autf-8%3Ala%3Ako%3Av%3A502%3Acn%3A1%3Adp%3A0%3Als%3A453733073728%3Ahid%3A839055131%3Az%3A540%3Ai%3A20210426175915%3Aet%3A1619427555%3Ac%3A1%3Arn%3A620849982%3Arqn%3A2%3Au%3A1619427536570725093%3Aw%3A1211x841%3As%3A1365x1024x24%3Aj%3A1%3Ans%3A1619427526687%3Ads%3A%2C%2C%2C%2C%2C%2C%2C%2C6%2C13572%2C13636%2C3%2C13566%3Awv%3A2%3Arqnl%3A1%3Ati%3A3%3Ast%3A1619427555&wmode=5 |
domain | exws.ru | description | Russian Federation domain TLD |
domain | informer.yandex.ru | description | Russian Federation domain TLD |
domain | www.webmoney.ru | description | Russian Federation domain TLD |
domain | www.free-kassa.ru | description | Russian Federation domain TLD |
domain | mc.yandex.ru | description | Russian Federation domain TLD |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\email-decode.min[1].js |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\tag[1].js |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\all[1].js |
section | {u'size_of_data': u'0x0014e000', u'virtual_address': u'0x00388000', u'entropy': 7.931724218189861, u'name': u'UPX1', u'virtual_size': u'0x0014e000'} | entropy | 7.93172421819 | description | A section with a high entropy has been found |
entropy | 0.983075791023 | description | Overall entropy of this PE file is high |
description | Affect system registries | rule | win_registry |
description | Affect system token | rule | win_token |
description | Affect private profile | rule | win_files_operation |
description | (no description) | rule | DebuggerCheck__GlobalFlags |
description | (no description) | rule | DebuggerCheck__QueryInfo |
description | (no description) | rule | DebuggerHiding__Thread |
description | (no description) | rule | DebuggerHiding__Active |
description | (no description) | rule | ThreadControl__Context |
description | (no description) | rule | SEH__vectored |
description | Checks if being debugged | rule | anti_dbg |
description | Bypass DEP | rule | disable_dep |
section | UPX0 | description | Section name indicates UPX |
section | UPX1 | description | Section name indicates UPX |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:8324 CREDAT:145409 |
host | 117.18.232.200 |
host | 172.217.25.14 |
Engine | Detection |
---|---|
FireEye | Generic.mg.cd155fbcc108d054 |
Cylance | Unsafe |
BitDefenderTheta | AI:Packer.E8B760CD21 |
Symantec | ML.Attribute.HighConfidence |
APEX | Malicious |
Paloalto | generic.ml |
Sophos | Generic ML PUA (PUA) |
McAfee-GW-Edition | BehavesLike.Win32.Generic.tc |
SentinelOne | Static AI - Suspicious PE |
eGambit | Unsafe.AI_Score_99% |
Microsoft | Trojan:Win32/Zpevdo.B |
AegisLab | Riskware.Win32.Generic.1!c |
CrowdStrike | win/malicious_confidence_60% (D) |
Qihoo-360 | Generic/HEUR/QVM11.1.3DD8.Malware.Gen |