download: | File.7z |
Full analysis: | https://app.any.run/tasks/b6b5ea06-9cc5-4091-910c-ab183557591a |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | May 21, 2022, 06:14:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-7z-compressed |
File info: | 7-zip archive data, version 0.4 |
MD5: | 4BAE0558EF80F6E0522E7A0F9FC9F782 |
SHA1: | 964AA1E695069810C9A71D772FAD9A3702CBBAE7 |
SHA256: | 2278C8C48B2BF0E8080776FB52F09DF454454F4731E322174EBDC3E622D3E102 |
SSDEEP: | 1536:yppaEi4xgj05MU3xmLty9WmStMrjFhTUxSekS0sgXN+x5b2pxGg4xmQttTdMTwE:w4MwJUBmRyMEhGV0vX4Tb2pxwxmoxAl |
.7z | | | 7-Zip compressed archive (v0.4) (57.1) |
---|---|---|
.7z | | | 7-Zip compressed archive (gen) (42.8) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2828 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\File.7z" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
3828 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2828.31434\File.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2828.31434\File.exe | — | WinRAR.exe | |||||||||||
User: admin Company: ForceMin Integrity Level: MEDIUM Description: ForceMin Exit code: 3221226540 Version: 1.3.21001.2 Modules
| |||||||||||||||
2588 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2828.31434\File.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2828.31434\File.exe | WinRAR.exe | ||||||||||||
User: admin Company: ForceMin Integrity Level: HIGH Description: ForceMin Version: 1.3.21001.2 Modules
| |||||||||||||||
3840 | "C:\Users\admin\Pictures\Adobe Films\NiceProcessX32.bmp.exe" | C:\Users\admin\Pictures\Adobe Films\NiceProcessX32.bmp.exe | File.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
2592 | "C:\Users\admin\Pictures\Adobe Films\Service.bmp.exe" | C:\Users\admin\Pictures\Adobe Films\Service.bmp.exe | File.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
2672 | "C:\Users\admin\Pictures\Adobe Films\rrmix.exe.exe" | C:\Users\admin\Pictures\Adobe Films\rrmix.exe.exe | File.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
RedLine(PID) Process(2672) rrmix.exe.exe US (200) LEnvironmentogiEnvironmentn DatEnvironmenta Environment WSystem.Texteb DatSystem.Texta System.Text CoCryptographyokieCryptographys Cryptography ExtGenericension CooGenerickies Generic OFileInfopeFileInfora GFileInfoX StabFileInfole FileInfo OpLinqera GLinqX Linq ApGenericpDaGenericta\RGenericoamiGenericng\ Network Extension UNKNOWN . 1 cFileStreamredFileStreamit_cFileStreamardFileStreams FileStream \ Network\ Host Port : User Pass cookies.sqlite %USEDisposeRPROFILE%\AppDaDisposeta\LDisposeocal Dispose String.Replace String.Remove bcrFileStream.IOypt.dFileStream.IOll FileStream.IO BCrstring.EmptyyptOpestring.EmptynAlgorithmProvistring.Emptyder string.Empty BCruintyptCloseAlgorituinthmProvuintider uint BCrUnmanagedTypeyptDecrUnmanagedTypeypt UnmanagedType BCrbyte[]yptDesbyte[]troyKbyte[]ey byte[] BCpszPropertyryptGepszPropertytPropepszPropertyrty pszProperty BCEncodingryptSEncodingetPrEncodingoperEncodingty Encoding BCrbMasterKeyyptImbMasterKeyportKbMasterKeyey bMasterKey windows-1251 AES Microsoft Primitive Provider ChainingModeGCM AuthTagLength ChainingMode ObjectLength KeyDataBlob - {0} net.tcp:// / localhost 80c38cc7772c328c028b0e4f42a3fac6 Authorization ns1 UNKNWON GSYCFyEDJx0ZC11dIipaVhs2BhciLQVTGyNUUA== ARw/WwxbBVo= Trimming Yandex\YaAddon ToString asf *wallet* ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtu... _ T e l gr am ex \TeEnvironmentlegraEnvironmentm DEnvironmentesktoEnvironmentp\tdEnvironmentata String Replace string.Replace %USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng File.Write Handler npvo* %USERPserviceInterface.ExtensionROFILE%\ApserviceInterface.ExtensionpData\LocaserviceInterface.Extensionl serviceInterface.Extension ProldCharotonVoldCharPN oldChar nSystem.CollectionspvoSystem.Collections* System.Collections ( UNIQUE cstringmstringd string /ProcessC Process Process | " Armenia Azerbaijan Belarus Kazakhstan Kyrgyzstan Moldova Tajikistan Uzbekistan Ukraine Russia gasdl94ja;sdiasdl94ja;s32 asdl94ja;s Gasdl94jlajsdetDevasdl94jlajsdiceCapasdl94jlajsds asdl94jlajsd Width Height CopyFromScreen https://api.ip.sb/ip 80 81 0.0.0.0 SELSystem.Windows.FormsECT * FRSystem.Windows.FormsOM WinSystem.Windows.Forms32_ProcSystem.Windows.Formsessor System.Windows.Forms Name NumberOfCores roSystem.Linqot\CISystem.LinqMV2 System.Linq SELSystem.LinqECT * FRSystem.LinqOM WinSystem.Linq32_VideoCoSystem.Linqntroller AdapterRAM SOFTWARE\WOW6432Node\Clients\StartMenuInternet SOFTWARE\Clients\StartMenuInternet shell\open\command Unknown Version SELESystem.ManagementCT * FRSystem.ManagementOM WiSystem.Managementn32_DisSystem.ManagementkDrivSystem.Managemente System.Management SerialNumber SELSystem.Text.RegularExpressionsECT * FRSystem.Text.RegularExpressionsOM Win32_PSystem.Text.RegularExpressionsrocess WSystem.Text.RegularExpressionshere SessSystem.Text.RegularExpressionsionId=' ' FileSystem SSystem.ELECT * FRSystem.OM WiSystem.n32_ProcSystem.ess WherSystem.e SessiSystem.onId=' System. ExecutablePath [ ] Concat0 MConcatb oConcatr Concat0 Concat SELEMemoryCT * FMemoryROM WiMemoryn32_OperMemoryatingSMemoryystem Memory {0}{1}{2} x32 x64 x86 SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName CSDVersion Unknown _[ System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 System.Security.Cryptography.AesCryptoServiceProvider 9b0kgil4ep7.rmtpkxubprxrd9 {11111-22222-10009-11111} {11111-22222-50001-00000} GetDelegateForFunctionPointer v4wb21iq4l82.v4a44yl6tx m_ptr System.Reflection.RuntimeModule m_pData clrjit.dll System.Reflection.ReflectionContext __ file:/// Location Find ResourceA Virtual Alloc Write Process Protect Open Close Handle kernel 32.dll {11111-22222-10001-00001} {11111-22222-10001-00002} {11111-22222-20001-00001} {11111-22222-20001-00002} {11111-22222-40001-00001} {11111-22222-40001-00002} {11111-22222-50001-00001} {11111-22222-50001-00002} Auth_value80c38cc7772c328c028b0e4f42a3fac6 Err_msg BotnetRuzki C2 (1)193.233.48.58:38989 | |||||||||||||||
2844 | "C:\Users\admin\Pictures\Adobe Films\TrdngAnlzr22649.exe.exe" | C:\Users\admin\Pictures\Adobe Films\TrdngAnlzr22649.exe.exe | File.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
3868 | "C:\Users\admin\Pictures\Adobe Films\Offscum.exe.exe" | C:\Users\admin\Pictures\Adobe Films\Offscum.exe.exe | File.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
RedLine(PID) Process(3868) Offscum.exe.exe US (191) LEnvironmentogiEnvironmentn DatEnvironmenta Environment WSystem.Texteb DatSystem.Texta System.Text CoCryptographyokieCryptographys Cryptography ExtGenericension CooGenerickies Generic OFileInfopeFileInfora GFileInfoX StabFileInfole FileInfo OpLinqera GLinqX Linq ApGenericpDaGenericta\RGenericoamiGenericng\ Network Extension UNKNOWN . 1 cFileStreamredFileStreamit_cFileStreamardFileStreams FileStream \ Network\ Host Port : User Pass cookies.sqlite %USEDisposeRPROFILE%\AppDaDisposeta\LDisposeocal Dispose String.Replace String.Remove net.tcp:// / localhost 7ab4a4e2eae9eb7ae10f64f68df53bb3 Authorization ns1 HjcSVyoTGhs7NVIBHjc4EygDBlU6IidE NyQjHAI9Fl4= Scuffy asf *wallet* _ T e l gr am ex \TeEnvironmentlegraEnvironmentm DEnvironmentesktoEnvironmentp\tdEnvironmentata \Discord\Local Storage\leveldb *.loSystem.Collections.Genericg System.Collections.Generic String Replace string.Replace %USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng File.Write Handler npvo* %USERPserviceInterface.ExtensionROFILE%\ApserviceInterface.ExtensionpData\LocaserviceInterface.Extensionl serviceInterface.Extension ProldCharotonVoldCharPN oldChar nSystem.CollectionspvoSystem.Collections* System.Collections Microsoft\Windоws - ToString % ( UNIQUE " bcrFileStream.IOypt.dFileStream.IOll FileStream.IO BCrstring.EmptyyptOpestring.EmptynAlgorithmProvistring.Emptyder string.Empty BCruintyptCloseAlgorituinthmProvuintider uint BCrUnmanagedTypeyptDecrUnmanagedTypeypt UnmanagedType BCrbyte[]yptDesbyte[]troyKbyte[]ey byte[] BCpszPropertyryptGepszPropertytPropepszPropertyrty pszProperty BCEncodingryptSEncodingetPrEncodingoperEncodingty Encoding BCrbMasterKeyyptImbMasterKeyportKbMasterKeyey bMasterKey windows-1251 AES Microsoft Primitive Provider ChainingModeGCM AuthTagLength ChainingMode ObjectLength KeyDataBlob {0} gasdl94ja;sdiasdl94ja;s32 asdl94ja;s Gasdl94jlajsdetDevasdl94jlajsdiceCapasdl94jlajsds asdl94jlajsd Width Height CopyFromScreen | https://api.ip.sb/ip 80 81 0.0.0.0 SELSystem.Windows.FormsECT * FRSystem.Windows.FormsOM WinSystem.Windows.Forms32_ProcSystem.Windows.Formsessor System.Windows.Forms Name NumberOfCores roSystem.Linqot\CISystem.LinqMV2 System.Linq SELSystem.LinqECT * FRSystem.LinqOM WinSystem.Linq32_VideoCoSystem.Linqntroller AdapterRAM SOFTWARE\WOW6432Node\Clients\StartMenuInternet SOFTWARE\Clients\StartMenuInternet shell\open\command Unknown Version SELESystem.ManagementCT * FRSystem.ManagementOM WiSystem.Managementn32_DisSystem.ManagementkDrivSystem.Managemente System.Management SerialNumber SELSystem.Text.RegularExpressionsECT * FRSystem.Text.RegularExpressionsOM Win32_PSystem.Text.RegularExpressionsrocess WSystem.Text.RegularExpressionshere SessSystem.Text.RegularExpressionsionId=' System.Text.RegularExpressions ' FileSystem SSystem.ELECT * FRSystem.OM WiSystem.n32_ProcSystem.ess WherSystem.e SessiSystem.onId=' System. ExecutablePath [ ] Concat0 MConcatb oConcatr Concat0 Concat SELEMemoryCT * FMemoryROM WiMemoryn32_OperMemoryatingSMemoryystem Memory {0}{1}{2} x32 x64 x86 SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName CSDVersion Unknown _[ System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 System.Security.Cryptography.AesCryptoServiceProvider fkn3x4fm6.33nu2t4g5p0 {11111-22222-10009-11111} {11111-22222-50001-00000} GetDelegateForFunctionPointer __ System.Reflection.ReflectionContext m_ptr m_pData System.Reflection.RuntimeModule dqaq7el7.j6fb60 clrjit.dll file:/// Location Find ResourceA Virtual Alloc Write Process Protect Open Process Close Handle kernel 32.dll {11111-22222-10001-00001} {11111-22222-10001-00002} {11111-22222-20001-00001} {11111-22222-20001-00002} {11111-22222-40001-00001} {11111-22222-40001-00002} {11111-22222-50001-00001} {11111-22222-50001-00002} Auth_value7ab4a4e2eae9eb7ae10f64f68df53bb3 Err_msg Botnettest1 C2 (1)185.215.113.75:80 | |||||||||||||||
2780 | "C:\Users\admin\Pictures\Adobe Films\13.php.exe" | C:\Users\admin\Pictures\Adobe Films\13.php.exe | File.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
3264 | "C:\Users\admin\Pictures\Adobe Films\file1.exe.exe" | C:\Users\admin\Pictures\Adobe Films\file1.exe.exe | — | File.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
|
(PID) Process: | (2828) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2828) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2828) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2828) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface |
Operation: | write | Name: | ShowPassword |
Value: 0 | |||
(PID) Process: | (2828) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (2828) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (2828) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\File.7z | |||
(PID) Process: | (2828) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2828) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2828) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2828.31434\File.exe | executable | |
MD5:D8933905DAF436FDE88523508F9F0EAE | SHA256:4AA606A0A542D44BF4AA6F7EBCDC2684BF914C65A344BFED77AA34C8C20768A2 | |||
2588 | File.exe | C:\Users\admin\Pictures\Adobe Films\NiceProcessX32.bmp.exe | executable | |
MD5:A89561ABD740E80AA85B8E86EFE9A210 | SHA256:E83F58825C02DB8659491FE6E3DECEC9ADA7040BAF22DE5957FA17477466CA46 | |||
2588 | File.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:2C74BFD0F282AF8E2034CC8B814C07FB | SHA256:A5618CA46D6187089BA401B5598F272870502B84299F333554D0FD31AE45959E | |||
2588 | File.exe | C:\Users\admin\Pictures\Adobe Films\file5.exe.exe | html | |
MD5:978489E2DDB94E1A8F3C4842596BED8B | SHA256:222FF59C7DCD2FFE6BBFAA15DDA759C48F5F205DF0B82BCF969FAF845C1F12E2 | |||
2588 | File.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | |
MD5:47020B685E77ECD74ABC9ADCE105AD13 | SHA256:558C89968EE2679A433CC03190339A000DEDD32D1E7A21B9929DD7631C4211BD | |||
2588 | File.exe | C:\Users\admin\Documents\OJ5vxl5kgcLJzMyoJFgbF.jet | binary | |
MD5:8D505656356A73B4595320989D0F263E | SHA256:4B456A4681006C12F3225BC10A460DC672A110C8FD260225AE3CC0EFD7F101E9 | |||
2588 | File.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\TrdngAnlzr22649[1].exe | executable | |
MD5:FFA1CC375E380F8F41A0B810C9B1291C | SHA256:5B1556FC720EAD9F3505BBFFA66FB38C1BD724FED4D09530A33E4B12CD300904 | |||
2588 | File.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\rrmix[1].exe | executable | |
MD5:E991A831E8EEC3638DE931550432D1B4 | SHA256:9A9D47FAE2A7BE0270D3C2DD050F11438D1F597E020B3C58E4EFF46481F5A2B3 | |||
2588 | File.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\NiceProcessX32[1].bmp | executable | |
MD5:A89561ABD740E80AA85B8E86EFE9A210 | SHA256:E83F58825C02DB8659491FE6E3DECEC9ADA7040BAF22DE5957FA17477466CA46 | |||
2588 | File.exe | C:\Users\admin\Pictures\Adobe Films\file3.exe.exe | html | |
MD5:978489E2DDB94E1A8F3C4842596BED8B | SHA256:222FF59C7DCD2FFE6BBFAA15DDA759C48F5F205DF0B82BCF969FAF845C1F12E2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2588 | File.exe | HEAD | 200 | 45.144.225.57:80 | http://45.144.225.57/download/NiceProcessX32.bmp | unknown | — | — | malicious |
2588 | File.exe | HEAD | 200 | 193.233.48.98:80 | http://193.233.48.98/Offscum.exe | RU | — | — | suspicious |
2588 | File.exe | HEAD | — | 193.233.48.74:80 | http://193.233.48.74/rrmix.exe | RU | — | — | suspicious |
2588 | File.exe | HEAD | 200 | 45.144.225.57:80 | http://45.144.225.57/download/Service.bmp | unknown | — | — | malicious |
2588 | File.exe | HEAD | 404 | 212.193.30.29:80 | http://212.193.30.29/WW/file5.exe | RU | — | — | malicious |
2588 | File.exe | GET | — | 193.233.48.98:80 | http://193.233.48.98/Offscum.exe | RU | — | — | suspicious |
2588 | File.exe | GET | — | 45.144.225.57:80 | http://45.144.225.57/download/Service.bmp | unknown | — | — | malicious |
2588 | File.exe | HEAD | 404 | 212.193.30.29:80 | http://212.193.30.29/WW/file3.exe | RU | — | — | malicious |
2588 | File.exe | GET | 400 | 212.193.30.45:80 | http://212.193.30.45/proxies.txt | RU | html | 301 b | malicious |
2588 | File.exe | HEAD | — | 31.41.244.81:80 | http://31.41.244.81:9080/13.php | RU | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2588 | File.exe | 162.159.134.233:80 | cdn.discordapp.com | Cloudflare Inc | — | shared |
2588 | File.exe | 212.193.30.45:80 | — | — | RU | malicious |
2588 | File.exe | 45.144.225.57:80 | — | — | — | malicious |
2588 | File.exe | 212.193.30.21:80 | — | — | RU | malicious |
2588 | File.exe | 104.20.68.143:443 | pastebin.com | Cloudflare Inc | US | malicious |
2588 | File.exe | 162.159.134.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
2588 | File.exe | 95.140.236.128:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | GB | malicious |
— | — | 45.144.225.57:80 | — | — | — | malicious |
2588 | File.exe | 193.233.48.74:80 | — | OOO FREEnet Group | RU | suspicious |
2588 | File.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
cdn.discordapp.com |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
ipinfo.io |
| shared |
colgefine.at |
| malicious |
stpaulslouisville.com |
| unknown |
www.rahmancorp.com |
| unknown |
telegram.org |
| whitelisted |
twitter.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2588 | File.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2588 | File.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2588 | File.exe | Generic Protocol Command Decode | SURICATA Applayer Mismatch protocol both directions |
2588 | File.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI) |
2588 | File.exe | Generic Protocol Command Decode | SURICATA Applayer Mismatch protocol both directions |
2588 | File.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI) |
2588 | File.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI) |
2588 | File.exe | A Network Trojan was detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
2588 | File.exe | Potential Corporate Privacy Violation | ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) |
2588 | File.exe | A Network Trojan was detected | ET TROJAN Win32/Spy.Socelars.S CnC Activity M3 |