popup

Report - File_pass1234.7z

PWS Escalate priviledges KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.06.20 09:47 Machine s1_win7_x6402
Filename File_pass1234.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
7.6
ZERO API file : malware
VT API (file) 8 detected (GenericKD, Artemis, ai score=81)
md5 228119ee4c65cb1007f6a059d9b9ea04
sha256 540b52866f994dc6c92ed34bb9e3d7f9ed6183ce5ad09daa9c0704da733ae060
ssdeep 98304:O3vnS3jwpt1B1ODe16f/dqDlvgYCrBBkTRuRs4hI5z:OKMnODe16f/dqZvawRuRjqz
imphash
impfuzzy
  Network IP location

Signature (16cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
watch Performs a TXT record DNS lookup potentially for command and control or covert channel
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates executable files on the filesystem
notice File has been identified by 8 AntiVirus engines on VirusTotal as malicious
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (137cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://45.9.74.80/offer/toolspub2.exe
whois
Unknown 45.9.74.80 malware
http://getnoon.top/c043bcd0ba06ae1d/sqlite3.dll
whois
RU Garant-Park-Internet LLC 195.22.152.206 clean
http://hugersi.com/dl/6523.exe
whois
RU Petersburg Internet Network ltd. 91.215.85.147 32660 malware
http://116.203.166.104/
whois
DE Hetzner Online GmbH 116.203.166.104 clean
http://116.203.166.104/upload.zip
whois
DE Hetzner Online GmbH 116.203.166.104 clean
http://us.imgjeoigaa.com/sts/imagc.jpg
whois
HK HK Kwaifong Group Limited 154.221.19.146 33482 mailcious
http://getnoon.top/c043bcd0ba06ae1d/mozglue.dll
whois
RU Garant-Park-Internet LLC 195.22.152.206 clean
http://getnoon.top/c043bcd0ba06ae1d/freebl3.dll
whois
RU Garant-Park-Internet LLC 195.22.152.206 clean
http://as.imgjeoigaa.com/check/?sid=471204&key=7eee7f9860dae7a11fd31138ce88ab95
whois
HK HK Kwaifong Group Limited 39.109.117.57 clean
http://getnoon.top/c043bcd0ba06ae1d/nss3.dll
whois
RU Garant-Park-Internet LLC 195.22.152.206 clean
http://85.208.136.10/api/tracemap.php
whois
DE CMCS 85.208.136.10 32662 mailcious
http://as.imgjeoigaa.com/check/safe
whois
HK HK Kwaifong Group Limited 39.109.117.57 33483 mailcious
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://45.12.253.72/default/puk.php
whois
DE CMCS 45.12.253.72 clean
http://83.97.73.131/gallery/photo221.exe
whois
DE Limitless Mobile GmbH 83.97.73.131 34350 malware
http://ji.jahhaega2qq.com/m/p0aw25.exe
whois
US CLOUDFLARENET 104.21.18.146 33779 malware
http://45.9.74.80/undoo.exe
whois
Unknown 45.9.74.80 malware
http://getnoon.top/c043bcd0ba06ae1d/softokn3.dll
whois
RU Garant-Park-Internet LLC 195.22.152.206 clean
http://getnoon.top/c043bcd0ba06ae1d/msvcp140.dll
whois
RU Garant-Park-Internet LLC 195.22.152.206 clean
http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixone&substr=mixazed
whois
DE CMCS 45.12.253.56 clean
http://85.208.136.10/api/firegate.php
whois
DE CMCS 85.208.136.10 32663 mailcious
http://77.91.68.63/doma/net/index.php
whois
RU Foton Telecom CJSC 77.91.68.63 34361 mailcious
http://as.imgjeoigaa.com/check/?sid=471022&key=35ecd06fa094e8e3f819bf02984a598e
whois
HK HK Kwaifong Group Limited 39.109.117.57 clean
http://94.142.138.131/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.131 28311 mailcious
http://getnoon.top/410b5129171f10ea.php
whois
RU Garant-Park-Internet LLC 195.22.152.206 clean
http://45.9.74.80/0bjdn2Z/index.php
whois
Unknown 45.9.74.80 26790 mailcious
http://194.169.175.124:3002/
whois
Unknown 194.169.175.124 34039 mailcious
http://45.12.253.72/default/stuk.php
whois
DE CMCS 45.12.253.72 clean
http://45.9.74.80/offer/setup.exe
whois
Unknown 45.9.74.80 malware
http://45.9.74.80/offer/3eef203fb515bda85f514e168abb5973.exe
whois
Unknown 45.9.74.80 malware
http://45.9.74.6/2.exe
whois
Unknown 45.9.74.6 34108 malware
http://getnoon.top/c043bcd0ba06ae1d/vcruntime140.dll
whois
RU Garant-Park-Internet LLC 195.22.152.206 clean
http://116.203.166.104/a6fcde3d4457e243dbb20bf48006aee2
whois
DE Hetzner Online GmbH 116.203.166.104 clean
http://ji.jaoaaoas11.com/m/ss41.exe
whois
HK HK Kwaifong Group Limited 154.221.19.146 clean
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.17.215.67 clean
http://45.12.253.75/dll.php
whois
DE CMCS 45.12.253.75 mailcious
https://sun6-23.userapi.com/c909518/u228185173/docs/d38/ebe2315d378a/PMmp.bmp?extra=JWbYlfkMysxxc8Df5osvbr3V7v7mS9WbfKBZ9kle_TXl-aiq7gmaLn7I8Pvj4NRvhfxciCLwzkTLiWdE5ESkuz9gnFqsRNU_O2ZMCFgYWuyQYzgCLqiasyOgw9SgdsP66Rr6NXwHaMCve6dC_w
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc228185173_661830509?hash=z77Tp2Bt5jc8CbHfC9pdvdFVpeHj77HUzJtS6jx8WZ8&dl=1eqxtSfgbXKz7M994WFagxxb8DLoZQgtZJXs62syX8T&api=1&no_preview=1#rise_test
whois
RU VKontakte Ltd 87.240.132.78 clean
https://sun6-20.userapi.com/c235031/u808950829/docs/d60/a81c4f542916/file.bmp?extra=r3bEOwW5fpcn_pszMJFzHdmrN3uCe0m8NJ49L66Bld9tJFqjgO4QxkLfMHCR8YhfpZwnmdenDBu3P-qZ8loWjPhEAZjVp8FI5P738Zxko5_6BuXGqWpVQel__0nmSYJloWs6t-bQ81m2T0eaNA
whois
RU VKontakte Ltd 95.142.206.0 clean
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.5.15 clean
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 204.79.197.219 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.132.78 mailcious
https://api.ip.sb/ip
whois
US CLOUDFLARENET 172.67.75.172 clean
https://vk.com/doc228185173_661755100?hash=DqFpTzZAFcL1uykcukFWUZYHQqF9dETJFT41KF97TWw&dl=OW4FFnitxAElY7BvTyC2XM9E3mNKnhNVijdNbdZORkz&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.78 clean
https://vk.com/doc228185173_661824370?hash=voN0qMUYyG6idLKUN9WTq6aQoJBZOwLzZiSJPxnGnoz&dl=3UT4z4tzRL1V6VIedoxzLudkL43ZLt4otOi2TuOIPxT&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.78 clean
https://db-ip.com/
whois
US CLOUDFLARENET 104.26.4.15 clean
https://msdl.microsoft.com/download/symbols/index2.txt
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 204.79.197.219 clean
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 204.79.197.219 clean
https://vk.com/doc808950829_663071592?hash=qz8Ck143JrW4Fi1WDdC97jJrmHloy8x9hmvZXd97E9s&dl=qfHkcNpgQQZ4UOrGBdZhBzTkBci2rCyiQzknyB6elo8&api=1&no_preview=1#file
whois
RU VKontakte Ltd 87.240.132.78 clean
https://sun6-21.userapi.com/c237131/u228185173/docs/d35/cba1dc576daa/RisePro_0_1_mA7L5kJnTfFOiuHxQYaS.bmp?extra=6eFX10003NmkdK20n5UdCb3WEylambZUyUim5R_OPESX2F0_moXizx4HxLPlF3bQclEN7i-gKWYRYOAEwXiW7wKnOQzR5j9q7bB9Mq3I8GYQYrBMtoqTTh3b_PeDpkJl6dJp96wredDP5e_
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.78 mailcious
https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=hUSrRovnIeDO4HsFluzzOEuXXYgJhXBXQrujmuo%2FfAw%3D&spr=https&se=202
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 20.150.70.36 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.132.78 mailcious
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 172.67.75.166 clean
https://sun6-23.userapi.com/c235031/u228185173/docs/d2/86708e41457b/falaxy.bmp?extra=QrIHLQfHihFfoOBO9hsubnI4SNZnkrTh3ABCjFlHY8gB2CcoULfZ8kzd9QqUqKZ7VQVMoICuE450aU3XpQcl69fzFPjQdc01cZdb7tDJFwpt8YcEa8R-LOx6jdxHI1yh2H3Ii5gVjaITrI3Lcw
whois
RU VKontakte Ltd 95.142.206.3 clean
https://sun6-23.userapi.com/c909418/u228185173/docs/d27/5c0eb308c9d0/WWW1.bmp?extra=gjhLzDJWSRkwWYb9db9Qt7BAlTsoMWakHEa-g3uQI-jbiub7EVtjj6cX0PXK_mc-GZS4ELWmGQl3wImOtBZV7ocXJBluHOWEz6MFlwg4KMrre4fU7wLA_6UpnR3kemsnmM4-DWh0_Ht_xufXmA
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=GK4CxNjf9jwHsJr9pvkhlNPddJOnR0Ftg4qcBBxqVE4%3D&spr=https&se=2023-
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 20.150.79.68 clean
https://vk.com/doc228185173_661675966?hash=WIZmJ4srelm3loy6LntaCgIGY3LmupjV3W4uezZEqWo&dl=zhVczqBPZOQpqnKDUVkAVPrl9zZlS025dfZ0dmo13KT&api=1&no_preview=1#WW1
whois
RU VKontakte Ltd 87.240.132.78 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
bc4ef8da-d887-49be-b429-28634ffc09c5.uuid.cdntokiog.studio
whois
BG ITL LLC 185.82.216.49 clean
as.imgjeoigaa.com
whois
HK HK Kwaifong Group Limited 39.109.117.57 mailcious
getnoon.top
whois
RU Garant-Park-Internet LLC 195.22.152.206 clean
t.me
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 clean
steamcommunity.com
whois
US Akamai International B.V. 104.76.78.101 mailcious
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
msdl.microsoft.com
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 204.79.197.219 clean
cdn.discordapp.com
whois
Unknown 162.159.135.233 malware
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
api.db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
lodar2ben.top
whois
Unknown clean
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
stun3.l.google.com
whois
US GOOGLE 142.251.2.127 clean
api.ip.sb
whois
US CLOUDFLARENET 172.67.75.172 clean
us.imgjeoigaa.com
whois
HK HK Kwaifong Group Limited 154.221.19.146 mailcious
bitbucket.org
whois
US ATLASSIAN PTY LTD 104.192.141.1 malware
vsblobprodscussu5shard10.blob.core.windows.net
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 20.150.70.36 clean
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
hugersi.com
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
ji.jahhaega2qq.com
whois
US CLOUDFLARENET 104.21.18.146 malware
luckytradeone.com
whois
US CLOUDFLARENET 172.67.181.198 clean
www.maxmind.com
whois
US CLOUDFLARENET 104.17.215.67 clean
server9.cdntokiog.studio
whois
BG ITL LLC 185.82.216.49 clean
ji.jaoaaoas11.com
whois
HK HK Kwaifong Group Limited 154.221.19.146 clean
vsblobprodscussu5shard58.blob.core.windows.net
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 20.150.79.68 clean
vk.com
whois
RU VKontakte Ltd 87.240.129.133 mailcious
api.myip.com
whois
US CLOUDFLARENET 104.26.8.59 clean
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
194.169.175.128
whois
Unknown 194.169.175.128 mailcious
116.203.166.104
whois
DE Hetzner Online GmbH 116.203.166.104 clean
104.17.215.67
whois
US CLOUDFLARENET 104.17.215.67 clean
83.97.73.128
whois
DE Limitless Mobile GmbH 83.97.73.128 malware
91.215.85.147
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
20.150.70.36
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 20.150.70.36 clean
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
45.12.253.56
whois
DE CMCS 45.12.253.56 clean
79.137.204.46
whois
RU Psk-set LLC 79.137.204.46 clean
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
45.12.253.75
whois
DE CMCS 45.12.253.75 mailcious
172.67.75.166
whois
US CLOUDFLARENET 172.67.75.166 clean
45.12.253.72
whois
DE CMCS 45.12.253.72 clean
45.9.74.80
whois
Unknown 45.9.74.80 malware
104.88.222.199
whois
US AKAMAI-AS 104.88.222.199 clean
204.79.197.219
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 204.79.197.219 clean
195.22.152.206
whois
RU Garant-Park-Internet LLC 195.22.152.206 clean
87.240.132.78
whois
RU VKontakte Ltd 87.240.132.78 mailcious
157.254.164.98
whois
Unknown 157.254.164.98 mailcious
20.150.79.68
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 20.150.79.68 clean
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
95.216.249.153
whois
FI Hetzner Online GmbH 95.216.249.153 clean
172.67.182.87
whois
US CLOUDFLARENET 172.67.182.87 malware
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
104.26.8.59
whois
US CLOUDFLARENET 104.26.8.59 clean
162.159.130.233
whois
Unknown 162.159.130.233 malware
104.21.35.252
whois
US CLOUDFLARENET 104.21.35.252 clean
45.12.253.74
whois
DE CMCS 45.12.253.74 malware
94.142.138.131
whois
RU Ihor Hosting LLC 94.142.138.131 mailcious
104.192.141.1
whois
US ATLASSIAN PTY LTD 104.192.141.1 mailcious
154.221.19.146
whois
HK HK Kwaifong Group Limited 154.221.19.146 mailcious
185.81.68.115
whois
FI KLN-Optimum Group Ltd 185.81.68.115 mailcious
83.97.73.131
whois
DE Limitless Mobile GmbH 83.97.73.131 malware
194.169.175.124
whois
Unknown 194.169.175.124 mailcious
104.17.214.67
whois
US CLOUDFLARENET 104.17.214.67 clean
77.91.68.63
whois
RU Foton Telecom CJSC 77.91.68.63 malware
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
172.67.75.172
whois
US CLOUDFLARENET 172.67.75.172 mailcious
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 clean
163.123.143.4
whois
Unknown 163.123.143.4 mailcious
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
185.82.216.49
whois
BG ITL LLC 185.82.216.49 clean
85.208.136.10
whois
DE CMCS 85.208.136.10 mailcious
45.9.74.6
whois
Unknown 45.9.74.6 malware
39.109.117.57
whois
HK HK Kwaifong Group Limited 39.109.117.57 mailcious
74.125.197.127
whois
US GOOGLE 74.125.197.127 clean

Suricata ids

ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET INFO TLS Handshake Failure
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE Potential GCleaner CnC Checkin
ET MALWARE GCleaner CnC Checkin M1
ET MALWARE GCleaner Payload Retrieval Attempt
ET MALWARE GCleaner Downloader - Payload Response
ET INFO EXE - Served Attached HTTP
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Dotted Quad Host ZIP Request
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING Possible EXE Download From Suspicious TLD
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET MALWARE Observed Glupteba CnC Domain (cdntokiog .studio in TLS SNI)
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)

Similarity measure (PE file only) - Checking for service failure