Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | April 29, 2021, 10:19 p.m. | April 29, 2021, 10:25 p.m. |
Process | PID | Command line |
---|---|---|
cmd.exe | 2352 | "C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\FEAC.tmp\FEAD.tmp\FEAE.bat C:\Users\test22\AppData\Local\Temp\CleanApex.exe" |
taskkill.exe | 7032 | taskkill /f /im smartscreen.exe |
taskkill.exe | 8800 | taskkill /f /im EasyAntiCheat.exe |
taskkill.exe | 3700 | taskkill /f /im dnf.exe |
taskkill.exe | 6892 | taskkill /f /im DNF.exe |
taskkill.exe | 4496 | taskkill /f /im CrossProxy.exe |
taskkill.exe | 2268 | taskkill /f /im tensafe_1.exe |
taskkill.exe | 7444 | taskkill /f /im TenSafe_1.exe |
taskkill.exe | 6596 | taskkill /f /im tensafe_2.exe |
taskkill.exe | 2600 | taskkill /f /im tencentdl.exe |
taskkill.exe | 2648 | taskkill /f /im TenioDL.exe |
taskkill.exe | 9112 | taskkill /f /im uishell.exe |
taskkill.exe | 6440 | taskkill /f /im BackgroundDownloader.exe |
taskkill.exe | 8156 | taskkill /f /im conime.exe |
taskkill.exe | 2460 | taskkill /f /im QQDL.EXE |
taskkill.exe | 2220 | taskkill /f /im qqlogin.exe |
taskkill.exe | 7128 | taskkill /f /im dnfchina.exe |
taskkill.exe | 3464 | taskkill /f /im dnfchinatest.exe |
taskkill.exe | 7600 | taskkill /f /im dnf.exe |
taskkill.exe | 4992 | taskkill /f /im txplatform.exe |
taskkill.exe | 3056 | taskkill /f /im TXPlatform.exe |
taskkill.exe | 4428 | taskkill /f /im OriginWebHelperService.exe |
taskkill.exe | 3592 | taskkill /f /im Origin.exe |
taskkill.exe | 2200 | taskkill /f /im OriginClientService.exe |
taskkill.exe | 2264 | taskkill /f /im OriginER.exe |
taskkill.exe | 3420 | taskkill /f /im OriginThinSetupInternal.exe |
taskkill.exe | 9208 | taskkill /f /im OriginLegacyCLI.exe |
taskkill.exe | 108 | taskkill /f /im Agent.exe |
taskkill.exe | 4756 | taskkill /f /im Client.exe |
sc.exe | 7324 | Sc stop EasyAntiCheat |
Name | Response | Post-Analysis Lookup |
---|---|---|
edgedl.me.gvt1.com | 34.104.35.123 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49933 -> 142.250.199.67:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.102:49933 142.250.199.67:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | c2:b5:f0:1b:46:55:3f:d3:65:b2:1d:5c:cc:56:a7:41:ac:9c:7a:22 |
section | .code |
packer | PureBasic 4.x -> Neil Hodgson |
suspicious_features | POST method with no referer header | suspicious_request | POST https://update.googleapis.com/service/update2?cup2key=10:1942235512&cup2hreq=76df63082d5596be509315cb91fc6c3c1524fe43d39e7a210b8da1c97c92aa3b |
request | HEAD http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe |
request | POST https://update.googleapis.com/service/update2?cup2key=10:1942235512&cup2hreq=76df63082d5596be509315cb91fc6c3c1524fe43d39e7a210b8da1c97c92aa3b |
request | POST https://update.googleapis.com/service/update2?cup2key=10:1942235512&cup2hreq=76df63082d5596be509315cb91fc6c3c1524fe43d39e7a210b8da1c97c92aa3b |
file | C:\Users\test22\AppData\Local\Temp\FEAC.tmp\FEAD.tmp\FEAE.bat |
file | C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe |
file | C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe |
file | C:\Users\test22\AppData\Local\Temp\CleanApex.exe |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tensafe_1.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Origin.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CrossProxy.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "DNF.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "BackgroundDownloader.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "TenSafe_1.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "conime.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Client.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tensafe_2.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "OriginER.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "uishell.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dnf.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "smartscreen.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "TXPlatform.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Agent.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "OriginThinSetupInternal.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dnfchina.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "txplatform.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "TenioDL.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "OriginLegacyCLI.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "OriginWebHelperService.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "QQDL.EXE") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EasyAntiCheat.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dnfchinatest.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tencentdl.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "qqlogin.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "OriginClientService.exe") |
section | name=.rdata, virtual_address=0x00013000, virtual_size=0x000033a8, size_of_data=0x00003400, entropy=7.11033437290647 | entropy | 7.11033437291 | description | A section with a high entropy has been found |
section | name=.rsrc, virtual_address=0x00019000, virtual_size=0x00022648, size_of_data=0x00022800, entropy=7.997070343666379 | entropy | 7.99707034367 | description | A section with a high entropy has been found |
entropy | 0.674107142857 | description | Overall entropy of this PE file is high |
cmdline | taskkill /f /im OriginER.exe |
cmdline | taskkill /f /im tencentdl.exe |
cmdline | taskkill /f /im OriginThinSetupInternal.exe |
cmdline | taskkill /f /im dnf.exe |
cmdline | Sc stop EasyAntiCheat |
cmdline | taskkill /f /im Origin.exe |
cmdline | taskkill /f /im TXPlatform.exe |
cmdline | taskkill /f /im conime.exe |
cmdline | taskkill /f /im Agent.exe |
cmdline | "C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\FEAC.tmp\FEAD.tmp\FEAE.bat C:\Users\test22\AppData\Local\Temp\CleanApex.exe" |
cmdline | taskkill /f /im uishell.exe |
cmdline | taskkill /f /im dnfchina.exe |
cmdline | taskkill /f /im qqlogin.exe |
cmdline | taskkill /f /im TenSafe_1.exe |
cmdline | taskkill /f /im BackgroundDownloader.exe |
cmdline | taskkill /f /im txplatform.exe |
cmdline | taskkill /f /im Client.exe |
cmdline | taskkill /f /im CrossProxy.exe |
cmdline | taskkill /f /im OriginLegacyCLI.exe |
cmdline | taskkill /f /im tensafe_2.exe |
cmdline | taskkill /f /im EasyAntiCheat.exe |
cmdline | taskkill /f /im smartscreen.exe |
cmdline | taskkill /f /im OriginWebHelperService.exe |
cmdline | taskkill /f /im OriginClientService.exe |
cmdline | taskkill /f /im QQDL.EXE |
cmdline | taskkill /f /im dnfchinatest.exe |
cmdline | taskkill /f /im DNF.exe |
cmdline | taskkill /f /im tensafe_1.exe |
cmdline | taskkill /f /im TenioDL.exe |
host | 142.250.199.67 |
host | 172.217.25.14 |
file | C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe |
file | C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log |
file | C:\Users\test22\AppData\Local\Temp\java_install_reg.log |
file | C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000011.log |
file | C:\Users\test22\AppData\Local\Temp\dd_dotnet4.5_decompression_log.txt |
file | C:\Users\test22\AppData\Local\Temp\test email.zip |
file | C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000001.log |
file | C:\Users\test22\AppData\Local\Temp\jawshtml.html |
file | C:\Users\test22\AppData\Local\Temp\test email-3.zip |
file | C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00000.log |
file | C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log |
file | C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000013.log |
file | C:\Users\test22\AppData\Local\Temp\~DFB8537D6963ECB123.TMP |
file | C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt |
file | C:\Users\test22\AppData\Local\Temp\dd_SetupUtility.txt |
file | C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00001.log |
file | C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152043A34).log |
file | C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548.log |
file | C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C).log |
file | C:\Users\test22\AppData\Local\Temp\RGI1518.tmp-tmp |
file | C:\Users\test22\AppData\Local\Temp\DMI9EEF.tmp |
file | C:\Users\test22\AppData\Local\Temp\dd_dotNetFx45LP_Full_x86_x64ko_decompression_log.txt |
file | C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000017.log |
file | C:\Users\test22\AppData\Local\Temp\chrome_installer.log |
file | C:\Users\test22\AppData\Local\Temp\CleanApex.exe |
file | C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571.html |
file | C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000020.log |
file | C:\Users\test22\AppData\Local\Temp\RGIC87.tmp-tmp |
file | C:\Users\test22\AppData\Local\Temp\java_install.log |
file | C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000007.log |
file | C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log |
file | C:\Users\test22\AppData\Local\Temp\bchC68D.tmp |
file | C:\Users\test22\AppData\Local\Temp\FEAC.tmp\FEAD.tmp\FEAE.bat |
file | C:\Users\test22\AppData\Local\Temp\UserInfoSetup(20180405152131B24).log |
file | C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 Setup_20200715_141303844.html |
file | C:\Users\test22\AppData\Local\Temp\PrinterSetup.log |
file | C:\Users\test22\AppData\Local\Temp\test email-6.zip |
file | C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00002.log |
file | C:\Users\test22\AppData\Local\Temp\UserInfoSetup(201804051522349E8).log |
file | C:\Users\test22\AppData\Local\Temp\RD25B7.tmp |
file | C:\Users\test22\AppData\Local\Temp\outlook logging\firstrun.log |
file | C:\Users\test22\AppData\Local\Temp\7zO8F39374F\test.docx |
file | C:\Users\test22\AppData\Local\Temp\Outlook 로깅\test2gmailcom-Incoming-04_05_2018-14_18_32_876.log |
file | C:\Users\test22\AppData\Local\Temp\test email-5.zip |
file | C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 Setup_20200715_141303844-MSI_netfx_Full_x64.msi.txt |
file | C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000014.log |
file | C:\Users\test22\AppData\Local\Temp\test email-4.zip |
file | C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000005.log |
file | C:\Users\test22\AppData\Local\Temp\7zO4B1094CA\test.docx |
file | C:\Users\test22\AppData\Local\Temp\dd_wcf_CA_smci_20200715_051341_086.txt |
file | C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000010.log |
Bkav | W32.AIDetect.malware1 |
Elastic | malicious (high confidence) |
Cylance | Unsafe |
Sangfor | Trojan.Win32.Save.a |
Cybereason | malicious.15ec37 |
Symantec | ML.Attribute.HighConfidence |
APEX | Malicious |
Paloalto | generic.ml |
McAfee-GW-Edition | BehavesLike.Win32.Ransom.dc |
MaxSecure | Trojan.Malware.300983.susgen |
FireEye | Generic.mg.c58d5a146655600a |
Sophos | ML/PE-A |
AegisLab | Trojan.Win32.Generic.4!c |
Microsoft | Program:Win32/Wacapew.C!ml |
Cynet | Malicious (score: 100) |
Acronis | suspicious |
McAfee | Artemis!C58D5A146655 |
Rising | Malware.Heuristic!ET#99% (RDMK:cmRtazryDxR2o4l4/vaR+osAQpOI) |
SentinelOne | Static AI - Suspicious PE |
eGambit | Unsafe.AI_Score_99% |
BitDefenderTheta | Gen:NN.ZexaF.34686.ouW@a4tVGc |
CrowdStrike | win/malicious_confidence_90% (W) |