45151 | 2020-11-19 15:15
whatisthisherefor.exe 735384bc0506a27f518e04f4124a591e VirusTotal Malware MachineGuid Code Injection Check memory WMI Creates executable files unpack itself Windows utilities malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS crashed
URLs (7): http://go.microsoft.com/fwlink/?LinkID=88340; http://www.msftncsi.com/ncsi.txt; http://go.microsoft.com/fwlink/?LinkID=88339; http://go.microsoft.com/fwlink/?LinkID=88338; https://activation.sls.microsoft.com/slspc/SLActivate.asmx; https://activation.sls.microsoft.com/slpkc/SLCertifyProduct.asmx; https://activation.sls.microsoft.com/slrac/SLCertify.asmx
Hosts (3): activation.sls.microsoft.com(40.91.72.206); 40.91.72.206; 121.254.136.49
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.6 | M | 20 | guest
45152 | 2020-11-19 15:14
upgrade.doc 346dc04c2c3627d3726c65f86ff495d0 Vulnerability VirusTotal Malware buffers extracted Creates executable files exploit crash unpack itself malicious URLs Windows Exploit crashed
Hosts (2): wordupdate.com(104.27.185.80) - malware; 104.27.185.80 - suspicious
Alerts (3): ET INFO Packed Executable Download; ET POLICY PE EXE or DLL Windows file download HTTP; ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
6.2 | M | 21 | guest
45153 | 2020-11-19 13:49
sftp.exe 79f226cec7d09ef5c2b96e1870651324 VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs Windows DNS Cryptographic key DDNS crashed
Hosts (2): 8e3d-wzr.duckdns.org(192.169.69.26) - malicious; 156.96.44.201 - suspicious
Alerts (2): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET DROP Spamhaus DROP Listed Traffic Inbound group 17
14.8 | M | 50 | guest
45154 | 2020-11-19 13:46
r.exe a5b4252c8bac59ad90a543ec1f2e4a7a VirusTotal Malware Check memory Checks debugger unpack itself
2.0 | M | 50 | guest
45155 | 2020-11-19 13:26
lol.exe aa938dc5d017dd009fe1649e61380c86 VirusTotal Malware suspicious privilege Code Injection Check memory WMI Creates executable files Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName crashed
7.0 | M | 17 | guest
45156 | 2020-11-19 13:25
lolv2.exe db850f73090ae8108522466650c1d9ae VirusTotal Malware Creates executable files Windows utilities WriteConsoleW Windows
3.4 | M | 20 | guest
45157 | 2020-11-19 10:22
IT4l74TKgSA7p92.exe ab2997f06c883b00764bcdae89b8b2d6 VirusTotal Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Ransomware Windows Tor ComputerName crashed
9.2 | M | 22 | ZeroCERT
45158 | 2020-11-19 10:09
formbook.exe bc1b1f3d1f8ffb3494f9d5b74c0294fd VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself
2.8 | M | 30 | ZeroCERT
45159 | 2020-11-19 10:05
content.exe 9120704bbeb7458efc6491283ff5c528 VirusTotal Malware powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows ComputerName DNS Cryptographic key
Hosts (2): 54.235.83.248; 23.82.140.14
11.6 | M | 54 | ZeroCERT
45160 | 2020-11-19 10:01
bitbit.exe 4383cfdf8af01edd3110a25c33763c2d ENERGETIC BEAR VirusTotal Malware suspicious privilege unpack itself malicious URLs Windows Tor DNS keylogger
Hosts (3): mfon.greaterfr.ml(23.105.131.165); 23.105.131.165; 163.172.184.243
Alerts (2): ET INFO DNS Query for Suspicious .ml Domain; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 247
7.6 | M | 49 | ZeroCERT
45161 | 2020-11-19 10:01
ayox.exe 21a0b271edce3702889bd4fe4205f90d Browser Info Stealer VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Browser Tor ComputerName DNS Cryptographic key crashed
URLs (2): http://crt.comodoca.com/COMODORSAAddTrustCA.crt; https://api.ipify.org/
Hosts (9): api.ipify.org(50.19.252.36); crt.comodoca.com(91.199.212.52); 91.199.212.52; 153.92.127.239; 37.252.187.111; 54.235.83.248; 95.128.43.164; 178.254.40.158; 37.157.254.114
Alerts (7): ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 231; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 579; ET TOR Known Tor Exit Node Traffic group 152; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 152; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 294; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 586; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.4 | M | 44 | ZeroCERT
45162 | 2020-11-19 09:56
31.exe 0a975ab225438aa388a42fefa03555ff ENERGETIC BEAR suspicious privilege Check memory buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder malicious URLs anti-virtualization Ransomware Windows Tor ComputerName DNS crashed keylogger
Hosts (6): 163.172.176.167; 163.172.184.243; 199.249.230.64; 155.4.70.10; 217.12.203.242; 51.38.134.104
Alerts (6): ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 444; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 247; ET TOR Known Tor Exit Node Traffic group 75; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 232; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 652
11.8 | M | | ZeroCERT
45163 | 2020-11-19 09:56
1.exe 1c2e14b349ff275af406259a671e78b6 VirusTotal Malware suspicious privilege Check memory buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder malicious URLs anti-virtualization Ransomware Windows Tor ComputerName DNS crashed keylogger
Hosts (6): 153.92.127.239; 37.252.187.111; 62.141.38.69; 95.128.43.164; 178.254.40.158; 37.157.254.114
Alerts (7): ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 579; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 586; ET TOR Known Tor Exit Node Traffic group 152; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 684; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 152; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 294; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 231
11.6 | M | 57 | ZeroCERT
45164 | 2020-11-19 09:50
MULTAMIT8069218371.msi 77c587e712fb0e78d8f07301aaee21e6 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs AntiVM_Disk VM Disk Size Check ComputerName DNS
Hosts (1):
4.0 | | 23 | ZeroCERT
45165 | 2020-11-19 09:49
MIT-MULTA9662778901.msi 4cd4cf6d8d40df274769f490bd85d6f8 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs AntiVM_Disk VM Disk Size Check ComputerName
Hosts (1):
3.0 | | 8 | ZeroCERT