Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 10, 2023, 9:45 a.m.	Nov. 10, 2023, 9:48 a.m.

Size	12.3MB
Type	7-zip archive data, version 0.4
MD5	`bb71ffe7937155152037cdc440585d84`
SHA256	`2dbc265b5edb99752b29af6167ce9af1232d79a6fb912000809793759f70b63f`
CRC32	`F040B583`
ssdeep	`196608:tKjqJc17xDSUkpxxZLZ0hAQuH3AbIEop0+IGe3eXK28Qws:tOqK7Axx4hAQuXAb20Nd3hZrs`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "xoKGTMAXsNXK" C:\Users\test22\AppData\Local\Temp\File.7z
3036
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\File.7z"
  2208

Name	Response	Post-Analysis Lookup
api.db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15
yandex.ru	A 5.255.255.77 A 77.88.55.88 A 77.88.55.60 A 5.255.255.70	77.88.55.60
twitter.com	A 104.244.42.129	104.244.42.65
ipinfo.io	A 34.117.59.81	34.117.59.81
learn.microsoft.com	CNAME e13636.dscb.akamaiedge.net A 23.40.45.69 CNAME learn-public.trafficmanager.net CNAME learn.microsoft.com.edgekey.net CNAME learn.microsoft.com.edgekey.net.globalredir.akadns.net	23.210.37.172
sso.passport.yandex.ru	A 213.180.204.24 CNAME passport.yandex.ru	213.180.204.24
sun6-23.userapi.com	A 95.142.206.3	95.142.206.3
sun6-21.userapi.com	A 95.142.206.1	95.142.206.1
sun6-22.userapi.com	A 95.142.206.2	95.142.206.2
apps.identrust.com	A 23.67.53.27 A 23.67.53.17 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	175.207.14.146
dzen.ru	A 62.217.160.2	62.217.160.2
www.maxmind.com	A 104.18.145.235 A 104.18.146.235	104.18.145.235
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	104.26.9.59
telegram.org	A 149.154.167.99	149.154.167.99
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.67 A 87.240.137.164 A 93.186.225.194 A 87.240.132.78	87.240.129.133
iplogger.org	A 148.251.234.83	148.251.234.83
sun6-20.userapi.com	A 95.142.206.0	95.142.206.0
sdjkvbsdjhbfws.online	A 172.67.155.121 A 104.21.7.128	104.21.7.128
api.2ip.ua	A 104.21.65.24 A 172.67.139.220	172.67.139.220
t.me	A 149.154.167.99	149.154.167.99
ironhost.io	A 104.21.57.237 A 172.67.193.129	172.67.193.129
gons13fc.top	A 193.233.193.26	193.233.193.26
arturogillotti.icu
steamcommunity.com	A 104.75.41.21	104.76.78.101
iplis.ru	A 104.21.63.150 A 172.67.147.32	104.21.63.150
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
104.18.146.235	Active	Moloch
104.21.57.237	Active	Moloch
104.21.65.24	Active	Moloch
104.21.7.128	Active	Moloch
104.244.42.129	Active	Moloch
104.26.5.15	Active	Moloch
104.26.8.59	Active	Moloch
104.26.9.59	Active	Moloch
104.75.41.21	Active	Moloch
116.203.6.243	Active	Moloch
148.251.234.83	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
172.67.147.32	Active	Moloch
172.67.75.166	Active	Moloch
185.172.128.69	Active	Moloch
185.216.70.232	Active	Moloch
193.233.193.26	Active	Moloch
193.233.255.73	Active	Moloch
194.169.175.118	Active	Moloch
194.169.175.128	Active	Moloch
194.33.191.60	Active	Moloch
194.49.94.48	Active	Moloch
194.49.94.97	Active	Moloch
213.180.204.24	Active	Moloch
23.40.45.69	Active	Moloch
23.67.53.27	Active	Moloch
34.117.59.81	Active	Moloch
45.15.156.229	Active	Moloch
5.42.92.51	Active	Moloch
5.42.92.93	Active	Moloch
62.217.160.2	Active	Moloch
77.88.55.88	Active	Moloch
87.240.132.67	Active	Moloch
87.240.132.72	Active	Moloch
91.103.252.189	Active	Moloch
91.92.243.151	Active	Moloch
94.142.138.113	Active	Moloch
94.142.138.131	Active	Moloch
95.142.206.0	Active	Moloch
95.142.206.1	Active	Moloch
95.142.206.2	Active	Moloch
95.142.206.3	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49177 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49177 -> 104.26.9.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49178 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49178 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49178 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49176 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49178 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49184 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49180 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49180 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49182 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49188 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49188 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49192 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49187 -> 194.49.94.97:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 87.240.132.67:80 -> 192.168.56.102:49192	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49193 -> 104.21.7.128:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.21.7.128:80 -> 192.168.56.102:49193	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49187 -> 194.49.94.97:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49187 -> 194.49.94.97:80	2016698	ET HUNTING Suspicious services.exe in URI	Potentially Bad Traffic
UDP 192.168.56.102:53778 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49200 -> 104.21.7.128:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.49.94.97:80 -> 192.168.56.102:49187	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.49.94.97:80 -> 192.168.56.102:49187	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49191 -> 5.42.92.93:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49191 -> 5.42.92.93:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49194 -> 193.233.193.26:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.102:49194 -> 193.233.193.26:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 194.49.94.48:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49195 -> 104.21.7.128:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 5.42.92.93:80 -> 192.168.56.102:49191	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.42.92.93:80 -> 192.168.56.102:49191	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49181 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49181 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.21.7.128:80 -> 192.168.56.102:49195	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49189 -> 194.49.94.48:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 194.49.94.48:80 -> 192.168.56.102:49189	2014819	ET INFO Packed Executable Download	Misc activity
TCP 104.21.7.128:80 -> 192.168.56.102:49196	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49198 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49198 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49202 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49190 -> 194.169.175.118:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 194.169.175.118:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49197 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49197 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.169.175.118:80 -> 192.168.56.102:49190	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.169.175.118:80 -> 192.168.56.102:49190	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 194.49.94.48:80 -> 192.168.56.102:49189	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.49.94.48:80 -> 192.168.56.102:49189	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49206 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49206 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49207 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49208 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49208 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.169.175.118:80 -> 192.168.56.102:49190	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.102:49203 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49201 -> 193.233.193.26:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 193.233.193.26:80 -> 192.168.56.102:49201	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49212 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49212 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49213 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49213 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49214 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49214 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49215 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49215 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.233.193.26:80 -> 192.168.56.102:49201	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.233.193.26:80 -> 192.168.56.102:49201	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.102:49216 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49219 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49219 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49209 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49209 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49210 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49221 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.67:80 -> 192.168.56.102:49223	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49222 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49222 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.67:80 -> 192.168.56.102:49217	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49224 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49224 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49229 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49230 -> 95.142.206.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49231 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49231 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49233 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49234 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.67:80 -> 192.168.56.102:49234	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 87.240.132.67:80 -> 192.168.56.102:49235	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49237 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49237 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49238 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49240 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49241 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49243 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49243 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49242 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49244 -> 95.142.206.0:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49246 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49226 -> 95.142.206.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49227 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49228 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49228 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49249 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49250 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49248 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49251 -> 95.142.206.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49255 -> 45.15.156.229:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49258 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49262 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49262 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49262 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49260 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49260 -> 104.26.9.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49259 -> 94.142.138.113:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49264 -> 104.26.8.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49264 -> 104.26.8.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49270 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49270 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49270 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49269 -> 193.233.255.73:80	2047625	ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)	A Network Trojan was detected
TCP 192.168.56.102:49269 -> 193.233.255.73:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic
UDP 192.168.56.102:52840 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49281 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49281 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49281 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49278 -> 104.75.41.21:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49290 -> 91.103.252.189:30344	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.102:49284 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49284 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49290 -> 91.103.252.189:30344	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49290 -> 91.103.252.189:30344	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 91.103.252.189:30344 -> 192.168.56.102:49290	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.216.70.232:28121 -> 192.168.56.102:49289	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 148.251.234.83:443 -> 192.168.56.102:49283	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49292 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49294 -> 194.33.191.60:44675	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.102:49294 -> 194.33.191.60:44675	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.102:49294 -> 194.33.191.60:44675	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.102:49294 -> 194.33.191.60:44675	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.102:49279 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49279 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49245 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49245 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49286 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
UDP 192.168.56.102:57203 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49290 -> 91.103.252.189:30344	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49307 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49307 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49307 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49252 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49309 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49311 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49307 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49310 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49313 -> 95.142.206.0:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.102:49261	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49271 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49271 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49271 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49272 -> 77.88.55.88:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49276 -> 172.67.147.32:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49295 -> 91.92.243.151:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49298 -> 104.21.65.24:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49298 -> 104.21.65.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49282 -> 116.203.6.243:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49282 -> 116.203.6.243:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49299 -> 104.21.57.237:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49301 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49301 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 116.203.6.243:80 -> 192.168.56.102:49282	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49303 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49304 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49304 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49267 -> 104.244.42.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49274 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49274 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49274 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.102:49275	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49280 -> 62.217.160.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49287 -> 213.180.204.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49291 -> 5.42.92.51:19057	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.102:49291 -> 5.42.92.51:19057	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49291 -> 5.42.92.51:19057	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 5.42.92.51:19057 -> 192.168.56.102:49291	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49285 -> 194.169.175.128:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49300 -> 185.172.128.69:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49300 -> 185.172.128.69:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49291 -> 5.42.92.51:19057	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.172.128.69:80 -> 192.168.56.102:49300	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.69:80 -> 192.168.56.102:49300	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49305 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
UDP 192.168.56.102:51852 -> 164.124.101.2:53	2026888	ET INFO DNS Query for Suspicious .icu Domain	Potentially Bad Traffic
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.216.70.232:28121 -> 192.168.56.102:49289	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49282 -> 116.203.6.243:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49282 -> 116.203.6.243:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49282 -> 116.203.6.243:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49282 -> 116.203.6.243:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49290 -> 91.103.252.189:30344	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 91.103.252.189:30344 -> 192.168.56.102:49290	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.102:49290 -> 91.103.252.189:30344	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49290 -> 91.103.252.189:30344	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49282 -> 116.203.6.243:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49290 -> 91.103.252.189:30344	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49290 -> 91.103.252.189:30344	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49290 -> 91.103.252.189:30344	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49282 -> 116.203.6.243:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49282 -> 116.203.6.243:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49282 -> 116.203.6.243:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49282 -> 116.203.6.243:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49282 -> 116.203.6.243:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49282 -> 116.203.6.243:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49327 -> 23.40.45.69:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49326 -> 23.40.45.69:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49328 -> 23.40.45.69:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49329 -> 23.40.45.69:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 23.40.45.69:443 -> 192.168.56.102:49330	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49290 -> 91.103.252.189:30344	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49290 -> 91.103.252.189:30344	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49290 -> 91.103.252.189:30344	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49291 -> 5.42.92.51:19057	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49291 -> 5.42.92.51:19057	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49291 -> 5.42.92.51:19057	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49291 -> 5.42.92.51:19057	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49291 -> 5.42.92.51:19057	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49291 -> 5.42.92.51:19057	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49291 -> 5.42.92.51:19057	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49178 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49289 -> 185.216.70.232:28121	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49307 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 194.33.191.60:44675 -> 192.168.56.102:49294	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 194.33.191.60:44675 -> 192.168.56.102:49294	2046106	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)	A Network Trojan was detected
TCP 192.168.56.102:49333 -> 104.21.65.24:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49333 -> 104.21.65.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49177 104.26.9.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49184 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49200 104.21.7.128:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=sdjkvbsdjhbfws.online	5c:01:12:57:16:61:04:a9:6e:9d:f5:58:f3:f6:c4:46:71:ea:05:ae
TLSv1 192.168.56.102:49207 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49221 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49230 95.142.206.2:443	None	None	None
TLSv1 192.168.56.102:49233 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49240 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49241 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49242 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49244 95.142.206.0:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49226 95.142.206.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49227 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49249 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49250 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49248 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49251 95.142.206.3:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49260 104.26.9.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49264 104.26.8.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49278 104.75.41.21:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5
TLSv1 192.168.56.102:49292 87.240.132.72:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49252 95.142.206.1:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49309 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49311 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49310 87.240.132.72:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49313 95.142.206.0:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49272 77.88.55.88:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=*.xn--d1acpjx3f.xn--p1ai	e4:ba:b2:7f:bf:93:b8:22:10:26:70:37:9c:03:1a:9d:fb:23:17:24
TLSv1 192.168.56.102:49276 172.67.147.32:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=iplis.ru	04:2b:ef:ab:43:60:60:33:69:03:f3:51:37:11:c8:29:26:89:a4:93
TLSv1 192.168.56.102:49298 104.21.65.24:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=2ip.ua	df:8e:38:7b:a5:b7:63:5f:01:77:75:f0:d6:4a:08:30:fa:63:46:8f
TLSv1 192.168.56.102:49299 104.21.57.237:443	C=US, O=Let's Encrypt, CN=E1	CN=ironhost.io	bf:96:55:fe:92:31:2c:3b:86:d9:a5:21:ac:2a:4c:b7:56:b7:9e:19
TLSv1 192.168.56.102:49280 62.217.160.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.dzen.ru	6a:31:14:29:60:07:c9:c6:17:7b:d1:27:ad:53:57:ec:d8:c1:d8:d2
TLSv1 192.168.56.102:49287 213.180.204.24:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=sso.passport.yandex.ru	3a:82:43:a9:43:9c:c8:90:01:04:4f:74:1b:6c:cd:4b:9b:19:7d:93

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 10, 2023, 9:45 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 10, 2023, 9:45 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (28 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://94.142.138.131/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.131/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.49.94.97/download/Services.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.49.94.48/timeSync.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.169.175.118/xinchao.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://5.42.92.93/39902/from.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.92.93/39902/from.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://194.49.94.48/timeSync.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://194.169.175.118/xinchao.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://194.49.94.97/download/Services.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.15.156.229/api/tracemap.php
suspicious_features	Connection to IP address	suspicious_request	GET http://94.142.138.113/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://45.15.156.229/api/firegate.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://193.233.255.73/loghub/master
suspicious_features	Connection to IP address	suspicious_request	GET http://116.203.6.243/
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://116.203.6.243/
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://91.92.243.151/api/tracemap.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.172.128.69/latestumma.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.172.128.69/latestumma.exe
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.131/api/firecom.php
suspicious_features	Connection to IP address	suspicious_request	GET http://116.203.6.243/sqlite3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://116.203.6.243/freebl3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://116.203.6.243/mozglue.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://116.203.6.243/msvcp140.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://116.203.6.243/nss3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://116.203.6.243/softokn3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://116.203.6.243/vcruntime140.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://steamcommunity.com/profiles/76561199568528949

Performs some HTTP requests (50 out of 62 events)

request	GET http://94.142.138.131/api/tracemap.php
request	POST http://94.142.138.131/api/firegate.php
request	HEAD http://194.49.94.97/download/Services.exe
request	HEAD http://194.49.94.48/timeSync.exe
request	HEAD http://194.169.175.118/xinchao.exe
request	HEAD http://5.42.92.93/39902/from.exe
request	HEAD http://gons13fc.top/build.exe
request	GET http://5.42.92.93/39902/from.exe
request	GET http://194.49.94.48/timeSync.exe
request	GET http://194.169.175.118/xinchao.exe
request	GET http://194.49.94.97/download/Services.exe
request	GET http://gons13fc.top/build.exe
request	GET http://45.15.156.229/api/tracemap.php
request	GET http://94.142.138.113/api/tracemap.php
request	POST http://45.15.156.229/api/firegate.php
request	POST http://193.233.255.73/loghub/master
request	GET http://116.203.6.243/
request	POST http://116.203.6.243/
request	GET http://91.92.243.151/api/tracemap.php
request	HEAD http://185.172.128.69/latestumma.exe
request	GET http://185.172.128.69/latestumma.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	POST http://94.142.138.131/api/firecom.php
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	GET http://116.203.6.243/sqlite3.dll
request	GET http://116.203.6.243/freebl3.dll
request	GET http://116.203.6.243/mozglue.dll
request	GET http://116.203.6.243/msvcp140.dll
request	GET http://116.203.6.243/nss3.dll
request	GET http://116.203.6.243/softokn3.dll
request	GET http://116.203.6.243/vcruntime140.dll
request	GET http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=rV_Nuhsf2eVb3XOccZ0Dj_6o.exe&platform=0009&osver=5&isServer=0
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://sdjkvbsdjhbfws.online/setup294.exe
request	GET https://vk.com/doc26060933_667234651?hash=Rv3y1hZYldejZNTzjJxgzdYVgzKs0azR7LT5gowzNJT&dl=fEH5j2bjnO3mwDbqODuUYTgMkVbKBYVrBOOWxCsJzJ0&api=1&no_preview=1
request	GET https://vk.com/doc26060933_667443076?hash=bDMwfuwwa4Bhfk5iGf4pMZfzUuBZI01JVp5BaGnL6ks&dl=iT71Bl3sZ2372hed0nHcWcvZK3ySxQ2nVKfHeXmS1cs&api=1&no_preview=1
request	GET https://sun6-22.userapi.com/c235131/u26060933/docs/d1/bc4668ce3db8/PL_Clientp.bmp?extra=yxXqxV6cfLE15TZudnp-v9wBapknfnd0Hp-W2fwDU6lfDkNcwtL34UFLI5ok4OWOMdav6QjlDYzLB3Oagh6N2vnUTAmM2YIPDvDXo5h_-ZSM_WC9nHsFNJDiVGq3HiLDQzeZIbseV-7GCWAq
request	GET https://vk.com/doc26060933_667528566?hash=OTCzD0QCzqeJq5SIvsXLVFRVBbH7eK1WCGsQ6mOrd5L&dl=ZJ7zWgprIslqoCmbsrQTIYQBzbXmZRVz0zSmTdxZxGc&api=1&no_preview=1#ww11
request	GET https://sun6-22.userapi.com/c235031/u26060933/docs/d42/a4b434e88a19/WWW11_32.bmp?extra=UJ87MK1fGLgOjA2PjNJKjsoLWxVEdMiK1WFqHOajY8EnCGrxhIUdfgGakh0XCFdzrYX0cTAzF6EEqbXRFjSfvaNulsvY5AovWlRekbyLHh-qEV-xyL6hRFF338U7tUv6n8KcDPs8n9KSlZfg
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request	GET https://vk.com/doc26060933_667364987?hash=BHX3WK0Px3UZYC6KUcanvJ8pCPk0aSa1CJ1a0crl1aL&dl=Y5COLZGRCC7rDCjMPJPVPA4Y0k1NZaZCa4v1PlcGmn8&api=1&no_preview=1
request	GET https://vk.com/doc26060933_667502336?hash=8gT8SKYMMUNCPoYA5YsSAka8CsUJov2CaZxzXdCttJX&dl=iAhYuqtGMoLbuDY0v4MARtzS5LoqlhCsEYijkUisGqc&api=1&no_preview=1#1
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request	GET https://sun6-20.userapi.com/c237031/u26060933/docs/d15/577b6ea1b853/32ssh7832haf.bmp?extra=5Sj2m5N-WW1o8G60TsZw9pAKaoTklYxdyzPSSX441VMdef--VJYocLoiOx2gkVZXzTMOysKCD7OgRE7PVnMHpX6QSojeKZ-WZSXFto31F03Kuzh_kJ--ga0dMaMgZhIINT6dJ9kcHhGSS0i2
request	GET https://sun6-22.userapi.com/c909418/u26060933/docs/d56/0609e38ef0da/crypted.bmp?extra=QFlszKtMsgS-mx-G62xacL3opH89JGGB3Uz0-CW9tVXZKJ_P7btk01ima3deNDuE0gkijwpcdhB1qffooPppKi0RE-Ul_1bAYvrK1wQleUatC5ISWjd4Pe_1snTt-r2yO7UZwuz2_BAys3rN
request	GET https://vk.com/doc26060933_667462812?hash=BNWNUlhfnsvUW8vuJOkR6wETTQRQYSEXqD7FAHmgIoH&dl=Zt1uh0kla8CEullAPIbT2Uyh8Gn9CHZtt3EEdBcLJYD&api=1&no_preview=1#test22
request	GET https://vk.com/doc26060933_667523399?hash=WLuLAnlRCes7phPpFRvUbYz21GqcCKgOZOcL7Q7X7ZX&dl=aPgqyzqJ1PRYIAiSorxfbGjkWZZsshzQfAT4vTRxBiP&api=1&no_preview=1#risepro
request	GET https://sun6-20.userapi.com/c236331/u26060933/docs/d10/73936c217d6b/RisePro.bmp?extra=rXsFQn56oUAwifhelKmgeo_46KFbmPN8ZM4usH5cHO_KLOdYthEQSJRa8qQgQa3_lWUoIxf1FvO0iSrSrxZ_9Enk0KwmcJaewOdOfMC3Lrh8YA1BCpGLu-Xol31GLGu33uQ7vVKSica5OXyh
request	GET https://vk.com/doc26060933_667508201?hash=6VnuemqrvgMX7JGCKhOp7uAllSfIKzasrs7cM1fWhgL&dl=JwY775FVXYxbFspXlbElezWDzeVHhbpuZXgjGmHUTZs&api=1&no_preview=1#setup

Sends data using the HTTP POST Method (6 events)

request	POST http://94.142.138.131/api/firegate.php
request	POST http://45.15.156.229/api/firegate.php
request	POST http://193.233.255.73/loghub/master
request	POST http://116.203.6.243/
request	POST http://94.142.138.131/api/firecom.php
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (5 events)

ip	185.216.70.232
ip	194.169.175.128
ip	194.33.191.60
ip	5.42.92.51
ip	91.103.252.189

Resolves a suspicious Top Level Domain (TLD) (5 events)

domain	yandex.ru	description	Russian Federation domain TLD
domain	iplis.ru	description	Russian Federation domain TLD
domain	sso.passport.yandex.ru	description	Russian Federation domain TLD
domain	dzen.ru	description	Russian Federation domain TLD
domain	gons13fc.top	description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 10, 2023, 9:45 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74062000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 10, 2023, 9:45 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737d3000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (11 events)

file	C:\Users\test22\AppData\Local\Temp\7zE0A8AD681\database\CrystalDecisions.Shared.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0A8AD681\database\PhotoBase.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0A8AD681\File.exe
file	C:\Users\test22\AppData\Local\Temp\7zE0A8AD681\database\PhotoViewer.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0A8AD681\database\PhotoAcq.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0A8AD681\database\msvcp.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0A8AD681\database\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0A8AD681\database\msvcp14.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0A8AD681\database\atomic_wait.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0A8AD681\database\mozgl.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0A8AD681\database\msvcp1.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 10, 2023, 9:45 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW Nov. 10, 2023, 9:46 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (16 events)

host	116.203.6.243
host	185.172.128.69
host	185.216.70.232
host	193.233.255.73
host	194.169.175.118
host	194.169.175.128
host	194.33.191.60
host	194.49.94.48
host	194.49.94.97
host	45.15.156.229
host	5.42.92.51
host	5.42.92.93
host	91.103.252.189
host	91.92.243.151
host	94.142.138.113
host	94.142.138.131

File.7z

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All