Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 2, 2023, 2:25 p.m.	Nov. 2, 2023, 2:28 p.m.

Size	33.4MB
Type	RAR archive data, v5
MD5	`c18fbc972354abb0fd945ffccbb93ad3`
SHA256	`0cd161ec28f585e8c49fd1fd771760614052ba6381c66ce68ea614d6b6f753d3`
CRC32	`BA7A1A3D`
ssdeep	`786432:gL66d54hnDMWlCyut1qo9Xi5BUZn9cBbk5V:AX5o4WQH/XA5BoeC`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "fimcMxUTcH" C:\Users\test22\AppData\Local\Temp\File.rar
3032
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\File.rar"
  2196

Name	Response	Post-Analysis Lookup
medfioytrkdkcodlskeej.net	A 91.215.85.209	91.215.85.209
ronaldrichards.icu	A 193.106.175.190	193.106.175.190
api.db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18	23.67.53.27
twitter.com	A 104.244.42.1	104.244.42.129
ipinfo.io	A 34.117.59.81	34.117.59.81
zexeq.com	A 190.139.250.133 A 124.43.19.179 A 187.156.19.138 A 211.168.53.110 A 187.134.80.8 A 211.53.230.67 A 185.12.79.25 A 201.119.86.241 A 189.245.85.187 A 187.170.25.188	190.139.250.133
sso.passport.yandex.ru	A 213.180.204.24 CNAME passport.yandex.ru	213.180.204.24
sun6-23.userapi.com	A 95.142.206.3	95.142.206.3
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	172.67.75.172
sun6-22.userapi.com	A 95.142.206.2	95.142.206.2
yandex.ru	A 5.255.255.77 A 77.88.55.88 A 77.88.55.60 A 5.255.255.70	5.255.255.70
dzen.ru	A 62.217.160.2	62.217.160.2
dl54-broomcleaner.icu	A 193.106.175.190	193.106.175.190
www.maxmind.com	A 104.18.146.235 A 104.18.145.235	104.18.145.235
iplis.ru	A 148.251.234.93	148.251.234.93
iplogger.com	A 148.251.234.93	148.251.234.93
telegram.org	A 149.154.167.99	149.154.167.99
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.67 A 87.240.137.164 A 93.186.225.194 A 87.240.132.78	87.240.132.78
iplogger.org	A 148.251.234.83	148.251.234.83
sun6-20.userapi.com	A 95.142.206.0	95.142.206.0
fdjbgkhjrpfvsdf.online	A 104.21.87.5 A 172.67.139.27	172.67.139.27
api.2ip.ua	A 104.21.65.24 A 172.67.139.220	172.67.139.220
michaelcoleman.icu	A 193.106.175.190	193.106.175.190
sun6-21.userapi.com	A 95.142.206.1	95.142.206.1
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	104.26.9.59
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
104.18.146.235	Active	Moloch
104.244.42.1	Active	Moloch
104.26.4.15	Active	Moloch
104.26.5.15	Active	Moloch
104.26.8.59	Active	Moloch
121.254.136.18	Active	Moloch
148.251.234.83	Active	Moloch
148.251.234.93	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
171.22.28.226	Active	Moloch
172.67.139.220	Active	Moloch
172.67.139.27	Active	Moloch
172.67.75.172	Active	Moloch
185.172.128.69	Active	Moloch
185.173.38.57	Active	Moloch
185.225.75.171	Active	Moloch
193.106.175.190	Active	Moloch
194.169.175.128	Active	Moloch
194.49.94.40	Active	Moloch
194.49.94.41	Active	Moloch
208.67.104.60	Active	Moloch
211.168.53.110	Active	Moloch
213.180.204.24	Active	Moloch
34.117.59.81	Active	Moloch
45.15.156.229	Active	Moloch
5.255.255.70	Active	Moloch
62.217.160.2	Active	Moloch
91.215.85.209	Active	Moloch
91.92.243.151	Active	Moloch
93.186.225.194	Active	Moloch
94.142.138.131	Active	Moloch
95.142.206.0	Active	Moloch
95.142.206.1	Active	Moloch
95.142.206.3	Active	Moloch
94.142.138.113	Active	Moloch
95.142.206.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49178 -> 104.26.8.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49178 -> 104.26.8.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49176 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49184 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49179 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49179 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49179 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49186 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:53778 -> 164.124.101.2:53	2026888	ET INFO DNS Query for Suspicious .icu Domain	Potentially Bad Traffic
TCP 192.168.56.102:49191 -> 172.67.139.27:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49183 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 172.67.139.27:80 -> 192.168.56.102:49191	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49183 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49204 -> 172.67.139.27:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49188 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49188 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49196 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49196 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.215.85.209:80 -> 192.168.56.102:49205	2400006	ET DROP Spamhaus DROP Listed Traffic Inbound group 7	Misc Attack
TCP 192.168.56.102:49190 -> 91.215.85.209:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.215.85.209:80 -> 192.168.56.102:49190	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49202 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49205 -> 91.215.85.209:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49199 -> 172.67.139.27:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49206 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49206 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49195 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49195 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49211 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49211 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49214 -> 91.215.85.209:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49182 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49182 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49194 -> 172.67.139.27:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.67.139.27:80 -> 192.168.56.102:49194	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49197 -> 91.215.85.209:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49197 -> 91.215.85.209:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49219 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49187 -> 171.22.28.226:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49189 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49187 -> 171.22.28.226:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49187 -> 171.22.28.226:80	2016698	ET HUNTING Suspicious services.exe in URI	Potentially Bad Traffic
TCP 193.106.175.190:80 -> 192.168.56.102:49200	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49203 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 171.22.28.226:80 -> 192.168.56.102:49187	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 171.22.28.226:80 -> 192.168.56.102:49187	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 193.106.175.190:80 -> 192.168.56.102:49200	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.106.175.190:80 -> 192.168.56.102:49200	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.102:49210 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49212 -> 91.215.85.209:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49227 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49227 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.215.85.209:443 -> 192.168.56.102:49218	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49224 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49224 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49225 -> 95.142.206.0:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.106.175.190:80 -> 192.168.56.102:49198	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.106.175.190:80 -> 192.168.56.102:49198	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.102:49228 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49217 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49213 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49220 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49220 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49231 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49231 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49230 -> 95.142.206.0:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49222 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49222 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49232 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49232 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49233 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49233 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49215 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49215 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49234 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49239 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49226 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49229 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49229 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49235 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49240 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49240 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49241 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49241 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49242 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49247 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49246 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49246 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49243 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49243 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49248 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49248 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49249 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49249 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49251 -> 95.142.206.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49238 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49255 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49254 -> 95.142.206.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49256 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49256 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49259 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49262 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49258 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49258 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49268 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49270 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49271 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 93.186.225.194:80 -> 192.168.56.102:49266	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49250 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49252 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49260 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49260 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49277 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49277 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49277 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49282 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.169.175.128:50505 -> 192.168.56.102:49274	2046266	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49275 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49274 -> 194.169.175.128:50505	2046269	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49283 -> 104.244.42.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49289 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49289 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49289 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49293 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49261 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49291 -> 213.180.204.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49288 -> 62.217.160.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49301 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49301 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49301 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49300 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49300 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49300 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49281 -> 45.15.156.229:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49306 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49285 -> 5.255.255.70:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49318 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49311 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49286 -> 94.142.138.113:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49292 -> 91.92.243.151:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49264 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49304 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:53208 -> 8.8.8.8:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49297 -> 104.26.8.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49297 -> 104.26.8.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49308 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49321 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49308 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:64317 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
UDP 192.168.56.102:64317 -> 8.8.8.8:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49265 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.83:443 -> 192.168.56.102:49305	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49322 -> 172.67.139.220:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49322 -> 172.67.139.220:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49310 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 93.186.225.194:80 -> 192.168.56.102:49310	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49313 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49317 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49317 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.169.175.128:50500 -> 192.168.56.102:49319	2046266	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49323 -> 95.142.206.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49319 -> 194.169.175.128:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 194.49.94.40:21348 -> 192.168.56.102:49328	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 185.173.38.57:80 -> 192.168.56.102:49329	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49334 -> 172.67.75.172:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 194.49.94.40:21348 -> 192.168.56.102:49328	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49335 -> 172.67.139.220:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49335 -> 172.67.139.220:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49330 -> 193.106.175.190:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.102:49330 -> 193.106.175.190:80	2026887	ET INFO HTTP POST Request to Suspicious *.icu domain	Potentially Bad Traffic
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
UDP 192.168.56.102:62197 -> 8.8.8.8:53	2047719	ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)	Device Retrieving External IP Address Detected
TCP 148.251.234.93:443 -> 192.168.56.102:49340	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49340 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49340 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 194.49.94.41:50500 -> 192.168.56.102:49273	2046266	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)	Malware Command and Control Activity Detected
TCP 194.49.94.41:50500 -> 192.168.56.102:49273	2046267	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)	Malware Command and Control Activity Detected
TCP 149.154.167.99:443 -> 192.168.56.102:49276	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49273 -> 194.49.94.41:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49287 -> 104.26.8.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49287 -> 104.26.8.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 148.251.234.93:443 -> 192.168.56.102:49344	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49319 -> 194.169.175.128:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 148.251.234.93:443 -> 192.168.56.102:49345	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49345 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49345 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.102:49347	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49347 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49347 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49328 -> 194.49.94.40:21348	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49344 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49344 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.102:49346	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49346 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49346 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.102:49294	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49273 -> 194.49.94.41:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49299 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49299 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49299 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49315 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49315 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49316 -> 185.172.128.69:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49316 -> 185.172.128.69:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49338 -> 211.168.53.110:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.102:49338 -> 211.168.53.110:80	2036334	ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key	A Network Trojan was detected
TCP 185.172.128.69:80 -> 192.168.56.102:49316	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.69:80 -> 192.168.56.102:49316	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 211.168.53.110:80 -> 192.168.56.102:49338	2036335	ET MALWARE Win32/Filecoder.STOP Variant Public Key Download	A Network Trojan was detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49329 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
UDP 192.168.56.102:58632 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49179 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49289 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49178 104.26.8.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49186 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49204 172.67.139.27:443	C=US, O=Let's Encrypt, CN=E1	CN=fdjbgkhjrpfvsdf.online	5d:a5:57:bd:11:fb:b3:4d:13:f7:4a:c5:f4:35:35:9c:e3:02:fa:11
TLSv1 192.168.56.102:49219 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49210 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49225 95.142.206.0:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49217 95.142.206.1:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49230 95.142.206.0:443	None	None	None
TLSv1 192.168.56.102:49239 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49226 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49247 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49251 95.142.206.3:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49238 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49254 95.142.206.3:443	None	None	None
TLSv1 192.168.56.102:49259 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49262 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49268 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49270 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49271 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49250 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49282 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49288 62.217.160.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.dzen.ru	6a:31:14:29:60:07:c9:c6:17:7b:d1:27:ad:53:57:ec:d8:c1:d8:d2
TLSv1 192.168.56.102:49291 213.180.204.24:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=sso.passport.yandex.ru	3a:82:43:a9:43:9c:c8:90:01:04:4f:74:1b:6c:cd:4b:9b:19:7d:93
TLSv1 192.168.56.102:49306 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49285 5.255.255.70:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=*.xn--d1acpjx3f.xn--p1ai	e4:ba:b2:7f:bf:93:b8:22:10:26:70:37:9c:03:1a:9d:fb:23:17:24
TLSv1 192.168.56.102:49304 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49297 104.26.8.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49321 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49265 95.142.206.1:443	None	None	None
TLSv1 192.168.56.102:49322 172.67.139.220:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=2ip.ua	df:8e:38:7b:a5:b7:63:5f:01:77:75:f0:d6:4a:08:30:fa:63:46:8f
TLSv1 192.168.56.102:49313 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49323 95.142.206.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49334 172.67.75.172:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	53:56:0b:3a:91:49:7f:18:59:87:21:98:d3:7f:98:0b:b4:ae:cb:cc
TLSv1 192.168.56.102:49335 172.67.139.220:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=2ip.ua	df:8e:38:7b:a5:b7:63:5f:01:77:75:f0:d6:4a:08:30:fa:63:46:8f
TLSv1 192.168.56.102:49287 104.26.8.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 2, 2023, 2:25 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 2, 2023, 2:25 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://94.142.138.131/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.131/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://171.22.28.226/download/Services.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://171.22.28.226/download/Services.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.15.156.229/api/tracemap.php
suspicious_features	Connection to IP address	suspicious_request	GET http://94.142.138.113/api/tracemap.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://91.92.243.151/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://91.92.243.151/api/firecom.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://45.15.156.229/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.172.128.69/newumma.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.172.128.69/newumma.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://ronaldrichards.icu/e9c345fc99a4e67e.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://api.ip.sb/ip

Performs some HTTP requests (50 out of 54 events)

request	GET http://94.142.138.131/api/tracemap.php
request	POST http://94.142.138.131/api/firegate.php
request	HEAD http://171.22.28.226/download/Services.exe
request	HEAD http://dl54-broomcleaner.icu/InstallSetup7.exe
request	HEAD http://michaelcoleman.icu/timeSync.exe
request	GET http://171.22.28.226/download/Services.exe
request	GET http://dl54-broomcleaner.icu/InstallSetup7.exe
request	GET http://michaelcoleman.icu/timeSync.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://45.15.156.229/api/tracemap.php
request	GET http://94.142.138.113/api/tracemap.php
request	GET http://91.92.243.151/api/tracemap.php
request	POST http://91.92.243.151/api/firecom.php
request	POST http://45.15.156.229/api/firegate.php
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	HEAD http://185.172.128.69/newumma.exe
request	GET http://185.172.128.69/newumma.exe
request	POST http://ronaldrichards.icu/e9c345fc99a4e67e.php
request	GET http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://fdjbgkhjrpfvsdf.online/setup294.exe
request	GET https://vk.com/doc26060933_667234651?hash=Rv3y1hZYldejZNTzjJxgzdYVgzKs0azR7LT5gowzNJT&dl=fEH5j2bjnO3mwDbqODuUYTgMkVbKBYVrBOOWxCsJzJ0&api=1&no_preview=1
request	GET https://sun6-21.userapi.com/c235031/u26060933/docs/d60/aadf300fd920/BotClients.bmp?extra=WDt2JKhhn-eQrPHTN9X8R0bO_tJ9q0myEWR4olRZdoa3canBj-lmFAG5cGCHMWcveqzg7IA6SkZEgaXn7_yF1ZPOhbnbI4vHz0fiMpVF8qWL4pijOcDsVf6aNjPpO0eOG8p1J66TE-BKQC-h
request	GET https://vk.com/doc26060933_667166279?hash=ZwaE4tvZWFZCd2bm3WcrC9P0n7U9VIU9U93MzzIkiVg&dl=pnJSpAC8qJBqMfKXSgNNzjPf12azGKZWlyCFZ86hE2P&api=1&no_preview=1#risepro
request	GET https://sun6-20.userapi.com/c909218/u26060933/docs/d22/a35d812ef006/RisePro.bmp?extra=LgPIMsxlbkpwHU5tCRY0vgUUAviiE7g7nMwb1oAv7HySSrauv2XjWksVWa7ZlFA3JXksarqScqvGtt1ETuNK6vMq7PyUQYgR2vLJ_T_aOnDWK_TKXwfUgdLiFLt-hsv4qpwsSsSIRWLoQTI1
request	GET https://vk.com/doc825067038_675094078?hash=yy528d2cdSWh8Qb1vjKZzrbg9uO0tUhBgbnW8xFFc7g&dl=fzvSk2lE8vQ96mfYErqNUoJZiKQg6dRgeIDz0UiA5W8&api=1&no_preview=1
request	GET https://sun6-20.userapi.com/c237331/u825067038/docs/d49/f3d174c7d126/PL_Client.bmp?extra=XDfkwfVkwRcivpIteb_RsNhr6eqpk3Sh24NjsrJ7nR2EAq93CkJ7kmPRE49s-PptoRkiv1DlMYMm4G-EjxMy3ZKbg-9BUhc0NtHIuZM8phnB22dI5a_tz7k-BACUbK_qxxTb405WhzGYuI1t0w
request	GET https://vk.com/doc26060933_667223519?hash=4h0hZRp0TSlGi1za4NQqeUs4Z2Owa7H8HcgLzZogiBc&dl=4yZXwXXDHBqFHcM30tryxz8P1qRNU3LWlwbmQoruwmL&api=1&no_preview=1
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request	GET https://sun6-20.userapi.com/c909218/u26060933/docs/d16/6de25ac9c8b9/s2as2fad.bmp?extra=93M5T4Pa8Q3v-6wCV0cMg-imldFl3M7pP9fiQWexCQVfAHR6bOaCYNmIhblaorz2ajVnq9ITftW-KCQwspVW7DbtPyDFKCTvp9SEcQHaQMAlrKO5x90RNNH-89CyjAZ03dQGY6Leo9A9oUVa
request	GET https://vk.com/doc26060933_667218383?hash=7UW057pOa1xiEe10gtJ3QSwoTJDrSVPqZuGSbstptEH&dl=yqIEoQoYSd5j0zYFeVKTzHy16DTH1wq1kX6PBuZazRX&api=1&no_preview=1#bnf
request	GET https://vk.com/doc26060933_667226611?hash=3AOa9zwJbxnrXLo5M1UNZwTTDvxsoWSyfwgmxISqqxL&dl=HnSve9vk6MIyt0bE2UGvnGrn7uoz7zwDsDLBVNodlP4&api=1&no_preview=1#riseK
request	GET https://sun6-23.userapi.com/c236331/u26060933/docs/d36/f582a2f7d651/mggkfn.bmp?extra=kXzl1fMGvZsozKZ51_V9AIUJOViBXHnvbHtPIo-fm1QSon9y47f4eu5t1tnXJsZ-9Yn_qH0wPULruDXEJv5YPVFLCVB8tJk2Mcs-BJAZWoU6geCJmdzITbv3Y6p0_tmBtcEYUqbBEK0nsfd6
request	GET https://sun6-23.userapi.com/c909618/u26060933/docs/d4/7caf185e1947/Risepro.bmp?extra=7FXlsGxLQIPRYANXa3bqeG3hcbsNS0dKcak4PUGs8R5-_JslfV8EU9fv6FJOQdvEaI1m1FTJU93cK7oTMfBwNuFssszLscrz9Cp-PC8h5_cL92W_KwdOMx337cegLJS56Rsdw-WyUI_Npc2h
request	GET https://vk.com/doc26060933_667215509?hash=G3Jm1EaMJVztPO45r3HxRNlS4ZgetOknNtYy2avkFPw&dl=8fjE5gX9uYKwtbhjDbbqZIfJvR8v4T4lyZisCWbPlgc&api=1&no_preview=1#1
request	GET https://sun6-21.userapi.com/c909418/u26060933/docs/d20/171a1ad09e5c/crypted.bmp?extra=USOyMI-QrVD8ahA0mCuN1w-bxZzgqjcqo6Tzt3gOhGAsI0yQDB1U4gyXEOkH9dOBYLRqxIH032ISFZcZOEZ5KTf6gzdM_yJlTG3ITv6KbMFD9NzdtpVOIBX0BWIXmrNdeuJ6DUaJj52BUDaE
request	GET https://vk.com/doc26060933_667204817?hash=6lgEzCTOqGu7pXY0CjbNe2FXz4rab735i6AEdl7puVw&dl=U0RHXi4KJa141aANcboV7iQspCTlmbxFsgLwQz9bGwc&api=1&no_preview=1#maff
request	GET https://sun6-21.userapi.com/c909218/u26060933/docs/d31/c926cfacc1f4/new_go.bmp?extra=HtQcuH2QjM0315WmkJdVH1mdYBSvv064tAbEOg4LDcetY4TZLtnYzavt2XLLjq0NXXZQ-680zJ-uVhjhhGOj1dze70rfMIe3a_Ln3Lk-sWoOm4TTPqeibD4bjeVEAMiqwFd9f9Ip5nM3qbmH
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request	GET https://vk.com/doc26060933_667223635?hash=qzxpj41H7aJKGYAkotcS9kwFdHSU9KQawZjeS9cVst4&dl=iEliVZrkZcesylYAmZs8zvhVjQpPOUAfyAIZcvJVbPH&api=1&no_preview=1#ww11
request	GET https://sun6-21.userapi.com/c235031/u26060933/docs/d17/f2f6f33ee91f/WWW11_32.bmp?extra=YkAJ9WwBghZQCvm2tl1uLbMufgtzR6Yn6c26ciwed5aKCO-Rw-yV4cJfXn8nio3l8RYZVp2QwfyPiYJ8Q8fOOfhA000eXJmSBorA7IDhKGejIp04_2OVOLLWjtHDUIjGYHzdNUwjv2l33dHB
request	GET https://vk.com/doc493219498_672804512?hash=k6gVocJtWMIGa4eR2u3BEQexXtjJzptcjPX2TpQvyHP&dl=RdWtWX0NOjUuv5jSqHuHLHgdyH9LhrvA8lQtBVZeJGP&api=1&no_preview=1#test22
request	GET https://sun6-21.userapi.com/c237031/u493219498/docs/d9/c7fc8ca88f65/file291023.bmp?extra=HJE0rWNAwxwlZMpDm0nMXfYfAV0NPcx59BCa43IG_bXuChoyS7uFn7bse_58CEa8kk12QRrnh7q-Dw-GenGfCBz-k2gxOG-kXj-MvZt78r50ec_AmOipYf-TCxGK9M1dCTfKr6B4BlweimH5oA
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://yandex.ru/
request	GET https://dzen.ru/?yredirect=true
request	GET https://sso.passport.yandex.ru/push?uuid=378496ab-5899-48b7-bf10-80f50778653f&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
request	GET https://db-ip.com/
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Sends data using the HTTP POST Method (5 events)

request	POST http://94.142.138.131/api/firegate.php
request	POST http://91.92.243.151/api/firecom.php
request	POST http://45.15.156.229/api/firegate.php
request	POST http://ronaldrichards.icu/e9c345fc99a4e67e.php
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Resolves a suspicious Top Level Domain (TLD) (3 events)

domain	yandex.ru	description	Russian Federation domain TLD
domain	sso.passport.yandex.ru	description	Russian Federation domain TLD
domain	dzen.ru	description	Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 2, 2023, 2:25 p.m.	process_identifier: 2196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74012000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 2, 2023, 2:25 p.m.	process_identifier: 2196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73913000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (13 events)

file	C:\Users\test22\AppData\Local\Temp\7zE498233CA\Templates\ResIL — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE498233CA\Templates\vivoxsdk — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE498233CA\Templates\RenoirCore.WindowsDesktop — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE498233CA\Templates\ResIL.dll
file	C:\Users\test22\AppData\Local\Temp\7zE498233CA\Templates\aadtb.dll
file	C:\Users\test22\AppData\Local\Temp\7zE498233CA\Templates\RenoirCore.WindowsDesktop.dll
file	C:\Users\test22\AppData\Local\Temp\7zE498233CA\Templates\dbghelp.dll
file	C:\Users\test22\AppData\Local\Temp\7zE498233CA\Templates\aadtb — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE498233CA\Templates\lgc_api — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE498233CA\Templates\dbghelp — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE498233CA\Templates\lgc_api.dll
file	C:\Users\test22\AppData\Local\Temp\7zE498233CA\Templates\vivoxsdk.dll
file	C:\Users\test22\AppData\Local\Temp\7zE498233CA\File.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 2, 2023, 2:25 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW Nov. 2, 2023, 2:26 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (12 events)

host	171.22.28.226
host	185.172.128.69
host	185.173.38.57
host	185.225.75.171
host	194.169.175.128
host	194.49.94.40
host	194.49.94.41
host	208.67.104.60
host	45.15.156.229
host	91.92.243.151
host	94.142.138.131
host	94.142.138.113

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.102:49280
dead_host	208.67.104.60:80
dead_host	185.225.75.171:22233

File.rar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All