| Category | Machine | Started | Completed |
|---|---|---|---|
| URL | s1_win7_x6402 | July 9, 2024, 9:33 p.m. | July 9, 2024, 9:35 p.m. |
| URL | https://l.facebook.com/l.php?u=https://jumpseller.s3.eu-west-1.amazonaws.com/store/store5/assets/0DlBptEf2ucAMWLVhICY.xml?3ZWnWh6lF7YOyvbrJnAH?3ZWnWh6lF7YOyvbrJnAH?u=https://app.alibaba.com/dynamiclink?medium_source=facebook&traffic_type=install&field=UG&schema=enalibaba://oneSight?biz=dpa&keyword=Cricket&product_id=10000002872855&pcate=202017804&from=cpm_fb&kpi=abrate&tagId=10000002872855&categoryId=202017804&categoryName=Cricket&traffic_type=install&field=UG&fbclid=IwAR0FLnSeScwkIjojGGpbgrP8Nb8rCjOxC_Bw_9e4HNK9YZUQ-mmn4qNfTcg&h=AT2sib1bjmYXmw0YZ7em-OROLzWKd3Cwg1n4p716uPjxfW28kE1xSaJOhB1Ki5L0jpTi9EoEFVqUTsDfbrHDqnTg1TsTQFZDFzoCEH-46GQgXIOoZ6Wno_wFX65Fw_pMqWD_v5sAr43_rtlgkvuqKQ&medium_source=facebook&channel_url=https://staticxx.-.com/connect/xd_arbiter/r/__Bz3h5RzMx.js?version=43%23cb=f2c4458ac9011a8&domain=www.-.com&origin=https://www.-.com/&h=AT01NiNROZ8p941O0N0aTu1eTEc68z48cS0k-Fomk3H3l-zlM9fzup-7MGpKVLX7ayzNVdFs6-lQLRoUAiw5DkT8cTkKxDbImOguZjIP8xADMSwjdKQfTRN4mLuIOu0yOUYKdO0mQEmLV87HEw&__tn__=R]-R&c[0]=AT3aP2k6Zb16XplKkQVQ64l2VOTR41AI18J_pwf7G868nNJ_VO3g4LelPUfwot5YbRGO5vLS8piMWZOaflLT30VoDNGCktZ8itJ_WwtaXr7cHRu1iQbNL-KPd79CxXBML7iK5I079begvW4P-Gg |
|---|
-
iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" https://l.facebook.com/l.php?u=https://jumpseller.s3.eu-west-1.amazonaws.com/store/store5/assets/0DlBptEf2ucAMWLVhICY.xml?3ZWnWh6lF7YOyvbrJnAH?3ZWnWh6lF7YOyvbrJnAH?u=https://app.alibaba.com/dynamiclink?medium_source=facebook&traffic_type=install&field=UG&schema=enalibaba://oneSight?biz=dpa&keyword=Cricket&product_id=10000002872855&pcate=202017804&from=cpm_fb&kpi=abrate&tagId=10000002872855&categoryId=202017804&categoryName=Cricket&traffic_type=install&field=UG&fbclid=IwAR0FLnSeScwkIjojGGpbgrP8Nb8rCjOxC_Bw_9e4HNK9YZUQ-mmn4qNfTcg&h=AT2sib1bjmYXmw0YZ7em-OROLzWKd3Cwg1n4p716uPjxfW28kE1xSaJOhB1Ki5L0jpTi9EoEFVqUTsDfbrHDqnTg1TsTQFZDFzoCEH-46GQgXIOoZ6Wno_wFX65Fw_pMqWD_v5sAr43_rtlgkvuqKQ&medium_source=facebook&channel_url=https://staticxx.-.com/connect/xd_arbiter/r/__Bz3h5RzMx.js?version=43%23cb=f2c4458ac9011a8&domain=www.-.com&origin=https://www.-.com/&h=AT01NiNROZ8p941O0N0aTu1eTEc68z48cS0k-Fomk3H3l-zlM9fzup-7MGpKVLX7ayzNVdFs6-lQLRoUAiw5DkT8cTkKxDbImOguZjIP8xADMSwjdKQf
2204-
iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2204 CREDAT:145409
2264
-
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| fbcdn.net | 157.240.215.35 | |
| facebook.com | 157.240.215.35 | |
| m.facebook.com | 157.240.215.35 | |
| static.xx.fbcdn.net |
CNAME
scontent.xx.fbcdn.net
|
157.240.215.14 |
| fbsbx.com | 157.240.215.35 | |
| www.facebook.com | 157.240.215.35 | |
| l.facebook.com |
CNAME
z-m.c10r.facebook.com
|
157.240.215.36 |
Suricata Alerts
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.102:49165 157.240.215.36:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 63:4c:9e:25:64:c9:8f:f3:7b:2d:d0:9e:50:51:b6:08:3a:d5:e4:f6 |
|
TLSv1 192.168.56.102:49170 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 63:4c:9e:25:64:c9:8f:f3:7b:2d:d0:9e:50:51:b6:08:3a:d5:e4:f6 |
|
TLSv1 192.168.56.102:49172 157.240.215.14:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 63:4c:9e:25:64:c9:8f:f3:7b:2d:d0:9e:50:51:b6:08:3a:d5:e4:f6 |
|
TLSv1 192.168.56.102:49164 157.240.215.36:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 63:4c:9e:25:64:c9:8f:f3:7b:2d:d0:9e:50:51:b6:08:3a:d5:e4:f6 |
|
TLSv1 192.168.56.102:49167 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 63:4c:9e:25:64:c9:8f:f3:7b:2d:d0:9e:50:51:b6:08:3a:d5:e4:f6 |
|
TLSv1 192.168.56.102:49180 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net | 3e:95:2a:6e:4e:12:ce:56:7f:27:07:30:60:cd:a7:b9:5a:57:5b:2a |
|
TLSv1 192.168.56.102:49176 157.240.215.14:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 63:4c:9e:25:64:c9:8f:f3:7b:2d:d0:9e:50:51:b6:08:3a:d5:e4:f6 |
|
TLSv1 192.168.56.102:49179 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net | 3e:95:2a:6e:4e:12:ce:56:7f:27:07:30:60:cd:a7:b9:5a:57:5b:2a |
|
TLSv1 192.168.56.102:49171 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 63:4c:9e:25:64:c9:8f:f3:7b:2d:d0:9e:50:51:b6:08:3a:d5:e4:f6 |
|
TLSv1 192.168.56.102:49175 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 63:4c:9e:25:64:c9:8f:f3:7b:2d:d0:9e:50:51:b6:08:3a:d5:e4:f6 |
|
TLSv1 192.168.56.102:49182 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net | 3e:95:2a:6e:4e:12:ce:56:7f:27:07:30:60:cd:a7:b9:5a:57:5b:2a |
|
TLSv1 192.168.56.102:49173 157.240.215.14:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 63:4c:9e:25:64:c9:8f:f3:7b:2d:d0:9e:50:51:b6:08:3a:d5:e4:f6 |
|
TLSv1 192.168.56.102:49168 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 63:4c:9e:25:64:c9:8f:f3:7b:2d:d0:9e:50:51:b6:08:3a:d5:e4:f6 |
|
TLSv1 192.168.56.102:49174 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 63:4c:9e:25:64:c9:8f:f3:7b:2d:d0:9e:50:51:b6:08:3a:d5:e4:f6 |
|
TLSv1 192.168.56.102:49177 157.240.215.14:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com | 63:4c:9e:25:64:c9:8f:f3:7b:2d:d0:9e:50:51:b6:08:3a:d5:e4:f6 |
|
TLSv1 192.168.56.102:49181 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=fbcdn.net | 3e:95:2a:6e:4e:12:ce:56:7f:27:07:30:60:cd:a7:b9:5a:57:5b:2a |
|
TLSv1 192.168.56.102:49178 157.240.215.14:443 |
None | None | None |
| request | GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml |
| request | GET https://l.facebook.com/l.php?u=https://jumpseller.s3.eu-west-1.amazonaws.com/store/store5/assets/0DlBptEf2ucAMWLVhICY.xml?3ZWnWh6lF7YOyvbrJnAH?3ZWnWh6lF7YOyvbrJnAH?u=https://app.alibaba.com/dynamiclink?medium_source=facebook&traffic_type=install&field=UG&schema=enalibaba://oneSight?biz=dpa&keyword=Cricket&product_id=10000002872855&pcate=202017804&from=cpm_fb&kpi=abrate&tagId=10000002872855&categoryId=202017804&categoryName=Cricket&traffic_type=install&field=UG&fbclid=IwAR0FLnSeScwkIjojGGpbgrP8Nb8rCjOxC_Bw_9e4HNK9YZUQ-mmn4qNfTcg&h=AT2sib1bjmYXmw0YZ7em-OROLzWKd3Cwg1n4p716uPjxfW28kE1xSaJOhB1Ki5L0jpTi9EoEFVqUTsDfbrHDqnTg1TsTQFZDFzoCEH-46GQgXIOoZ6Wno_wFX65Fw_pMqWD_v5sAr43_rtlgkvuqKQ&medium_source=facebook&channel_url=https://staticxx.-.com/connect/xd_arbiter/r/__Bz3h5RzMx.js?version=43%23cb=f2c4458ac9011a8&domain=www.-.com&origin=https://www.-.com/&h=AT01NiNROZ8p941O0N0aTu1eTEc68z48cS0k-Fomk3H3l-zlM9fzup-7MGpKVLX7ayzNVdFs6-lQLRoUAiw5DkT8cTkKxDbImOguZjIP8xADMSwjdKQf |
| request | GET https://l.facebook.com/l.php?u=https%3A%2F%2Fjumpseller.s3.eu-west-1.amazonaws.com%2Fstore%2Fstore5%2Fassets%2F0DlBptEf2ucAMWLVhICY.xml%3F3ZWnWh6lF7YOyvbrJnAH%3F3ZWnWh6lF7YOyvbrJnAH%3Fu%3Dhttps%3A%2F%2Fapp.alibaba.com%2Fdynamiclink%3Fmedium_source%3Dfacebook&h=AT1obHn9DopNwORveXPj0XvXlunAn_I02Q6VPiWjsC-Lnn6F-4fS3j3tzMjWWTgTEYYu6pUzLUgbLz99rBSkS9sgLPTgWyT6C_F5fR_z6EbPC8dz2fpRHA |
| request | GET https://www.facebook.com/flx/warn/?u=https%3A%2F%2Fjumpseller.s3.eu-west-1.amazonaws.com%2Fstore%2Fstore5%2Fassets%2F0DlBptEf2ucAMWLVhICY.xml%3F3ZWnWh6lF7YOyvbrJnAH%3F3ZWnWh6lF7YOyvbrJnAH%3Fu%3Dhttps%3A%2F%2Fapp.alibaba.com%2Fdynamiclink%3Fmedium_source%3Dfacebook&h=AT1cKE7-ZeDsubK_dW8Y2XclCpIAD-hQSnRkfS5MsfMKzKqNxNUljBNN9BwQ_kj9GSxg2YBhKU_9WPKUPy5CnzMDLM0sEflP0jQyEFdeqdH99uFTS3c_Ww |
| request | GET https://m.facebook.com/flx/warn/?u=https%3A%2F%2Fjumpseller.s3.eu-west-1.amazonaws.com%2Fstore%2Fstore5%2Fassets%2F0DlBptEf2ucAMWLVhICY.xml%3F3ZWnWh6lF7YOyvbrJnAH%3F3ZWnWh6lF7YOyvbrJnAH%3Fu%3Dhttps%3A%2F%2Fapp.alibaba.com%2Fdynamiclink%3Fmedium_source%3Dfacebook&h=AT1cKE7-ZeDsubK_dW8Y2XclCpIAD-hQSnRkfS5MsfMKzKqNxNUljBNN9BwQ_kj9GSxg2YBhKU_9WPKUPy5CnzMDLM0sEflP0jQyEFdeqdH99uFTS3c_Ww&_rdr |
| request | GET https://static.xx.fbcdn.net/rsrc.php/v3/y8/r/k97pj8-or6s.png |
| request | GET https://static.xx.fbcdn.net/rsrc.php/v3/y6/r/l7jFXMc3gVH.png |
| request | GET https://facebook.com/security/hsts-pixel.gif?c=3.2 |
| request | GET https://static.xx.fbcdn.net/rsrc.php/v3/y2/r/Sku_Kc8l2qU.png |
| request | GET https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/nUs9RS26D1m.png |
| request | GET https://static.xx.fbcdn.net/rsrc.php/v3/yc/r/ZXwOcP9E7mM.png |
| request | GET https://fbcdn.net/security/hsts-pixel.gif?c=2 |
| request | GET https://fbsbx.com/security/hsts-pixel.gif |
| request | GET https://m.facebook.com/favicon.ico |
| url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/941.png |
| url | http://www.expedia.com/favicon.ico |
| url | https://s.pstatic.net/shopping.phinf/20211101_9/6565979b-3e08-4e3d-8514-b2a585c9e46e.jpg |
| url | http://uk.ask.com/favicon.ico |
| url | http://www.priceminister.com/ |
| url | https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png |
| url | https://googleads.g.doublecli |
| url | http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0 |
| url | https://s.pstatic.net/static/www/mobile/edit/20210930/mobile_161522481722.png |
| url | http://175.208.134.150:8282/test/test.eml |
| url | http://www.disig.sk/ca/crl/ca_disig.crl0 |
| url | http://ru.wikipedia.org/ |
| url | http://ocsp.infonotary.com/responder.cgi0V |
| url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0 |
| url | https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fpost.phinf%2FMjAyMTEwMjhfODMg%2FMDAxNjM1NDI3NzQ2NzIy.2dYtsiaZ54mXegxs67agf9wcR5tmDGp1Y4ohBZFgiUwg.sAd2wiczLBiMlHpQAGWMveuOZYV34C-EKWqJcJjoopsg.PNG%2FItRl8seMrlvR8kMW8HHc2emHOvVs.jpg%22 |
| url | http://www.merlin.com.pl/favicon.ico |
| url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/477.png |
| url | http://www.cnet.com/favicon.ico |
| url | https://www.semicolonworld.com/public/editor/styles/simditor.css |
| url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0 |
| url | https://rcaptcha.nid.naver.com/rcaptCss?key=f2ZNjcOIuG0ASz |
| url | https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct |
| url | http://crl.oces.certifikat.dk/oces.crl0 |
| url | http://www.yceml.net/0559/10408495-1499411010011 |
| url | https://ssl.pstatic.net/tveta/libs/1364/1364526/a5068a6f44555ea499da_20211029164146193.jpg |
| url | http://t.static.blog.naver.net/mylog/versioning/JindoComponent-190469086.js |
| url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/529.png |
| url | http://blogimgs.naver.net/nblog/mylog/post/btn_cancel3.gif |
| url | https://siape.veta.naver.com/fxshow?su=SU10599 |
| url | https://s.pstatic.net/shopping.phinf/20211013_2/ee5c113b-bfae-4cf3-81e3-2ba12403fc6d.jpg |
| url | https://ssl.pstatic.net/static/pwe/nm/b.gif |
| url | http://search.nifty.com/ |
| url | https://castbox.shopping.naver.com/js/lazyload.js |
| url | https://ssl.pstatic.net/tveta/libs/1339/1339221/f1a87c541e410a8250af_20211006100906815.jpg |
| url | http://ns.adobe.com/exif/1.0/ |
| url | https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg |
| url | https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png |
| url | http://www.etmall.com.tw/ |
| url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png |
| url | https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F20211012_1095%2Fupload_1634015607233BeFLd.JPEG%22 |
| url | http://crl.chambersign.org/publicnotaryroot.crl0 |
| url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png |
| url | http://search.goo.ne.jp/ |
| url | http://fr.wikipedia.org/favicon.ico |
| url | http://busca.estadao.com.br/favicon.ico |
| url | http://search.hanafos.com/favicon.ico |
| url | https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F20211029_1095%2Fupload_1635469564183PpB2J.jpg%22 |
| url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/038.png |
| url | http://search.chol.com/favicon.ico |
| url | https://ssl.pstatic.net/static/pwe/address/deskhome/spr_cp_loading.png |
| description | Create a windows service | rule | Create_Service | ||||||
| description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
| description | Communication using DGA | rule | Network_DGA | ||||||
| description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
| description | Take ScreenShot | rule | ScreenShot | ||||||
| description | Escalate priviledges | rule | Escalate_priviledges | ||||||
| description | Steal credential | rule | local_credential_Steal | ||||||
| description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
| description | Hijack network configuration | rule | Hijack_Network | ||||||
| description | Record Audio | rule | Sniff_Audio | ||||||
| description | Communications over HTTP | rule | Network_HTTP | ||||||
| description | Communications use DNS | rule | Network_DNS | ||||||
| description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
| description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
| description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
| description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
| description | (no description) | rule | DebuggerHiding__Thread | ||||||
| description | (no description) | rule | DebuggerHiding__Active | ||||||
| description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
| description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
| description | (no description) | rule | ThreadControl__Context | ||||||
| description | (no description) | rule | SEH__vectored | ||||||
| description | (no description) | rule | Check_Dlls | ||||||
| description | Checks if being debugged | rule | anti_dbg | ||||||
| description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
| description | Bypass DEP | rule | disable_dep | ||||||
| description | Affect hook table | rule | win_hook | ||||||
| description | File Downloader | rule | Network_Downloader | ||||||
| description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
| description | Install itself for autorun at Windows startup | rule | Persistence | ||||||
| description | Communications over FTP | rule | Network_FTP | ||||||
| description | Run a KeyLogger | rule | KeyLogger | ||||||
| description | Communications over P2P network | rule | Network_P2P_Win | ||||||
| description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
| description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
| description | (no description) | rule | DebuggerHiding__Thread | ||||||
| description | (no description) | rule | DebuggerHiding__Active | ||||||
| description | (no description) | rule | ThreadControl__Context | ||||||
| description | (no description) | rule | SEH__vectored | ||||||
| description | Checks if being debugged | rule | anti_dbg | ||||||
| description | Bypass DEP | rule | disable_dep | ||||||
| description | Create a windows service | rule | Create_Service | ||||||
| description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
| description | Communication using DGA | rule | Network_DGA | ||||||
| description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
| description | Take ScreenShot | rule | ScreenShot | ||||||
| description | Escalate priviledges | rule | Escalate_priviledges | ||||||
| description | Steal credential | rule | local_credential_Steal | ||||||
| description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
| description | Hijack network configuration | rule | Hijack_Network | ||||||
| cmdline | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2204 CREDAT:145409 |
| host | 117.18.232.200 | |||
| url | http://175.208.134.150:8282/test/test.eml |
| url | http://175.208.134.150:8282/favicon.ico |
| url | http://192.168.3.119/ |
| url | https://192.168.3.119/ |