Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | July 1, 2024, 10:45 a.m. | July 1, 2024, 10:45 a.m. |
Process tree (netsh.exe child processes)
Process | PID | Command line |
---|---|---|
netsh.exe | 2632 | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
netsh.exe | 2684 | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
netsh.exe | 2740 | "C:\Windows\System32\netsh.exe" ipsec static add policy name=Block |
netsh.exe | 2796 | "C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1 |
netsh.exe | 2852 | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP |
netsh.exe | 2916 | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP |
netsh.exe | 2976 | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP |
netsh.exe | 3032 | "C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block |
netsh.exe | 2056 | "C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1 |
netsh.exe | 2104 | "C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y |
The first two invocations open Windows Firewall in both directions for the dropped mscorsvw.exe. The remaining eight build a legacy IPsec policy (Block, filter list Filter1, filter action FilteraAtion1, rule Rule1) that drops inbound TCP 135, 139 and 445 to the host, then assign it so it takes effect. The misspelling FilteraAtion1 is the sample's own and is used consistently, so the rule still binds.
DNS requests
Name | Response | Post-Analysis Lookup |
---|---|---|
www.4i7i.com | 1.226.84.135 | |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
PE resources
Name | Language | Sublanguage | Filetype | Offset | Size |
---|---|---|---|---|---|
RT_VERSION | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x0001f05c | 0x000003fc |
file | C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe |
Signatures: packer / entropy
Section | Virtual address | Virtual size | Size of data | Entropy | Finding |
---|---|---|---|---|---|
UPX1 | 0x00014000 | 0x0000b000 | 0x0000ac00 | 7.925 | A section with a high entropy has been found |
(file) | | | | 0.966 | Overall entropy of this PE file is high |
UPX0 | | | | | Section name indicates UPX |
UPX1 | | | | | Section name indicates UPX |
The 0.966 figure is not a Shannon value: it is the share of the file's section bytes that sit in high-entropy sections, here the 0xac00 bytes of UPX1 over 0xb200 bytes of section data in total (0xac00 / 0.966292 = 0xb200). UPX0 is the typical zero-size-on-disk UPX section, so almost all raw data is the compressed UPX1 payload.
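How the two entropy findings above are produced, as an added example (not code from the sandbox or from the sample): a per-section Shannon entropy, plus the file-level ratio that the Cuckoo/CAPE packer_entropy signature reports as "overall entropy", namely the share of section bytes lying in sections above the per-section threshold. The thresholds used here (6.8 bits per byte for a section, 0.2 for the file) follow my reading of that signature and are assumptions. The section data is constructed: a SHA-256 chain stands in for UPX-compressed code, and the 0x600-byte zero-filled tail is my assumption, sized so the ratio reproduces the report's 0.966.

```python
import hashlib
import math
from collections import Counter

SECTION_THRESHOLD = 6.8   # bits/byte; a section above this counts as packed or encrypted (assumed)
FILE_THRESHOLD = 0.2      # share of section bytes that must be high-entropy to flag the file (assumed)


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packer_entropy(sections):
    """sections: list of (name, raw_bytes) as laid out on disk (size_of_data bytes each).
    Returns (high-entropy sections, ratio of high-entropy bytes to all section bytes, file flagged)."""
    hits, total, high = [], 0, 0
    for name, raw in sections:
        total += len(raw)
        e = shannon_entropy(raw)
        if e > SECTION_THRESHOLD:
            high += len(raw)
            hits.append((name, len(raw), e))
    ratio = high / total if total else 0.0
    return hits, ratio, ratio > FILE_THRESHOLD


def pseudo_random(n, seed=b"constructed UPX1 payload"):
    """Deterministic high-entropy filler standing in for UPX-compressed code (constructed data)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed layout mirroring the report: UPX0 has no raw data, UPX1 holds 0xac00 bytes of
# compressed code. The 0x600-byte zero tail is an assumption chosen so the high-entropy share
# comes out at the report's 0.966 (0xac00 / 0xb200).
SAMPLE_SECTIONS = [
    ("UPX0", b""),
    ("UPX1", pseudo_random(0xAC00)),
    (".rsrc", bytes(0x600)),
]

if __name__ == "__main__":
    hits, ratio, flagged = packer_entropy(SAMPLE_SECTIONS)
    for name, size, e in hits:
        print(f"{name}: {size:#x} bytes, entropy {e:.3f}")
    print(f"high-entropy share {ratio:.3f}, file flagged: {flagged}")
```

Run on a real binary, the (name, raw_bytes) pairs come straight from the section table (PointerToRawData/SizeOfRawData); the ratio is what lets a single small encrypted section stay below the radar while a UPX-style layout, where nearly everything is compressed, scores close to 1.0.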
Signature evidence: netsh command lines (the raw report lists every invocation twice, once as the bare image name netsh.exe and once with its full path; the ten distinct invocations are consolidated to one row each)
cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add policy name=Block |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1 |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1 |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y |
Service installed
service_name | clr_optimization_v3.0.30317_32 | service_path | C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe |
Both the name and the path imitate the .NET NGEN service without matching any real one: Windows registers clr_optimization_v2.0.50727_32/_64 and clr_optimization_v4.0.30319_32/_64, and mscorsvw.exe ships only in the v2.0.50727 and v4.0.30319 framework directories. There is no CLR 3.0 and no mscorsvw.exe under v3.5 (.NET 3.0/3.5 run on CLR 2.0), so a service or firewall rule pointing there is a lookalike. Firewall allow rules added for the service binary (each listed twice in the raw report, as bare name and full path):
cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
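The netsh sequence in the process tree and the clr_optimization_v3.0.30317_32 service entry are the behaviours a responder would want to match at scale from process-creation logs (4688, Sysmon event 1). The following Python is an added example, not code from the sandbox report or from the sample: it parses the report's ten command lines (embedded verbatim), reports the firewall allow rules, the IPsec ports that end up blocked and whether the block policy was actually assigned, and flags an mscorsvw.exe or a clr_optimization_* service that is not where Windows installs the real NGEN service. The control command line pointing at the v4.0.30319 binary is constructed for the example; NGEN_DIRS and NGEN_SERVICES encode the legitimate locations and names as I know them and are the example's own.

```python
import ntpath
import re
from collections import defaultdict

# Directories where Windows installs the .NET NGEN service binary mscorsvw.exe
# (assumed set for this example; there is no mscorsvw.exe under ...\Framework\v3.5).
NGEN_DIRS = {
    r"c:\windows\microsoft.net\framework\v2.0.50727",
    r"c:\windows\microsoft.net\framework64\v2.0.50727",
    r"c:\windows\microsoft.net\framework\v4.0.30319",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
}
# Service names the real NGEN service uses (32- and 64-bit, CLR 2.0 and 4.0); assumed set.
NGEN_SERVICES = {
    "clr_optimization_v2.0.50727_32", "clr_optimization_v2.0.50727_64",
    "clr_optimization_v4.0.30319_32", "clr_optimization_v4.0.30319_64",
}

# The ten netsh invocations from the report's process tree, verbatim.
REPORT_CMDLINES = [
    r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow',
    r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow',
    r'"C:\Windows\System32\netsh.exe" ipsec static add policy name=Block',
    r'"C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1',
    r'"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP',
    r'"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP',
    r'"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP',
    r'"C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block',
    r'"C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1',
    r'"C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y',
]
# Constructed control line: same rule shape, but pointing at the genuine NGEN binary.
CONTROL_CMDLINES = [
    r'netsh.exe advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" action=allow',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(cmdline):
    """key=value arguments of a netsh command line, quotes stripped, keys lower-cased."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(cmdline)}


def masquerading_path(path):
    """True if a file named mscorsvw.exe lives outside the real NGEN directories."""
    p = path.lower()
    return ntpath.basename(p) == "mscorsvw.exe" and ntpath.dirname(p) not in NGEN_DIRS


def lookalike_ngen_service(name, path):
    """True for a clr_optimization_* service whose name or binary path is not the real one."""
    n = name.lower()
    return n.startswith("clr_optimization_") and (n not in NGEN_SERVICES or masquerading_path(path))


def classify(cmdline):
    """Map one netsh command line to the firewall/IPsec step it performs."""
    low, kv = cmdline.lower(), parse_kv(cmdline)
    if "advfirewall firewall add rule" in low and kv.get("action") == "allow" and "program" in kv:
        return {"kind": "firewall_allow_program", "program": kv["program"],
                "masquerade": masquerading_path(kv["program"])}
    if "ipsec static add filter " in low and "dstport" in kv:   # "add filter", not "add filterlist"
        return {"kind": "ipsec_filter", "port": int(kv["dstport"]), "proto": kv.get("protocol")}
    if "ipsec static add filteraction" in low:
        return {"kind": "ipsec_filteraction", "name": kv.get("name"), "action": kv.get("action")}
    if "ipsec static add filterlist" in low:
        return {"kind": "ipsec_filterlist", "name": kv.get("name")}
    if "ipsec static add policy" in low:
        return {"kind": "ipsec_policy", "name": kv.get("name")}
    if "ipsec static add rule" in low:
        return {"kind": "ipsec_rule", "policy": kv.get("policy"), "filteraction": kv.get("filteraction")}
    if "ipsec static set policy" in low and kv.get("assign", "").lower() in ("y", "yes"):
        return {"kind": "ipsec_policy_assigned", "policy": kv.get("name")}
    return {"kind": "other"}


def triage(cmdlines):
    """Summarise a batch of command lines into the behaviours a responder cares about."""
    by_kind = defaultdict(list)
    for c in cmdlines:
        r = classify(c)
        by_kind[r["kind"]].append(r)
    allows = by_kind["firewall_allow_program"]
    block_actions = {f["name"] for f in by_kind["ipsec_filteraction"] if f["action"] == "block"}
    block_rules = [r for r in by_kind["ipsec_rule"] if r["filteraction"] in block_actions]
    blocked_ports = sorted({f["port"] for f in by_kind["ipsec_filter"]}) if block_rules else []
    assigned = {r["policy"] for r in by_kind["ipsec_policy_assigned"]}
    # A block rule only bites once its policy is assigned (the final "set policy ... assign=y").
    active = any(r["policy"] in assigned for r in block_rules)
    return {
        "firewall_allow_programs": sorted({a["program"] for a in allows}),
        "masquerading_programs": sorted({a["program"] for a in allows if a["masquerade"]}),
        "ipsec_blocked_ports": blocked_ports,
        "ipsec_policy_assigned": active,
        "smb_rpc_inbound_blocked": active and {135, 139, 445} <= set(blocked_ports),
    }


if __name__ == "__main__":
    print(triage(REPORT_CMDLINES))
    print(lookalike_ngen_service("clr_optimization_v3.0.30317_32",
                                 r"C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe"))
```

The bare-name form that the signature list uses (netsh.exe ipsec static ...) parses the same as the full-path form, so the same triage can run over whichever variant the log source records; the policy-assignment check matters because "netsh ipsec static add" alone changes nothing until "set policy ... assign=y".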
Antivirus detections (vendor names cluster on the Farfli/Zegost backdoor family; Malwarebytes and BitDefenderTheta flag the UPX packing rather than the payload)
Engine | Result |
---|---|
Bkav | W32.AIDetectMalware |
Lionic | Trojan.Win32.Farfli.4!c |
Elastic | malicious (moderate confidence) |
MicroWorld-eScan | Gen:Heur.Mint.Zard.30 |
CAT-QuickHeal | Trojan.Aksula.A |
Skyhigh | BehavesLike.Win32.Generic.pc |
McAfee | Artemis!3D3AEDFAEAF3 |
Cylance | Unsafe |
VIPRE | Gen:Heur.Mint.Zard.30 |
Sangfor | Suspicious.Win32.Save.a |
K7AntiVirus | Trojan ( 0040f7ad1 ) |
BitDefender | Gen:Heur.Mint.Zard.30 |
K7GW | Trojan ( 0040f7ad1 ) |
Cybereason | malicious.aeaf39 |
Arcabit | Trojan.Mint.Zard.30 |
Baidu | Win32.Trojan.Farfli.bg |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | a variant of Win32/Farfli.JU |
APEX | Malicious |
Avast | Win32:Evo-gen [Trj] |
Cynet | Malicious (score: 100) |
Kaspersky | UDS:Trojan.Win32.Generic |
Alibaba | Backdoor:Win32/Zegost.24e518cf |
Rising | Backdoor.Farfli!1.B6C5 (CLOUD) |
Emsisoft | Gen:Heur.Mint.Zard.30 (B) |
F-Secure | Trojan.TR/Crypt.FKM.Gen |
DrWeb | Trojan.Siggen28.63414 |
Zillya | Trojan.Farfli.Win32.91278 |
TrendMicro | TROJ_GEN.R002C0DFL24 |
McAfeeD | Real Protect-LS!3D3AEDFAEAF3 |
Trapmine | malicious.moderate.ml.score |
FireEye | Generic.mg.3d3aedfaeaf39544 |
Sophos | Mal/Behav-160 |
Ikarus | Backdoor.Win32.Zegost |
Jiangmin | Trojan.Generic.hoagb |
Detected | |
Avira | TR/Crypt.FKM.Gen |
Antiy-AVL | Trojan/Win32.Farfli |
Kingsoft | malware.kb.b.888 |
Gridinsoft | Trojan.Win32.Agent.sa |
Xcitium | Backdoor.Win32.Zegost.c@4m3x9i |
Microsoft | Backdoor:Win32/Zegost!pz |
ZoneAlarm | UDS:DangerousObject.Multi.Generic |
GData | Gen:Heur.Mint.Zard.30 |
Varist | W32/KillAV.AU.gen!Eldorado |
AhnLab-V3 | Backdoor/Win.NG.R582744 |
BitDefenderTheta | AI:Packer.BC223D901F |
DeepInstinct | MALICIOUS |
VBA32 | BScope.TrojanDDoS.Macri |
Malwarebytes | Trojan.Farfli.UPX |