| 9166 |
2023-08-23 17:16
|
 iela2f5.exe afc2a16ccea74e30714916eb2f59a55e
Generic Malware UPX Malicious Packer PE File PE64 VirusTotal Malware PDB unpack itself Tofsee Remote Code Execution |
1
https://z.nnnaajjjgc.com/sts/imagd.jpg
|
2
z.nnnaajjjgc.com(156.236.72.121) - malware
156.236.72.121 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
1.8 |
M |
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9167 |
2023-08-23 17:14
|
000O0oO0o0O0O0o0O0OoO0O000%23%... 0d1550017594bcc25b972623bc69994a
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
http://192.210.175.4/receipt_232/3/receipt_231123.vbs
|
4
uploaddeimagens.com.br(172.67.215.45) - malware
192.210.175.4 - mailcious
121.254.136.27
104.21.45.138 - malware
|
2
ET INFO Dotted Quad Host VBS Request
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9168 |
2023-08-23 17:14
|
receipt.vbs fbc91d72fa61ce79b3a743219e8548b1
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129
http://192.210.175.4/lime/ivr/up.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
61.111.58.35 - malware
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
M |
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9169 |
2023-08-23 17:12
|
mtvn.vbs 1c95efddfe47d87af3d77d968d285c8c
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
http://80.76.51.248/mnx.txt
|
4
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.27
104.21.45.138 - malware
45.33.6.223
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.4 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9170 |
2023-08-23 17:12
|
 igfxEM.exe f8f39502518f5ee2cdab32a5288bc667
.NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Browser Email ComputerName Software crashed |
|
|
|
|
9.4 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9171 |
2023-08-23 17:10
|
df.vbs 047133c0c9174e63bc4a320ee8483aa6
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129
http://192.210.175.4/lime/ivr/update.txt
|
3
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.27
104.21.45.138 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.0 |
|
7 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9172 |
2023-08-23 17:10
|
0oO0O0O0O0Oo0o000O0O0O0O0O000%... cd6a6fc58be90a45c6baad019b482e05
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
2
http://apps.identrust.com/roots/dstrootcax3.p7c
http://192.210.175.4/receipt_232/1/receipt.vbs
|
4
uploaddeimagens.com.br(104.21.45.138) - malware
192.210.175.4 - mailcious
121.254.136.27
172.67.215.45 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
|
|
4.0 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9173 |
2023-08-23 17:09
|
 wininit.exe 9cd889e65235a00e96a92e4304307f53
Formbook AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS |
13
http://www.playcups.life/pta7/ - rule_id: 35250
http://www.cosmicearthgoddess.com/pta7/?JLMiIK=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&g5Z=wqLJTXDaxo0 - rule_id: 35248
http://www.yh66985.com/pta7/ - rule_id: 35249
http://www.yh66985.com/pta7/?JLMiIK=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&g5Z=wqLJTXDaxo0 - rule_id: 35249
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
http://www.cosmicearthgoddess.com/pta7/ - rule_id: 35248
http://www.promptyum.com/pta7/ - rule_id: 35845
http://www.playcups.life/pta7/?JLMiIK=owQQ/LdvYhr1hQA44RH9bUiltN1V9/nW3nzbuZ7AnukoApd9+FtfvWC4rKSj4oUCaFCHPCKOWRRPvWiBpKGkSpFpDTHalZsc88EWemY=&g5Z=wqLJTXDaxo0 - rule_id: 35250
http://www.maytag36.com/pta7/?JLMiIK=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&g5Z=wqLJTXDaxo0 - rule_id: 35246
http://www.maytag36.com/pta7/ - rule_id: 35246
http://www.promptyum.com/pta7/?JLMiIK=51fXUovDvl40Gay+bBOuV4csAD2CR1Bn3rNklAoym8RSa3YWX1JZVvP1mooqhecBmHsju7ND43XQhJhW/MWm8p48YIEfLWeZ5rDjg9Q=&g5Z=wqLJTXDaxo0 - rule_id: 35845
http://www.selfstorage.koeln/pta7/?JLMiIK=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&g5Z=wqLJTXDaxo0 - rule_id: 35247
http://www.selfstorage.koeln/pta7/ - rule_id: 35247
|
14
www.sisbom.online() - mailcious
www.yh66985.com(154.215.247.58) - mailcious
www.selfstorage.koeln(81.169.145.157) - mailcious
www.promptyum.com(52.20.84.62) - mailcious
www.playcups.life(203.161.58.192) - mailcious
www.cosmicearthgoddess.com(74.208.236.61) - mailcious
www.maytag36.com(76.223.26.96) - mailcious
74.208.236.61 - mailcious
52.20.84.62 - mailcious
81.169.145.157 - mailcious
154.215.247.58 - mailcious
76.223.26.96 - mailcious
45.33.6.223
203.161.58.192 - mailcious
|
2
ET INFO HTTP Request to Suspicious *.life Domain
ET INFO Observed DNS Query to .life TLD
|
12
http://www.playcups.life/pta7/
http://www.cosmicearthgoddess.com/pta7/
http://www.yh66985.com/pta7/
http://www.yh66985.com/pta7/
http://www.cosmicearthgoddess.com/pta7/
http://www.promptyum.com/pta7/
http://www.playcups.life/pta7/
http://www.maytag36.com/pta7/
http://www.maytag36.com/pta7/
http://www.promptyum.com/pta7/
http://www.selfstorage.koeln/pta7/
http://www.selfstorage.koeln/pta7/
|
9.8 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9174 |
2023-08-23 17:08
|
receipt.vbs 1004c9ac0ce57f200c38355e51e9a200
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129
http://104.168.46.25/doc0/3/b1.txt
|
3
uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.27
172.67.215.45 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.4 |
|
6 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9175 |
2023-08-23 16:44
|
 sdf.exe e67194e6d1a28c86ee3f31ad100bfffa
Malicious Library UPX OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Microsoft suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
|
1
|
4
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
|
|
6.2 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9176 |
2023-08-23 16:06
|
 calc.exe 3abbc9069a163b18c039db37099e3e4b
Malicious Library UPX OS Processor Check PE File PE32 VirusTotal Malware unpack itself |
|
|
|
|
2.2 |
M |
29 |
yjw
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9177 |
2023-08-23 16:04
|
 calc.exe 3abbc9069a163b18c039db37099e3e4b
Malicious Library UPX OS Processor Check PE File PE32 VirusTotal Malware unpack itself |
|
|
|
|
2.2 |
M |
29 |
yjw
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9178 |
2023-08-23 13:49
|
Setup_pass1234.7z f96a58af45e296c5946f1d3b86920876
Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Cryptocurrency Miner Malware c&c Cryptocurrency Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Remote Code Execution Trojan DNS Downloader |
27
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://193.233.254.61/loghub/master - rule_id: 35736
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://davidlewis.top/3886d2276f6914c4.php
http://andrewjohnson.top/calc.exe - rule_id: 35985
http://77.91.124.231/info/img0581.exe - rule_id: 35986
http://176.113.115.84:8080/4.php - rule_id: 34795
http://jjz.alie3ksgbb.com/m/iela2f5.exe
http://87.121.221.58/g.exe - rule_id: 35764
http://apps.identrust.com/roots/dstrootcax3.p7c
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://www.maxmind.com/geoip/v2.1/city/me
http://208.67.104.60/api/tracemap.php - rule_id: 28876
http://www.google.com/
https://busell.store/setup294.exe - rule_id: 35772
https://sun6-22.userapi.com/c909628/u647736509/docs/d9/5349c3386a88/crypted.bmp?extra=XfdahKnDVY9Rjj20iW_wAaWhbv7vF1N_qPZAdJ5V30r_5YjGq4XgXLViMX_Y61e_2Oct_3sHfMVLPbtWC0LRQXJnCDJYvqafm33wJi_uEbvljnfvJJXSvAJQtSOeDsUgeXOwkfLtqMPz0Cqp1A
https://sun6-22.userapi.com/c237231/u647736509/docs/d56/d82afc11631c/WWW1.bmp?extra=3LL1P9VzcHaRKpyouEe0HD154BFs4wJDNdyakWBriklTmnnWcijJ-S52tmD55rYhswM4Bh9C83JP1ZvE71yUdjqDNmKdc0GBhgUU53IHmHZq3WnhpOwsAevHxdfs5BTMJdp4act0aY_R4q16lQ
https://db-ip.com/demo/home.php?s=175.208.134.152
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://db-ip.com/
https://vk.com/doc44017378_668299763?hash=zmOOWSCCe8PEqA6JzTOimcWsBP4rczFGlKQm7u1wl5w&dl=pZKH7ORpwz4F1bj2umQkxWcLuyYZXbxgyoMtGIhzz1H&api=1&no_preview=1
https://vk.com/doc44017378_668269434?hash=1XPr8Pd2LqVjZtzSfCR5zo3pZq1l86eot1YSFyNkjxw&dl=QzxSCOyCV44wt8iKWMaApWzReJZvlShUFNdk3veg9jo&api=1&no_preview=1#start
https://sun6-21.userapi.com/c236331/u44017378/docs/d28/269a778342f3/RazerSynapsee.bmp?extra=qyL-i-FtB0cCS76kHc7poX8QT3NkwXvxzHZeb1KZlWcWP92xZVQqyGLoJd5xTSQxgcWnaB3NqpkOVKJriGMfbZ3PCDlgzXGavOzao_64Mr47JezpSv-asorYZKzb4M3yiy4irlJagF1aZxaZ
https://sun6-23.userapi.com/c909518/u44017378/docs/d35/014643b87b1a/start.bmp?extra=8qZvCvh1niuvq1_HSBv8MDAVgwzWs6jncEwfcVD4eyDCqR6XAQGBZ1VU8Zj4LQFIRS04pzZlbk9O-8PsPPCY_IB6qtSuvLDnkBq_wgmbjTMLkI7Ei9KCD08KrHd5UOaiVaFgsky842hfx_2B
https://sun6-22.userapi.com/c909228/u647736509/docs/d52/3e0be831efe1/nudik.bmp?extra=EJmw6eISKIZdqq4KKXNW0mBej8fuwZt6t2oPbD9Y27OK7nVOWJ2x_xPCkDwa-WeDrkLgSyoa83-MlKok3S0m_JZdvCnk0kM_mqe7o4TbEJdz6M7wPQWcTS_suVPGfwQrpZzCC3gI28ojRI-kBg
https://sun6-21.userapi.com/c909628/u647736509/docs/d12/0e7f2f732e2a/PMmp.bmp?extra=9qzaokku1AKCPEOWOd4kXT_oZBxwXzxPuC4tsOVrK8otj-d5mx6ImL8AaNH8Zk7s9Jvkl1WjUzhs_raxaZbuZABd1jZAsSHfV84PoVEFLAerxVGZyXBNazD9FmXAAfbvqzJuWEGSGwRQhLj_sQ
https://sun6-23.userapi.com/c909628/u647736509/docs/d6/3c2b3c219ac8/RisePro.bmp?extra=2CzOaOZMGP-wP3UQ0olk5n3RfU8f2CnE8rD0WNupCjE7kfn91c-qtK-CKCymUz_aVITS70Jfqz-Wia2sBk_1GnTc1lMz2u-IqiwRUQVEadA1OtNXe2OWC47eC9xHJI6up3MOObkY19JencEPLA
|
64
db-ip.com(104.26.4.15)
fastpool.xyz(213.91.128.133) - mailcious
vanaheim.cn(193.106.174.59) - mailcious
ipinfo.io(34.117.59.81)
sun6-23.userapi.com(95.142.206.3)
andrewjohnson.top(195.58.51.86) - malware
iplogger.org(148.251.234.83) - mailcious
z.nnnaajjjgc.com(156.236.72.121) - malware
api.db-ip.com(172.67.75.166)
sun6-21.userapi.com(95.142.206.1) - mailcious
busell.store(172.67.159.178) - malware
bitbucket.org(104.192.141.1) - malware
ns13.domaincontrol.com(97.74.106.7)
jjz.alie3ksgbb.com(172.67.200.102)
www.google.com(142.250.207.100)
api.myip.com(172.67.75.163)
davidlewis.top(195.58.51.86)
sun6-22.userapi.com(95.142.206.2)
www.maxmind.com(104.17.241.37)
vk.com(87.240.132.67) - mailcious
iplis.ru(148.251.234.93) - mailcious
148.251.234.93 - mailcious
194.169.175.128 - mailcious
104.192.141.1 - mailcious
62.122.184.92 - mailcious
208.67.104.60 - mailcious
87.121.221.58 - malware
61.111.58.34 - malware
172.67.75.166
80.66.75.4 - mailcious
172.67.75.163
193.233.254.61 - mailcious
194.26.135.162 - mailcious
195.58.51.86 - malware
34.117.59.81
176.113.115.84 - mailcious
176.113.115.85 - mailcious
148.251.234.83
104.21.90.117
104.21.9.89 - malware
176.113.115.135 - mailcious
176.113.115.136 - mailcious
45.15.156.229 - mailcious
94.142.138.131 - mailcious
176.123.9.142 - mailcious
193.106.174.59
104.17.241.37
77.91.124.231 - malware
185.225.73.32 - mailcious
149.202.0.242 - mailcious
156.236.72.121 - mailcious
45.143.201.238 - mailcious
77.91.124.73 - mailcious
95.142.206.3
163.123.143.4 - mailcious
95.142.206.1 - mailcious
142.250.204.132
97.74.106.7
85.208.136.10 - mailcious
95.142.206.2
62.122.184.58
87.240.132.72 - mailcious
213.91.128.133 - mailcious
185.244.181.112 - mailcious
|
37
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET INFO TLS Handshake Failure
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO EXE - Served Attached HTTP
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET DROP Dshield Block Listed Source group 1
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET DROP Spamhaus DROP Listed Traffic Inbound group 39
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET POLICY Cryptocurrency Miner Checkin
|
10
http://94.142.138.131/api/firegate.php
http://193.233.254.61/loghub/master
http://45.15.156.229/api/tracemap.php
http://andrewjohnson.top/calc.exe
http://77.91.124.231/info/img0581.exe
http://176.113.115.84:8080/4.php
http://87.121.221.58/g.exe
http://94.142.138.131/api/tracemap.php
http://208.67.104.60/api/tracemap.php
https://busell.store/setup294.exe
|
7.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9179 |
2023-08-23 10:24
|
 mna.ico.ps1 2f25a05132eb5f32660bd2b8996cecbb
Generic Malware Antivirus VirusTotal Malware powershell Buffer PE suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI heapspray Creates shortcut Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key |
|
|
|
|
8.8 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9180 |
2023-08-23 09:38
|
http://www.youtube.com bfa846eaac246b8b874b7b52a81a2afd
Downloader Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Hijack Network Sniff Audio HTTP DNS ScreenShot Code injection Internet API persistence FTP KeyLogger AntiDebug AntiVM PNG Format MSOffice File icon Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
15
http://www.youtube.com/
https://www.youtube.com/img/desktop/supported_browsers/firefox.png
https://www.youtube.com/favicon.ico
https://fonts.gstatic.com/s/youtubesans/v18/Qw3hZQNGEDjaO2m6tqIqX5E-AVS5_rSejo46_PCTRspJ0OosolrBEJL3HMXfxQASluL2m_dANVawBpSF.woff
https://fonts.gstatic.com/s/roboto/v30/KFOlCnqEu92Fr1MmEU9fBBc-.woff
https://www.youtube.com/img/desktop/supported_browsers/edgium.png
https://www.youtube.com/
https://www.youtube.com/img/desktop/supported_browsers/yt_logo_rgb_light.png
https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxM.woff
https://www.youtube.com/img/desktop/supported_browsers/dinosaur.png
https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2F
https://fonts.googleapis.com/css?family=YouTube+Sans:500
https://www.youtube.com/img/desktop/supported_browsers/chrome.png
https://www.youtube.com/img/desktop/supported_browsers/opera.png
https://fonts.googleapis.com/css?family=Roboto:400,500
|
6
fonts.gstatic.com(142.250.206.195)
www.youtube.com(172.217.25.174) - mailcious
fonts.googleapis.com(142.250.206.202)
142.250.204.74
216.58.203.78
142.250.204.67
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|