Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | March 11, 2021, 3:42 p.m. | March 11, 2021, 3:45 p.m. |
-
-
-
cmd.exe "C:\Windows\system32\cmd.exe"
2300
-
-
-
explorer.exe C:\Windows\Explorer.EXE
1848
Name | Response | Post-Analysis Lookup |
---|---|---|
i.imgur.com | 151.101.24.193 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49202 -> 151.101.40.193:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49202 151.101.40.193:443 |
C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=California, L=San Francisco, O=Imgur, Inc., CN=*.imgur.com | f4:34:6e:0c:34:5f:9f:d4:b5:ef:1c:cf:a5:e9:c1:67:1b:65:2a:a7 |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
request | HEAD https://i.imgur.com/V98Ta1b.png |
request | GET https://i.imgur.com/V98Ta1b.png |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\slk.lnk |
cmdline | C:\Windows\System32\cmd.exe |
url | https://nid.naver.com/login/css/global/desktop/w_20190509.css?dt=20190509 |
url | http://www.expedia.com/favicon.ico |
url | http://uk.ask.com/favicon.ico |
url | http://www.priceminister.com/ |
url | http://google.com/ |
url | http://blogimgs.naver.com/nblog/skins/wholebox/0126_f982.gif |
url | https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38528621599152653.jpeg%22 |
url | http://www.iask.com/favicon.ico |
url | https://s.pstatic.net/static/www/mobile/edit/2020/0804/cropImg_728x360_38481254551659019.jpeg |
url | https://s.pstatic.net/shopping.phinf/20200805_10/f1e83251-9248-4d4e-8d2e-d1505a55bc83.jpg?type=f214_292 |
url | http://www.merlin.com.pl/favicon.ico |
url | http://www.cnet.com/favicon.ico |
url | https://ssl.pstatic.net/tveta/libs/assets/js/common/min/probe.min.js |
url | https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic1.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0806%2FcropImg_222x145_38626953912837677.png%22 |
url | https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct |
url | http://fpdownload.macromedia.com/pub/flashplayer/masterversion/crossdomain.xml |
url | https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png |
url | http://www.snee.com/xml/xslt/sample.doc |
url | http://www.yceml.net/0559/10408495-1499411010011 |
url | https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg |
url | https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/529.png |
url | https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22 |
url | http://blogimgs.naver.net/nblog/mylog/post/btn_cancel3.gif |
url | https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336 |
url | https://ssl.pstatic.net/static/pwe/nm/b.gif |
url | http://search.nifty.com/ |
url | https://castbox.shopping.naver.com/js/lazyload.js |
url | http://ns.adobe.com/exif/1.0/ |
url | https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg |
url | https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png |
url | https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2Fmobile_17061525298c.jpg%22 |
url | http://www.etmall.com.tw/ |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png |
url | https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0804%2Fmobile_212629657646c.jpg%22 |
url | http://search.goo.ne.jp/ |
url | http://fr.wikipedia.org/favicon.ico |
url | https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336 |
url | http://busca.estadao.com.br/favicon.ico |
url | http://search.hanafos.com/favicon.ico |
url | https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png |
url | https://tistory3.daumcdn.net/tistory/807805/skin/images/footerbg.jpg |
url | http://search.chol.com/favicon.ico |
url | https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png |
url | http://search.livedoor.com/favicon.ico |
url | https://file-examples-com.github.io/uploads/2017/02/file-sample_1MB.doc |
url | https://ssl.pstatic.net/static/common/myarea/myInfo.gif |
url | http://amazon.fr/ |
description | Listen for incoming communication | rule | network_tcp_listen | ||||||
description | Malware can spread east-west file | rule | spreading_file | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | inject_thread | ||||||
description | Hijack network configuration | rule | hijack_network | ||||||
description | Create a windows service | rule | create_service | ||||||
description | Create a COM server | rule | create_com_service | ||||||
description | Communications over UDP network | rule | network_udp_sock | ||||||
description | Listen for incoming communication | rule | network_tcp_listen | ||||||
description | Communications over Toredo network | rule | network_toredo | ||||||
description | Communications over P2P network | rule | network_p2p_win | ||||||
description | Communications over HTTP | rule | network_http | ||||||
description | File downloader/dropper | rule | network_dropper | ||||||
description | Communications over FTP | rule | network_ftp | ||||||
description | Communications over RAW socket | rule | network_tcp_socket | ||||||
description | Communications use DNS | rule | network_dns | ||||||
description | Communication using dga | rule | network_dga | ||||||
description | Escalade priviledges | rule | escalate_priv | ||||||
description | Take screenshot | rule | screenshot | ||||||
description | Run a keylogger | rule | keylogger | ||||||
description | Steal credential | rule | cred_local | ||||||
description | Record Audio | rule | sniff_audio | ||||||
description | APC queue tasks migration | rule | migrate_apc | ||||||
description | Malware can spread east-west file | rule | spreading_file | ||||||
description | Malware can spread east-west using share drive | rule | spreading_share | ||||||
description | Create or check mutex | rule | win_mutex | ||||||
description | Affect system registries | rule | win_registry | ||||||
description | Affect system token | rule | win_token | ||||||
description | Affect private profile | rule | win_private_profile | ||||||
description | Affect private profile | rule | win_files_operation | ||||||
description | Match Winsock 2 API library declaration | rule | Str_Win32_Winsock2_Library | ||||||
description | Match Windows Inet API library declaration | rule | Str_Win32_Wininet_Library | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | browser info stealer | rule | infoStealer_browser_Zero |
cmdline | C:\Windows\System32\ipconfig.exe |
host | 185.224.219.22 |
MicroWorld-eScan | Trojan.GenericKD.36317500 |
FireEye | Trojan.GenericKD.36317500 |
CAT-QuickHeal | Trojan.Pincav |
McAfee | Artemis!7A91E9D2643D |
Cylance | Unsafe |
Zillya | Trojan.Injector.Win32.828056 |
Sangfor | Exploit.Win32.ShellCode.ml |
CrowdStrike | win/malicious_confidence_100% (W) |
Alibaba | Trojan:Win32/Injector.5e5f68c7 |
K7GW | Trojan ( 00577a031 ) |
K7AntiVirus | Trojan ( 00577a031 ) |
Arcabit | Trojan.Generic.D22A293C |
Cyren | W32/Trojan.FDOJ-8490 |
Symantec | ML.Attribute.HighConfidence |
APEX | Malicious |
Avast | Win32:Trojan-gen |
Kaspersky | HEUR:Trojan.Win32.Pincav.gen |
BitDefender | Trojan.GenericKD.36317500 |
Paloalto | generic.ml |
AegisLab | Trojan.Win32.Pincav.4!c |
Tencent | Malware.Win32.Gencirc.11b9ed39 |
Ad-Aware | Trojan.GenericKD.36317500 |
Emsisoft | Trojan.GenericKD.36317500 (B) |
F-Secure | Heuristic.HEUR/AGEN.1139635 |
VIPRE | Trojan.Win32.Generic!BT |
TrendMicro | TROJ_GEN.R002C0WBB21 |
McAfee-GW-Edition | Artemis!Trojan |
Sophos | Mal/Generic-S |
Jiangmin | Trojan.Invader.dni |
Avira | HEUR/AGEN.1139635 |
Antiy-AVL | Trojan/Win32.Pincav |
Gridinsoft | Trojan.Win32.Downloader.sa |
Microsoft | Exploit:Win32/ShellCode!ml |
ZoneAlarm | HEUR:Trojan.Win32.Pincav.gen |
GData | Trojan.GenericKD.36317500 |
Cynet | Malicious (score: 85) |
AhnLab-V3 | Malware/Gen.Reputation.C4330334 |
ALYac | Trojan.GenericKD.36317500 |
MAX | malware (ai score=100) |
VBA32 | BScope.Trojan.Pincav |
Malwarebytes | MachineLearning/Anomalous.95% |
ESET-NOD32 | a variant of Win32/Injector.EONH |
TrendMicro-HouseCall | TROJ_GEN.R002C0WBB21 |
Rising | Exploit.ShellCode!8.2A (CLOUD) |
Yandex | Trojan.Pincav!BzrICGmRD9M |
Ikarus | Trojan.SuspectCRC |
MaxSecure | Trojan.Malware.73815410.susgen |
Fortinet | W32/Generik.IRRPDBW!tr |
Webroot | W32.Trojan.Gen |
AVG | Win32:Trojan-gen |