Summary | ZeroBOX

File_pass1234.7z

KeyLogger PWS Escalate priviledges AntiVM AntiDebug
Category Machine Started Completed
FILE s1_win7_x6402 July 24, 2023, 8:57 a.m. July 24, 2023, 8:59 a.m.
Size 5.3MB
Type 7-zip archive data, version 0.4
MD5 4d25d513d85869b1c08713a0f9c11718
SHA256 d52b575c7e7fe5c2b858413a4f1a1121cec7d7a4649a1569e716112773cc8c5e
CRC32 A2138A33
ssdeep 98304:rmHG1MVLMNvQwRfWx/UIJqWejOIoYLM99hfPPAHpAuv3JTXxVPItZtaGqrlfjJdv:r91AMNZWx8TjKYWhfPPAJAuvLRINaGO1
Yara None matched

Name Response Post-Analysis Lookup
api.db-ip.com 172.67.75.166
apps.identrust.com 23.67.53.17
aa.imgjeoogbb.com 154.221.26.108
ipinfo.io 34.117.59.81
hugersi.com 91.215.85.147
ip-api.com 208.95.112.1
fastpool.xyz 213.91.128.133
us.imgjeoigaa.com 103.100.211.218
sun6-22.userapi.com 95.142.206.2
transfer.sh 144.76.136.153
hooligapps.site 104.21.6.229
www.maxmind.com 104.17.214.67
api.myip.com 104.26.8.59
bitbucket.org 104.192.141.1
152.134.208.175.in-addr.arpa
vk.com 87.240.132.78
iplogger.org 148.251.234.83
sun6-21.userapi.com 95.142.206.1
vanaheim.cn 193.106.175.66
zzz.fhauiehgha.com 156.236.72.121
www.google.com 142.250.76.132
iplis.ru 148.251.234.93
www.microsoft.com 59.151.173.138
db-ip.com 104.26.4.15
IP Address Status Action
103.100.211.218 Active Moloch
104.17.215.67 Active Moloch
104.192.141.1 Active Moloch
104.26.4.15 Active Moloch
104.26.5.15 Active Moloch
104.26.8.59 Active Moloch
121.254.136.27 Active Moloch
142.251.220.100 Active Moloch
144.76.136.153 Active Moloch
148.251.234.83 Active Moloch
148.251.234.93 Active Moloch
149.202.8.114 Active Moloch
154.221.26.108 Active Moloch
156.236.72.121 Active Moloch
157.254.164.98 Active Moloch
163.123.143.4 Active Moloch
164.124.101.2 Active Moloch
172.67.135.110 Active Moloch
172.67.75.166 Active Moloch
176.113.115.135 Active Moloch
176.113.115.136 Active Moloch
176.113.115.84 Active Moloch
176.113.115.85 Active Moloch
185.159.129.168 Active Moloch
193.106.175.66 Active Moloch
194.169.175.142 Active Moloch
194.26.135.162 Active Moloch
208.67.104.60 Active Moloch
208.95.112.1 Active Moloch
213.91.128.133 Active Moloch
23.67.53.17 Active Moloch
34.117.59.81 Active Moloch
45.12.253.74 Active Moloch
45.143.201.238 Active Moloch
45.15.156.229 Active Moloch
59.151.173.138 Active Moloch
62.122.184.92 Active Moloch
77.91.124.47 Active Moloch
77.91.68.3 Active Moloch
77.91.68.68 Active Moloch
80.66.75.254 Active Moloch
80.66.75.4 Active Moloch
87.120.88.198 Active Moloch
87.240.132.67 Active Moloch
91.215.85.147 Active Moloch
94.142.138.131 Active Moloch
95.142.206.1 Active Moloch
95.142.206.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49174 -> 104.26.8.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49180 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49174 -> 104.26.8.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49178 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49173 -> 94.142.138.131:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 87.240.132.67:80 -> 192.168.56.102:49178 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49175 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49175 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49175 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49175 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49179 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.67:80 -> 192.168.56.102:49179 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49182 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49201 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.67:80 -> 192.168.56.102:49201 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49200 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49193 -> 172.67.135.110:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49200 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.67.135.110:80 -> 192.168.56.102:49193 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49194 -> 172.67.135.110:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49194 -> 172.67.135.110:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49192 -> 104.192.141.1:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49192 -> 104.192.141.1:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.67.135.110:80 -> 192.168.56.102:49195 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 176.113.115.84:80 -> 192.168.56.102:49190 2400021 ET DROP Spamhaus DROP Listed Traffic Inbound group 22 Misc Attack
TCP 192.168.56.102:49191 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.67:80 -> 192.168.56.102:49191 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 104.192.141.1:443 -> 192.168.56.102:49205 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49205 -> 104.192.141.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49188 -> 77.91.124.47:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 156.236.72.121:80 -> 192.168.56.102:49206 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49198 -> 104.192.141.1:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49198 -> 104.192.141.1:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49197 -> 172.67.135.110:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49188 -> 77.91.124.47:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49202 -> 104.192.141.1:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49211 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49189 -> 87.120.88.198:80 2018581 ET MALWARE Single char EXE direct download likely trojan (multiple families) A Network Trojan was detected
TCP 192.168.56.102:49189 -> 87.120.88.198:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 87.120.88.198:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49184 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49184 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49214 -> 194.169.175.142:3002 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 87.240.132.67:80 -> 192.168.56.102:49211 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 77.91.124.47:80 -> 192.168.56.102:49188 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 77.91.124.47:80 -> 192.168.56.102:49188 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 87.120.88.198:80 2018581 ET MALWARE Single char EXE direct download likely trojan (multiple families) A Network Trojan was detected
TCP 192.168.56.102:49189 -> 87.120.88.198:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 87.120.88.198:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49215 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.67:80 -> 192.168.56.102:49215 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 194.169.175.142:3002 -> 192.168.56.102:49214 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49217 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 194.169.175.142:3002 -> 192.168.56.102:49214 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49217 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 194.169.175.142:3002 -> 192.168.56.102:49214 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 87.120.88.198:80 -> 192.168.56.102:49189 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 87.120.88.198:80 -> 192.168.56.102:49189 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49208 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49207 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49224 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49227 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49220 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 104.192.141.1:443 -> 192.168.56.102:49213 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 91.215.85.147:80 -> 192.168.56.102:49203 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49230 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49223 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49223 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49226 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49218 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49218 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49235 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49219 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49234 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49234 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49225 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49225 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49232 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49233 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49233 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49238 -> 95.142.206.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49239 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.192.141.1:443 -> 192.168.56.102:49209 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49209 -> 104.192.141.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 176.113.115.84:8080 -> 192.168.56.102:49210 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 176.113.115.84:8080 -> 192.168.56.102:49210 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 176.113.115.84:8080 -> 192.168.56.102:49210 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.102:49228 -> 95.142.206.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 208.67.104.60:80 -> 192.168.56.102:49246 2400039 ET DROP Spamhaus DROP Listed Traffic Inbound group 40 Misc Attack
TCP 194.26.135.162:2920 -> 192.168.56.102:49247 2400026 ET DROP Spamhaus DROP Listed Traffic Inbound group 27 Misc Attack
TCP 192.168.56.102:49247 -> 194.26.135.162:2920 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.102:49246 -> 208.67.104.60:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49248 -> 154.221.26.108:80 2045057 ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET) A Network Trojan was detected
TCP 192.168.56.102:49251 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49261 -> 104.17.215.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 148.251.234.93:443 -> 192.168.56.102:49268 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 157.254.164.98:28449 -> 192.168.56.102:49252 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49257 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.102:49264 -> 104.17.215.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 149.202.8.114:26642 -> 192.168.56.102:49253 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49236 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 77.91.68.68:19071 -> 192.168.56.102:49274 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49270 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.102:49270 -> 148.251.234.83:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49270 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.102:49276 -> 77.91.68.3:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
TCP 192.168.56.102:49276 -> 77.91.68.3:80 2045751 ET MALWARE Win32/Amadey Bot Activity (POST) M2 A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49249 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49249 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49249 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49249 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49245 -> 45.15.156.229:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49255 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49255 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49255 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49259 -> 104.26.5.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49255 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
UDP 192.168.56.102:65168 -> 164.124.101.2:53 2035948 ET POLICY IP Check Domain (iplogger .org in DNS Lookup) Potential Corporate Privacy Violation
TCP 176.113.115.85:431 -> 192.168.56.102:49285 2400021 ET DROP Spamhaus DROP Listed Traffic Inbound group 22 Misc Attack
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49274 -> 77.91.68.68:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
UDP 192.168.56.102:53208 -> 164.124.101.2:53 2034316 ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) Potentially Bad Traffic
UDP 192.168.56.102:53208 -> 164.124.101.2:53 2035139 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) Misc activity
TCP 192.168.56.102:49293 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.102:49293 -> 144.76.136.153:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49293 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 144.76.136.153:443 -> 192.168.56.102:49293 2033076 ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh) Potential Corporate Privacy Violation
TCP 192.168.56.102:49278 -> 213.91.128.133:10060 2024792 ET POLICY Cryptocurrency Miner Checkin Potential Corporate Privacy Violation
TCP 192.168.56.102:49297 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 176.113.115.136:431 -> 192.168.56.102:49284 2400021 ET DROP Spamhaus DROP Listed Traffic Inbound group 22 Misc Attack
TCP 176.113.115.135:431 -> 192.168.56.102:49283 2400021 ET DROP Spamhaus DROP Listed Traffic Inbound group 22 Misc Attack
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49252 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49253 -> 149.202.8.114:26642 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49258 -> 172.67.75.166:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49267 -> 148.251.234.93:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 148.251.234.83:443 -> 192.168.56.102:49271 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 62.122.184.92:431 -> 192.168.56.102:49279 2402000 ET DROP Dshield Block Listed Source group 1 Misc Attack
UDP 192.168.56.102:53208 -> 8.8.8.8:53 2034316 ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) Potentially Bad Traffic
UDP 192.168.56.102:53208 -> 8.8.8.8:53 2035139 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) Misc activity
TCP 192.168.56.102:49278 -> 213.91.128.133:10060 2024792 ET POLICY Cryptocurrency Miner Checkin Potential Corporate Privacy Violation
TCP 192.168.56.102:49255 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49175 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49249 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 59.151.173.138:80 -> 192.168.56.102:49296 2012692 ET POLICY Microsoft user-agent automated process response to automated request Misc activity

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49174
104.26.8.59:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1
192.168.56.102:49182
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49197
172.67.135.110:443
C=US, O=Let's Encrypt, CN=E1 CN=hooligapps.site e0:04:b0:c8:b0:f0:b8:36:2e:1f:17:88:45:cf:0b:90:17:42:42:2b
TLSv1
192.168.56.102:49224
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49227
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49230
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49235
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49232
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49238
95.142.206.1:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49239
87.240.132.67:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49228
95.142.206.2:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49251
104.26.4.15:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1
192.168.56.102:49257
104.26.4.15:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1
192.168.56.102:49259
104.26.5.15:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLS 1.2
192.168.56.102:49293
144.76.136.153:443
C=US, O=Let's Encrypt, CN=R3 CN=transfer.sh a7:89:64:18:ce:56:53:c8:db:2d:45:3c:9f:cf:98:1a:40:91:1c:e2
TLSv1
192.168.56.102:49258
172.67.75.166:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address suspicious_request GET http://94.142.138.131/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://94.142.138.131/api/firegate.php
suspicious_features Connection to IP address suspicious_request HEAD http://77.91.124.47/info/photo220.exe
suspicious_features Connection to IP address suspicious_request HEAD http://87.120.88.198/g.exe
suspicious_features Connection to IP address suspicious_request GET http://87.120.88.198/g.exe
suspicious_features Connection to IP address suspicious_request GET http://77.91.124.47/info/photo220.exe
suspicious_features Connection to IP address suspicious_request GET http://176.113.115.84:8080/4.php
suspicious_features Connection to IP address suspicious_request GET http://45.15.156.229/api/tracemap.php
suspicious_features Connection to IP address suspicious_request GET http://208.67.104.60/api/tracemap.php
suspicious_features POST method with no referer header suspicious_request POST http://aa.imgjeoogbb.com/check/?sid=264684&key=159175a7edd0b25e9c835df79aa00f9e
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://77.91.68.3/home/love/index.php
suspicious_features GET method with no useragent header suspicious_request GET https://transfer.sh/get/g41szIYKqo/kgec63hr0ubmn.exe
suspicious_features GET method with no useragent header suspicious_request GET https://transfer.sh/get/1YKo4A8Wqj/12.exe
request GET http://94.142.138.131/api/tracemap.php
request POST http://94.142.138.131/api/firegate.php
request HEAD http://77.91.124.47/info/photo220.exe
request HEAD http://87.120.88.198/g.exe
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://87.120.88.198/g.exe
request GET http://77.91.124.47/info/photo220.exe
request HEAD http://hugersi.com/dl/6523.exe
request HEAD http://zzz.fhauiehgha.com/m/okka25.exe
request GET http://zzz.fhauiehgha.com/m/okka25.exe
request GET http://176.113.115.84:8080/4.php
request GET http://hugersi.com/dl/6523.exe
request GET http://us.imgjeoigaa.com/sts/imagc.jpg
request GET http://45.15.156.229/api/tracemap.php
request GET http://208.67.104.60/api/tracemap.php
request GET http://aa.imgjeoogbb.com/check/safe
request POST http://aa.imgjeoogbb.com/check/?sid=264684&key=159175a7edd0b25e9c835df79aa00f9e
request GET http://www.maxmind.com/geoip/v2.1/city/me
request POST http://77.91.68.3/home/love/index.php
request GET http://www.google.com/
request GET http://www.microsoft.com/
request GET http://ip-api.com/json/?fields=query,status,countryCode,city,timezone
request GET https://api.myip.com/
request GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request GET https://hooligapps.site/setup294.exe
request GET https://vk.com/doc801981293_666823296?hash=IkJXfnuRw7ihxGiXRSyiY2Z66FKnxYargchJZwaWxKw&dl=zHJ4ClZYwxBgGwgirt2pehVBbUfVD7lazG0pZS1wCZ8&api=1&no_preview=1
request GET https://sun6-22.userapi.com/c235131/u801981293/docs/d11/116f9d602a25/siddharthabuddh4_4.bmp?extra=zkyMG_R3qc33Emr1Cl3mpi0mF28Gk_cCLAcfZBeum5io9FHkKTy5Dp0PqaVi7M96RtGK1_UnwA0QvZVpqzqZ9_t7r791eyVCkWLSzwl5GMtGh_rRKvTXCnT_6j85oh-liVkYZ8uBjvH_DJhClg
request GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request GET https://vk.com/doc808950829_664295976?hash=wWP2uKSW6vc2Zwh4dERWVq2558nuK0zAmie4S5babxg&dl=fnVWutUVH5EHCOnwUxAqrClRC7zCIeOyomm4pfSrZFc&api=1&no_preview=1#rise_test
request GET https://vk.com/doc801981293_666823290?hash=C40VUqDqCeh9PmntwYoL5pVZTrUVqPDt6gbkO0YPVBz&dl=5eyzOvvEImXidOsKxS45wfidN1CDlCKKPGBOYBev5Ag&api=1&no_preview=1
request GET https://sun6-22.userapi.com/c909218/u801981293/docs/d17/e63cac1f34e6/PMmp.bmp?extra=JSZmi3lRDlLBvysi7G2k0PMnw9wqHxLMnf7FARS6kST7q2QTR68L9KPweJ8Zi9G-6y5u2B-wJYgU5SaiapXpmw6Nf-IZX5N0WtS04aL89D3vS04WsInzdw1JZeA7GgJoIh0rWvy-av1wdDU0vg
request GET https://vk.com/doc801981293_666878057?hash=1cohXPp9aLK2Xz7H2hezj89drs50PYuLRBoirKPj3B8&dl=vMZbPrQFZIXfQgzBVvuUmx7NUXxKHs9ZVFMOgU7roi0&api=1&no_preview=1#WW1
request GET https://sun6-21.userapi.com/c237031/u801981293/docs/d45/afe6b4201ea0/WWW1.bmp?extra=Ahkwb4X7D03MOVnuohrOn5GaJOSm-ySjjpWB8o4YjiTyV8BFSKMzX0zWOGJyn2lzCKP7OAgybf4Y4BKzWFlfqax1i0ppeQp_MKFC8eWfoIneuuU7UXGOzuUqVHnBRBKxF8M01xk8Dy4jZd7MpA
request GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request GET https://db-ip.com/
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
request GET https://transfer.sh/get/g41szIYKqo/kgec63hr0ubmn.exe
request GET https://transfer.sh/get/1YKo4A8Wqj/12.exe
request POST http://94.142.138.131/api/firegate.php
request POST http://aa.imgjeoogbb.com/check/?sid=264684&key=159175a7edd0b25e9c835df79aa00f9e
request POST http://77.91.68.3/home/love/index.php
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
ip 149.202.8.114
ip 157.254.164.98
ip 176.113.115.84
ip 194.169.175.142
ip 194.26.135.162
ip 213.91.128.133
ip 77.91.68.68
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74002000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737e3000
process_handle: 0xffffffff
1 0 0
domain ipinfo.io
domain ip-api.com
file C:\Users\test22\AppData\Local\Temp\7zE8987FA46\File.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0
description Escalate priviledges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Run a KeyLogger rule KeyLogger
host 149.202.8.114
host 157.254.164.98
host 163.123.143.4
host 176.113.115.135
host 176.113.115.136
host 176.113.115.84
host 176.113.115.85
host 185.159.129.168
host 194.169.175.142
host 194.26.135.162
host 208.67.104.60
host 45.12.253.74
host 45.143.201.238
host 45.15.156.229
host 62.122.184.92
host 77.91.124.47
host 77.91.68.3
host 77.91.68.68
host 80.66.75.254
host 80.66.75.4
host 87.120.88.198
host 94.142.138.131
dead_host 192.168.56.102:49187
dead_host 45.12.253.74:80
dead_host 176.113.115.84:80
dead_host 194.169.175.142:80
dead_host 192.168.56.102:49190
dead_host 163.123.143.4:80