Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | July 3, 2024, 7:51 a.m. | July 3, 2024, 7:55 a.m. |
Process | Command line | PID |
---|---|---|
AdobeART.exe | C:\Users\test22\AppData\Roaming\AdobeART.exe | 2400 |
Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | 2280 |
Name | Response | Post-Analysis Lookup |
---|---|---|
docs.google.com | 172.217.25.174 | |
xred.mooo.com | | |
drive.usercontent.google.com | 142.250.207.97 | |
www.dropbox.com | CNAME www-env.dropbox-dns.com; 162.125.84.18 | |
freedns.afraid.org | 69.42.215.252 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.103:52760 -> 164.124.101.2:53 | 2015633 | ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com | Misc activity |
TCP 192.168.56.103:49176 -> 162.125.84.18:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49177 -> 162.125.84.18:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49175 -> 142.251.220.1:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49174 -> 142.251.220.78:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49175 -> 142.251.220.1:443 | C=US, O=Google Trust Services, CN=WR2 | CN=*.usercontent.google.com | 15:4e:0d:a6:4d:d4:a6:dd:fe:74:84:e2:59:43:bc:97:c9:df:4c:82 |
TLSv1 192.168.56.103:49174 -> 142.251.220.78:443 | C=US, O=Google Trust Services, CN=WR2 | CN=*.google.com | 5e:16:23:df:7d:42:8e:61:6e:aa:4a:cc:fb:08:1a:b9:8f:fa:e0:a2 |
Signature Details
Type | Value |
---|---|
file | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
section | CODE |
section | DATA |
section | BSS |
domain | xred.mooo.com |
request | GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 |
request | GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download |
request | GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download |
request | GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download |
request | GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download |
description | AdobeART.exe tried to sleep 215 seconds, actually delayed analysis time by 215 seconds |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe |
domain | docs.google.com |
file | C:\Program Files (x86)\Mozilla Thunderbird\pingsender.exe |
file | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\OLicenseHeartbeat.exe |
file | C:\Program Files (x86)\Hnc\HncUtils\HncUpdate.exe |
file | C:\Program Files (x86)\Microsoft Office\Office15\ACCICONS.EXE |
file | C:\Program Files (x86)\Mozilla Thunderbird\plugin-container.exe |
file | C:\Program Files (x86)\Microsoft Office\Office15\PDFREFLOW.EXE |
file | C:\util\curl\curl.exe |
file | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe |
file | C:\Program Files (x86)\Microsoft Office\Office15\WORDICON.EXE |
file | C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe |
file | C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleUpdate.exe |
file | C:\Program Files (x86)\Microsoft Office\Office15\GROOVE.EXE |
file | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe |
file | C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssvagent.exe |
file | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe |
file | C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleUpdateBroker.exe |
file | C:\Windows\svchost.com |
file | C:\Python27\Scripts\easy_install.exe |
file | C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\ose.exe |
file | C:\ProgramData\Oracle\Java\javapath\java.exe |
file | C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.102\GoogleUpdateSetup.exe |
file | C:\Program Files (x86)\Microsoft Office\Office15\CNFNOT32.EXE |
file | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\MSOICONS.EXE |
file | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\Office Setup Controller\ODeploy.exe |
file | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\LICLUA.EXE |
file | C:\Program Files (x86)\Google\Update\1.3.36.101\GoogleCrashHandler64.exe |
file | C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe |
file | C:\Program Files (x86)\Java\jre1.8.0_131\bin\unpack200.exe |
file | C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE |
file | C:\Program Files (x86)\Hnc\Hwp80\HwpFinder.exe |
file | C:\Program Files (x86)\Hnc\HncUtils\HncInfo.exe |
file | C:\Program Files (x86)\EditPlus\editplus.exe |
file | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\CSISYNCCLIENT.EXE |
file | C:\Program Files (x86)\Microsoft Office\Office15\DCF\DATABASECOMPARE.EXE |
file | C:\Python27\Lib\site-packages\pip\_vendor\distlib\t64.exe |
file | C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\setup.exe |
file | C:\Program Files (x86)\Hnc\Hwp80\HwpPrnMng.exe |
file | C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe |
file | C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe |
file | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe |
file | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\FLTLDR.EXE |
file | C:\Program Files (x86)\Common Files\Adobe\__ARM\1.0\AdobeARM.exe |
file | C:\Program Files (x86)\Mozilla Thunderbird\minidump-analyzer.exe |
file | C:\Program Files (x86)\Google\Update\Install\{9946EF02-26CF-4F0D-BC28-8677420F30DD}\GoogleUpdateSetup.exe |
file | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe |
file | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE |
file | C:\Program Files (x86)\Mozilla Thunderbird\crashreporter.exe |
file | C:\Program Files (x86)\Microsoft Office\Office15\OcPubMgr.exe |
file | C:\Program Files (x86)\Microsoft Office\Office15\misc.exe |
file | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Setup.exe |
cmdline | "C:\Windows\svchost.com" "C:\Users\test22\AppData\Roaming\AdobeART.exe" |
domain | www.dropbox.com |
file | C:\Users\test22\AppData\Local\Temp\3582-490\Build.exe |
file | C:\Users\test22\AppData\Local\Temp\._cache_Build.exe |
file | C:\Windows\svchost.com |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe |
file | C:\Users\test22\AppData\Local\Temp\._cache_Build.exe |
file | C:\Users\test22\AppData\Local\Temp\3582-490\Build.exe |
host | 45.141.26.232 |
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default) | reg_value | C:\Windows\svchost.com "%1" %* |
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? | reg_value | C:\ProgramData\Synaptics\Synaptics.exe |
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART | reg_value | C:\Users\test22\AppData\Roaming\AdobeART.exe |
mutex | IPKMutex |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob |
process | Synaptics.exe | useragent | MyApp |
process | Synaptics.exe | useragent | Synaptics.exe |
Antivirus Results
Engine | Detection |
---|---|
Bkav | W32.HanGu.PE |
Lionic | Virus.Win32.Neshta.tntj |
Elastic | malicious (high confidence) |
Cynet | Malicious (score: 100) |
CAT-QuickHeal | W32.Neshta.B |
Skyhigh | BehavesLike.Win32.HLLP.ch |
ALYac | Win32.Nestha.C |
Cylance | Unsafe |
VIPRE | Win32.Nestha.C |
Sangfor | Virus.Win32.Neshta.a |
K7AntiVirus | Virus ( 00556e571 ) |
BitDefender | Win32.Nestha.C |
K7GW | Virus ( 00556e571 ) |
Cybereason | malicious.674c67 |
Arcabit | Win32.Nestha.C |
Baidu | Win32.Virus.Neshta.a |
Symantec | W32.Neshuta |
tehtris | Generic.Malware |
ESET-NOD32 | Win32/Neshta.B |
APEX | Malicious |
McAfee | W32/HLLP.41472 |
Avast | Other:Malware-gen [Trj] |
ClamAV | Win.Trojan.Emotet-9850453-0 |
Kaspersky | Virus.Win32.Neshta.b |
Alibaba | Virus:Win32/Neshta.3bb |
NANO-Antivirus | Virus.Win32.Neshta.fnxshx |
MicroWorld-eScan | Win32.Nestha.C |
Rising | Virus.Synaptics!1.E51C (CLASSIC) |
Emsisoft | Win32.Nestha.C (B) |
F-Secure | Trojan:W97M/MaliciousMacro.GEN |
DrWeb | Win32.HLLP.Neshta |
Zillya | Virus.Neshta.Win32.2 |
TrendMicro | PE_NESHTA.A |
McAfeeD | Real Protect-LS!2F6F4F9674C6 |
Trapmine | malicious.high.ml.score |
FireEye | Generic.mg.2f6f4f9674c6721b |
Sophos | W32/Neshta-D |
Ikarus | Virus.Win32.Neshta |
Jiangmin | Virus.Neshta.b |
Webroot | W32.Virus.B |
Detected | |
Avira | W32/Delf.I |
MAX | malware (ai score=86) |
Antiy-AVL | Virus/Win32.Neshta.b |
Kingsoft | Win32.Neshta.a.41472 |
Gridinsoft | Trojan.Win32.Gen.tr |
Xcitium | Win32.Neshta.B@3z07 |
Microsoft | Virus:Win32/Neshta.B |
ViRobot | Win32.Neshta.Gen.A |
ZoneAlarm | Virus.Win32.Neshta.b |