Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | Aug. 5, 2024, 3:18 p.m. | Aug. 5, 2024, 3:20 p.m. |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49176 104.26.8.59:443 | C=US, O=Google Trust Services, CN=WR1 | CN=myip.com | b3:80:cf:15:df:f5:53:6f:d4:e4:88:68:de:87:c0:e1:f8:3b:2c:02 |
TLSv1 192.168.56.102:49199 104.21.32.226:443 | C=US, O=Google Trust Services, CN=WE1 | CN=pinefootsteps.com | 94:d4:d9:15:b2:17:0c:8c:cc:a8:86:9a:61:07:7c:ad:25:20:05:26 |
TLSv1 192.168.56.102:49211 184.26.241.154:443 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA | unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com | 10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5 |
TLSv1 192.168.56.102:49208 172.67.132.113:443 | C=US, O=Google Trust Services, CN=WE1 | CN=iplogger.org | 08:dd:39:df:d9:24:0d:d7:6f:12:c0:8e:bc:78:4a:76:c1:28:90:07 |
TLSv1 192.168.56.102:49222 184.26.241.154:443 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA | unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com | 10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5 |
TLS 1.3 192.168.56.102:49244 34.117.188.166:443 | None | None | None |
TLS 1.2 192.168.56.102:49250 34.149.100.209:443 | C=US, O=Let's Encrypt, CN=R10 | CN=remote-settings.mozilla.org | f1:2b:12:34:f0:1c:73:d9:bb:9e:78:06:b4:44:db:f5:eb:ad:4b:29 |
TLS 1.3 192.168.56.102:49246 64.233.187.84:443 | None | None | None |
TLS 1.2 192.168.56.102:49247 44.239.110.200:443 | C=US, O=Let's Encrypt, CN=R10 | CN=*.services.mozilla.com | ed:8b:e0:ef:78:83:a1:95:a7:db:bf:4f:dd:5a:9a:5e:59:99:10:7f |
TLS 1.3 192.168.56.102:49255 142.250.207.99:443 | None | None | None |
TLS 1.3 192.168.56.102:49249 34.149.100.209:443 | None | None | None |
TLS 1.3 192.168.56.102:49252 142.250.206.227:443 | None | None | None |
TLS 1.3 192.168.56.102:49257 34.120.158.37:443 | None | None | None |
TLS 1.3 192.168.56.102:49262 142.250.76.132:443 | None | None | None |
TLS 1.2 192.168.56.102:49279 35.244.181.201:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=California, L=San Francisco, O=Mozilla Corporation, CN=aus5.mozilla.org | 4e:55:6c:d2:85:cd:87:bf:8a:91:21:6f:05:74:e4:6e:30:ba:2f:2e |
TLS 1.3 192.168.56.102:49224 125.253.92.50:443 | None | None | None |
TLS 1.2 192.168.56.102:49245 34.160.144.191:443 | C=US, O=Let's Encrypt, CN=R10 | CN=content-signature-2.cdn.mozilla.net | 75:83:22:ea:ae:d7:a3:f9:6e:ae:fd:c8:cd:f9:c9:a3:32:d1:e2:9d |
TLS 1.2 192.168.56.102:49243 35.244.181.201:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=California, L=San Francisco, O=Mozilla Corporation, CN=aus5.mozilla.org | 4e:55:6c:d2:85:cd:87:bf:8a:91:21:6f:05:74:e4:6e:30:ba:2f:2e |
TLS 1.3 192.168.56.102:49254 34.120.158.37:443 | None | None | None |
TLS 1.3 192.168.56.102:49248 34.107.243.93:443 | None | None | None |
TLS 1.3 192.168.56.102:49258 142.250.206.206:443 | None | None | None |
TLS 1.3 192.168.56.102:49261 142.250.206.206:443 | None | None | None |
TLS 1.3 192.168.56.102:49251 34.120.158.37:443 | None | None | None |
TLS 1.3 192.168.56.102:49256 142.250.207.99:443 | None | None | None |
TLS 1.3 192.168.56.102:49260 142.250.206.206:443 | None | None | None |
Suspicious features | Suspicious request |
---|---|
Connection to IP address | GET http://185.225.200.214/api/crazyfish.php |
POST method with no referer header, Connection to IP address | POST http://185.225.200.214/api/twofish.php |
Connection to IP address | HEAD http://147.45.44.104/lopsa/66af4e35e761b_doz.exe#mene |
Connection to IP address | HEAD http://147.45.44.104/prog/66ade58a5e39e_tgertert.exe |
Connection to IP address | HEAD http://194.58.114.223/d/525403 |
Connection to IP address | HEAD http://185.215.113.16/nemo/herso.exe |
Connection to IP address | HEAD http://176.111.174.109/socker |
Connection to IP address | GET http://176.111.174.109/socker |
Connection to IP address | GET http://194.58.114.223/d/525403 |
Connection to IP address | HEAD http://147.45.44.104/prog/66af531b832ee_main.exe#space |
Connection to IP address | HEAD http://147.45.44.104/prog/66af45d13a3cb_xincz.exe#xin |
Connection to IP address | GET http://185.215.113.16/nemo/herso.exe |
Connection to IP address | HEAD http://147.45.44.104/prog/66af31c75d213_123p.exe |
Connection to IP address | GET http://147.45.44.104/lopsa/66af4e35e761b_doz.exe#mene |
Connection to IP address | GET http://147.45.44.104/prog/66ade58a5e39e_tgertert.exe |
Connection to IP address | GET http://147.45.44.104/prog/66af531b832ee_main.exe#space |
Connection to IP address | GET http://147.45.44.104/prog/66af45d13a3cb_xincz.exe#xin |
Connection to IP address | GET http://147.45.44.104/prog/66af31c75d213_123p.exe |
POST method with no referer header, POST method with no useragent header, Connection to IP address | POST http://185.215.113.19/Vi9leo/index.php |
GET method with no useragent header, Connection to IP address | GET http://185.215.113.16/steam/random.exe |
GET method with no useragent header, Connection to IP address | GET http://185.215.113.16/well/random.exe |
GET method with no useragent header, Connection to IP address | GET http://185.215.113.24/ |
POST method with no referer header, POST method with no useragent header, Connection to IP address | POST http://185.215.113.24/e2b1563c6670f193.php |
GET method with no useragent header, Connection to IP address | GET http://185.215.113.24/0d60be0de163924d/sqlite3.dll |
GET method with no useragent header, Connection to IP address | GET http://185.215.113.24/0d60be0de163924d/freebl3.dll |
GET method with no useragent header, Connection to IP address | GET http://185.215.113.24/0d60be0de163924d/mozglue.dll |
GET method with no useragent header, Connection to IP address | GET http://185.215.113.24/0d60be0de163924d/msvcp140.dll |
GET method with no useragent header, Connection to IP address | GET http://185.215.113.24/0d60be0de163924d/nss3.dll |
GET method with no useragent header, Connection to IP address | GET http://185.215.113.24/0d60be0de163924d/softokn3.dll |
GET method with no useragent header, Connection to IP address | GET http://185.215.113.24/0d60be0de163924d/vcruntime140.dll |
GET method with no useragent header | GET https://steamcommunity.com/profiles/76561199747278259 |
request | GET http://detectportal.firefox.com/canonical.html |
request | GET http://detectportal.firefox.com/success.txt?ipv4 |
request | GET http://www.google.com/ |
request | GET https://api.myip.com/ |
request | GET https://stan.pinefootsteps.com/ssl/crt.exe |
request | GET https://iplogger.org/1nhuM4.js |
domain | ipinfo.io |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\updates\ILU.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Cache_Data\CbsCore.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\WsmSvc.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Cache_Data\AudioEng.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\updates\Uninstall\unins000.exe |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\System.AddIn.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Windows.Networking.Vpn.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\sppinst.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\res_mods\GdiPlus.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Cache_Data\clr.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Cache_Data\mfmp4srcsnk.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\System.Web.DynamicData.Design.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\ServiceModelPerformanceCounters.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\System.Transactions.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\msvcr90.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\Setup.exe |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\System.Speech.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\webengine.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\WindowsBase.resources.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\InstallUtilLib.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\PrimitiveTransformers.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\SettingsHandlers_OneDriveBackup.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\Aspnet_perf.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Cache_Data\Microsoft.Uev.AppAgent.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\wpfgfx_v0400.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\wsp_health.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\WMINet_Utils.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\PenIMC_v0400.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\PresentationNative_v0400.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Cache_Data\certmgr.dll |
file | C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\msxml6.dll |
Description | Rule |
---|---|
Escalate privileges | Escalate_priviledges |
PWS Memory | Generic_PWS_Memory_Zero |
(no description) | DebuggerCheck__GlobalFlags |
(no description) | DebuggerCheck__QueryInfo |
(no description) | DebuggerHiding__Thread |
(no description) | DebuggerHiding__Active |
(no description) | ThreadControl__Context |
(no description) | SEH__vectored |
Checks if being debugged | anti_dbg |
Bypass DEP | disable_dep |
Run a KeyLogger | KeyLogger |