
Advanced Threat Protection research

I am having trouble determining what is happening here. I see the source is Google DNS, the destination is my internal DNS server, and the threat is clickmatters.biz. How do I track this down to find out what is going on? I checked web logs to see if anyone went to this site, nothing found. It all happened around 2:25am while the office was closed. Thanks for any direction.
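When the firewall alert shows Google DNS as the source and the internal DNS server as the destination, the firewall has only seen the resolver's upstream lookup, not the workstation that asked for the name. The originating client is recorded in the internal DNS server's own query log. The following is an added example of that triage step (my code, not the poster's and not a Sophos tool): it parses BIND-style query-log lines (assumed format; Windows DNS debug logs use a different layout and would need a different regex), keeps lookups of the flagged domain or any of its subdomains within a window around the alert time, and counts them per client. The log lines are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in BIND-style query-log format (assumption: the
# internal resolver logs queries this way). Client IPs are made up.
SAMPLE_QUERY_LOG = """\
17-Mar-2022 02:24:58.102 client @0x7f3c1c0b0f80 10.0.5.23#53214 (clickmatters.biz): query: clickmatters.biz IN A + (10.0.0.2)
17-Mar-2022 02:25:01.330 client @0x7f3c1c0b0f80 10.0.5.23#53215 (clickmatters.biz): query: clickmatters.biz IN AAAA + (10.0.0.2)
17-Mar-2022 02:25:02.004 client @0x7f3c1c0b1234 10.0.7.41#60123 (update.googleapis.com): query: update.googleapis.com IN A + (10.0.0.2)
17-Mar-2022 02:26:10.771 client @0x7f3c1c0b2222 10.0.9.8#49152 (www.clickmatters.biz): query: www.clickmatters.biz IN A + (10.0.0.2)
17-Mar-2022 09:15:44.500 client @0x7f3c1c0b3333 10.0.5.23#53300 (clickmatters.biz): query: clickmatters.biz IN A + (10.0.0.2)
"""

# Tolerates the optional "@0x..." client handle that newer BIND versions print.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for every parseable line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # unrelated log lines (notices, errors) are skipped
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        qname = m.group("qname").rstrip(".").lower()
        yield ts, m.group("client"), qname, m.group("qtype")


def domain_matches(qname, domain):
    """True for the domain itself or any subdomain; 'evilclickmatters.biz' does not match."""
    return qname == domain or qname.endswith("." + domain)


def clients_that_queried(text, domain, alert_time, window_minutes=5):
    """Return sorted (timestamp_iso, client_ip, qname) hits within +/- window of the alert."""
    if isinstance(alert_time, str):
        alert_time = datetime.fromisoformat(alert_time)
    lo = alert_time - timedelta(minutes=window_minutes)
    hi = alert_time + timedelta(minutes=window_minutes)
    hits = []
    for ts, client, qname, _qtype in parse_query_log(text):
        if domain_matches(qname, domain.lower()) and lo <= ts <= hi:
            hits.append((ts.isoformat(timespec="milliseconds"), client, qname))
    return sorted(hits)


def count_by_client(hits):
    """Collapse hits into {client_ip: number_of_lookups} to see which hosts to examine."""
    return dict(Counter(client for _ts, client, _qname in hits))


if __name__ == "__main__":
    # Alert fired around 02:25 on 17 Mar 2022 (the time the poster mentions).
    found = clients_that_queried(SAMPLE_QUERY_LOG, "clickmatters.biz", "2022-03-17T02:25:00")
    for ts, client, qname in found:
        print(f"{ts}  {client:<12} {qname}")
    print("per client:", count_by_client(found))
```

The per-client counts tell you which endpoints to pull process and network telemetry from; the 09:15 lookup in the sample falls outside the window and is deliberately ignored, so widen `window_minutes` if the alert timestamp and the resolver's clock are not in sync.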



  • I am seeing the same behavior; however, this is on Sophos Intercept X (not the firewall). I had a hit on one endpoint (C2/Generic-A) and it said the beacon was clickmatters.biz. The process looks to be a legitimate Chrome update (signed by Google). Slightly puzzled.

    Path: c:\program files (x86)\google\update\install\{acae4a8e-9f07-4e67-a5bd-139f3350921a}\99.0.4844.74_99.0.4844.51_chrome_updater.exe
    Name: 99.0.4844.74_99.0.4844.51_chrome_updater.exe
    Command line: "C:\Program Files (x86)\Google\Update\Install\{ACAE4A8E-9F07-4E67-A5BD-139F33509...
    Process ID: 11212
    Process executed by: NT AUTHORITY\SYSTEM
    SHA256: eafb15e42bdbb43bdbba3138a8e7d47d2515b45bd89f91d5818fbc7af29bfd4d
    Start time: Mar 17, 2022 3:12 PM
    End time: Mar 17, 2022 3:12 PM
    Duration: 35s 164ms
    Actions done to this artifact: None
    Actions performed by this artifact: 10 file reads, 4 file writes, 3 file deletions, 2 registry value sets