popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

zip1_09.7z

KeyLogger PWS Escalate priviledges AntiVM AntiDebug
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Oct. 11, 2023, 3:38 p.m. Oct. 11, 2023, 3:40 p.m.
Size 6.1MB
Type 7-zip archive data, version 0.4
MD5 cc7af56986cf3d93d33a92bd4a2962f1
SHA256 86b8a2eae14557ea665017a7eabd63022aa907f4dace3e18911922c0edafb62a
CRC32 D6B3FEF2
ssdeep 196608:ACWste93k4cAQwbIDiM4lHVJ3+4DZVMscLt7GFH6DdJ:CuAzyIVJO49VMscVbJ
Yara None matched

Name Response Post-Analysis Lookup
zexeq.com
A 187.212.189.11
A 211.171.233.126
A 190.187.52.42
A 186.50.122.240
A 211.168.53.110
A 201.119.100.130
A 211.119.84.111
A 109.175.29.39
A 123.213.233.131
A 168.149.79.116
109.175.29.39
api.db-ip.com
A 104.26.5.15
A 104.26.4.15
A 172.67.75.166
104.26.5.15
yandex.ru
A 5.255.255.77
A 77.88.55.88
A 77.88.55.60
A 5.255.255.70
5.255.255.70
twitter.com
A 104.244.42.65
104.244.42.1
ipinfo.io
A 34.117.59.81
34.117.59.81
sso.passport.yandex.ru
A 213.180.204.24
CNAME passport.yandex.ru
213.180.204.24
colisumy.com
A 190.12.87.61
A 14.33.209.147
A 181.170.86.159
A 186.147.159.149
A 211.53.230.67
A 109.175.29.39
A 175.120.254.9
A 95.158.162.200
A 2.88.121.8
A 168.149.79.116
2.88.121.8
schematize.pw
A 172.67.152.98
A 104.21.32.142
104.21.32.142
sun6-23.userapi.com
A 95.142.206.3
95.142.206.3
69d9414d-87e8-4ca5-945d-204bdc8124d9.uuid.zaoshanghao.su 185.82.216.48
onualituyrs.org
A 91.215.85.209
91.215.85.209
sun6-22.userapi.com
A 95.142.206.2
95.142.206.2
dzen.ru
A 62.217.160.2
62.217.160.2
www.maxmind.com
A 104.18.145.235
A 104.18.146.235
104.18.145.235
api.myip.com
A 172.67.75.163
A 104.26.9.59
A 104.26.8.59
104.26.9.59
telegram.org
A 149.154.167.99
149.154.167.99
vk.com
A 87.240.129.133
A 87.240.132.72
A 87.240.132.67
A 87.240.137.164
A 93.186.225.194
A 87.240.132.78
87.240.129.133
iplogger.org
A 148.251.234.83
148.251.234.83
sun6-20.userapi.com
A 95.142.206.0
95.142.206.0
api.2ip.ua
A 104.21.65.24
A 172.67.139.220
172.67.139.220
t.me
A 149.154.167.99
149.154.167.99
watson.microsoft.com
A 104.208.16.93
CNAME legacywatson.trafficmanager.net
CNAME onedsblobprdcus07.centralus.cloudapp.azure.com
104.208.16.93
sun6-21.userapi.com
A 95.142.206.1
95.142.206.1
vanaheim.cn
A 193.106.174.220
193.106.174.220
bytecloudasa.website
A 104.21.61.162
A 172.67.212.39
172.67.212.39
www.google.com
A 142.250.204.100
142.250.76.132
steamcommunity.com
A 104.76.78.101
104.75.41.21
iplis.ru
A 148.251.234.93
148.251.234.93
db-ip.com
A 104.26.5.15
A 104.26.4.15
A 172.67.75.166
104.26.5.15
IP Address Status Action
104.18.146.235 Active Moloch
104.208.16.93 Active Moloch
104.21.61.162 Active Moloch
104.21.65.24 Active Moloch
104.244.42.65 Active Moloch
104.26.4.15 Active Moloch
104.26.8.59 Active Moloch
104.76.78.101 Active Moloch
142.250.204.100 Active Moloch
148.251.234.83 Active Moloch
148.251.234.93 Active Moloch
149.154.167.99 Active Moloch
164.124.101.2 Active Moloch
171.22.28.226 Active Moloch
171.22.28.212 Active Moloch
172.67.152.98 Active Moloch
172.67.75.166 Active Moloch
172.86.98.101 Active Moloch
176.113.115.135 Active Moloch
176.113.115.136 Active Moloch
176.113.115.84 Active Moloch
176.113.115.85 Active Moloch
176.123.9.142 Active Moloch
185.225.75.171 Active Moloch
193.106.174.220 Active Moloch
193.42.32.118 Active Moloch
194.169.175.128 Active Moloch
194.169.175.232 Active Moloch
2.88.121.8 Active Moloch
211.119.84.111 Active Moloch
213.180.204.24 Active Moloch
34.117.59.81 Active Moloch
45.15.156.229 Active Moloch
45.9.74.80 Active Moloch
51.255.152.132 Active Moloch
62.122.184.58 Active Moloch
62.217.160.2 Active Moloch
77.88.55.60 Active Moloch
77.91.68.249 Active Moloch
87.240.132.72 Active Moloch
91.215.85.209 Active Moloch
94.142.138.131 Active Moloch
95.142.206.0 Active Moloch
95.142.206.1 Active Moloch
95.142.206.2 Active Moloch
95.142.206.3 Active Moloch
45.143.201.238 Active Moloch
62.122.184.92 Active Moloch
80.66.75.4 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49174 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49173 -> 104.26.8.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49174 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49173 -> 104.26.8.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49171 -> 94.142.138.131:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49174 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49177 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49177 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.102:53778 -> 164.124.101.2:53 2016778 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.102:49178 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 176.113.115.84:80 -> 192.168.56.102:49187 2400018 ET DROP Spamhaus DROP Listed Traffic Inbound group 19 Misc Attack
TCP 192.168.56.102:49191 -> 172.67.152.98:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.67.152.98:80 -> 192.168.56.102:49191 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 172.67.152.98:80 -> 192.168.56.102:49192 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49180 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 91.215.85.209:80 -> 192.168.56.102:49190 2400006 ET DROP Spamhaus DROP Listed Traffic Inbound group 7 Misc Attack
TCP 192.168.56.102:49194 -> 172.67.152.98:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49183 -> 171.22.28.226:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49183 -> 171.22.28.226:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49183 -> 171.22.28.226:80 2016698 ET HUNTING Suspicious services.exe in URI Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 91.215.85.209:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 91.215.85.209:80 -> 192.168.56.102:49190 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 171.22.28.226:80 -> 192.168.56.102:49183 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 171.22.28.226:80 -> 192.168.56.102:49183 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49200 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49176 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49176 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49189 -> 172.67.152.98:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.67.152.98:80 -> 192.168.56.102:49189 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49196 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49196 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49185 -> 171.22.28.212:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49203 -> 91.215.85.209:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49185 -> 171.22.28.212:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49184 -> 194.169.175.232:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49198 -> 91.215.85.209:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49182 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49182 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49188 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49188 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49186 -> 77.91.68.249:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49197 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49197 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49184 -> 194.169.175.232:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49186 -> 77.91.68.249:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49208 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 194.169.175.232:80 -> 192.168.56.102:49184 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 194.169.175.232:80 -> 192.168.56.102:49184 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 176.113.115.84:8080 -> 192.168.56.102:49202 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 176.113.115.84:8080 -> 192.168.56.102:49202 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 176.113.115.84:8080 -> 192.168.56.102:49202 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 171.22.28.212:80 -> 192.168.56.102:49185 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 171.22.28.212:80 -> 192.168.56.102:49185 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49211 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49211 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49213 -> 95.142.206.0:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 77.91.68.249:80 -> 192.168.56.102:49186 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 77.91.68.249:80 -> 192.168.56.102:49186 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49216 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49216 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49217 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49217 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49219 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49219 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49195 -> 91.215.85.209:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49195 -> 91.215.85.209:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49199 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 87.240.132.72:80 -> 192.168.56.102:49222 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49207 -> 91.215.85.209:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 91.215.85.209:443 -> 192.168.56.102:49209 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49214 -> 95.142.206.0:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49215 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49215 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49221 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49206 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49225 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49225 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49228 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49228 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49229 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49232 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49236 -> 95.142.206.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49238 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49226 -> 95.142.206.3:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49240 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49218 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49241 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49241 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49239 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49239 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49227 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49227 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49212 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49212 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49230 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49233 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49233 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49235 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49243 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49246 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49248 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49224 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49224 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49249 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49250 -> 95.142.206.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49237 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.72:80 -> 192.168.56.102:49237 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49255 -> 45.15.156.229:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 149.154.167.99:443 -> 192.168.56.102:49257 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49260 -> 104.244.42.65:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49267 -> 148.251.234.93:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49270 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49270 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49264 -> 77.88.55.60:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49273 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.102:49273 -> 148.251.234.83:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49273 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.102:49266 -> 62.217.160.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49272 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 148.251.234.83:443 -> 192.168.56.102:49274 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.102:49269 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49278 -> 176.123.9.142:37637 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 51.255.152.132:36011 -> 192.168.56.102:49282 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49279 -> 185.225.75.171:22233 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49278 -> 176.123.9.142:37637 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49278 -> 176.123.9.142:37637 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 192.168.56.102:49286 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49279 -> 185.225.75.171:22233 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49279 -> 185.225.75.171:22233 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 192.168.56.102:49278 -> 176.123.9.142:37637 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 192.168.56.102:49279 -> 185.225.75.171:22233 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 176.123.9.142:37637 -> 192.168.56.102:49278 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49286 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49293 -> 172.67.75.166:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49285 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49285 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.102:49285 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.9.74.80:80 -> 192.168.56.102:49285 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49271 -> 213.180.204.24:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49276 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49294 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49289 -> 194.169.175.232:45451 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49289 -> 194.169.175.232:45451 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49289 -> 194.169.175.232:45451 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49291 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49291 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49291 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 194.169.175.232:45451 -> 192.168.56.102:49289 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 51.255.152.132:36011 -> 192.168.56.102:49282 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49242 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49289 -> 194.169.175.232:45451 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49259 -> 104.26.8.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49259 -> 104.26.8.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49259 -> 104.26.8.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49262 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49262 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49262 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
UDP 192.168.56.102:65488 -> 164.124.101.2:53 2027026 ET POLICY External IP Address Lookup DNS Query (2ip .ua) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49281 -> 104.21.65.24:443 2033214 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.102:49281 -> 104.21.65.24:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49284 -> 94.142.138.131:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49287 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49287 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49296 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49300 -> 171.22.28.226:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49300 -> 171.22.28.226:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 171.22.28.226:80 -> 192.168.56.102:49300 2014819 ET INFO Packed Executable Download Misc activity
TCP 192.168.56.102:49301 -> 172.86.98.101:80 2027265 ET INFO Dotted Quad Host PDF Request Potentially Bad Traffic
TCP 171.22.28.226:80 -> 192.168.56.102:49300 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 171.22.28.226:80 -> 192.168.56.102:49300 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 194.169.175.128:50505 -> 192.168.56.102:49254 2046266 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Malware Command and Control Activity Detected
TCP 192.168.56.102:49256 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49254 -> 194.169.175.128:50505 2046269 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) Malware Command and Control Activity Detected
TCP 192.168.56.102:49268 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49268 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.102:55774 -> 164.124.101.2:53 2035948 ET POLICY IP Check Domain (iplogger .org in DNS Lookup) Potential Corporate Privacy Violation
TCP 192.168.56.102:49288 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49288 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49290 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49299 -> 95.142.206.0:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49289 -> 194.169.175.232:45451 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 194.169.175.232:45451 -> 192.168.56.102:49289 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
UDP 192.168.56.102:63564 -> 164.124.101.2:53 2027026 ET POLICY External IP Address Lookup DNS Query (2ip .ua) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49289 -> 194.169.175.232:45451 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49305 -> 104.21.65.24:443 2033214 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.102:49305 -> 104.21.65.24:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49306 -> 2.88.121.8:80 2002400 ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) A Network Trojan was detected
TCP 192.168.56.102:49306 -> 2.88.121.8:80 2020826 ET MALWARE Potential Dridex.Maldoc Minimal Executable Request A Network Trojan was detected
TCP 192.168.56.102:49306 -> 2.88.121.8:80 2036333 ET MALWARE Win32/Vodkagats Loader Requesting Payload A Network Trojan was detected
TCP 2.88.121.8:80 -> 192.168.56.102:49306 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49317 -> 211.119.84.111:80 2002400 ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) A Network Trojan was detected
TCP 192.168.56.102:49317 -> 211.119.84.111:80 2020826 ET MALWARE Potential Dridex.Maldoc Minimal Executable Request A Network Trojan was detected
TCP 192.168.56.102:49317 -> 211.119.84.111:80 2036333 ET MALWARE Win32/Vodkagats Loader Requesting Payload A Network Trojan was detected
TCP 211.119.84.111:80 -> 192.168.56.102:49317 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 176.113.115.135:431 -> 192.168.56.102:49324 2400018 ET DROP Spamhaus DROP Listed Traffic Inbound group 19 Misc Attack
TCP 176.113.115.136:431 -> 192.168.56.102:49325 2400018 ET DROP Spamhaus DROP Listed Traffic Inbound group 19 Misc Attack
UDP 192.168.56.102:60335 -> 164.124.101.2:53 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related Potentially Bad Traffic
TCP 192.168.56.102:49334 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.102:49334 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49334 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49282 -> 51.255.152.132:36011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 149.154.167.99:443 -> 192.168.56.102:49336 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49341 -> 104.76.78.101:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49335 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.102:49335 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49335 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.102:49307 -> 211.119.84.111:80 2036334 ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key A Network Trojan was detected
TCP 211.119.84.111:80 -> 192.168.56.102:49307 2036335 ET MALWARE Win32/Filecoder.STOP Variant Public Key Download A Network Trojan was detected
TCP 185.225.75.171:22233 -> 192.168.56.102:49279 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 185.225.75.171:22233 -> 192.168.56.102:49279 2046106 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) A Network Trojan was detected
TCP 176.113.115.85:431 -> 192.168.56.102:49326 2400018 ET DROP Spamhaus DROP Listed Traffic Inbound group 19 Misc Attack
TCP 192.168.56.102:49334 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.102:49273 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.102:49174 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49319 -> 104.21.61.162:80 2048093 ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In Malware Command and Control Activity Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49173
104.26.8.59:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1
192.168.56.102:49180
87.240.132.72:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49194
172.67.152.98:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=schematize.pw 07:2c:fc:75:7b:e8:19:a1:55:bd:3e:40:23:6d:51:73:14:7f:49:a9
TLSv1
192.168.56.102:49208
87.240.132.72:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49213
95.142.206.0:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49214
95.142.206.0:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49221
87.240.132.72:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49206
87.240.132.72:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49236
95.142.206.1:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49226
95.142.206.3:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49240
87.240.132.72:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49230
87.240.132.72:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49235
87.240.132.72:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49246
87.240.132.72:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49248
87.240.132.72:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49249
87.240.132.72:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49250
95.142.206.2:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49264
77.88.55.60:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018 C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=*.xn--d1acpjx3f.xn--p1ai e4:ba:b2:7f:bf:93:b8:22:10:26:70:37:9c:03:1a:9d:fb:23:17:24
TLSv1
192.168.56.102:49266
62.217.160.2:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.dzen.ru 6a:31:14:29:60:07:c9:c6:17:7b:d1:27:ad:53:57:ec:d8:c1:d8:d2
TLSv1
192.168.56.102:49293
172.67.75.166:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1
192.168.56.102:49271
213.180.204.24:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=sso.passport.yandex.ru 3a:82:43:a9:43:9c:c8:90:01:04:4f:74:1b:6c:cd:4b:9b:19:7d:93
TLSv1
192.168.56.102:49276
87.240.132.72:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49294
104.26.4.15:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1
192.168.56.102:49259
104.26.8.59:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1
192.168.56.102:49281
104.21.65.24:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=*.2ip.ua 89:d4:db:86:86:4b:66:21:04:8f:0e:6c:cc:a5:4a:d5:67:73:3c:c9
TLSv1
192.168.56.102:49296
87.240.132.72:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49299
95.142.206.0:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49305
104.21.65.24:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=*.2ip.ua 89:d4:db:86:86:4b:66:21:04:8f:0e:6c:cc:a5:4a:d5:67:73:3c:c9
TLSv1
192.168.56.102:49341
104.76.78.101:443 		C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features Connection to IP address suspicious_request GET http://94.142.138.131/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://94.142.138.131/api/firegate.php
suspicious_features Connection to IP address suspicious_request HEAD http://171.22.28.226/download/Services.exe
suspicious_features Connection to IP address suspicious_request HEAD http://194.169.175.232/autorun.exe
suspicious_features Connection to IP address suspicious_request HEAD http://171.22.28.212/carryspend.exe
suspicious_features Connection to IP address suspicious_request HEAD http://77.91.68.249/navi/kur90.exe
suspicious_features Connection to IP address suspicious_request GET http://171.22.28.212/carryspend.exe
suspicious_features Connection to IP address suspicious_request GET http://171.22.28.226/download/Services.exe
suspicious_features Connection to IP address suspicious_request GET http://194.169.175.232/autorun.exe
suspicious_features Connection to IP address suspicious_request GET http://77.91.68.249/navi/kur90.exe
suspicious_features Connection to IP address suspicious_request GET http://176.113.115.84:8080/4.php
suspicious_features Connection to IP address suspicious_request GET http://45.15.156.229/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://45.15.156.229/api/firegate.php
suspicious_features Connection to IP address suspicious_request HEAD http://45.9.74.80/zinda.exe
suspicious_features Connection to IP address suspicious_request HEAD http://45.9.74.80/super.exe
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://94.142.138.131/api/firecom.php
suspicious_features Connection to IP address suspicious_request GET http://45.9.74.80/super.exe
suspicious_features Connection to IP address suspicious_request GET http://45.9.74.80/zinda.exe
suspicious_features Connection to IP address suspicious_request HEAD http://171.22.28.226/download/WWW14_64.exe
suspicious_features Connection to IP address suspicious_request GET http://171.22.28.226/download/WWW14_64.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://172.86.98.101/xs12pro/Vdthrdd.pdf
suspicious_features POST method with no referer header suspicious_request POST http://bytecloudasa.website/api
request GET http://94.142.138.131/api/tracemap.php
request POST http://94.142.138.131/api/firegate.php
request HEAD http://171.22.28.226/download/Services.exe
request HEAD http://194.169.175.232/autorun.exe
request HEAD http://171.22.28.212/carryspend.exe
request HEAD http://77.91.68.249/navi/kur90.exe
request GET http://171.22.28.212/carryspend.exe
request GET http://171.22.28.226/download/Services.exe
request GET http://194.169.175.232/autorun.exe
request GET http://77.91.68.249/navi/kur90.exe
request GET http://176.113.115.84:8080/4.php
request GET http://45.15.156.229/api/tracemap.php
request POST http://45.15.156.229/api/firegate.php
request HEAD http://45.9.74.80/zinda.exe
request HEAD http://45.9.74.80/super.exe
request POST http://94.142.138.131/api/firecom.php
request GET http://45.9.74.80/super.exe
request GET http://45.9.74.80/zinda.exe
request GET http://www.maxmind.com/geoip/v2.1/city/me
request HEAD http://171.22.28.226/download/WWW14_64.exe
request GET http://171.22.28.226/download/WWW14_64.exe
request GET http://172.86.98.101/xs12pro/Vdthrdd.pdf
request GET http://colisumy.com/dl/build2.exe
request GET http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
request GET http://zexeq.com/files/1/build3.exe
request POST http://bytecloudasa.website/api
request GET http://www.google.com/
request GET https://api.myip.com/
request GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request GET https://schematize.pw/setup294.exe
request GET https://vk.com/doc52355237_666778887?hash=MsypGwgfzH9k8tAFuGqJl0MJgVVDiak3EKsK8zRZBXP&dl=zbnEaURFd1h1t5v6QgcpBauCKgnVbU0YGtRdWYWulE8&api=1&no_preview=1
request GET https://vk.com/doc52355237_666668172?hash=wwfZZzZZokN7qGd0uT31zdZN97zwBwUnQptWvOtzuj0&dl=CVnxQYTnwznuyYRMd8eUICnCWdIJZdojYQtP4hgKiGs&api=1&no_preview=1
request GET https://sun6-20.userapi.com/c909228/u52355237/docs/d13/a82d91b97f12/s328sadfg.bmp?extra=6xWrrlo6Cv0Gdb_7Fs8AohN3jYPbW7Anu6IsH5tYR28Bazoiwle7XANsbcn_ojgZepaG3C3V7-EO8tfU3sUEWyzpTTMiOhD3f_RKBRuB6cEngZu5y8U_bC5GVV3LMEZpPK42aJxtw0YqR8a7
request GET https://sun6-20.userapi.com/c909418/u52355237/docs/d49/157bd218c256/Bot_Clien.bmp?extra=WUvO1XI1uqSHPkWtf0VHtIzTVHgGyRARItFKI-Nkl-RCUrue3bu_n5dnWoMdYi-uNjIibwh_8pnJLTQMpb6Q6CoOijCEVVGotsDlH9yz4k_iRnCQH75ndCjMFugsVh7Hldwu1lHUjEssXTAV
request GET https://vk.com/doc52355237_666718867?hash=rZYzbFYXXCWmOqgw03u9u3XToWkECzsXfTtsULQ1lTo&dl=tC2Kp75zzEgipXGxgSUDWzlqSeDLzQjiUXjIFZBV8gc&api=1&no_preview=1#test22
request GET https://sun6-23.userapi.com/c235131/u52355237/docs/d48/3398ce617636/test22.bmp?extra=lo5VKmrOf36tyYmGEcwOwY2zpfSYN7fGQ2yXdt90r_7u24cra1AqPMMLmZLxPp4rZZJiTArlHuqGw__SdvVcgrgz1C5fLKEivr7XNn8u1qzJAN2TrvJhzqfyAbrB3AF-DLwMdohQlTY21hLG
request GET https://vk.com/doc52355237_666756864?hash=6DFeRVc5RezUEATw70eLHr8HvfHAogkWHkFr13KIngP&dl=VWkHxUBsFZ3HkLZ5PiRwJi45M39XiIm0Y75Z3olHyw0&api=1&no_preview=1#kk
request GET https://sun6-21.userapi.com/c237331/u52355237/docs/d51/1bd250750449/51.bmp?extra=NuQ59cemfVjpdbicEDrrfsVJcohTmO0y7-2ttyR96xIzm_w-N1Tb_oIiG5fNJLWDleJMcediI2xJAYmUxsli3TdNhgqUp4Z7uXyPxh030Az7OK_mZTvfLw-7sBSGpkSUZ2zaDqxVcAGn4TCN
request GET https://vk.com/doc52355237_666778810?hash=a0C18Yh08hANR7cCctmCh90MT3krBIkk4s3AR7nGkB4&dl=AUlI6iExE9qVYw6mhta9PECgosFse5VMWbDYzR3ISkL&api=1&no_preview=1#1
request GET https://sun6-20.userapi.com/c235031/u52355237/docs/d44/f1da833abf33/crypted.bmp?extra=2XY-uciChBIpPgYdT6Wh5rOVAqndE6E26Wl3HlTrZVbWUUvG8hWvWDsSa4_aAiOD3O8c0QwQyXspglH2XZUCpChASve6HqKl5wNA7qTO5nYs0cfUPaT83_ObjaFQepb-p8krkTffz9kq27hz
request GET https://vk.com/doc52355237_666723616?hash=ZC4RFT6HYu0N5BMvznxOuSILUiBeo5z2g1xHHcrldpw&dl=zwWXc0xksFhKkzynWxdvo03M0BMI9Y0XCitbIZ8FVKc&api=1&no_preview=1
request GET https://sun6-20.userapi.com/c909228/u52355237/docs/d55/79524fc6ee6e/PL_Client.bmp?extra=Kde4pa27E6nTlThwI1jPmz7Zxa08aZBfOrc_9NSCYxoaYt0MmEt10PQTDujcbtrYFCSTWMZpCLN1MkqZEdJP0UnKAj8m4QVyFvvzeY5GGcGgWlZ5ldPy5SVg89O6jgA587BEQuCjUOJ_mYqg
request GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request GET https://vk.com/doc52355237_666772349?hash=hYVRMj3VXZEN6TuoRIyuNJBsp1uaaX2imFKbcIG1Vfg&dl=9cyMlTApKcbHG0TjdzdQvAAFPBW96Jc1btF9S5guV48&api=1&no_preview=1#rise
request GET https://sun6-22.userapi.com/c236331/u52355237/docs/d18/ba602f90184f/RisePro.bmp?extra=ZGSHOj1SUKWsH9ciwC-NMNEuCzdk89-6fYkmfW9tGEmTbEfaM_j2y3Qp0FbpJdu5JJekdSeKyhjyXDKHi20ulCqEs8RYDPqp8q5FMnmauoNbcTgxiior7j1_0fqQ6mBVUqbACDeY8atU2Czs
request GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request GET https://yandex.ru/
request GET https://dzen.ru/?yredirect=true
request GET https://sso.passport.yandex.ru/push?uuid=b09af16e-2e62-4304-9cf5-7f2d1c90ff55&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
request GET https://api.2ip.ua/geo.json
request POST http://94.142.138.131/api/firegate.php
request POST http://45.15.156.229/api/firegate.php
request POST http://94.142.138.131/api/firecom.php
request POST http://bytecloudasa.website/api
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
ip 176.113.115.84
ip 176.123.9.142
ip 185.225.75.171
ip 194.169.175.232
ip 51.255.152.132
domain 69d9414d-87e8-4ca5-945d-204bdc8124d9.uuid.zaoshanghao.su description Soviet Union domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2204
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74002000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2204
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73913000
process_handle: 0xffffffff
1 0 0
domain ipinfo.io
file C:\Users\test22\AppData\Local\Temp\7zEC98B1618\Setup.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeSecurityPrivilege
1 1 0
description Escalate priviledges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Run a KeyLogger rule KeyLogger
domain 69d9414d-87e8-4ca5-945d-204bdc8124d9.uuid.zaoshanghao.su
host 171.22.28.226
host 171.22.28.212
host 172.86.98.101
host 176.113.115.135
host 176.113.115.136
host 176.113.115.84
host 176.113.115.85
host 176.123.9.142
host 185.225.75.171
host 193.42.32.118
host 194.169.175.128
host 194.169.175.232
host 45.15.156.229
host 45.9.74.80
host 51.255.152.132
host 62.122.184.58
host 77.91.68.249
host 94.142.138.131
host 45.143.201.238
host 62.122.184.92
host 80.66.75.4
dead_host 192.168.56.102:49187
dead_host 176.113.115.84:80
dead_host 104.208.16.93:80