SonicALERT

Sonicwall Signatures

  Behav_21
Behav_21 is a Trojan signature. A Trojan is a program that pretends to have a legitimate use but in fact modifies the user's computer in a malicious way. Trojans do not replicate or spread to other computers on their own.

      Process Related Changes
      It creates the following mutex(es):
      • "SmartScreen_ClientId_Mutex"
      • "MSIMGSIZECacheMutex"
      • "{1B655094-FE2A-433c-A877-FF9793445069}"
      • "SmartScreen_UrsCacheMutex_2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2High_S-1-5-21-239287854-1939494589-2009181562-1001"
      • "ConnHashTable<3404>_HashTable_Mutex"
      • "IESQMMUTEX_0_208"
      • "DBWinMutex"

      It creates the following process(es):
      • C:\Program Files\Internet Explorer\iexplore.exe
      Note: most of the mutex names above (SmartScreen_*, IESQMMUTEX_*, MSIMGSIZECacheMutex, ConnHashTable<pid>_HashTable_Mutex, where the number in angle brackets is the process ID of the sandbox run and varies per execution) are created by Internet Explorer itself, and DBWinMutex is the Windows debug-output (OutputDebugString) mutex. Treat them as consequences of the iexplore.exe launch rather than as sample-specific indicators.

      Network Activity
      It attempts to connect to the following remote servers:
      • cs163.wac.edgecastcdn.net:80 (72.21.xxxxxx)
      • googleapis.l.google.com:443 (74.125xxxxxx)
      • ghs.l.google.com:80 (74.125.xxxxxx)
      • blogger.l.google.com:80 (74.125.xxxxxx)
      • certrevoc.vo.msecnd.net:80 (157.56.xxxxxx)
      • googleapis.l.google.com:80 (74.125xxxxxx)
      • goo.gl:80 (74.125.xxxxxx)
      • urs.microsoft.com.nsatc.net:443 (157.56.xxxxxx)
      • w-09.th.seeweb.it:80 (217.64.xxxxxx)
      • clients.l.google.com:80 (74.125.xxxxxx)
      • smartphonenation.com:80 (70.32.xxxxxx)
      • clients.l.google.com:443 (74.125.xxxxxx)
      • star.c10r.facebook.com:80 (31.13.xxxxxx)
      • ocsp.verisign.net:80 (199.7.xxxxxx)
      • i30.tinypic.com:80 (209.17.xxxxxx)
      • dl-balancer.x.dropbox.com:80 (23.21xxxxxx)
      • cdp1.public-trust.com:80 (64.18.xxxxxx)
      • duc-balancer.x.dropbox.com:80 (23.23.1xxxxxx)
      • mystatus.skype.com:80 (78.141.xxxxxx)
      • cs107.wac.edgecastcdn.net:80 (93.184.xxxxxx)
      • wpaudioplayer.com:80 (95.211xxxxxx)
      • crl.omniroot.com:80 (194.7.xxxxxx)
      • geoisp.virgilio.it:80 (212.48.xxxxxx)
      • jc.revolvermaps.com:80 (80.237.xxxxxx)
      • www4.l.google.com:80 (74.125.xxxxxx)
      • i32.tinypic.com:80 (209.17.xxxxxx)
      • sierrawireless.com:80 (69.10.1xxxxxx)
      • plus.l.google.com:443 (74.125.xxxxxx)
      • pagead46.l.doubleclick.net:80 (74.125.xxxxxx)
      • www3.l.google.com:80 (74.125.xxxxxx)
      Note: the OCSP/CRL hosts in this list (ocsp.verisign.net, crl.omniroot.com, cdp1.public-trust.com, certrevoc.vo.msecnd.net) are certificate-revocation checks that Internet Explorer performs by itself, and the Google, Facebook, Dropbox, tinypic, EdgeCast and DoubleClick hosts are shared infrastructure consistent with a browser rendering a page that embeds third-party widgets. When correlating across samples, weight the hosts that are not shared infrastructure rather than these.

      We observed the following DNS query/queries:
      • widgets.twimg.com
      • mystatus.skype.com
      • img1.blogblog.com
      • geoisp.virgilio.it
      • dl.dropbox.com
      • wpaudioplayer.com
      • s7.addthis.com
      • static.ak.fbcdn.net
      • static.ak.facebook.com
      • i32.tinypic.com
      • www.blogger.com
      • pagead2.googlesyndication.com
      • gtglobal-ocsp.geotrust.com
      • www.zambrini.it
      • clients1.google.com
      • cdp1.public-trust.com
      • translate.google.com
      • www.zibri.org
      • i30.tinypic.com
      • dl.dropboxusercontent.com
      • smartphonenation.com
      • s-static.ak.facebook.com
      • googleads.g.doubleclick.net
      • crl.omniroot.com
      • www.facebook.com
      • goo.gl
      • feeds.feedburner.com
      • connect.facebook.net
      • download.skype.com
      • apis.google.com
      • fonts.googleapis.com
      • jc.revolvermaps.com
      • mscrl.microsoft.com
      • crl.geotrust.com
      • clients4.google.com
      • www.download.windowsupdate.com
      • chart.googleapis.com
      • urs.microsoft.com
      • platform.twitter.com
      • www.sierrawireless.com
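      The two lists above are in the usual sandbox-report shape: "host:port (redacted IP)" lines, then bare DNS names. The triage helper below is an added example, not SonicWall's code. It parses that shape, groups observed ports per host, separates the OCSP/CRL hosts a browser contacts on its own from the remaining hosts, and lists names that were resolved but never connected to under that name (as happens when a CNAME such as dl.dropbox.com resolves to dl-balancer.x.dropbox.com). The sample report text is a constructed subset of the lines above, and the first-label rule used to recognise certificate-status hosts is an assumption.

```python
"""Triage helper for sandbox-style behaviour reports.

Added example, not SonicWall code. Parses the "host:port (ip)" connection
lines and the bare DNS-query lines of a report shaped like the one above,
then separates certificate-status traffic (OCSP/CRL fetches a browser makes
on its own) from the remaining hosts. Sample input is constructed from a
subset of the report's own lines.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the report above, same formatting.
SAMPLE_REPORT = """\
It attempts to connect to the following remote servers:
• googleapis.l.google.com:443 (74.125xxxxxx)
• certrevoc.vo.msecnd.net:80 (157.56.xxxxxx)
• w-09.th.seeweb.it:80 (217.64.xxxxxx)
• ocsp.verisign.net:80 (199.7.xxxxxx)
• dl-balancer.x.dropbox.com:80 (23.21xxxxxx)
• cdp1.public-trust.com:80 (64.18.xxxxxx)
• crl.omniroot.com:80 (194.7.xxxxxx)
• googleapis.l.google.com:80 (74.125xxxxxx)

We observed the following DNS query/queries:
• dl.dropbox.com
• crl.omniroot.com
• www.zambrini.it
• fonts.googleapis.com
"""

CONNECT_RE = re.compile(r"^\s*•\s*(?P<host>[\w.-]+):(?P<port>\d+)\s*\((?P<ip>[^)]*)\)\s*$")
DNS_RE = re.compile(r"^\s*•\s*(?P<host>[\w.-]+)\s*$")

# Assumption: a host whose first label contains "ocsp" or "crl", or is one of
# the CDP/certrevoc names seen in the report, is certificate-status traffic.
CERT_STATUS_LABELS = {"cdp1", "certrevoc"}


def parse_report(text):
    """Return (connections, dns): connections as (host, port, ip) tuples, dns as names."""
    connections, dns, section = [], [], None
    for line in text.splitlines():
        if "connect to the following" in line:
            section = "connect"
            continue
        if "DNS query" in line:
            section = "dns"
            continue
        if section == "connect":
            m = CONNECT_RE.match(line)
            if m:
                connections.append((m["host"], int(m["port"]), m["ip"]))
        elif section == "dns":
            m = DNS_RE.match(line)
            if m:
                dns.append(m["host"])
    return connections, dns


def is_cert_status_host(host):
    first = host.split(".")[0].lower()
    return "ocsp" in first or "crl" in first or first in CERT_STATUS_LABELS


def triage(connections, dns):
    """Group ports per host and split the hosts into triage buckets."""
    ports_by_host = defaultdict(set)
    for host, port, _ip in connections:
        ports_by_host[host].add(port)
    cert_status = sorted(h for h in ports_by_host if is_cert_status_host(h))
    other = sorted(h for h in ports_by_host if not is_cert_status_host(h))
    # Names resolved but never connected to under that name: CNAME chains
    # (dl.dropbox.com -> dl-balancer.x.dropbox.com) or lookups that went nowhere.
    resolved_only = sorted(set(dns) - set(ports_by_host))
    return {
        "ports_by_host": {h: sorted(p) for h, p in ports_by_host.items()},
        "cert_status": cert_status,
        "other": other,
        "resolved_only": resolved_only,
    }


def triage_report(text):
    return triage(*parse_report(text))


if __name__ == "__main__":
    for bucket, hosts in triage_report(SAMPLE_REPORT).items():
        print(bucket, hosts)
```

      The "other" bucket is where cross-sample correlation should start; the "cert_status" bucket is browser background traffic and the "resolved_only" bucket usually explains why a queried name has no matching connection line.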


      Relevant Information