Unimed Ransom 2

The document provides a detailed analysis of 165 entities, including their incoming and outgoing links, categorized by type. It highlights the top entities ranked by links, such as the IPv4 address 34.117.186.192, and includes various data types like DNS names, domains, and abuse reports. Additionally, it contains WHOIS information for the IP address, indicating it is associated with Google LLC and used for cloud services.

Uploaded by matheus.santanna

1. Top 10 Entities
Total number of entities 165
Total number of links 193

Ranked by Incoming Links


Rank Type Value Incoming links
1 DNS Name 192.186.117.34.bc.googleusercontent.com 6
2 IPv4 Address 34.117.186.192 6
3 AS 396982 5
4 DNS Name ipinfo.io 3
5 DNS Name host.io 3
6 DNS Name maltego.ipinfo.io 2
7 Port 443 2
8 Domain ipinfo.io 2
9 DNS Name ipinfo.org 2
10 DNS Name www.host.io 2

Ranked by Outgoing Links


Rank Type Value Outgoing links
1 IPv4 Address 34.117.186.192 187
2 DNS Name 192.186.117.34.bc.googleusercontent.com 1
3 Domain ipinfo.i 1
4 Domain 192.186.117.34.bc.googleusercontent.co 1
5 Domain host.i 1
6 Domain maltego.ipinfo.i 1
7 Domain www.host.i 1
8 AS 396982 0
9 DNS Name ipinfo.io 0
10 DNS Name host.io 0

Ranked by Total Links


Rank Type Value Total links
1 IPv4 Address 34.117.186.192 193
2 DNS Name 192.186.117.34.bc.googleusercontent.com 7
3 AS 396982 5
4 DNS Name ipinfo.io 3
5 DNS Name host.io 3
6 DNS Name maltego.ipinfo.io 2
7 Port 443 2
8 Domain ipinfo.io 2
9 DNS Name ipinfo.org 2
10 DNS Name www.host.io 2

2. Entities by Type

A Records (14)
192.186.117.34.bc.googleusercontent.com
agm-429076122901.backupdr.actifiogo.com
api-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
api-test-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
company.io
host.io
ipinfo.io
ipinfo.riquitito.com
openam-imm-0fad97b25d.forgeblocks.com
polybuttontrend.com
rr1---sn-11haecwz.poc.cdnfastly.net
test2.cliff.tw
useragent.io
www.ipinfo.io

ASs (1)
396982

AbuseIPDB IP Reports (11)
2024-06-12T17:14:47+00:00
2024-06-17T16:36:15+00:00
2024-06-18T17:34:42+00:00
2024-06-24T11:10:42+00:00
2024-06-24T11:30:23+00:00
2024-06-25T05:38:33+00:00
2024-06-29T09:25:50+00:00
2024-06-29T09:45:17+00:00
2024-07-01T13:49:44+00:00
2024-07-03T07:05:13+00:00
2024-07-08T18:46:19+00:00

AbuseIPDB Tags (1)
Data Center/Web Hosting/Transit

BannerHashes (2)
1559705222
1955952339

Banners (5)

Censys Service Details (2)
443/HTTPS
80/HTTP

Companies (7)
American Registry for Internet Numbers, Ltd.
Google LLC
NetHandle
NetRange
NetType
RegDate
[email protected]
(NetHandle, NetRange, NetType and RegDate are ARIN WHOIS field labels that the transform mis-parsed as company names; the e-mail address comes from the same WHOIS record and is redacted in this copy.)

Countries (1)
United States of America

DNS Names (21)
192.186.117.34.bc.googleusercontent.com
743c55e0-a7f6-4cc7-8327-42f5d6631cea.looker.app
agm-429076122901.backupdr.actifiogo.com
blocked-url.moodys.cloud
company.io
dev.host.io
dev.ipinfo.io
host.io
ipinfo.dev
ipinfo.io
ipinfo.net
ipinfo.org
ipinfo.riquitito.com
ipinfoio.com
maltego.ipinfo.io
rr1---sn-11haecwz.poc.cdnfastly.net
test2.cliff.tw
useragent.io
website.ipinfo.io
www.host.io
www.ipinfo.io

Domains (15)
192.186.117.34.bc.googleusercontent.co
company.io
google.com
googleusercontent.com
host.i
host.io
ipinfo.dev
ipinfo.i
ipinfo.io
ipinfo.net
ipinfo.org
ipinfoio.com
maltego.ipinfo.i
useragent.io
www.host.i
(The Domain entities ending in ".i" and ".co" are as extracted; each is missing the final character of the real name and should not be used as a pivot.)

Email Addresses (2)
[email protected]
[email protected]

GPS Coordinates (2)
39.09973,-94.57857
39.102699279785156,39.102699279785156

Hashes (10)
6139adae368d125ed966e4595d2de997bc5894ddcafe924c067a0be8bdaa7428
6c8919e77ad7a2e894fb37dddd5d7a4e06dd178af9708442f1dd19a6cee43bec
80697e9fbebeeedb8ea2a5e3352d5aa4931ae4b6c2014bc8a9170cb63eaee8fc
9ba312b2ac1d5b6ef5be258e6acc6c29ca7ba15f0fac932bcc2b0cdf40db3125
9dd3cb5cc099ab8731fa11094b869b0bf29f127179ec82d15fd6ba6f0ca5e942
9e4871f70bc64e360a4fafea12d4ab5186b529e699441cd60361f3c59151259c
c397debb344056ddc819da0970310e18a6a1c5654af1368bb61e35d9905f4184
d83a94f9713a4e3748e30329350dcebbff03160672be78796d4ecc7ec31f3042
d96acb75834e3356c9f674e2a02f7566dbcc4790c477f4e32c2364afdd8325da
eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5

HtmlHashes (1)
336196947

IPQS Tags (4)
Abuse velocity: medium
Proxy
Recent Abuse
Vpn

IPv4 Addresses (3)
34.117.186.192
34.127.255.255
34.64.0.0

ISPs (1)
Google LLC

Locations (5)
Kansas City
Kansas City, Missouri (United States)
Kansas City, US
Kansas City, United States
United States

Netblock CIDRs (1)
34.117.0.0/16

Netblocks (3)
34.116.0.0-34.119.255.255
34.117.186.0-34.117.186.255
34.64.0.0-34.127.255.255

Organizations (1)
Google Cloud

Phone Numbers (1)
650-253-0000

Ports (2)
443
80

SSL Certificate Hashes (2)
6e1e959cfc20083510b2641f9f9ce590be7dd13176553cab3606795cc42c850c
8cdf0cf4a330a8e079eb3823d35fc80957292573

SSL Certificate Serials (1)
302203689575303662225367543027433592014166

SSL Certificates (9)
api-test-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
ipinfo.io (7 certificate entities)
openam-imm-0fad97b25d.forgeblocks.com

Shodan Services Details (2)
443
80

Shodan Tags (1)
cloud

URLs (11)
http://134.209.78.82
http://137.184.194.154
http://157.245.246.236
http://159.223.98.160
http://159.65.233.72
http://159.65.233.73
http://165.227.85.125
http://167.99.153.101
http://174.138.41.51
http://206.189.225.175
http://24.144.104.44

VirusTotal Files (16)
000a9d76483aa1375b4d4b5730db0b4ad1d62f3dbe694b842d7915d84cdd8101.exe
40151005_com.dz.cjcsyx.huawei_1.0.1_huawei_20240202_shield.apk
HLL_BugReportUploader.exe
MSBuild.exe
RageMP131.exe
SULE (1).csv
WEXTRACT.EXE .MUI
WEXTRACT.EXE .MUI
eve.json?id
filezilla.exe
heidisql.exe
heidisql.exe
libGLESv2.dll
motherfuck.txt
pfirewall.log
wpa.dll

WHOIS Records (5)
34.117.186.192 (5 WHOIS Record entities)

alphaMountain Categories (2)
Information Technology
Suspicious

3. Entity Details
IPv4 Address
maltego.IPv4Address

34.117.186.192

Weight 23
IP Address 34.117.186.192
Internal false
Whitelisted false
Usage Type Data Center/Web Hosting/Transit
ISP Domain google.com
Proxy (IPQS) true
Shodan Last Update 2024-07-08T18:42:17.394076
Abuse Confidence 36

IP whois
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#

#
# Query terms are ambiguous. The query is assumed to be:
# "n 34.117.186.192"
#
# Use "?" to get help.
#

NetRange: 34.64.0.0 - 34.127.255.255
CIDR: 34.64.0.0/10
NetName: GOOGL-2
NetHandle: NET-34-64-0-0-1
Parent: NET34 (NET-34-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Google LLC (GOOGL-2)
RegDate: 2018-09-28
Updated: 2018-09-28
Ref: https://rdap.arin.net/registry/ip/34.64.0.0

OrgName: Google LLC
OrgId: GOOGL-2
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2006-09-29
Updated: 2019-11-01
Comment: *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
Comment:
Comment: Direct all copyright and legal complaints to
Comment: https://support.google.com/legal/go/report
Comment:
Comment: Direct all spam and abuse complaints to
Comment: https://support.google.com/code/go/gce_abuse_report
Comment:
Comment: For fastest response, use the relevant forms above.
Comment:
Comment: Complaints can also be sent to the GC Abuse desk
Comment: ([email protected])
Comment: but may have longer turnaround times.
Comment:
Comment: Complaints sent to any other POC will be ignored.
Ref: https://rdap.arin.net/registry/entity/GOOGL-2

OrgNOCHandle: GCABU-ARIN
OrgNOCName: GC Abuse
OrgNOCPhone: +1-650-253-0000
OrgNOCEmail: [email protected]
OrgNOCRef: https://rdap.arin.net/registry/entity/GCABU-ARIN

OrgTechHandle: ZG39-ARIN
OrgTechName: Google LLC
OrgTechPhone: +1-650-253-0000
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/ZG39-ARIN

OrgAbuseHandle: GCABU-ARIN
OrgAbuseName: GC Abuse
OrgAbusePhone: +1-650-253-0000
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/GCABU-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#
Whois Date 1720148903


Total Reports 12
context 34.117.186.192
IP Version 4
AS Owner GOOGLE-CLOUD-PLATFORM
Regional Internet Registry ARIN
Fraud Score 87
Recent Abuse (IPQS) true
ISP Google LLC
Last Reported 2024-07-08T18:46:19+00:00
country_code US
AS Number 396982
Continent NA

Vpn (IPQS) true
Country United States of America
Abuse Velocity (IPQS) medium
Country Code US
Hostnames 192.186.117.34.bc.googleusercontent.com
Subnet 34.117.0.0/16
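The ARIN record above is the whole 34.64.0.0/10 "Direct Allocation" to Google LLC, so WHOIS attributes 34.117.186.192 to the cloud provider, not to whichever customer is behind it, and the only abuse routes it offers are Google's own desk and the web form quoted in the Comment lines. The parser below is an added example written for this page, not Maltego or ARIN code: it reads the record as printed (trimmed to the fields it needs, with the abuse e-mail left in the redacted form this copy shows), checks that the CIDR and NetRange agree and actually contain the queried IP, and extracts the contact an analyst would use.

```python
import ipaddress
import re

# The ARIN record quoted in the report, reduced to the fields used below.
# The abuse e-mail is kept in the redacted form it has in this copy.
ARIN_WHOIS = """\
NetRange:       34.64.0.0 - 34.127.255.255
CIDR:           34.64.0.0/10
NetName:        GOOGL-2
NetHandle:      NET-34-64-0-0-1
Parent:         NET34 (NET-34-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Google LLC (GOOGL-2)
RegDate:        2018-09-28
Updated:        2018-09-28
Ref:            https://rdap.arin.net/registry/ip/34.64.0.0

OrgName:        Google LLC
OrgId:          GOOGL-2
Comment:        *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
Comment:
Comment:        Direct all spam and abuse complaints to
Comment:        https://support.google.com/code/go/gce_abuse_report

OrgAbuseHandle: GCABU-ARIN
OrgAbuseName:   GC Abuse
OrgAbusePhone:  +1-650-253-0000
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    https://rdap.arin.net/registry/entity/GCABU-ARIN
"""

FIELD_RE = re.compile(r"^([A-Za-z]+):\s*(.*?)\s*$")


def parse_arin(text: str) -> dict:
    """Turn 'Key: value' lines into a dict. Repeated keys keep the first
    value (ARIN prints the most specific block first); Comment lines are
    collected in order because the abuse web form is only given there."""
    fields: dict = {}
    comments: list = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Comment":
            if value:
                comments.append(value)
        else:
            fields.setdefault(key, value)
    fields["Comments"] = comments
    return fields


def allocation(fields: dict) -> ipaddress.IPv4Network:
    """Network named by the CIDR field, cross-checked against NetRange so a
    mangled record (common in pivot output) fails loudly instead of silently."""
    # ARIN may list several comma-separated CIDRs; this record has one.
    cidr = fields["CIDR"].split(",")[0].strip()
    net = ipaddress.ip_network(cidr, strict=True)
    low, high = (ipaddress.ip_address(p.strip()) for p in fields["NetRange"].split("-"))
    if net[0] != low or net[-1] != high:
        raise ValueError(f"CIDR {cidr} does not match NetRange {fields['NetRange']}")
    return net


def covers(fields: dict, ip: str) -> bool:
    """True when the queried address really lies inside the returned allocation."""
    return ipaddress.ip_address(ip) in allocation(fields)


def abuse_contact(fields: dict) -> dict:
    """Where a report about this IP goes: the provider's abuse desk and the
    web form from the Comment lines, since the tenant is not identified."""
    form = next((c for c in fields["Comments"] if c.startswith("https://")), None)
    return {
        "org": fields.get("OrgName"),
        "handle": fields.get("OrgAbuseHandle"),
        "email": fields.get("OrgAbuseEmail"),
        "phone": fields.get("OrgAbusePhone"),
        "web_form": form,
    }


if __name__ == "__main__":
    f = parse_arin(ARIN_WHOIS)
    print(allocation(f), covers(f, "34.117.186.192"))
    print(abuse_contact(f))
```

Because the allocation is a /10 with about four million addresses, the abuse contact is the same for every Google Cloud tenant in it; per-tenant attribution has to come from DNS, certificates or the provider's abuse form, not from the RIR record.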

alphaMountain Threat Report

Categories Information Technology, Suspicious

Categorization Confidence 0.71

Threat Score 7.55

Possible Typo Of

Threat Report at alphaMountain


Details at threatYeti.com

AbuseIPDB Abuse Score
Abuse Score: 36

AbuseIPDB Info
AbuseIPDB: https://www.abuseipdb.com/check/34.117.186.192
Abuse Confidence 36

Whitelisted false

Usage Type Data Center/Web Hosting/Transit

ISP Google LLC

ISP Domain google.com

Hostnames 192.186.117.34.bc.googleusercontent.com

Country United States of America

Country Code US

IP Version 4

Total Reports 12

Last Reported 2024-07-08T18:46:19+00:00

AbuseIPDB Details
AbuseIPDB: https://www.abuseipdb.com/check/34.117.186.192
IPQS Fraud Score

Fraud score: 87
This is an overall fraud score in the context of online user or customer screening (e.g. automated webshop checkout
validation).

According to IPQS: 'Fraud Scores >= 75 are suspicious, but not necessarily fraudulent.' IPQS recommends 'flagging or
blocking traffic with Fraud Scores >= 85.'

IPQS Tag: Proxy


Indicates this IP address is suspected to be a proxy (SOCKS, Elite, Anonymous, VPN, Tor, etc.).

IPQS Tag: Recent Abuse


This value will indicate if there has been any recently verified abuse across IPQS' network for this IP address.
Abuse could be a confirmed chargeback, compromised device, fake app install, or similar malicious behavior
within the past few days.

IPQS Tag: Vpn


Indicates this IP is suspected of being part of a VPN. This can include data center ranges which can become
active VPNs at any time. The "proxy" status will always be true when this value is true.

IPQS Tag: Abuse Velocity


Abuse velocity: medium

Google Maps
' 39.0997,-94.5786 '

Shodan

Organization Google LLC

Tags cloud

Ports 80, 443

IP Address Summary

VirusTotal Reputation 41

AS Number 396982

AS Number Owner GOOGLE-CLOUD-PLATFORM

Subnet 34.117.0.0/16

Country Code US

Continent NA

Regional Internet Registry ARIN

Tags

VirusTotal Analysis Summary

Aggregate Result harmless - 56 / 92

VirusTotal Analysis Stats

Analysis Type Number of Analysis

Confirmed Timeout 0

Failure 0

Harmless 56

Malicious 6

Suspicious 2

Timeout 0

Type Unsupported 0

Undetected 28

Total 92

Community Votes
Total votes cast: 52
Harmless: 5/52
Malicious: 2/52
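The IPQS thresholds quoted above (>= 75 suspicious, >= 85 flag or block), the AbuseIPDB confidence and the VirusTotal stats for this entity can be folded into one triage decision. The function below is an added example written for this page, not Maltego, IPQS, AbuseIPDB or VirusTotal code. The AbuseIPDB confidence cut-off, the VirusTotal detection-ratio cut-off and the "three or more registrable domains" rule for shared hosting are the editor's assumptions, and registrable_domain is a deliberately crude stand-in for a Public Suffix List lookup. The point it makes: 34.117.186.192 fronts ipinfo.io, host.io, company.io, useragent.io and several third-party names on a Google Cloud range, so an IPQS score over the block threshold should produce a review and a hostname-scoped action, not an IP-level block.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IpEnrichment:
    """The subset of the report's IP properties that the triage uses."""
    ip: str
    fraud_score: int        # IPQS Fraud Score, 0-100
    proxy: bool             # IPQS tag Proxy
    vpn: bool               # IPQS tag Vpn
    recent_abuse: bool      # IPQS tag Recent Abuse
    abuse_confidence: int   # AbuseIPDB Abuse Confidence, 0-100
    total_reports: int      # AbuseIPDB Total Reports
    usage_type: str         # AbuseIPDB Usage Type
    vt_malicious: int       # VirusTotal analysis stats
    vt_suspicious: int
    vt_total: int
    hosted_names: tuple     # DNS names resolving to the IP (A records / passive DNS)


# Thresholds the report quotes from IPQS.
IPQS_SUSPICIOUS = 75
IPQS_BLOCK = 85
# ASSUMPTION: the three cut-offs below are the editor's, not values from the report.
ABUSEIPDB_CONFIDENCE_FLAG = 50
VT_RATIO_FLAG = 0.10
SHARED_TENANT_MIN = 3


def registrable_domain(name: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for the names in this report;
    production code should use the Public Suffix List."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def tenants(e: IpEnrichment) -> set:
    return {registrable_domain(n) for n in e.hosted_names}


def vt_detection_ratio(e: IpEnrichment) -> float:
    return 0.0 if e.vt_total == 0 else (e.vt_malicious + e.vt_suspicious) / e.vt_total


def is_shared_cloud_ip(e: IpEnrichment) -> bool:
    """Hosting/data-centre range fronting several unrelated registrable
    domains. An IP block here hits every tenant, not just the bad one."""
    hosting = any(k in e.usage_type for k in ("Data Center", "Hosting", "Transit"))
    return hosting and len(tenants(e)) >= SHARED_TENANT_MIN


def triage(e: IpEnrichment) -> dict:
    signals = []
    if e.fraud_score >= IPQS_BLOCK:
        signals.append("ipqs_fraud_block")
    elif e.fraud_score >= IPQS_SUSPICIOUS:
        signals.append("ipqs_fraud_suspicious")
    if e.proxy or e.vpn:
        signals.append("ipqs_proxy_or_vpn")  # weak on data-centre ranges, see IPQS Vpn note
    if e.recent_abuse:
        signals.append("ipqs_recent_abuse")
    if e.abuse_confidence >= ABUSEIPDB_CONFIDENCE_FLAG:
        signals.append("abuseipdb_confidence")
    if vt_detection_ratio(e) >= VT_RATIO_FLAG:
        signals.append("vt_detection_ratio")

    shared = is_shared_cloud_ip(e)
    if not signals:
        verdict = "allow"
    elif "ipqs_fraud_block" in signals and not shared:
        verdict = "block"
    else:
        verdict = "review"
    if shared and signals:
        signals.append("shared_cloud_ip")
    return {
        "ip": e.ip,
        "verdict": verdict,
        "signals": signals,
        "tenants": sorted(tenants(e)),
        # What to act on: a hostname or URL when the IP is shared, the IP otherwise.
        "scope": "hostname" if shared else "ip",
    }


# The IPv4 entity from the report, with the names its A records point at.
IPINFO_IO = IpEnrichment(
    ip="34.117.186.192", fraud_score=87, proxy=True, vpn=True, recent_abuse=True,
    abuse_confidence=36, total_reports=12, usage_type="Data Center/Web Hosting/Transit",
    vt_malicious=6, vt_suspicious=2, vt_total=92,
    hosted_names=("ipinfo.io", "www.ipinfo.io", "host.io", "company.io", "useragent.io",
                  "agm-429076122901.backupdr.actifiogo.com",
                  "openam-imm-0fad97b25d.forgeblocks.com", "test2.cliff.tw"),
)

if __name__ == "__main__":
    print(triage(IPINFO_IO))
```

For this entity the result is "review" with scope "hostname": the IPQS block threshold is met, but seven distinct registrable domains share the address, so the response should target the offending hostname or URL rather than 34.117.186.192.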

Incoming (6)
DNS Name 192.186.117.34.bc.googleusercontent.com
Domain 192.186.117.34.bc.googleusercontent.co
Domain host.i
Domain ipinfo.i
Domain maltego.ipinfo.i
Domain www.host.i
Outgoing (187)
A Record 192.186.117.34.bc.googleusercontent.com
A Record agm-429076122901.backupdr.actifiogo.com
A Record api-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
A Record api-test-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
A Record api-test-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
A Record company.io
A Record host.io
A Record host.io
A Record ipinfo.io
A Record ipinfo.io
A Record ipinfo.riquitito.com
A Record openam-imm-0fad97b25d.forgeblocks.com
A Record openam-imm-0fad97b25d.forgeblocks.com
A Record polybuttontrend.com
A Record rr1---sn-11haecwz.poc.cdnfastly.net
A Record test2.cliff.tw
A Record useragent.io
A Record www.ipinfo.io
AS 396982
AS 396982
AS 396982
AS 396982
AS 396982
AbuseIPDB IP Report 2024-06-12T17:14:47+00:00
AbuseIPDB IP Report 2024-06-17T16:36:15+00:00
AbuseIPDB IP Report 2024-06-18T17:34:42+00:00
AbuseIPDB IP Report 2024-06-24T11:10:42+00:00
AbuseIPDB IP Report 2024-06-24T11:30:23+00:00
AbuseIPDB IP Report 2024-06-25T05:38:33+00:00
AbuseIPDB IP Report 2024-06-29T09:25:50+00:00
AbuseIPDB IP Report 2024-06-29T09:45:17+00:00
AbuseIPDB IP Report 2024-07-01T13:49:44+00:00
AbuseIPDB IP Report 2024-07-03T07:05:13+00:00
AbuseIPDB IP Report 2024-07-08T18:46:19+00:00
AbuseIPDB Tag Data Center/Web Hosting/Transit
Banner
Banner
Banner
Banner
Banner
Banner Hash 1559705222
Banner Hash 1955952339

Censys Service Details 443/HTTPS
Censys Service Details 80/HTTP
Company American Registry for Internet Numbers, Ltd.
Company Google LLC
Company NetHandle
Company NetRange
Company NetType
Company RegDate
Company [email protected]
Country United States of America
DNS Name 192.186.117.34.bc.googleusercontent.com
DNS Name 192.186.117.34.bc.googleusercontent.com
DNS Name 192.186.117.34.bc.googleusercontent.com
DNS Name 192.186.117.34.bc.googleusercontent.com
DNS Name 192.186.117.34.bc.googleusercontent.com
DNS Name 192.186.117.34.bc.googleusercontent.com
DNS Name 743c55e0-a7f6-4cc7-8327-42f5d6631cea.looker.app
DNS Name agm-429076122901.backupdr.actifiogo.com
DNS Name blocked-url.moodys.cloud
DNS Name company.io
DNS Name company.io
DNS Name dev.host.io
DNS Name dev.ipinfo.io
DNS Name dev.ipinfo.io
DNS Name host.io
DNS Name host.io
DNS Name host.io
DNS Name ipinfo.dev
DNS Name ipinfo.io
DNS Name ipinfo.io
DNS Name ipinfo.io
DNS Name ipinfo.net
DNS Name ipinfo.org
DNS Name ipinfo.org
DNS Name ipinfo.riquitito.com
DNS Name ipinfoio.com
DNS Name maltego.ipinfo.io
DNS Name maltego.ipinfo.io
DNS Name rr1---sn-11haecwz.poc.cdnfastly.net
DNS Name test2.cliff.tw
DNS Name useragent.io
DNS Name useragent.io
DNS Name website.ipinfo.io
DNS Name www.host.io
DNS Name www.host.io
DNS Name www.ipinfo.io
Domain company.io
Domain google.com
Domain googleusercontent.com
Domain host.io

Domain ipinfo.dev
Domain ipinfo.io
Domain ipinfo.io
Domain ipinfo.net
Domain ipinfo.org
Domain ipinfoio.com
Domain useragent.io
Email Address [email protected]
Email Address [email protected]
GPS Coordinate 39.09973,-94.57857
GPS Coordinate 39.102699279785156,39.102699279785156
Hash 6139adae368d125ed966e4595d2de997bc5894ddcafe924c067a0be8bdaa7428
Hash 6c8919e77ad7a2e894fb37dddd5d7a4e06dd178af9708442f1dd19a6cee43bec
Hash 80697e9fbebeeedb8ea2a5e3352d5aa4931ae4b6c2014bc8a9170cb63eaee8fc
Hash 9ba312b2ac1d5b6ef5be258e6acc6c29ca7ba15f0fac932bcc2b0cdf40db3125
Hash 9dd3cb5cc099ab8731fa11094b869b0bf29f127179ec82d15fd6ba6f0ca5e942
Hash 9e4871f70bc64e360a4fafea12d4ab5186b529e699441cd60361f3c59151259c
Hash c397debb344056ddc819da0970310e18a6a1c5654af1368bb61e35d9905f4184
Hash d83a94f9713a4e3748e30329350dcebbff03160672be78796d4ecc7ec31f3042
Hash d96acb75834e3356c9f674e2a02f7566dbcc4790c477f4e32c2364afdd8325da
Hash eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5
Html Hash 336196947
IPQS Tag Abuse velocity: medium
IPQS Tag Proxy
IPQS Tag Recent Abuse
IPQS Tag Vpn
IPv4 Address 34.127.255.255
IPv4 Address 34.64.0.0
ISP Google LLC
Location Kansas City
Location Kansas City, Missouri (United States)
Location Kansas City, US
Location Kansas City, US
Location Kansas City, United States
Location United States
Netblock 34.116.0.0-34.119.255.255
Netblock 34.117.186.0-34.117.186.255
Netblock 34.64.0.0-34.127.255.255
Netblock CIDR 34.117.0.0/16
Organization Google Cloud
Phone Number 650-253-0000
Port 443
Port 443
Port 80

Port 80
SSL Certificate api-test-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
SSL Certificate ipinfo.io
SSL Certificate ipinfo.io
SSL Certificate ipinfo.io
SSL Certificate ipinfo.io
SSL Certificate ipinfo.io
SSL Certificate ipinfo.io
SSL Certificate ipinfo.io
SSL Certificate ipinfo.io
SSL Certificate openam-imm-0fad97b25d.forgeblocks.com
SSL Certificate Hash 6e1e959cfc20083510b2641f9f9ce590be7dd13176553cab3606795cc42c850c
SSL Certificate Hash 8cdf0cf4a330a8e079eb3823d35fc80957292573
SSL Certificate Serial 302203689575303662225367543027433592014166
Shodan Service Details 443
Shodan Service Details 80
Shodan Tag cloud
URL http://134.209.78.82
URL http://137.184.194.154
URL http://157.245.246.236
URL http://159.223.98.160
URL http://159.65.233.72
URL http://159.65.233.73
URL http://165.227.85.125
URL http://167.99.153.101
URL http://174.138.41.51
URL http://206.189.225.175
URL http://24.144.104.44
VirusTotal File 000a9d76483aa1375b4d4b5730db0b4ad1d62f3dbe694b842d7915d84cdd8101.exe
VirusTotal File 40151005_com.dz.cjcsyx.huawei_1.0.1_huawei_20240202_shield.apk
VirusTotal File HLL_BugReportUploader.exe
VirusTotal File MSBuild.exe
VirusTotal File RageMP131.exe
VirusTotal File SULE (1).csv
VirusTotal File WEXTRACT.EXE .MUI
VirusTotal File WEXTRACT.EXE .MUI
VirusTotal File eve.json?id
VirusTotal File filezilla.exe
VirusTotal File heidisql.exe
VirusTotal File heidisql.exe
VirusTotal File libGLESv2.dll
VirusTotal File motherfuck.txt
VirusTotal File pfirewall.log
VirusTotal File wpa.dll
WHOIS Record 34.117.186.192
WHOIS Record 34.117.186.192
WHOIS Record 34.117.186.192
WHOIS Record 34.117.186.192

WHOIS Record 34.117.186.192
alphaMountain Category Information Technology
alphaMountain Category Suspicious

DNS Name
maltego.DNSName

192.186.117.34.bc.googleusercontent.com
Weight 81
DNS Name 192.186.117.34.bc.googleusercontent.com
Image https://storage.googleapis.com/ipinfo_maltego/icon_ipinfo.png

Google Maps
' 39.0997,-94.5786 '

Censys DNS Information


Open Reverse DNS name on Censys dashboard
Resolved at: 2024-06-26T08:23:02.172566562Z
Incoming (6)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192
Outgoing (1)
IPv4 Address 34.117.186.192

AS
maltego.AS

396982
Weight 6
AS Number 396982
AS Owner GOOGLE-CLOUD-PLATFORM

Censys Autonomous System Number Information


GOOGLE-CLOUD-PLATFORM

AS Number 396982

Name GOOGLE-CLOUD-PLATFORM

BGP Prefix 34.116.0.0/14

Country Code US

Organization

Incoming (5)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

ipinfo.io
Weight 67757206
DNS Name ipinfo.io
DNSDB JSON Output {"count": 135514313, "time_first": 1702431335, "time_last": 1720612112, "rrname": "ipinfo.io.", "rrtype": "A", "rdata": "34.117.186.192"}

Incoming (3)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

host.io
Weight 44165
DNS Name host.io
DNSDB JSON Output {"count": 176560, "time_first": 1701743657, "time_last": 1720524427, "rrname": "host.io.", "rrtype": "A", "rdata": "34.117.186.192"}
Shodan Last Update 2024-07-08T18:42:17.394076

Incoming (3)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

maltego.ipinfo.io

Weight 89
DNS Name maltego.ipinfo.io
DNSDB JSON Output {"count": 79, "time_first": 1703249127, "time_last": 1720401229, "rrname": "maltego.ipinfo.io.", "rrtype": "A", "rdata": "34.117.186.192"}

Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

Port
maltego.Port

443
Weight 50
Port number 443
Port

Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

Domain
maltego.Domain

ipinfo.io
Weight 0
Domain Name ipinfo.io
WHOIS Info
Shodan Last Update 2024-07-08T18:42:17.394076

AlienVault OTX Link


View in browser: https://otx.alienvault.com/indicator/domain/ipinfo.io
Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

ipinfo.org
Weight 50
DNS Name ipinfo.org
Shodan Last Update 2024-07-08T18:42:17.394076

Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

www.host.io
Weight 625
DNS Name www.host.io
DNSDB JSON Output {"count": 1151, "time_first": 1701922858, "time_last": 1720416256, "rrname": "www.host.io.", "rrtype": "A", "rdata": "34.117.186.192"}

Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

Location
maltego.Location

Kansas City, US
Weight 100
Name Kansas City, US
Country US
City Kansas City
Street Address
Area
Area Code
Country Code US
Longitude -94.5786
Latitude 39.0997
Image https://storage.googleapis.com/ipinfo_maltego/icon_ipinfo.png

Google Maps
' 39.0997,-94.5786 '

Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

ipinfo.io

Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name ipinfo.io
Date Resolved 2023-12-15T20:47:18Z
FirstSeen 2023-12-14T04:32:39
Resolver VirusTotal
LastSeen 2024-07-10T07:55:59

AlienVault OTX Link


View in browser: https://otx.alienvault.com/indicator/hostname/ipinfo.io
Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

api-test-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name api-test-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
Date Resolved 2021-07-19T03:43:28Z
FirstSeen 2021-07-19T03:40:22
Resolver VirusTotal
LastSeen 2021-07-19T03:40:22

AlienVault OTX Link


View in browser: https://otx.alienvault.com/indicator/hostname/api-test-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

openam-imm-0fad97b25d.forgeblocks.com
Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name openam-imm-0fad97b25d.forgeblocks.com
Date Resolved 2021-11-26T16:25:13Z
FirstSeen 2021-11-26T16:33:53
Resolver VirusTotal
LastSeen 2021-11-26T17:14:32

AlienVault OTX Link
View in browser: https://otx.alienvault.com/indicator/hostname/openam-imm-0fad97b25d.forgeblocks.com
Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

host.io
Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name host.io
Date Resolved 2023-12-07T01:40:30Z
FirstSeen 2023-12-30T02:47:50
Resolver VirusTotal
LastSeen 2024-06-09T17:09:17

AlienVault OTX Link


View in browser: https://otx.alienvault.com/indicator/hostname/host.io
Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

dev.ipinfo.io
Weight 85
DNS Name dev.ipinfo.io
DNSDB JSON Output {"count": 70, "time_first": 1703235624, "time_last": 1718005207, "rrname": "dev.ipinfo.io.", "rrtype": "A", "rdata": "34.117.186.192"}

Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

company.io

Weight 516
DNS Name company.io
DNSDB JSON Output {"count": 933, "time_first": 1701953245, "time_last": 1706439047, "rrname": "company.io.", "rrtype": "A", "rdata": "34.117.186.192"}

Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

Port
maltego.Port

80
Weight 50
Port number 80
Port

Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

useragent.io
Weight 92
DNS Name useragent.io
DNSDB JSON Output {"count": 84, "time_first": 1701953245, "time_last": 1706439098, "rrname": "useragent.io.", "rrtype": "A", "rdata": "34.117.186.192"}

Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192
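The DNSDB passive-DNS records attached to the DNS Name entities above (ipinfo.io, host.io, maltego.ipinfo.io, www.host.io, dev.ipinfo.io, company.io, useragent.io) carry epoch timestamps and observation counts that the report leaves raw. The script below is an added example written for this page, not Maltego or DNSDB code: it parses the seven JSON lines exactly as quoted, converts the epochs to UTC, ranks the names by resolution volume and separates names still pointing at 34.117.186.192 from names that stopped doing so. The 30-day dormancy window is the editor's assumption, and "as of" defaults to the newest time_last in the data rather than the wall clock, so the result is reproducible.

```python
import json
from datetime import datetime, timezone

# The seven DNSDB records quoted in the report, one JSON object per line.
DNSDB_LINES = """\
{"count": 135514313, "time_first": 1702431335, "time_last": 1720612112, "rrname": "ipinfo.io.", "rrtype": "A", "rdata": "34.117.186.192"}
{"count": 176560, "time_first": 1701743657, "time_last": 1720524427, "rrname": "host.io.", "rrtype": "A", "rdata": "34.117.186.192"}
{"count": 79, "time_first": 1703249127, "time_last": 1720401229, "rrname": "maltego.ipinfo.io.", "rrtype": "A", "rdata": "34.117.186.192"}
{"count": 1151, "time_first": 1701922858, "time_last": 1720416256, "rrname": "www.host.io.", "rrtype": "A", "rdata": "34.117.186.192"}
{"count": 70, "time_first": 1703235624, "time_last": 1718005207, "rrname": "dev.ipinfo.io.", "rrtype": "A", "rdata": "34.117.186.192"}
{"count": 933, "time_first": 1701953245, "time_last": 1706439047, "rrname": "company.io.", "rrtype": "A", "rdata": "34.117.186.192"}
{"count": 84, "time_first": 1701953245, "time_last": 1706439098, "rrname": "useragent.io.", "rrtype": "A", "rdata": "34.117.186.192"}
"""

DORMANT_AFTER_DAYS = 30  # ASSUMPTION: editor's window, not a DNSDB value


def _utc(ts) -> datetime:
    return datetime.fromtimestamp(int(ts), tz=timezone.utc)


def parse_dnsdb(text: str) -> list:
    """One dict per JSON line; rrname loses its trailing dot and the
    time_first/time_last epochs become timezone-aware UTC datetimes."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        r = json.loads(line)
        out.append({
            "rrname": r["rrname"].rstrip("."),
            "rrtype": r["rrtype"],
            "rdata": r["rdata"],
            "count": int(r["count"]),
            "first_seen": _utc(r["time_first"]),
            "last_seen": _utc(r["time_last"]),
        })
    return out


def summarize(records: list, as_of: datetime = None) -> dict:
    """Rank names by resolution volume and split them into names still
    pointing at the address vs. names that went dormant before as_of."""
    if not records:
        return {"as_of": None, "ranked": [], "active": set(), "dormant": set()}
    as_of = as_of or max(r["last_seen"] for r in records)
    ranked = sorted(records, key=lambda r: r["count"], reverse=True)
    dormant = {
        r["rrname"] for r in records
        if (as_of - r["last_seen"]).total_seconds() / 86400 > DORMANT_AFTER_DAYS
    }
    active = {r["rrname"] for r in records} - dormant
    return {
        "as_of": as_of,
        "ranked": [(r["rrname"], r["count"]) for r in ranked],
        "active": active,
        "dormant": dormant,
    }


def names_by_rdata(records: list) -> dict:
    """Group names by the address they resolved to. Every record here maps
    to 34.117.186.192, which is the co-tenancy an IP pivot drags in."""
    groups: dict = {}
    for r in records:
        groups.setdefault(r["rdata"], set()).add(r["rrname"])
    return groups


if __name__ == "__main__":
    recs = parse_dnsdb(DNSDB_LINES)
    s = summarize(recs)
    print("as of", s["as_of"].date())
    for name, count in s["ranked"]:
        tag = "dormant" if name in s["dormant"] else "active"
        print(f"{name:20} {count:>12,} {tag}")
```

On this data company.io and useragent.io last resolved to the address in late January 2024 and dev.ipinfo.io in early June, so they are dormant relative to the newest observation (10 July 2024), while ipinfo.io accounts for almost all of the 135 million resolutions. Names that stopped resolving before an incident window are usually not worth pivoting on, whatever the IP's reputation scores say.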

SSL Certificate
maltego.X509Certificate

ipinfo.io

Weight 0
Subject ipinfo.io
Issuer R3
Subject DN
Issuer DN
SKI 2e4d559f455e02640cae1121d0e6a8f34eb5518f
AKI
Serial 37818c981780f233055fb0a295d33874556
SAN [*.company.io, *.host.io, *.ipinfo.dev, *.ipinfo.io, *.ipinfo.net, *.ipinfo.org, *.ipinfoio.com, *.useragent.io, company.io, host.io, ipinfo.dev, ipinfo.io, ipinfo.net, ipinfo.org, ipinfoio.com, useragent.io]
Usage
Issuance ID
Valid From Mon Jun 03 00:00:00 GMT 2024
Valid Until Sun Sep 01 00:00:00 GMT 2024
Country
Organization

Incoming (2)
IPv4 Address 34.117.186.192
IPv4 Address 34.117.186.192

Domain
maltego.Domain

ipinfo.i
Weight 0
Domain Name ipinfo.i
WHOIS Info

Censys Domain Information


Open domain on Censys dashboard
Outgoing (1)
IPv4 Address 34.117.186.192

Domain
maltego.Domain

192.186.117.34.bc.googleusercontent.co
Weight 0
Domain Name 192.186.117.34.bc.googleusercontent.co
WHOIS Info

Censys Domain Information


Open domain on Censys dashboard
Outgoing (1)
IPv4 Address 34.117.186.192

Domain
maltego.Domain

host.i
Weight 0
Domain Name host.i
WHOIS Info

Censys Domain Information


Open domain on Censys dashboard
Outgoing (1)
IPv4 Address 34.117.186.192

Domain
maltego.Domain

maltego.ipinfo.i
Weight 0
Domain Name maltego.ipinfo.i
WHOIS Info

Censys Domain Information


Open domain on Censys dashboard
Outgoing (1)
IPv4 Address 34.117.186.192

Domain
maltego.Domain

www.host.i
Weight 0
Domain Name www.host.i
WHOIS Info

Censys Domain Information


Open domain on Censys dashboard
Outgoing (1)
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

ipinfoio.com
Weight 100
DNS Name ipinfoio.com

Incoming (1)
IPv4 Address 34.117.186.192

WHOIS Record
maltego.WHOISRecord

34.117.186.192

Weight 0
Name 34.117.186.192
WHOIS Info For more information on Whois status codes, please visit https: //icann.org/epp
NOTICE: The expiration date displayed in this record is the date the
DNSSEC: unsigned
Updated Date: 2020-10-16T02:35:25-0700
Admin Organization: Google LLC
Tech Email: Select Request Email Form at
https://domains.markmonitor.com/whois/googleusercontent.com
Registrar Registration Expiration Date: 2021-11-17T00:00:00-0800
Tech Organization: Google LLC
>>> Last update of whois database: 2021-07-19T03:44:49Z <<<
by the following terms of use: You agree that you may use this Data only
Registrar IANA ID: 292
Admin Country: US
Creation Date: 2008-11-17T07:58:29-0800
Registrant Organization: Google LLC
lawful purposes and that, under no circumstances will you use this data to:
to: (1) allow, enable, or otherwise support the transmission of mass
Tech Country: US
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
https: //domains.markmonitor.com/whois
Web-based WHOIS:
TERMS OF USE: You are not authorized to access or query our Whois
Registrant Email: Select Request Email Form at
https://domains.markmonitor.com/whois/googleusercontent.com
Admin State/Province: CA
Admin Email: Select Request Email Form at
https://domains.markmonitor.com/whois/googleusercontent.com
Registrar URL: http://www.markmonitor.com
Registrar: MarkMonitor, Inc.
Registrant State/Province: CA
Registry Domain ID: 1528918319_DOMAIN_COM-VRSN
Registry Expiry Date: 2021-11-17T15:58:29Z
Name Server: Contact us at +1.8007459229 | In Europe, at +44.02032062220
| --
Registrar Abuse Contact Phone: +1.2083895770
Domain Status: clientUpdateProhibited
(https://www.icann.org/epp#clientUpdateProhibited) | clientTransferProhibited
(https://www.icann.org/epp#clientTransferProhibited) | clientDeleteProhibited
(https://www.icann.org/epp#clientDeleteProhibited) | serverUpdateProhibited
(https://www.icann.org/epp#serverUpdateProhibited) |
serverTransferProhibited
(https://www.icann.org/epp#serverTransferProhibited) | serverDeleteProhibited
(https://www.icann.org/epp#serverDeleteProhibited)
Registrar WHOIS Server: whois.markmonitor.com
Visit MarkMonitor at https://www.markmonitor.com
URL of the ICANN Whois Inaccuracy Complaint Form:
https://www.icann.org/wicf/
For more information on WHOIS status codes, please visit:
Registrar Abuse Contact Email: [email protected]
Registrant Country: US
>>> Last update of WHOIS database: 2021-07-18T20:38:02-0700 <<<
Tech State/Province: CA
Domain Name: googleusercontent.com
Registry Domain ID 1528918319_DOMAIN_COM-VRSN
Domain Name googleusercontent.com
Created Date 2008-11-17T07:58:29-0800
Registry Expiry Date 2021-11-17T15:58:29Z
Updated Date 2020-10-16T02:35:25-0700
Transfer Date
Nameservers Contact us at +1.8007459229 | In Europe, at +44.02032062220 | --
Name Server IP Addresses
Mantainer
Created By
Updated By
DNSSEC unsigned

Domain Status clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited) |
clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited) |
clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited) |
serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited) |
serverTransferProhibited
(https://www.icann.org/epp#serverTransferProhibited) | serverDeleteProhibited
(https://www.icann.org/epp#serverDeleteProhibited)
ENS AuthId
Registry Registrant ID
Registrant Name
Registrant Organization Google LLC
Registrant Address
Registrant Street
Registrant City
Registrant State/Province CA
Registrant Country US
Registrant Country Code
Registrant Postal Code
Registrant Phone
Registrant Phone Ext
Registrant Fax
Registrant Fax Ext
Registrant Email Select Request Email Form at
https://domains.markmonitor.com/whois/googleusercontent.com
Admin ID
Admin ID
Admin Name
Admin Organization Google LLC
Admin Address
Admin Street
Admin City
Admin State/Province CA
Admin Country US
Admin Country Code
Admin Postal Code
Admin Phone
Admin Phone Ext
Admin Fax
Admin Fax Ext
Admin Email Select Request Email Form at
https://domains.markmonitor.com/whois/googleusercontent.com
Tech ID
Tech Name
Tech Organization Google LLC
Tech Address
Tech City
Tech State/Province CA
Tech Country US
Tech Postal Code
Tech Phone
Tech Phone Ext
Tech Fax
Tech Fax Ext

Tech Email Select Request Email Form at
https://domains.markmonitor.com/whois/googleusercontent.com
Registrar ID
Registrar IANA ID 292
Registrar MarkMonitor, Inc.
Registrar Registration Expiration Date 2021-11-17T00:00:00-0800
Registrar URL http://www.markmonitor.com
Registrar WHOIS Server whois.markmonitor.com
Registrar Status
Registrar Address
Registrar City
Registrar State/Province
Registrar Country
Registrar Postal Code
Registrar Phone
Registrar Fax
Registrar Fax Ext
Registrar Email
Registrar Abuse Contact Email [email protected]
Registrar Abuse Contact Phone +1.2083895770
Sponsoring Registrar
For more information on Whois status codes, please visit https://icann.org/epp
by the following terms of use: You agree that you may use this Data only
https://domains.markmonitor.com/whois
TERMS OF USE: You are not authorized to access or query our Whois
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/
URL of the ICANN WHOIS Data Problem Reporting System http://wdprs.internic.net/
>>> Last update of WHOIS database 2021-07-18T20:38:02-0700 <<<
NOTICE The expiration date displayed in this record is the date the
Visit MarkMonitor at https://www.markmonitor.com
to (1) allow, enable, or otherwise support the transmission of mass

Whois Information

Incoming (1)
IPv4 Address 34.117.186.192

GPS Coordinate
maltego.GPS

39.102699279785156,39.102699279785156
Weight 0
GPS Coordinate 39.102699279785156,39.102699279785156
Latitude 39.102699279785156
Longitude 39.102699279785156

Incoming (1)
IPv4 Address 34.117.186.192

WHOIS Record
maltego.WHOISRecord

34.117.186.192

Weight 0
Name 34.117.186.192
WHOIS Info Name Server: No match found for googleusercontent.com.
Registry Domain ID
Domain Name
Created Date
Registry Expiry Date
Updated Date
Transfer Date
Nameservers No match found for googleusercontent.com.
Name Server IP Addresses
Mantainer
Created By
Updated By
DNSSEC
Domain Status
ENS AuthId
Registry Registrant ID
Registrant Name
Registrant Organization
Registrant Address
Registrant Street
Registrant City
Registrant State/Province
Registrant Country
Registrant Country Code
Registrant Postal Code
Registrant Phone
Registrant Phone Ext
Registrant Fax
Registrant Fax Ext
Registrant Email
Admin ID
Admin ID
Admin Name
Admin Organization
Admin Address
Admin Street
Admin City
Admin State/Province
Admin Country
Admin Country Code
Admin Postal Code
Admin Phone
Admin Phone Ext
Admin Fax
Admin Fax Ext
Admin Email
Tech ID
Tech Name

Tech Organization
Tech Address
Tech City
Tech State/Province
Tech Country
Tech Postal Code
Tech Phone
Tech Phone Ext
Tech Fax
Tech Fax Ext
Tech Email
Registrar ID
Registrar IANA ID
Registrar
Registrar Registration Expiration Date
Registrar URL
Registrar WHOIS Server
Registrar Status
Registrar Address
Registrar City
Registrar State/Province
Registrar Country
Registrar Postal Code
Registrar Phone
Registrar Fax
Registrar Fax Ext
Registrar Email
Registrar Abuse Contact Email
Registrar Abuse Contact Phone
Sponsoring Registrar

Whois Information

Name Server No match found for googleusercontent.com.

Incoming (1)
IPv4 Address 34.117.186.192

SSL Certificate
maltego.X509Certificate

ipinfo.io

Weight 0
Subject ipinfo.io
Issuer R3
Subject DN
Issuer DN
SKI 5bf01122c788c0a4dc18e9cffa79d69c86dc208a
AKI
Serial 4262744cf95058c788cc5a0a273dac120ba
SAN [*.host.io, *.ipinfo.dev, *.ipinfo.io, *.ipinfo.net, *.ipinfo.org, *.ipinfoio.com, host.io, ipinfo.dev, ipinfo.io, ipinfo.net, ipinfo.org, ipinfoio.com]
Usage
Issuance ID
Valid From Thu Nov 02 00:00:00 GMT 2023
Valid Until Wed Jan 31 00:00:00 GMT 2024
Country
Organization

Incoming (1)
IPv4 Address 34.117.186.192

SSL Certificate
maltego.X509Certificate

ipinfo.io
Weight 0
Subject ipinfo.io
Issuer R3
Subject DN
Issuer DN
SKI 20fe6b88fcd2b294c7d77475919e8e61fa6a3838
AKI
Serial 410fa85505a6c2ea7e55cf90f66902fcba
SAN [*.company.io, *.host.io, *.ipinfo.dev, *.ipinfo.io, *.ipinfo.net, *.ipinfo.org, *.ipinfoio.com, *.useragent.io, company.io, host.io, ipinfo.dev, ipinfo.io, ipinfo.net, ipinfo.org, ipinfoio.com, useragent.io]
Usage
Issuance ID
Valid From Tue Mar 05 00:00:00 GMT 2024
Valid Until Mon Jun 03 00:00:00 GMT 2024
Country
Organization

Incoming (1)
IPv4 Address 34.117.186.192

SSL Certificate
maltego.X509Certificate

openam-imm-0fad97b25d.forgeblocks.com

Weight 0
Subject openam-imm-0fad97b25d.forgeblocks.com
Issuer GTS CA 1D4
Subject DN
Issuer DN
SKI ace2e5f13edfe64f25bb8b1a003db73da5f1b580
AKI
Serial 4e25f018940014b00900000000d87c7b
SAN [openam-imm-0fad97b25d.forgeblocks.com]
Usage
Issuance ID
Valid From Fri Nov 26 00:00:00 GMT 2021
Valid Until Thu Feb 24 00:00:00 GMT 2022
Country
Organization

Incoming (1)
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

blocked-url.moodys.cloud
Weight 100
DNS Name blocked-url.moodys.cloud

Incoming (1)
IPv4 Address 34.117.186.192

Domain
maltego.Domain

ipinfo.org
Weight 0
Domain Name ipinfo.org
WHOIS Info
Shodan Last Update 2024-07-08T18:42:17.394076

Incoming (1)
IPv4 Address 34.117.186.192

Location
maltego.Location

Kansas City, Missouri (United States)

Weight 100
Name Kansas City, Missouri (United States)
Country
City
Street Address
Area Missouri
Area Code MO
Country Code US
Longitude -94.5778
Latitude 39.1027
Continent North America
Timezone America/Chicago
Postal code 64184

Info
Information retrieved from the Maxmind GeoLite2 DB.

Incoming (1)
IPv4 Address 34.117.186.192

Domain
maltego.Domain

googleusercontent.com
Weight 0
Domain Name googleusercontent.com
WHOIS Info
Shodan Last Update 2024-07-08T18:42:17.394076

Incoming (1)
IPv4 Address 34.117.186.192

Domain
maltego.Domain

host.io
Weight 0
Domain Name host.io
WHOIS Info
Shodan Last Update 2024-07-08T18:42:17.394076

Incoming (1)
IPv4 Address 34.117.186.192

Domain
maltego.Domain

ipinfoio.com

Weight 0
Domain Name ipinfoio.com
WHOIS Info
Shodan Last Update 2024-07-08T18:42:17.394076

Incoming (1)
IPv4 Address 34.117.186.192

IPQS Tag
maltego.ipqs.Tag

Recent Abuse
Weight 100
Text Recent Abuse

IPQS Info
This value will indicate if there has been any recently verified abuse across IPQS' network for this IP address.
Abuse could be a confirmed chargeback, compromised device, fake app install, or similar malicious behavior
within the past few days.

Incoming (1)
IPv4 Address 34.117.186.192

Domain
maltego.Domain

company.io
Weight 0
Domain Name company.io
WHOIS Info
Shodan Last Update 2024-07-08T18:42:17.394076

Incoming (1)
IPv4 Address 34.117.186.192

WHOIS Record
maltego.WHOISRecord

34.117.186.192

Weight 0
Name 34.117.186.192
WHOIS Info City: Mountain View
OrgAbusePhone: +1-650-253-0000
Updated Date: 2019-11-01
NetName: GOOGL-2
OrgTechPhone: +1-650-253-0000
OrgNOCHandle: GCABU-ARIN
OrgAbuseName: GC Abuse
OrgId: GOOGL-2
OrgNOCEmail: [email protected]
Ref: https://rdap.arin.net/registry/entity/GOOGL-2
Parent: NET34 (NET-34-0-0-0-0)
StateProv: CA
NetRange: 34.64.0.0 - 34.127.255.255
OrgTechRef: https://rdap.arin.net/registry/entity/ZG39-ARIN
RegDate: 2006-09-29
OrgTechHandle: ZG39-ARIN
NetType: Direct Allocation
Address: 1600 Amphitheatre Parkway
OrgAbuseRef: https://rdap.arin.net/registry/entity/GCABU-ARIN
OriginAS:
OrgNOCRef: https://rdap.arin.net/registry/entity/GCABU-ARIN
OrgTechName: Google LLC
OrgName: Google LLC
PostalCode: 94043
Organization: Google LLC (GOOGL-2)
CIDR: 34.64.0.0/10
Comment: *** The IP addresses under this Org-ID are in use by Google Cloud
customers *** | | Direct all copyright and legal complaints to |
https://support.google.com/legal/go/report | Direct all spam and abuse
complaints to | https://support.google.com/code/go/gce_abuse_report | For
fastest response, use the relevant forms above. | Complaints can also be sent
to the GC Abuse desk | ([email protected]) | but may
have longer turnaround times. | Complaints sent to any other POC will be
ignored.
OrgNOCPhone: +1-650-253-0000
OrgAbuseEmail: [email protected]
OrgNOCName: GC Abuse
OrgAbuseHandle: GCABU-ARIN
NetHandle: NET-34-64-0-0-1
Registrant Country: US
OrgTechEmail: [email protected]
Registry Domain ID
Domain Name
Created Date
Registry Expiry Date
Updated Date 2019-11-01
Transfer Date
Nameservers
Name Server IP Addresses
Mantainer
Created By
Updated By
DNSSEC
Domain Status
ENS AuthId
Registry Registrant ID
Registrant Name
Registrant Organization
Registrant Address
Registrant Street
Registrant City
Registrant State/Province

Registrant Country US
Registrant Country Code
Registrant Postal Code
Registrant Phone
Registrant Phone Ext
Registrant Fax
Registrant Fax Ext
Registrant Email
Admin ID
Admin ID
Admin Name
Admin Organization
Admin Address
Admin Street
Admin City
Admin State/Province
Admin Country
Admin Country Code
Admin Postal Code
Admin Phone
Admin Phone Ext
Admin Fax
Admin Fax Ext
Admin Email
Tech ID
Tech Name
Tech Organization
Tech Address
Tech City
Tech State/Province
Tech Country
Tech Postal Code
Tech Phone
Tech Phone Ext
Tech Fax
Tech Fax Ext
Tech Email
Registrar ID
Registrar IANA ID
Registrar
Registrar Registration Expiration Date
Registrar URL
Registrar WHOIS Server
Registrar Status
Registrar Address
Registrar City
Registrar State/Province
Registrar Country
Registrar Postal Code

Registrar Phone
Registrar Fax
Registrar Fax Ext
Registrar Email
Registrar Abuse Contact Email
Registrar Abuse Contact Phone
Sponsoring Registrar
Parent NET34 (NET-34-0-0-0-0)
OrgNOCName GC Abuse
OrgAbuseHandle GCABU-ARIN
OrgAbuseEmail [email protected]
OrgTechName Google LLC
OrgAbuseName GC Abuse
OrgTechPhone +1-650-253-0000
NetRange 34.64.0.0 - 34.127.255.255
City Mountain View
OrgAbusePhone +1-650-253-0000
OrgNOCEmail [email protected]
OrgName Google LLC
CIDR 34.64.0.0/10
Address 1600 Amphitheatre Parkway
NetName GOOGL-2
Organization Google LLC (GOOGL-2)
OrgNOCHandle GCABU-ARIN
Ref https://rdap.arin.net/registry/entity/GOOGL-2
OrgNOCPhone +1-650-253-0000
NetHandle NET-34-64-0-0-1
OrgId GOOGL-2
NetType Direct Allocation
StateProv CA
PostalCode 94043
OrgTechRef https://rdap.arin.net/registry/entity/ZG39-ARIN
OrgTechEmail [email protected]
OrgNOCRef https://rdap.arin.net/registry/entity/GCABU-ARIN
OrgTechHandle ZG39-ARIN
OrgAbuseRef https://rdap.arin.net/registry/entity/GCABU-ARIN
RegDate 2006-09-29
Comment *** The IP addresses under this Org-ID are in use by Google Cloud customers
*** | | Direct all copyright and legal complaints to |
https://support.google.com/legal/go/report | Direct all spam and abuse
complaints to | https://support.google.com/code/go/gce_abuse_report | For
fastest response, use the relevant forms above. | Complaints can also be sent
to the GC Abuse desk | ([email protected]) | but may
have longer turnaround times. | Complaints sent to any other POC will be
ignored.

Whois Information

Incoming (1)
IPv4 Address 34.117.186.192

WHOIS Record
maltego.WHOISRecord

34.117.186.192

Weight 0
Name 34.117.186.192
WHOIS Info Socket not responding: [Errno 111] Connection refused
Registry Domain ID
Domain Name
Created Date
Registry Expiry Date
Updated Date
Transfer Date
Nameservers
Name Server IP Addresses
Mantainer
Created By
Updated By
DNSSEC
Domain Status
ENS AuthId
Registry Registrant ID
Registrant Name
Registrant Organization
Registrant Address
Registrant Street
Registrant City
Registrant State/Province
Registrant Country
Registrant Country Code
Registrant Postal Code
Registrant Phone
Registrant Phone Ext
Registrant Fax
Registrant Fax Ext
Registrant Email
Admin ID
Admin ID
Admin Name
Admin Organization
Admin Address
Admin Street
Admin City
Admin State/Province
Admin Country
Admin Country Code
Admin Postal Code
Admin Phone
Admin Phone Ext
Admin Fax
Admin Fax Ext
Admin Email
Tech ID
Tech Name

Tech Organization
Tech Address
Tech City
Tech State/Province
Tech Country
Tech Postal Code
Tech Phone
Tech Phone Ext
Tech Fax
Tech Fax Ext
Tech Email
Registrar ID
Registrar IANA ID
Registrar
Registrar Registration Expiration Date
Registrar URL
Registrar WHOIS Server
Registrar Status
Registrar Address
Registrar City
Registrar State/Province
Registrar Country
Registrar Postal Code
Registrar Phone
Registrar Fax
Registrar Fax Ext
Registrar Email
Registrar Abuse Contact Email
Registrar Abuse Contact Phone
Sponsoring Registrar
Socket not responding [Errno 111] Connection refused

Whois Information

Socket not responding [Errno 111] Connection refused

Incoming (1)
IPv4 Address 34.117.186.192

Netblock CIDR
maltego.CIDR

34.117.0.0/16
Weight 0
CIDR Range 34.117.0.0/16

Incoming (1)
IPv4 Address 34.117.186.192

Domain
maltego.Domain

ipinfo.net
Weight 0
Domain Name ipinfo.net
WHOIS Info
Shodan Last Update 2024-07-08T18:42:17.394076

Incoming (1)
IPv4 Address 34.117.186.192

Domain
maltego.Domain

useragent.io
Weight 0
Domain Name useragent.io
WHOIS Info
Shodan Last Update 2024-07-08T18:42:17.394076

Incoming (1)
IPv4 Address 34.117.186.192

Domain
maltego.Domain

ipinfo.dev
Weight 0
Domain Name ipinfo.dev
WHOIS Info
Shodan Last Update 2024-07-08T18:42:17.394076

Incoming (1)
IPv4 Address 34.117.186.192

Hash
maltego.Hash

d83a94f9713a4e3748e30329350dcebbff03160672be78796d4ecc7ec31f3042
Weight 0
Hash d83a94f9713a4e3748e30329350dcebbff03160672be78796d4ecc7ec31f3042
Hash Type
Detections CLAMAV: "Can't access file"

Detections

clamav Can't access file

AlienVault OTX Link


View in browser:
https://otx.alienvault.com/indicator/file/d83a94f9713a4e3748e30329350dcebbff03160672be78796d4ecc7ec31f3042
Incoming (1)
IPv4 Address 34.117.186.192

Hash
maltego.Hash

9e4871f70bc64e360a4fafea12d4ab5186b529e699441cd60361f3c59151259c
Weight 0
Hash 9e4871f70bc64e360a4fafea12d4ab5186b529e699441cd60361f3c59151259c
Hash Type
Detections CLAMAV: "Can't access file",MSDEFENDER:
"!#SLF:Exploit:Win32/UACPathBypass.A"

Detections

clamav Can't access file

msdefender !#SLF:Exploit:Win32/UACPathBypass.A

AlienVault OTX Link


View in browser:
https://otx.alienvault.com/indicator/file/9e4871f70bc64e360a4fafea12d4ab5186b529e699441cd60361f3c59151259c
Incoming (1)
IPv4 Address 34.117.186.192

Hash
maltego.Hash

6139adae368d125ed966e4595d2de997bc5894ddcafe924c067a0be8bdaa7428
Weight 0
Hash 6139adae368d125ed966e4595d2de997bc5894ddcafe924c067a0be8bdaa7428
Hash Type
Detections CLAMAV: "Can't access file"

Detections

clamav Can't access file

AlienVault OTX Link
View in browser:
https://otx.alienvault.com/indicator/file/6139adae368d125ed966e4595d2de997bc5894ddcafe924c067a0be8bdaa7428
Incoming (1)
IPv4 Address 34.117.186.192

Hash
maltego.Hash

6c8919e77ad7a2e894fb37dddd5d7a4e06dd178af9708442f1dd19a6cee43bec
Weight 0
Hash 6c8919e77ad7a2e894fb37dddd5d7a4e06dd178af9708442f1dd19a6cee43bec
Hash Type
Detections CLAMAV: "Can't access file"

Detections

clamav Can't access file

AlienVault OTX Link


View in browser:
https://otx.alienvault.com/indicator/file/6c8919e77ad7a2e894fb37dddd5d7a4e06dd178af9708442f1dd19a6cee43bec
Incoming (1)
IPv4 Address 34.117.186.192

Hash
maltego.Hash

d96acb75834e3356c9f674e2a02f7566dbcc4790c477f4e32c2364afdd8325da
Weight 0
Hash d96acb75834e3356c9f674e2a02f7566dbcc4790c477f4e32c2364afdd8325da
Hash Type
Detections CLAMAV: "Can't access file"

Detections

clamav Can't access file

AlienVault OTX Link


View in browser:
https://otx.alienvault.com/indicator/file/d96acb75834e3356c9f674e2a02f7566dbcc4790c477f4e32c2364afdd8325da
Incoming (1)
IPv4 Address 34.117.186.192

Hash
maltego.Hash

80697e9fbebeeedb8ea2a5e3352d5aa4931ae4b6c2014bc8a9170cb63eaee8fc
Weight 0
Hash 80697e9fbebeeedb8ea2a5e3352d5aa4931ae4b6c2014bc8a9170cb63eaee8fc
Hash Type
Detections CLAMAV: "Win.Malware.Midie-6848630-0"

Detections

clamav Win.Malware.Midie-6848630-0

AlienVault OTX Link


View in browser:
https://otx.alienvault.com/indicator/file/80697e9fbebeeedb8ea2a5e3352d5aa4931ae4b6c2014bc8a9170cb63eaee8fc
Incoming (1)
IPv4 Address 34.117.186.192

Hash
maltego.Hash

9ba312b2ac1d5b6ef5be258e6acc6c29ca7ba15f0fac932bcc2b0cdf40db3125
Weight 0
Hash 9ba312b2ac1d5b6ef5be258e6acc6c29ca7ba15f0fac932bcc2b0cdf40db3125
Hash Type
Detections CLAMAV: "Can't access file",MSDEFENDER: "Trojan:Win32/Floxif.E"

Detections

clamav Can't access file

msdefender Trojan:Win32/Floxif.E

AlienVault OTX Link


View in browser:
https://otx.alienvault.com/indicator/file/9ba312b2ac1d5b6ef5be258e6acc6c29ca7ba15f0fac932bcc2b0cdf40db3125
Incoming (1)
IPv4 Address 34.117.186.192

Hash
maltego.Hash

eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5

Weight 0
Hash eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5
Hash Type
Detections CLAMAV: "Can't access file",MSDEFENDER: "Trojan:Win32/Dorv.A"

Detections

clamav Can't access file

msdefender Trojan:Win32/Dorv.A

AlienVault OTX Link


View in browser:
https://otx.alienvault.com/indicator/file/eab2a5792346b8b55180359658308c54766541505b88f55cbdf86add05edffd5
Incoming (1)
IPv4 Address 34.117.186.192

Hash
maltego.Hash

c397debb344056ddc819da0970310e18a6a1c5654af1368bb61e35d9905f4184
Weight 0
Hash c397debb344056ddc819da0970310e18a6a1c5654af1368bb61e35d9905f4184
Hash Type
Detections CLAMAV: "Can't access file"

Detections

clamav Can't access file

AlienVault OTX Link


View in browser:
https://otx.alienvault.com/indicator/file/c397debb344056ddc819da0970310e18a6a1c5654af1368bb61e35d9905f4184
Incoming (1)
IPv4 Address 34.117.186.192

Hash
maltego.Hash

9dd3cb5cc099ab8731fa11094b869b0bf29f127179ec82d15fd6ba6f0ca5e942
Weight 0
Hash 9dd3cb5cc099ab8731fa11094b869b0bf29f127179ec82d15fd6ba6f0ca5e942
Hash Type
Detections CLAMAV: "Can't access file"

Detections

clamav Can't access file

AlienVault OTX Link


View in browser:
https://otx.alienvault.com/indicator/file/9dd3cb5cc099ab8731fa11094b869b0bf29f127179ec82d15fd6ba6f0ca5e942
Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

libGLESv2.dll

Weight 0
MeaningfulName libGLESv2.dll
File Id 000907aef6196fbbcd5ea467e4503f734ad60aca3d07132e6ef084a74d478b52
Names firefox.exe, smss.exe, %SANDBOX_APP_1%, SgrmBroker.exe, SCIeLgcoUDQTeLIwEBYzSgkEgSbiL.exe, MyvaXTPMlNfwOY.exe, WinrefRuntime.exe, libGLESv2.dll
File Type PEEXE
File Type Description Win32 EXE
MD5 5ac46076070b57617493c2c9ba61a6ff
SHA-1 b21ecdf223755b7cb7ac87f53454295a76b1e22a
SHA-256 000907aef6196fbbcd5ea467e4503f734ad60aca3d07132e6ef084a74d478b52
Vhash 2850466d151512303127c2020160
Authentihash 26c7e9ee01563a6b85b49a6b253f3df5ee32dfd0d4885d378a56b98cdc78405a
SSDEEP 12288:Dmn1WvZaiPuFnRmNF5VuDRGqmsP190D9BDBI12TQBn:K1WvZaiPIRm35mRl19gC1gan
Magic PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File Size 848384
Tags peexe, assembly, checks-network-adapters, calls-wmi, malware, detect-debug-environment, long-sleeps
Capability Tags
Downloadable null
Creation Date 2022-05-04T16:03:35Z
First Submission Date 2024-06-05T05:29:46Z
Last Submission Date 2024-06-05T05:29:46Z
Last Analysis Date 2024-07-03T13:54:52Z
Total Votes - Harmless 0
Total Votes - Malicious 0
Submissions 1
Reputation 0

Sigma Analysis Results [{"rule_title":"Schedule system process","rule_source":"Joe Security Rule Set
(GitHub)","rule_level":"critical","rule_id":"02b55b29ddf740930b68c311ca7cd59
354f8c35ceda86d09a3fb06f08b760857","rule_author":"Joe
Security","rule_description":"Schedule system
process","match_context":[{"values":{"Product":"Microsoft\\xae Windows\\xae
Operating System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"winlogonw\" /sc MINUTE /mo 10 /tr
\"\u0027C:\\Users\\Default User\\Start Menu\\Programs\\winlogon.exe\u0027\"
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"winlogon\" /sc ONLOGON /tr
\"\u0027C:\\Users\\Default User\\Start Menu\\Programs\\winlogon.exe\u0027\"
/rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"winlogonw\" /sc MINUTE /mo 8 /tr
\"\u0027C:\\Users\\Default User\\Start Menu\\Programs\\winlogon.exe\u0027\"
/rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn
\"SCIeLgcoUDQTeLIwEBYzSgkEgSbiLS\" /sc MINUTE /mo 12 /tr
\"\u0027C:\\Program
Files\\WindowsPowerShell\\SCIeLgcoUDQTeLIwEBYzSgkEgSbiL.exe\u0027\"
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"SCIeLgcoUDQTeLIwEBYzSgkEgSbiL\"
/sc ONLOGON /tr \"\u0027C:\\Program
Files\\WindowsPowerShell\\SCIeLgcoUDQTeLIwEBYzSgkEgSbiL.exe\u0027\"
/rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}}]},{"
rule_title":"System File Execution Location Anomaly","rule_source":"Sigma
Integrated Rule Set
(GitHub)","rule_level":"high","rule_id":"25fc56c1bee673d7ff3edcf371e4d2a36c
0af83222da348961b87735c8efa61f","rule_author":"Florian Roth (Nextron
Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine
Bencherchali","rule_description":"Detects a Windows program executable
started from a suspicious
folder","match_context":[{"values":{"CommandLine":"\"C:\\temp\\wininit.exe\"","I
mage":"C:\\temp\\wininit.exe"}},{"values":{"CommandLine":"C:\\temp\\wininit.ex
e","Image":"C:\\temp\\wininit.exe"}}]},{"rule_title":"Windows Shell/Scripting
Processes Spawning Suspicious Programs","rule_source":"Sigma Integrated
Rule Set
(GitHub)","rule_level":"high","rule_id":"80bbf1ed6106205ab2926430c9634286f
976b2fee4357dbacddec45b979a4422","rule_author":"Florian Roth (Nextron
Systems), Tim Shelton","rule_description":"Detects suspicious child processes
of a Windows shell and scripting processes such as wscript, rundll32,
powershell, mshta...etc.","match_context":[{"values":{"Product":"Microsoft\\xae
Windows\\xae Operating System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"winlogonw\" /sc MINUTE /mo 10 /tr
\"\u0027C:\\Users\\Default User\\Start Menu\\Programs\\winlogon.exe\u0027\"
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"winlogon\" /sc ONLOGON /tr
\"\u0027C:\\Users\\Default User\\Start Menu\\Programs\\winlogon.exe\u0027\"
/rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"winlogonw\" /sc MINUTE /mo 8 /tr
\"\u0027C:\\Users\\Default User\\Start Menu\\Programs\\winlogon.exe\u0027\"
/rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn
\"SCIeLgcoUDQTeLIwEBYzSgkEgSbiLS\" /sc MINUTE /mo 7 /tr
\"\u0027C:\\Program Files (x86)\\windows defender\\en-
US\\SCIeLgcoUDQTeLIwEBYzSgkEgSbiL.exe\u0027\"
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"SCIeLgcoUDQTeLIwEBYzSgkEgSbiL\"
/sc ONLOGON /tr \"\u0027C:\\Program Files (x86)\\windows defender\\en-
US\\SCIeLgcoUDQTeLIwEBYzSgkEgSbiL.exe\u0027\" /rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}}]},{"
rule_title":"Use of W32tm as Timer","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"high","rule_id":"c36744b5f28fd16a3d12551b5ab3040cd
a78b8771cefa8acaf2dbdd269e4af2b","rule_author":"frack113","rule_descriptio
n":"When configured with suitable command line arguments, w32tm can act as
a delay mechanism","match_context":[{"values":{"Product":"Microsoft\\xae
Windows\\xae Operating System","Description":"Windows Time Service
Diagnostic Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d4E65EBAC4C84829B7A7AB60F4624243
FC97DA04B,MD5\u003d71540E4248A944A8A60E80063D423608,SHA256\u
003d7636B7F51D680D055DAC3B217E2A3E33281FAEE8F8DE8F28DE7F6E
258690ABDB,IMPHASH\u003dA43DFF466615BEF3B34CE24759DE7C61","
OriginalFileName":"w32time.dll","ParentImage":"C:\\Windows\\System32\\cmd.
exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\george\\Desktop\\","C
ommandLine":"w32tm /stripchart /computer:localhost /period:5 /dataonly
/samples:2
","Image":"C:\\Windows\\System32\\w32tm.exe","IntegrityLevel":"High"}}]},{"rul
e_title":"Read Contents From Stdin Via Cmd.EXE","rule_source":"Sigma
Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"0db9fba426142aca003830de31e38
a7318ed0a3a299852f6bc4cbe8bc905515f","rule_author":"frack113,
Nasreddine Bencherchali (Nextron Systems)","rule_description":"Detect the
use of \"\u003c\" to read and potentially execute a file via
cmd.exe","match_context":[{"values":{"CommandLine":"C:\\Windows\\System3
2\\cmd.exe /C
C:\\Users\\\u003cUSER\u003e\\AppData\\Local\\Temp\\zt3JT3T8RF.bat","Ima
ge":"C:\\Windows\\System32\\cmd.exe"}}]},{"rule_title":"WmiPrvSE Spawned A
Process","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"1429a6819ff25aad68fb09601fb0b63
c4be24919adfd25c4ad925ef8d47d8f22","rule_author":"Roberto Rodriguez
@Cyb3rWard0g","rule_description":"Detects WmiPrvSE spawning a
process","match_context":[{"values":{"Product":"Microsoft\\xae Windows\\xae
Operating System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"winlogonw\" /sc MINUTE /mo 10 /tr
\"\u0027C:\\Users\\Default User\\Start Menu\\Programs\\winlogon.exe\u0027\"
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"winlogon\" /sc ONLOGON /tr
\"\u0027C:\\Users\\Default User\\Start Menu\\Programs\\winlogon.exe\u0027\"
/rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"winlogonw\" /sc MINUTE /mo 8 /tr
\"\u0027C:\\Users\\Default User\\Start Menu\\Programs\\winlogon.exe\u0027\"
/rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn
\"SCIeLgcoUDQTeLIwEBYzSgkEgSbiLS\" /sc MINUTE /mo 7 /tr
\"\u0027C:\\Program Files (x86)\\windows defender\\en-
US\\SCIeLgcoUDQTeLIwEBYzSgkEgSbiL.exe\u0027\"
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"SCIeLgcoUDQTeLIwEBYzSgkEgSbiL\"
/sc ONLOGON /tr \"\u0027C:\\Program Files (x86)\\windows defender\\en-
US\\SCIeLgcoUDQTeLIwEBYzSgkEgSbiL.exe\u0027\" /rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}}]},{"
rule_title":"Suspicious DNS Query for IP Lookup Service
APIs","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"3a2766a08d32a855b604a786cddc0f
76fee13e6ccd22e01d4878150f0ef1eebc","rule_author":"Brandon George (blog
post), Thomas Patzke","rule_description":"Detects DNS queries for IP lookup
services such as \"api.ipify.org\" originating from a non browser
process.","match_context":[{"values":{}}]},{"rule_title":"Hidden Executable In
NTFS Alternate Data Stream","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"5be9da0a90b142239a3ff2819edf22
83938855da3b4c80d63d8e6db63c2c4fe7","rule_author":"Florian Roth
(Nextron Systems), @0xrawsec","rule_description":"Detects the creation of an
ADS (Alternate Data Stream) that contains an executable by looking at a non-
empty
Imphash","match_context":[{"values":{"Image":"C:\\Users\\george\\Desktop\\pr
ogram.exe"}},{"values":{"Image":"C:\\Users\\george\\Desktop\\program.exe"}},{
"values":{"Image":"C:\\Users\\george\\Desktop\\program.exe"}},{"values":{"Ima
ge":"C:\\Users\\george\\Desktop\\program.exe"}},{"values":{"Image":"C:\\Users\
\george\\Desktop\\program.exe"}}]},{"rule_title":"Suspicious Network
Connection to IP Lookup Service APIs","rule_source":"Sigma Integrated Rule
Set
(GitHub)","rule_level":"medium","rule_id":"7b06f86400ae084ca05c7e2cefe70b
8ea4910b6196d969ae516b9d5d1c99bfe5","rule_author":"Janantha
Marasinghe, Nasreddine Bencherchali (Nextron
Systems)","rule_description":"Detects external IP address lookups by non-
browser processes via services such as \"api.ipify.org\". This could be
indicative of potential post compromise internet test
activity.","match_context":[{"values":{}}]},{"rule_title":"Files With System
Process Name In Unsuspected Locations","rule_source":"Sigma Integrated
Rule Set
(GitHub)","rule_level":"medium","rule_id":"e13498937de9343f50c1e8f315ce60
2aa238e37e21f3dbb15d3403c25afafe3e","rule_author":"Sander Wiebing, Tim
Shelton, Nasreddine Bencherchali (Nextron
Systems)","rule_description":"Detects the creation of an executable with a
system process name in folders other than the system ones (System32,
SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline
before using this rule in
production.\n","match_context":[{"values":{"Image":"C:\\Users\\george\\Deskto
p\\program.exe"}},{"values":{"Image":"C:\\Users\\george\\Desktop\\program.ex
e"}},{"values":{}},{"values":{}},{"values":{}}]},{"rule_title":"Suspicious Schtasks
Schedule Type With High Privileges","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"e36b579d4bc4ef49ede1d82dd08ec1
cba660d105c6f037d12ecf79b434617e88","rule_author":"Nasreddine
Bencherchali (Nextron Systems)","rule_description":"Detects scheduled task
creations or modification to be run with high privileges on a suspicious
schedule type","match_context":[{"values":{"Product":"Microsoft\\xae
Windows\\xae Operating System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"winlogon\" /sc ONLOGON /tr
\"\u0027C:\\Users\\Default User\\Start Menu\\Programs\\winlogon.exe\u0027\"
/rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"SCIeLgcoUDQTeLIwEBYzSgkEgSbiL\"
/sc ONLOGON /tr \"\u0027C:\\Program Files (x86)\\windows defender\\en-
US\\SCIeLgcoUDQTeLIwEBYzSgkEgSbiL.exe\u0027\" /rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"SCIeLgcoUDQTeLIwEBYzSgkEgSbiL\"
/sc ONLOGON /tr
\"\u0027C:\\Temp\\Windows10Debloater\\SCIeLgcoUDQTeLIwEBYzSgkEgSbi
L.exe\u0027\" /rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"SCIeLgcoUDQTeLIwEBYzSgkEgSbiL\"
/sc ONLOGON /tr \"\u0027C:\\Program Files
(x86)\\java\\SCIeLgcoUDQTeLIwEBYzSgkEgSbiL.exe\u0027\" /rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"SCIeLgcoUDQTeLIwEBYzSgkEgSbiL\"
/sc ONLOGON /tr
\"\u0027C:\\Windows\\crx\\images\\SCIeLgcoUDQTeLIwEBYzSgkEgSbiL.exe\
u0027\" /rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}}]},{"
rule_title":"Scheduled Task Creation Via Schtasks.EXE","rule_source":"Sigma
Integrated Rule Set
(GitHub)","rule_level":"low","rule_id":"3bc9d14114a6b67367a24df21134d0564
d6f08a0ad903d68f9b25e9d8b7f0790","rule_author":"Florian Roth (Nextron
Systems)","rule_description":"Detects the creation of scheduled tasks by user
accounts via the \"schtasks\"
utility.","match_context":[{"values":{"Product":"Microsoft\\xae Windows\\xae
Operating System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"winlogonw\" /sc MINUTE /mo 10 /tr
\"\u0027C:\\Users\\Default User\\Start Menu\\Programs\\winlogon.exe\u0027\"
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"winlogon\" /sc ONLOGON /tr
\"\u0027C:\\Users\\Default User\\Start Menu\\Programs\\winlogon.exe\u0027\"
/rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"winlogonw\" /sc MINUTE /mo 8 /tr
\"\u0027C:\\Users\\Default User\\Start Menu\\Programs\\winlogon.exe\u0027\"
/rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn
\"SCIeLgcoUDQTeLIwEBYzSgkEgSbiLS\" /sc MINUTE /mo 7 /tr
\"\u0027C:\\Program Files (x86)\\windows defender\\en-
US\\SCIeLgcoUDQTeLIwEBYzSgkEgSbiL.exe\u0027\"
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}},{"v
alues":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d815A050FC4BD12C6CA0B62D38D0FB6
F8A95F70A8,MD5\u003d838D346D1D28F00783B7A6C6BD03A0DA,SHA256
\u003d8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00B
D9CE1CD5C50E,IMPHASH\u003d7EE4BC5589713B3470B8A950256E2E69"
,"OriginalFileName":"schtasks.exe","ParentImage":"C:\\Windows\\System32\\w
bem\\WmiPrvSE.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Windows\\system32\\","Com
mandLine":"schtasks.exe /create /tn \"SCIeLgcoUDQTeLIwEBYzSgkEgSbiL\"
/sc ONLOGON /tr \"\u0027C:\\Program Files (x86)\\windows defender\\en-
US\\SCIeLgcoUDQTeLIwEBYzSgkEgSbiL.exe\u0027\" /rl HIGHEST
/f","Image":"C:\\Windows\\System32\\schtasks.exe","IntegrityLevel":"High"}}]}]
Crowdsourced YARA Results [{"description":"Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.","source":"https://github.com/bartblaze/Yara-rules","author":"@bartblaze","ruleset_name":"DotNet_Reactor","rule_name":"DotNet_Reactor","ruleset_id":"002040d726"}]

Crowdsourced IDS Results [{"alert_context":[{"dest_ip":"141.8.195.33","dest_port":80,"src_port":0,"hostname":"a0990904.xsph.ru","url":"http://a0990904.xsph.ru/5a549f96.php?x6du385g\u003dEpnMGn471MSdiHqVvjk53aPvZj4\u0026ptKvIjBZK\u003du7mWHkRsPyxZHYVl7oa1w\u00263ebc66ba1b1a02b7df6acbdf799b5e3b\u003d8f56821232fadfd2199765283df22a6b\u0026f13a5f020eb1c663597f941bf8e2047d\u003dgZ0kTOiVmZ2MjNxETZmBTN3QTOmljMykDZ2Q2NmBTMhFjY0YWY3gTN\u0026x6du385g\u003dEpnMGn471MSdiHqVvjk53aPvZj4\u0026ptKvIjBZK\u003du7mWHkRsPyxZHYVl7oa1w"}],"alert_severity":"high","rule_category":"A Network Trojan was detected","rule_id":"1:2034194","rule_msg":"ET MALWARE DCRAT Activity (GET)"},{"alert_context":[{"dest_ip":"8.8.8.8","dest_port":53,"src_port":0}],"alert_severity":"low","rule_category":"Misc activity","rule_id":"1:2038906","rule_msg":"ET INFO Observed DNS Query to xsph .ru Domain"}]

View on VirusTotal
GUI Url: https://www.virustotal.com/gui/file/000907aef6196fbbcd5ea467e4503f734ad60aca3d07132e6ef084a74d478b52
File Summary
Names firefox.exe, smss.exe, %SANDBOX_APP_1%, SgrmBroker.exe, SCIeLgcoUDQTeLIwEBYzSgkEgSbiL.exe, MyvaXTPMlNfwOY.exe, WinrefRuntime.exe, libGLESv2.dll
File Type peexe
File Type Description Win32 EXE
Tags peexe, assembly, checks-network-adapters, calls-wmi, malware, detect-debug-environment, long-sleeps
Times Submitted 1

TrID - file type identification tool
File Type Probability %
Generic CIL Executable (.NET, Mono, etc.) 47.4
Win32 Executable MS Visual C++ (generic) 20.2
Windows screen saver 8.4
Win64 Executable (generic) 6.8
Win32 Dynamic Link Library (generic) 4.2

VirusTotal Analysis Summary
Aggregate Result malicious - 50 / 78

VirusTotal Analysis Stats
Analysis Type Number of Analyses
Confirmed Timeout 0
Failure 0
Harmless 0
Malicious 50
Suspicious 0
Timeout 0
Type Unsupported 4
Undetected 24
Total 78

Community Votes
Total votes cast: 0
Incoming (1)
IPv4 Address 34.117.186.192

Phone Number
maltego.PhoneNumber

650-253-0000
Weight 48
Phone Number 650-253-0000
Country Code
City Code
Area Code
Last Digits

Info

Relevance: 0.485409

Count: 3

Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

heidisql.exe
Weight 0
MeaningfulName heidisql.exe
File Id 0008f7eae6391be4487998241cf1f91fb53b4bad1b50155198e612407197a8e0
Names heidisql.exe, mpgph131.exe, RageMP131.exe, msiupdaterv131.exe, MSIUpdaterV131.exe, MPGPH131.exe, dttcodexgigas.5b9ac5bbcd40c9dbd8774d7ce1bf66ee27983e0a
File Type PEEXE
File Type Description Win32 EXE
MD5 b803eb3f7745b66a2597d447491aaa30
SHA-1 5b9ac5bbcd40c9dbd8774d7ce1bf66ee27983e0a
SHA-256 0008f7eae6391be4487998241cf1f91fb53b4bad1b50155198e612407197a8e0
Vhash 02607f7d7d1f1f7f5f1bz1!z
Authentihash af4398b2990c160187c15ee72d5f1eb41ab01bb031138661159db852025ce4ed
SSDEEP 49152:5fpw9w9d3WMK/LttXhLlP6GZ0jRbPHIdEy+1N59K:/Uw9kJnLlCDjRbP4EZ/8
Magic PE32 executable (GUI) Intel 80386, for MS Windows
File Size 2328064
Tags malware, checks-cpu-name, peexe, detect-debug-environment, checks-network-adapters, long-sleeps, checks-user-input, spreader, executes-dropped-file, persistence, cve-2016-0101, exploit
Capability Tags
Downloadable null
Creation Date 2024-02-01T11:29:07Z
First Submission Date 2024-02-27T11:37:24Z
Last Submission Date 2024-02-27T11:37:24Z
Last Analysis Date 2024-04-17T09:50:02Z
Total Votes - Harmless 0
Total Votes - Malicious 0
Submissions 1
Reputation 0

Sigma Analysis Results [{"rule_title":"Pyvil RAT","rule_source":"SOC Prime Threat Detection
Marketplace","rule_level":"critical","rule_id":"1b78637b79c8dffe83e4631ca881
2c2cab4799547d30fb65df21e42f1894053f","rule_author":"Ariel
Millahuel","rule_description":"Pyvil its a new RAT that belongs to the Evilnum
group. This one was highly investigated by the Cybereason\u0027s Nocturnus
Team. Also, its important to say tha this is a python-scripted
RAT.","match_context":[{"values":{"Image":"C:\\Users\\george\\Desktop\\heidis
ql.exe"}}]},{"rule_title":"Scheduled TaskCache Change by Uncommon
Program","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"high","rule_id":"d62173552d7fce98c24a7040b784edf35
cc6650d2e68ecf2d04f40c58d58cfda","rule_author":"Syed Hasan
(@syedhasan009)","rule_description":"Monitor the creation of a new key under
\u0027TaskCache\u0027 when a new scheduled task is registered by a
process that is not svchost.exe, which is
suspicious","match_context":[{"values":{}},{"values":{}},{"values":{}},{"values":{}}
,{"values":{}}]},{"rule_title":"Suspicious DNS Query for IP Lookup Service
APIs","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"3a2766a08d32a855b604a786cddc0f
76fee13e6ccd22e01d4878150f0ef1eebc","rule_author":"Brandon George (blog
post), Thomas Patzke","rule_description":"Detects DNS queries for IP lookup
services such as \"api.ipify.org\" originating from a non browser
process.","match_context":[{"values":{"Image":"C:\\Users\\george\\Desktop\\hei
disql.exe"}},{"values":{"Image":"C:\\Users\\george\\AppData\\Local\\RageMP13
1\\RageMP131.exe"}},{"values":{"Image":"C:\\Users\\george\\AppData\\Local\\
Temp\\jobA64MLqyBOZCHbNM\\JSWj30ztej5zFad_58wk.exe"}},{"values":{"Im
age":"C:\\Users\\george\\AppData\\Local\\Temp\\jobA64MLqyBOZCHbNM\\JS
Wj30ztej5zFad_58wk.exe"}},{"values":{"Image":"C:\\Users\\george\\AppData\\L
ocal\\AdobeUpdaterV131\\AdobeUpdaterV131.exe"}}]},{"rule_title":"Startup
Folder File Write","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"56b8c79acb8e444c2b00be5c9d3cb
8e33e863ccb3506d635f907a49cd053c84f","rule_author":"Roberto Rodriguez
(Cyb3rWard0g), OTR (Open Threat Research)","rule_description":"A General
detection for files being created in the Windows startup directory. This could
be an indicator of
persistence.","match_context":[{"values":{"Image":"C:\\Users\\george\\Desktop\
\heidisql.exe"}},{"values":{}}]},{"rule_title":"Hidden Executable In NTFS
Alternate Data Stream","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"5be9da0a90b142239a3ff2819edf22
83938855da3b4c80d63d8e6db63c2c4fe7","rule_author":"Florian Roth
(Nextron Systems), @0xrawsec","rule_description":"Detects the creation of an
ADS (Alternate Data Stream) that contains an executable by looking at a non-
empty
Imphash","match_context":[{"values":{"Image":"C:\\Users\\george\\Desktop\\hei
disql.exe"}},{"values":{"Image":"C:\\Users\\george\\Desktop\\heidisql.exe"}}]},{"r
ule_title":"Access To Browser Credential Files By Uncommon
Application","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"74ea3fde96df11352e7b3c70bce437f
83f170b5677efeb447c7f33d001142691","rule_author":"frack113","rule_descrip
tion":"Detects file access requests to browser credential stores by uncommon
processes.\nCould indicate potential attempt of credential stealing.\nRequires
heavy baselining before
usage\n","match_context":[{"values":{}},{"values":{}}]},{"rule_title":"Suspicious
Network Connection to IP Lookup Service APIs","rule_source":"Sigma
Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"7b06f86400ae084ca05c7e2cefe70b
8ea4910b6196d969ae516b9d5d1c99bfe5","rule_author":"Janantha
Marasinghe, Nasreddine Bencherchali (Nextron
Systems)","rule_description":"Detects external IP address lookups by non-
browser processes via services such as \"api.ipify.org\". This could be
indicative of potential post compromise internet test
activity.","match_context":[{"values":{}},{"values":{}}]},{"rule_title":"CurrentVersi
on Autorun Keys Modification","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"8b5db9da5732dc549b0e8b56fe593
3d7c95ed760f3ac20568ab95347ef8c5bcc","rule_author":"Victor Sergeev,
Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community,
Tim Shelton, frack113 (split)","rule_description":"Detects modification of
autostart extensibility point (ASEP) in
registry.","match_context":[{"values":{"Image":"C:\\Users\\george\\Desktop\\hei
disql.exe"}},{"values":{"Image":"C:\\Users\\george\\Desktop\\heidisql.exe"}},{"va
lues":{}},{"values":{}},{"values":{}}]},{"rule_title":"Suspicious Msbuild Execution
By Uncommon Parent Process","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"99aac26486266b4916c883cf9ec793
784cff9e6617ed361b8c47f7972a4baf46","rule_author":"frack113","rule_descri
ption":"Detects suspicious execution of \u0027Msbuild.exe\u0027 by a
uncommon parent process","match_context":[{"values":{"Product":"Microsoft
.NET Framework","Description":"MSBuild.exe","Company":"Microsoft
Corporation","Hashes":"SHA1\u003d7B76890EBCA3A4985371BC285C513B2
D152E308A,MD5\u003d2913DCBCC554985E1628979FE82719DE,SHA256\u
003d9C58101E7000E0FD3D16E94489BA214D7C41A4BD1408F12EB03966
210039C227,IMPHASH\u003d00000000000000000000000000000000","Origi
nalFileName":"MSBuild.exe","ParentImage":"C:\\Users\\george\\Desktop\\heidi
sql.exe","FileVersion":"2.0.50727.9149","CurrentDirectory":"C:\\Users\\george\\
AppData\\Local\\Temp\\jobA64MLqyBOZCHbNM\\","CommandLine":"\"C:\\Use
rs\\george\\AppData\\Local\\Temp\\jobA64MLqyBOZCHbNM\\JSWj30ztej5zFa
d_58wk.exe\"
","Image":"C:\\Users\\george\\AppData\\Local\\Temp\\jobA64MLqyBOZCHbNM
\\JSWj30ztej5zFad_58wk.exe","IntegrityLevel":"High"}}]},{"rule_title":"Suspiciou
s Schtasks Schedule Type With High Privileges","rule_source":"Sigma
Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"e36b579d4bc4ef49ede1d82dd08ec1
cba660d105c6f037d12ecf79b434617e88","rule_author":"Nasreddine
Bencherchali (Nextron Systems)","rule_description":"Detects scheduled task
creations or modification to be run with high privileges on a suspicious
schedule type","match_context":[{"values":{"Product":"Microsoft\\xae
Windows\\xae Operating System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003dBBE6394229CE3A53ECCD2CB4CEA6E
E41134EFDA9,MD5\u003d15FF7D8324231381BAD48A052F85DF04,SHA25
6\u003d7949EDDF437FED5F45564402B26E4D457EA666D1361A7C4F07D8
30BE233A4F72,IMPHASH\u003dFC93D9248DEA161B2E724C188AECD07D
","OriginalFileName":"schtasks.exe","ParentImage":"C:\\Users\\george\\Deskto
p\\heidisql.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\george\\Desktop\\","C
ommandLine":"schtasks /create /f /RU \"george\" /tr
\"C:\\ProgramData\\MPGPH131\\MPGPH131.exe\" /tn \"MPGPH131 LG\" /sc
ONLOGON /rl
HIGHEST","Image":"C:\\Windows\\SysWOW64\\schtasks.exe","IntegrityLevel":
"High"}},{"values":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003dBBE6394229CE3A53ECCD2CB4CEA6E
E41134EFDA9,MD5\u003d15FF7D8324231381BAD48A052F85DF04,SHA25
6\u003d7949EDDF437FED5F45564402B26E4D457EA666D1361A7C4F07D8
30BE233A4F72,IMPHASH\u003dFC93D9248DEA161B2E724C188AECD07D
","OriginalFileName":"schtasks.exe","ParentImage":"C:\\Users\\george\\Deskto
p\\heidisql.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\george\\AppData\\Loc
al\\Temp\\jobA64MLqyBOZCHbNM\\","CommandLine":"schtasks /create /f /RU
\"george\" /tr \"C:\\ProgramData\\MSIUpdaterV131\\MSIUpdaterV131.exe\" /tn
\"MSIUpdaterV131 LG\" /sc ONLOGON /rl
HIGHEST","Image":"C:\\Windows\\SysWOW64\\schtasks.exe","IntegrityLevel":
"High"}}]},{"rule_title":"Access To Windows DPAPI Master Keys By Uncommon
Application","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"ec1d4770fddf21948d437ee8ade889
04c7b95601bf83cfe214687e2611dd530c","rule_author":"Nasreddine
Bencherchali (Nextron Systems)","rule_description":"Detects file access
requests to the the Windows Data Protection API Master keys by an
uncommon application.\nThis can be a sign of credential stealing. Example
case would be usage of mimikatz \"dpapi::masterkey\"
function\n","match_context":[{"values":{}},{"values":{}}]},{"rule_title":"Scheduled
Task Creation Via Schtasks.EXE","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"low","rule_id":"3bc9d14114a6b67367a24df21134d0564
d6f08a0ad903d68f9b25e9d8b7f0790","rule_author":"Florian Roth (Nextron
Systems)","rule_description":"Detects the creation of scheduled tasks by user
accounts via the \"schtasks\"
utility.","match_context":[{"values":{"Product":"Microsoft\\xae Windows\\xae
Operating System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003dBBE6394229CE3A53ECCD2CB4CEA6E
E41134EFDA9,MD5\u003d15FF7D8324231381BAD48A052F85DF04,SHA25
6\u003d7949EDDF437FED5F45564402B26E4D457EA666D1361A7C4F07D8
30BE233A4F72,IMPHASH\u003dFC93D9248DEA161B2E724C188AECD07D
","OriginalFileName":"schtasks.exe","ParentImage":"C:\\Users\\george\\Deskto
p\\heidisql.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\george\\Desktop\\","C
ommandLine":"schtasks /create /f /RU \"george\" /tr
\"C:\\ProgramData\\MPGPH131\\MPGPH131.exe\" /tn \"MPGPH131 HR\" /sc
HOURLY /rl
HIGHEST","Image":"C:\\Windows\\SysWOW64\\schtasks.exe","IntegrityLevel":
"High"}},{"values":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003dBBE6394229CE3A53ECCD2CB4CEA6E
E41134EFDA9,MD5\u003d15FF7D8324231381BAD48A052F85DF04,SHA25
6\u003d7949EDDF437FED5F45564402B26E4D457EA666D1361A7C4F07D8
30BE233A4F72,IMPHASH\u003dFC93D9248DEA161B2E724C188AECD07D
","OriginalFileName":"schtasks.exe","ParentImage":"C:\\Users\\george\\Deskto
p\\heidisql.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\george\\Desktop\\","C
ommandLine":"schtasks /create /f /RU \"george\" /tr
\"C:\\ProgramData\\MPGPH131\\MPGPH131.exe\" /tn \"MPGPH131 LG\" /sc
ONLOGON /rl
HIGHEST","Image":"C:\\Windows\\SysWOW64\\schtasks.exe","IntegrityLevel":
"High"}},{"values":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003dBBE6394229CE3A53ECCD2CB4CEA6E
E41134EFDA9,MD5\u003d15FF7D8324231381BAD48A052F85DF04,SHA25
6\u003d7949EDDF437FED5F45564402B26E4D457EA666D1361A7C4F07D8
30BE233A4F72,IMPHASH\u003dFC93D9248DEA161B2E724C188AECD07D
","OriginalFileName":"schtasks.exe","ParentImage":"C:\\Users\\george\\Deskto
p\\heidisql.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\george\\AppData\\Loc
al\\Temp\\jobA64MLqyBOZCHbNM\\","CommandLine":"schtasks /create /f /RU
\"george\" /tr \"C:\\ProgramData\\MSIUpdaterV131\\MSIUpdaterV131.exe\" /tn
\"MSIUpdaterV131 HR\" /sc HOURLY /rl
HIGHEST","Image":"C:\\Windows\\SysWOW64\\schtasks.exe","IntegrityLevel":
"High"}},{"values":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003dBBE6394229CE3A53ECCD2CB4CEA6E
E41134EFDA9,MD5\u003d15FF7D8324231381BAD48A052F85DF04,SHA25
6\u003d7949EDDF437FED5F45564402B26E4D457EA666D1361A7C4F07D8
30BE233A4F72,IMPHASH\u003dFC93D9248DEA161B2E724C188AECD07D
","OriginalFileName":"schtasks.exe","ParentImage":"C:\\Users\\george\\Deskto
p\\heidisql.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\george\\AppData\\Loc
al\\Temp\\jobA64MLqyBOZCHbNM\\","CommandLine":"schtasks /create /f /RU
\"george\" /tr \"C:\\ProgramData\\MSIUpdaterV131\\MSIUpdaterV131.exe\" /tn
\"MSIUpdaterV131 LG\" /sc ONLOGON /rl
HIGHEST","Image":"C:\\Windows\\SysWOW64\\schtasks.exe","IntegrityLevel":
"High"}}]}]
Crowdsourced YARA Results
Crowdsourced IDS Results [{"alert_context":[{"dest_port":0,"src_ip":"185.215.113.46","src_port":80}],"alert
_severity":"high","rule_category":"policy-
violation","rule_id":"1:11192","rule_msg":"FILE-EXECUTABLE download of
executable
content"},{"alert_context":[{"dest_port":0,"src_ip":"185.215.113.46","src_port":8
0}],"alert_severity":"high","rule_category":"policy-
violation","rule_id":"1:15306","rule_msg":"FILE-EXECUTABLE Portable
Executable binary file magic
detected"},{"alert_context":[{"dest_port":0,"src_ip":"193.233.132.62","src_port":
50500}],"alert_severity":"high","rule_category":"A Network Trojan was
detected","rule_id":"1:2046266","rule_msg":"ET MALWARE [ANY.RUN]
RisePro TCP
(Token)"},{"alert_context":[{"dest_port":0,"src_ip":"193.233.132.62","src_port":5
0500}],"alert_severity":"high","rule_category":"A Network Trojan was
detected","rule_id":"1:2046267","rule_msg":"ET MALWARE [ANY.RUN]
RisePro TCP (External
IP)"},{"alert_context":[{"dest_ip":"193.233.132.62","dest_port":50500,"src_port":
0}],"alert_severity":"high","rule_category":"A Network Trojan was
detected","rule_id":"1:2046269","rule_msg":"ET MALWARE [ANY.RUN]
RisePro TCP
(Activity)"},{"alert_context":[{"dest_ip":"193.233.132.62","dest_port":50500,"src
_port":0}],"alert_severity":"high","rule_category":"A Network Trojan was
detected","rule_id":"1:2046270","rule_msg":"ET MALWARE [ANY.RUN]
RisePro TCP
(Exfiltration)"},{"alert_context":[{"dest_ip":"193.233.132.62","dest_port":50500,"
src_port":0}],"alert_severity":"high","rule_category":"A Network Trojan was
detected","rule_id":"1:2049060","rule_msg":"ET MALWARE RisePro TCP
Heartbeat
Packet"},{"alert_context":[{"dest_ip":"193.233.132.62","dest_port":50500,"src_p
ort":0}],"alert_severity":"high","rule_category":"A Network Trojan was
detected","rule_id":"1:2049661","rule_msg":"ET MALWARE RisePro CnC
Activity
(Inbound)"},{"alert_context":[{"dest_port":0,"src_ip":"185.215.113.46","src_port"
:80}],"alert_severity":"high","rule_category":"attempted-
user","rule_id":"1:38124","rule_msg":"FILE-MULTIMEDIA Microsoft Windows
Transport Stream Program Map Table Heap overflow
attempt"},{"alert_context":[{"dest_ip":"185.215.113.46","dest_port":80,"src_port
":0}],"alert_severity":"high","rule_category":"policy-
violation","rule_id":"1:50447","rule_msg":"POLICY-OTHER HTTP request by
IPv4 address
attempt"},{"alert_context":[{"dest_port":0,"src_ip":"34.117.186.192","src_port":4
43}],"alert_severity":"medium","rule_category":"Device Retrieving External IP
Address Detected","rule_id":"1:2025330","rule_msg":"ET POLICY External IP
Lookup SSL Cert Observed (ipinfo
.io)"},{"alert_context":[{"dest_ip":"34.117.186.192","dest_port":443,"src_port":0}
,{"dest_ip":"34.117.186.192","dest_port":443,"src_port":0},{"dest_ip":"34.117.1
86.192","dest_port":443,"src_port":0}],"alert_severity":"medium","rule_category
":"Device Retrieving External IP Address
Detected","rule_id":"1:2025331","rule_msg":"ET POLICY Possible External IP
Lookup Domain Observed in SNI (ipinfo.
io)"},{"alert_context":[{"dest_port":0,"src_ip":"185.215.113.46","src_port":80}],"a
lert_severity":"medium","rule_category":"Misc
Attack","rule_id":"1:2400021","rule_msg":"ET DROP Spamhaus DROP Listed
Traffic Inbound group
22"},{"alert_severity":"medium","rule_category":"successful-recon-
limited","rule_id":"1:29456","rule_msg":"PROTOCOL-ICMP Unusual PING
detected"},{"alert_context":[{"dest_ip":"185.215.113.46","dest_port":80,"src_por
t":0}],"alert_severity":"low","rule_category":"unknown","rule_id":"119:279","rule
_msg":"(http_inspect) invalid status
line"},{"alert_context":[{"dest_port":0,"src_ip":"193.233.132.62","src_port":5050
0}],"alert_severity":"low","rule_category":"protocol-command-
decode","rule_id":"129:8","rule_msg":"(stream_tcp) data sent on stream after
TCP reset
sent"},{"alert_context":[{"dest_port":0,"src_ip":"185.215.113.46","src_port":80},{
"dest_port":0,"src_ip":"185.215.113.46","src_port":80,"hostname":"185.215.113
.46","url":"http://185.215.113.46/mine/plaza.exe"}],"alert_severity":"low","rule_c
ategory":"Misc activity","rule_id":"1:2014819","rule_msg":"ET INFO Packed
Executable
Download"},{"alert_context":[{"dest_ip":"185.215.113.46","dest_port":80,"src_p
ort":0,"hostname":"185.215.113.46","url":"http://185.215.113.46/mine/plaza.exe
"}],"alert_severity":"low","rule_category":"Potentially Bad
Traffic","rule_id":"1:2016141","rule_msg":"ET INFO Executable Download from
dotted-quad
Host"},{"alert_context":[{"dest_port":0,"src_ip":"185.215.113.46","src_port":80,"
hostname":"185.215.113.46","url":"http://185.215.113.46/mine/plaza.exe"}],"ale
rt_severity":"low","rule_category":"Potentially Bad
Traffic","rule_id":"1:2021076","rule_msg":"ET HUNTING SUSPICIOUS Dotted
Quad Host MZ
Response"},{"alert_context":[{"dest_port":0,"src_ip":"185.215.113.46","src_port
":80}],"alert_severity":"low","rule_category":"Generic Protocol Command
Decode","rule_id":"1:2210054","rule_msg":"SURICATA STREAM excessive
retransmissions"},{"alert_severity":"low","rule_category":"misc-
activity","rule_id":"1:382","rule_msg":"PROTOCOL-ICMP PING
Windows"},{"alert_severity":"low","rule_category":"misc-
activity","rule_id":"1:384","rule_msg":"PROTOCOL-ICMP
PING"},{"alert_severity":"low","rule_category":"misc-
activity","rule_id":"1:408","rule_msg":"PROTOCOL-ICMP Echo
Reply"},{"alert_context":[{"dest_ip":"34.117.186.192","dest_port":443,"src_port"
:0}],"alert_severity":"low","rule_id":"1:906200054","rule_msg":"SSLBL:
Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"}]

View on VirusTotal
GUI Url:
https://www.virustotal.com/gui/file/0008f7eae6391be4487998241cf1f91fb53b4bad1b50155198e612407197a8e0
File Summary

Names heidisql.exe, mpgph131.exe, RageMP131.exe, msiupdaterv131.exe, MSIUpdaterV131.exe, MPGPH131.exe, dttcodexgigas.5b9ac5bbcd40c9dbd8774d7ce1bf66ee27983e0a

File Type peexe

File Type Description Win32 EXE

Tags malware, checks-cpu-name, peexe, detect-debug-environment, checks-network-adapters, long-sleeps, checks-user-input, spreader, executes-dropped-file, persistence, cve-2016-0101, exploit

Times Submitted 1

TrID - file type identification tool

File Type Probability %

Win16 NE executable (generic) 32.3

Win32 Executable (generic) 28.9

OS/2 Executable (generic) 13.0

Generic Win/DOS Executable 12.8

DOS Executable Generic 12.8

VirusTotal Analysis Summary

Aggregate Result malicious - 56 / 76

VirusTotal Analysis Stats

Analysis Type Number of Analysis

Confirmed Timeout 0

Failure 0

Harmless 0

Malicious 56

Suspicious 0

Timeout 1

Type Unsupported 4

Undetected 15

Total 76

Community Votes
Total votes cast: 0
Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

000a9d76483aa1375b4d4b5730db0b4ad1d62f3dbe694b842d7915d84cdd8101.exe

Weight 0
MeaningfulName 000a9d76483aa1375b4d4b5730db0b4ad1d62f3dbe694b842d7915d84cdd8101.exe
File Id 000a9d76483aa1375b4d4b5730db0b4ad1d62f3dbe694b842d7915d84cdd8101
Names 000a9d76483aa1375b4d4b5730db0b4ad1d62f3dbe694b842d7915d84cdd8101, 000a9d76483aa1375b4d4b5730db0b4ad1d62f3dbe694b842d7915d84cdd8101.exe, svchostt.exe
File Type PEEXE
File Type Description Win32 EXE
MD5 fa51d0b6731b6dbcbe1b2ddb4ee7b218
SHA-1 9485a3662391be4c65737edaf3dee4a56b2127a8
SHA-256 000a9d76483aa1375b4d4b5730db0b4ad1d62f3dbe694b842d7915d84cdd8101
Vhash 027076655d155515755048z66nz2fz
Authentihash 433e6d072b687eb7e8cb8934591bab35efbf6e5c0015698aef912b1a7bf97165
SSDEEP 393216:UiIE7YoyjsQts3OvdqypUTLfhJjdQJlUwF3MnG3oTlCODaIB+1eZW3/8GZ59H:t7resQtseVfUTLJRdQN3MGYwOR97U
Magic PE32+ executable (console) x86-64, for MS Windows
File Size 23027133
Tags clipboard, peexe, detect-debug-environment, overlay, long-sleeps, calls-wmi, 64bits
Capability Tags
Downloadable null
Creation Date 2024-06-27T04:13:27Z
First Submission Date 2024-06-27T04:15:11Z
Last Submission Date 2024-06-27T04:15:11Z
Last Analysis Date 2024-06-29T19:37:19Z
Total Votes - Harmless 0
Total Votes - Malicious 0
Submissions 1
Reputation 0
Sigma Analysis Results [{"rule_title":"Potential PowerShell Obfuscation Using Alias
Cmdlets","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"low","rule_id":"c085cde9af85b182e783b8d7b42d66d3d
0efe08696b4fe7946da3d5d1a2cd51e","rule_author":"frack113","rule_descripti
on":"Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a
mean to obfuscate PowerShell
scripts","match_context":[{"values":{}},{"values":{}},{"values":{}},{"values":{}},{"v
alues":{}}]},{"rule_title":"Suspicious PowerShell Get Current
User","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"low","rule_id":"c0ad3fd3010dc41b8f54cd4f911b4bf081d
2d195b0e7548cdc60ebcee9250ad3","rule_author":"frack113","rule_description
":"Detects the use of PowerShell to identify the current logged
user.","match_context":[{"values":{}}]}]
Crowdsourced YARA Results [{"description":"Identifies executable converted using PyInstaller. This rule by
itself does NOT necessarily mean the detected file is
malicious.","source":"https://github.com/bartblaze/Yara-
rules","author":"@bartblaze","ruleset_name":"PyInstaller","rule_name":"PyInsta
ller","ruleset_id":"002735f19d"}]
Crowdsourced IDS Results [{"alert_context":[{"dest_ip":"34.117.186.192","dest_port":443,"src_port":0}],"al
ert_severity":"medium","rule_category":"Device Retrieving External IP Address
Detected","rule_id":"1:2025331","rule_msg":"ET POLICY Possible External IP
Lookup Domain Observed in SNI (ipinfo. io)"}]

View on VirusTotal
GUI Url:
https://www.virustotal.com/gui/file/000a9d76483aa1375b4d4b5730db0b4ad1d62f3dbe694b842d7915d84cdd8101

File Summary

Names 000a9d76483aa1375b4d4b5730db0b4ad1d62f3dbe694b842d7915d84cdd8101, 000a9d76483aa1375b4d4b5730db0b4ad1d62f3dbe694b842d7915d84cdd8101.exe, svchostt.exe

File Type peexe

File Type Description Win32 EXE

Tags clipboard, peexe, detect-debug-environment, overlay, long-sleeps, calls-wmi, 64bits

Times Submitted 1

TrID - file type identification tool

File Type Probability %

Win64 Executable (generic) 44.4

Win16 NE executable (generic) 21.3

Windows Icons Library (generic) 8.7

OS/2 Executable (generic) 8.5

Generic Win/DOS Executable 8.4

VirusTotal Analysis Summary

Aggregate Result undetected - 42 / 78

VirusTotal Analysis Stats

Analysis Type Number of Analysis

Confirmed Timeout 0

Failure 4

Harmless 0

Malicious 18

Suspicious 0

Timeout 10

Type Unsupported 4

Undetected 42

Total 78

Community Votes
Total votes cast: 0

Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

filezilla.exe

Weight 0
MeaningfulName filezilla.exe
File Id 000a645626a3a63590af8890be4d2bd3ea32490b8844a68f3ada493b97e98c48
Names FileZilla 3, filezilla.exe, mpgph131.exe, msiupdaterv131.exe, MSIUpdaterV131.exe, MPGPH131.exe
File Type PEEXE
File Type Description Win32 EXE
MD5 a516ce44268d2bf97d208ccf321f3a99
SHA-1 41950e725f721c09173138f63d703e379c525cb6
SHA-256 000a645626a3a63590af8890be4d2bd3ea32490b8844a68f3ada493b97e98c48
Vhash 03606f7d1d1f6f1f11z17z1?z1
Authentihash 787e0619773505f5607f3ce89a6114ca0bb5539ac953dae80e3f17cac4fecbd1
SSDEEP 49152:gfkss8zyBje47r6otsEVftK7eLx604ng5r9rDD:gMgyje47+esEfK7ex6LIZ
Magic PE32 executable (GUI) Intel 80386, for MS Windows
File Size 3181568
Tags malware, peexe, spreader, persistence, checks-user-input, long-sleeps, detect-debug-environment, checks-cpu-name, service-scan, cve-2016-2569, exploit, checks-network-adapters
Capability Tags
Downloadable null
Creation Date 2024-03-24T15:57:25Z
First Submission Date 2024-03-24T21:50:36Z
Last Submission Date 2024-03-24T21:50:36Z
Last Analysis Date 2024-07-08T22:09:23Z
Total Votes - Harmless 0
Total Votes - Malicious 1
Submissions 1
Reputation -1
Sigma Analysis Results [{"rule_title":"Scheduled TaskCache Change by Uncommon
Program","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"high","rule_id":"d62173552d7fce98c24a7040b784edf35
cc6650d2e68ecf2d04f40c58d58cfda","rule_author":"Syed Hasan
(@syedhasan009)","rule_description":"Monitor the creation of a new key under
\u0027TaskCache\u0027 when a new scheduled task is registered by a
process that is not svchost.exe, which is
suspicious","match_context":[{"values":{}},{"values":{}},{"values":{}},{"values":{}}
,{"values":{}}]},{"rule_title":"Chromium Browser Instance Executed With
Custom Extension","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"37d47e5fc375cac096ef3e0d98b28b
26d7e9e45f3b65373c8e1d5bb6d8e22b7e","rule_author":"Aedan Russell,
frack113, X__Junior (Nextron Systems)","rule_description":"Detects a
Chromium based browser process with the \u0027load-extension\u0027 flag to
start a instance with a custom
extension","match_context":[{"values":{"Product":"Google
Chrome","Description":"Google Chrome","Company":"Google
LLC","Hashes":"SHA1\u003d5C985DDDF74B5CC7E8A8A0E817EEC2EBC3A
EA04E,MD5\u003dB147FBDBD44374F73A763531C8D1093D,SHA256\u003d
9142FF96C6066950BA5B1253DE97080341902E1F9621E6084AE6197F8D8
E2FB8,IMPHASH\u003d891D2BAFA4260189E94CAC8FB19F369A","Original
FileName":"chrome.exe","ParentImage":"C:\\Users\\george\\AppData\\Local\\T
emp\\heidinNrJ4SSBDz2R\\WiLGfOj8tcu8noJhRFg_.exe","FileVersion":"92.0.4
515.131","CurrentDirectory":"C:\\Users\\george\\AppData\\Local\\Temp\\heidin
NrJ4SSBDz2R\\","CommandLine":"\"C:\\Program
Files\\Google\\Chrome\\Application\\chrome.exe\" --disable-
features\u003dOptimizationGuideModelDownloading,OptimizationHintsFetchin
g,OptimizationTargetPrediction,OptimizationHints --start-maximized --load-
extension\u003dC:\\Windows\\crx --single-argument
https://www.youtube.com/account","Image":"C:\\Program
Files\\Google\\Chrome\\Application\\chrome.exe","IntegrityLevel":"High"}},{"val
ues":{"Product":"Google Chrome","Description":"Google
Chrome","Company":"Google
LLC","Hashes":"SHA1\u003d5C985DDDF74B5CC7E8A8A0E817EEC2EBC3A
EA04E,MD5\u003dB147FBDBD44374F73A763531C8D1093D,SHA256\u003d
9142FF96C6066950BA5B1253DE97080341902E1F9621E6084AE6197F8D8
E2FB8,IMPHASH\u003d891D2BAFA4260189E94CAC8FB19F369A","Original
FileName":"chrome.exe","ParentImage":"C:\\Users\\george\\AppData\\Local\\A
dobeUpdaterV131_c2304190946cb37f941f9c4acb289e9f\\AdobeUpdaterV131
.exe","FileVersion":"92.0.4515.131","CurrentDirectory":"C:\\Users\\george\\App
Data\\Local\\AdobeUpdaterV131_c2304190946cb37f941f9c4acb289e9f\\","Co
mmandLine":"\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"
--disable-
features\u003dOptimizationGuideModelDownloading,OptimizationHintsFetchin
g,OptimizationTargetPrediction,OptimizationHints --start-maximized --load-
extension\u003dC:\\Windows\\crx --single-argument
https://www.youtube.com/account","Image":"C:\\Program
Files\\Google\\Chrome\\Application\\chrome.exe","IntegrityLevel":"Medium"}}]},
{"rule_title":"Suspicious DNS Query for IP Lookup Service
APIs","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"3a2766a08d32a855b604a786cddc0f
76fee13e6ccd22e01d4878150f0ef1eebc","rule_author":"Brandon George (blog
post), Thomas Patzke","rule_description":"Detects DNS queries for IP lookup
services such as \"api.ipify.org\" originating from a non browser
process.","match_context":[{"values":{"Image":"C:\\Users\\Bruno\\AppData\\Loc
al\\Temp\\filezilla.exe"}},{"values":{"Image":"C:\\Users\\Bruno\\AppData\\Local\\
Temp\\filezilla.exe"}},{"values":{"Image":"C:\\Users\\george\\Desktop\\filezilla.e
xe"}},{"values":{"Image":"C:\\Users\\george\\Desktop\\filezilla.exe"}},{"values":{"
Image":"C:\\Users\\george\\AppData\\Local\\RageMP131\\RageMP131.exe"}}]}
,{"rule_title":"Zip A Folder With PowerShell For Staging In Temp - PowerShell
Script","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"4f19758bce122aae71a356110cf88e
95df101e099a2b95e2472e44201244475d","rule_author":"Nasreddine
Bencherchali (Nextron Systems), frack113","rule_description":"Detects
PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order
to compress folders and files where the output is stored in a potentially
suspicious location that is used often by malware for exfiltration.\nAn
adversary might compress data (e.g., sensitive documents) that is collected
prior to exfiltration in order to make it portable and minimize the amount of
data sent over the
network.\n","match_context":[{"values":{}}]},{"rule_title":"Startup Folder File
Write","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"56b8c79acb8e444c2b00be5c9d3cb
8e33e863ccb3506d635f907a49cd053c84f","rule_author":"Roberto Rodriguez
(Cyb3rWard0g), OTR (Open Threat Research)","rule_description":"A General
detection for files being created in the Windows startup directory. This could
be an indicator of
persistence.","match_context":[{"values":{"Image":"C:\\Users\\Bruno\\AppData\\
Local\\Temp\\filezilla.exe","RuleName":"T1023"}},{"values":{"Image":"C:\\Users
\\george\\Desktop\\filezilla.exe"}}]},{"rule_title":"Hidden Executable In NTFS
Alternate Data Stream","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"5be9da0a90b142239a3ff2819edf22
83938855da3b4c80d63d8e6db63c2c4fe7","rule_author":"Florian Roth
(Nextron Systems), @0xrawsec","rule_description":"Detects the creation of an
ADS (Alternate Data Stream) that contains an executable by looking at a non-
empty
Imphash","match_context":[{"values":{"Image":"C:\\Users\\george\\Desktop\\file
zilla.exe"}},{"values":{"Image":"C:\\Users\\george\\Desktop\\filezilla.exe"}}]},{"rul
e_title":"Suspicious Add Scheduled Task Parent","rule_source":"Sigma
Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"66d80afb92c9db3881829096827fca
cc7b8a697c3ceeb3318163ce83367f394b","rule_author":"Florian Roth
(Nextron Systems)","rule_description":"Detects suspicious scheduled task
creations from a parent stored in a temporary
folder","match_context":[{"values":{"Product":"Microsoft\\xae Windows\\xae
Operating System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"MD5\u003d478BEAEC1C3A9417272BC8964ADD1C
EE,SHA256\u003d9A121ACF7686D2883E524332111D5E4BCC0C1A8E8113
6486FBA4CA65CA614407,IMPHASH\u003d918DBB01101BFA7F1042CCA9
520D2A05","OriginalFileName":"schtasks.exe","ParentImage":"C:\\Users\\Brun
o\\AppData\\Local\\Temp\\filezilla.exe","FileVersion":"10.0.19041.906
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\Bruno\\AppData\\Local
\\Temp\\","CommandLine":"schtasks /create /f /RU \"Bruno\" /tr
\"C:\\ProgramData\\MPGPH131\\MPGPH131.exe\" /tn \"MPGPH131 LG\" /sc
ONLOGON /rl
HIGHEST","Image":"C:\\Windows\\SysWOW64\\schtasks.exe","IntegrityLevel":
"High"}},{"values":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"MD5\u003d478BEAEC1C3A9417272BC8964ADD1C
EE,SHA256\u003d9A121ACF7686D2883E524332111D5E4BCC0C1A8E8113
6486FBA4CA65CA614407,IMPHASH\u003d918DBB01101BFA7F1042CCA9
520D2A05","OriginalFileName":"schtasks.exe","ParentImage":"C:\\Users\\Brun
o\\AppData\\Local\\Temp\\filezilla.exe","FileVersion":"10.0.19041.906
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\Bruno\\AppData\\Local
\\Temp\\heidi59wJEZJ8wfuj\\","CommandLine":"schtasks /create /f /RU
\"Bruno\" /tr
\"C:\\ProgramData\\MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e\\
MSIUpdaterV131.exe\" /tn
\"MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e HR\" /sc HOURLY
/rl
HIGHEST","Image":"C:\\Windows\\SysWOW64\\schtasks.exe","IntegrityLevel":
"High"}},{"values":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"MD5\u003d478BEAEC1C3A9417272BC8964ADD1C
EE,SHA256\u003d9A121ACF7686D2883E524332111D5E4BCC0C1A8E8113
6486FBA4CA65CA614407,IMPHASH\u003d918DBB01101BFA7F1042CCA9
520D2A05","OriginalFileName":"schtasks.exe","ParentImage":"C:\\Users\\Brun
o\\AppData\\Local\\Temp\\filezilla.exe","FileVersion":"10.0.19041.906
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\Bruno\\AppData\\Local
\\Temp\\heidi59wJEZJ8wfuj\\","CommandLine":"schtasks /create /f /RU
\"Bruno\" /tr
\"C:\\ProgramData\\MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e\\
MSIUpdaterV131.exe\" /tn
\"MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e LG\" /sc
ONLOGON /rl
HIGHEST","Image":"C:\\Windows\\SysWOW64\\schtasks.exe","IntegrityLevel":
"High"}}]},{"rule_title":"Access To Browser Credential Files By Uncommon
Application","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"74ea3fde96df11352e7b3c70bce437f
83f170b5677efeb447c7f33d001142691","rule_author":"frack113","rule_descrip
tion":"Detects file access requests to browser credential stores by uncommon
processes.\nCould indicate potential attempt of credential stealing.\nRequires
heavy baselining before
usage\n","match_context":[{"values":{}},{"values":{}},{"values":{}},{"values":{}},{"
values":{}}]},{"rule_title":"Suspicious Network Connection to IP Lookup Service
APIs","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"7b06f86400ae084ca05c7e2cefe70b
8ea4910b6196d969ae516b9d5d1c99bfe5","rule_author":"Janantha
Marasinghe, Nasreddine Bencherchali (Nextron
Systems)","rule_description":"Detects external IP address lookups by non-
browser processes via services such as \"api.ipify.org\". This could be
indicative of potential post compromise internet test
activity.","match_context":[{"values":{}},{"values":{}},{"values":{}}]},{"rule_title":"
CurrentVersion Autorun Keys Modification","rule_source":"Sigma Integrated
Rule Set
(GitHub)","rule_level":"medium","rule_id":"8b5db9da5732dc549b0e8b56fe593
3d7c95ed760f3ac20568ab95347ef8c5bcc","rule_author":"Victor Sergeev,
Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community,
Tim Shelton, frack113 (split)","rule_description":"Detects modification of
autostart extensibility point (ASEP) in
registry.","match_context":[{"values":{"Image":"C:\\Users\\Bruno\\AppData\\Loc
al\\Temp\\filezilla.exe","RuleName":"T1060,RunKey"}},{"values":{"Image":"C:\\
Users\\george\\Desktop\\filezilla.exe"}},{"values":{"Image":"C:\\Users\\george\\
Desktop\\filezilla.exe"}},{"values":{"Image":"C:\\Users\\george\\Desktop\\filezilla
.exe"}},{"values":{"Image":"C:\\Users\\george\\Desktop\\filezilla.exe"}}]},{"rule_ti
tle":"Suspicious Schtasks Schedule Type With High
Privileges","rule_source":"Sigma Integrated Rule Set
(GitHub)","rule_level":"medium","rule_id":"e36b579d4bc4ef49ede1d82dd08ec1
cba660d105c6f037d12ecf79b434617e88","rule_author":"Nasreddine
Bencherchali (Nextron Systems)","rule_description":"Detects scheduled task
creations or modification to be run with high privileges on a suspicious
schedule type","match_context":[{"values":{"Product":"Microsoft\\xae
Windows\\xae Operating System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"MD5\u003d478BEAEC1C3A9417272BC8964ADD1C
EE,SHA256\u003d9A121ACF7686D2883E524332111D5E4BCC0C1A8E8113
6486FBA4CA65CA614407,IMPHASH\u003d918DBB01101BFA7F1042CCA9
520D2A05","OriginalFileName":"schtasks.exe","ParentImage":"C:\\Users\\Brun
o\\AppData\\Local\\Temp\\filezilla.exe","FileVersion":"10.0.19041.906
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\Bruno\\AppData\\Local
\\Temp\\","CommandLine":"schtasks /create /f /RU \"Bruno\" /tr
\"C:\\ProgramData\\MPGPH131\\MPGPH131.exe\" /tn \"MPGPH131 LG\" /sc
ONLOGON /rl
HIGHEST","Image":"C:\\Windows\\SysWOW64\\schtasks.exe","IntegrityLevel":
"High"}},{"values":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"MD5\u003d478BEAEC1C3A9417272BC8964ADD1C
EE,SHA256\u003d9A121ACF7686D2883E524332111D5E4BCC0C1A8E8113
6486FBA4CA65CA614407,IMPHASH\u003d918DBB01101BFA7F1042CCA9
520D2A05","OriginalFileName":"schtasks.exe","ParentImage":"C:\\Users\\Brun
o\\AppData\\Local\\Temp\\filezilla.exe","FileVersion":"10.0.19041.906
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\Bruno\\AppData\\Local
\\Temp\\heidi59wJEZJ8wfuj\\","CommandLine":"schtasks /create /f /RU
\"Bruno\" /tr
\"C:\\ProgramData\\MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e\\
MSIUpdaterV131.exe\" /tn
\"MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e LG\" /sc
ONLOGON /rl
HIGHEST","Image":"C:\\Windows\\SysWOW64\\schtasks.exe","IntegrityLevel":
"High"}},{"values":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003dBBE6394229CE3A53ECCD2CB4CEA6E
E41134EFDA9,MD5\u003d15FF7D8324231381BAD48A052F85DF04,SHA25
6\u003d7949EDDF437FED5F45564402B26E4D457EA666D1361A7C4F07D8
30BE233A4F72,IMPHASH\u003dFC93D9248DEA161B2E724C188AECD07D
","OriginalFileName":"schtasks.exe","ParentImage":"C:\\Users\\george\\Deskto
p\\filezilla.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\george\\Desktop\\","C
ommandLine":"schtasks /create /f /RU \"george\" /tr
\"C:\\ProgramData\\MPGPH131\\MPGPH131.exe\" /tn \"MPGPH131 LG\" /sc
ONLOGON /rl
HIGHEST","Image":"C:\\Windows\\SysWOW64\\schtasks.exe","IntegrityLevel":
"High"}},{"values":{"Product":"Microsoft\\xae Windows\\xae Operating
System","Description":"Task Scheduler Configuration
Tool","Company":"Microsoft
Corporation","Hashes":"SHA1\u003dBBE6394229CE3A53ECCD2CB4CEA6E
E41134EFDA9,MD5\u003d15FF7D8324231381BAD48A052F85DF04,SHA25
6\u003d7949EDDF437FED5F45564402B26E4D457EA666D1361A7C4F07D8
30BE233A4F72,IMPHASH\u003dFC93D9248DEA161B2E724C188AECD07D
","OriginalFileName":"schtasks.exe","ParentImage":"C:\\Users\\george\\Deskto
p\\filezilla.exe","FileVersion":"10.0.17134.1
(WinBuild.160101.0800)","CurrentDirectory":"C:\\Users\\george\\AppData\\Loc
al\\Temp\\heidinNrJ4SSBDz2R\\","CommandLine":"schtasks /create /f /RU
\"george\" /tr
\"C:\\ProgramData\\MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e\\
MSIUpdaterV131.exe\" /tn
\"MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e LG\" /sc
ONLOGON /rl
HIGHEST",
        "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
        "IntegrityLevel": "High"
      }
    },
    {
      "values": {
        "Product": "Microsoft\\xae Windows\\xae Operating System",
        "Description": "Task Scheduler Configuration Tool",
        "Company": "Microsoft Corporation",
        "Hashes": "SHA1\u003dBBE6394229CE3A53ECCD2CB4CEA6EE41134EFDA9,MD5\u003d15FF7D8324231381BAD48A052F85DF04,SHA256\u003d7949EDDF437FED5F45564402B26E4D457EA666D1361A7C4F07D830BE233A4F72,IMPHASH\u003dFC93D9248DEA161B2E724C188AECD07D",
        "OriginalFileName": "schtasks.exe",
        "ParentImage": "C:\\Users\\george\\Desktop\\filezilla.exe",
        "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
        "CurrentDirectory": "C:\\Users\\george\\AppData\\Local\\Temp\\heidinNrJ4SSBDz2R\\",
        "CommandLine": "schtasks /create /f /RU \"george\" /tr \"C:\\ProgramData\\MSIUpdaterV131_c2304190946cb37f941f9c4acb289e9f\\MSIUpdaterV131.exe\" /tn \"MSIUpdaterV131_c2304190946cb37f941f9c4acb289e9f LG\" /sc ONLOGON /rl HIGHEST",
        "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
        "IntegrityLevel": "High"
      }
    }
  ]
},
{
  "rule_title": "Scheduled Task Creation Via Schtasks.EXE",
  "rule_source": "Sigma Integrated Rule Set (GitHub)",
  "rule_level": "low",
  "rule_id": "3bc9d14114a6b67367a24df21134d0564d6f08a0ad903d68f9b25e9d8b7f0790",
  "rule_author": "Florian Roth (Nextron Systems)",
  "rule_description": "Detects the creation of scheduled tasks by user accounts via the \"schtasks\" utility.",
  "match_context": [
    {
      "values": {
        "Product": "Microsoft\\xae Windows\\xae Operating System",
        "Description": "Task Scheduler Configuration Tool",
        "Company": "Microsoft Corporation",
        "Hashes": "MD5\u003d478BEAEC1C3A9417272BC8964ADD1CEE,SHA256\u003d9A121ACF7686D2883E524332111D5E4BCC0C1A8E81136486FBA4CA65CA614407,IMPHASH\u003d918DBB01101BFA7F1042CCA9520D2A05",
        "OriginalFileName": "schtasks.exe",
        "ParentImage": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\filezilla.exe",
        "FileVersion": "10.0.19041.906 (WinBuild.160101.0800)",
        "CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\",
        "CommandLine": "schtasks /create /f /RU \"Bruno\" /tr \"C:\\ProgramData\\MPGPH131\\MPGPH131.exe\" /tn \"MPGPH131 LG\" /sc ONLOGON /rl HIGHEST",
        "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
        "IntegrityLevel": "High"
      }
    },
    {
      "values": {
        "Product": "Microsoft\\xae Windows\\xae Operating System",
        "Description": "Task Scheduler Configuration Tool",
        "Company": "Microsoft Corporation",
        "Hashes": "MD5\u003d478BEAEC1C3A9417272BC8964ADD1CEE,SHA256\u003d9A121ACF7686D2883E524332111D5E4BCC0C1A8E81136486FBA4CA65CA614407,IMPHASH\u003d918DBB01101BFA7F1042CCA9520D2A05",
        "OriginalFileName": "schtasks.exe",
        "ParentImage": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\filezilla.exe",
        "FileVersion": "10.0.19041.906 (WinBuild.160101.0800)",
        "CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\heidi59wJEZJ8wfuj\\",
        "CommandLine": "schtasks /create /f /RU \"Bruno\" /tr \"C:\\ProgramData\\MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e\\MSIUpdaterV131.exe\" /tn \"MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e HR\" /sc HOURLY /rl HIGHEST",
        "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
        "IntegrityLevel": "High"
      }
    },
    {
      "values": {
        "Product": "Microsoft\\xae Windows\\xae Operating System",
        "Description": "Task Scheduler Configuration Tool",
        "Company": "Microsoft Corporation",
        "Hashes": "MD5\u003d478BEAEC1C3A9417272BC8964ADD1CEE,SHA256\u003d9A121ACF7686D2883E524332111D5E4BCC0C1A8E81136486FBA4CA65CA614407,IMPHASH\u003d918DBB01101BFA7F1042CCA9520D2A05",
        "OriginalFileName": "schtasks.exe",
        "ParentImage": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\filezilla.exe",
        "FileVersion": "10.0.19041.906 (WinBuild.160101.0800)",
        "CurrentDirectory": "C:\\Users\\Bruno\\AppData\\Local\\Temp\\heidi59wJEZJ8wfuj\\",
        "CommandLine": "schtasks /create /f /RU \"Bruno\" /tr \"C:\\ProgramData\\MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e\\MSIUpdaterV131.exe\" /tn \"MSIUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e LG\" /sc ONLOGON /rl HIGHEST",
        "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
        "IntegrityLevel": "High"
      }
    },
    {
      "values": {
        "Product": "Microsoft\\xae Windows\\xae Operating System",
        "Description": "Task Scheduler Configuration Tool",
        "Company": "Microsoft Corporation",
        "Hashes": "SHA1\u003dBBE6394229CE3A53ECCD2CB4CEA6EE41134EFDA9,MD5\u003d15FF7D8324231381BAD48A052F85DF04,SHA256\u003d7949EDDF437FED5F45564402B26E4D457EA666D1361A7C4F07D830BE233A4F72,IMPHASH\u003dFC93D9248DEA161B2E724C188AECD07D",
        "OriginalFileName": "schtasks.exe",
        "ParentImage": "C:\\Users\\george\\Desktop\\filezilla.exe",
        "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
        "CurrentDirectory": "C:\\Users\\george\\Desktop\\",
        "CommandLine": "schtasks /create /f /RU \"george\" /tr \"C:\\ProgramData\\MPGPH131\\MPGPH131.exe\" /tn \"MPGPH131 HR\" /sc HOURLY /rl HIGHEST",
        "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
        "IntegrityLevel": "High"
      }
    },
    {
      "values": {
        "Product": "Microsoft\\xae Windows\\xae Operating System",
        "Description": "Task Scheduler Configuration Tool",
        "Company": "Microsoft Corporation",
        "Hashes": "SHA1\u003dBBE6394229CE3A53ECCD2CB4CEA6EE41134EFDA9,MD5\u003d15FF7D8324231381BAD48A052F85DF04,SHA256\u003d7949EDDF437FED5F45564402B26E4D457EA666D1361A7C4F07D830BE233A4F72,IMPHASH\u003dFC93D9248DEA161B2E724C188AECD07D",
        "OriginalFileName": "schtasks.exe",
        "ParentImage": "C:\\Users\\george\\Desktop\\filezilla.exe",
        "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
        "CurrentDirectory": "C:\\Users\\george\\Desktop\\",
        "CommandLine": "schtasks /create /f /RU \"george\" /tr \"C:\\ProgramData\\MPGPH131\\MPGPH131.exe\" /tn \"MPGPH131 LG\" /sc ONLOGON /rl HIGHEST",
        "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
        "IntegrityLevel": "High"
      }
    }
  ]
},
{
  "rule_title": "Load Of RstrtMgr.DLL By An Uncommon Process",
  "rule_source": "Sigma Integrated Rule Set (GitHub)",
  "rule_level": "low",
  "rule_id": "7d0d3be8fa405f5e34c2e0cf9eaa345cacd60eb5244b50b23dc54c4785bc7512",
  "rule_author": "Luc Génaux",
  "rule_description": "Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.\nThis library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.\nIt could also be used for anti-analysis purposes by shut downing specific processes.\n",
  "match_context": [
    {
      "values": {
        "Product": "Microsoft\\xae Windows\\xae Operating System",
        "Description": "Restart Manager",
        "Company": "Microsoft Corporation",
        "Hashes": "SHA1\u003d5B67E21C0CB31AFC4145D85983E060E451B48932,MD5\u003d03E948A848EF103477E6BD87E22F7983,SHA256\u003d02E5101433F8875F76B6D4D5722E7D5779243DA095C992CB7C3545A7BE04093F,IMPHASH\u003dD395767DA515D32D2E437DCA7144A416",
        "OriginalFileName": "RstrtMgr.dll",
        "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
        "Image": "C:\\Users\\george\\Desktop\\filezilla.exe"
      }
    },
    {
      "values": {
        "Product": "Microsoft\\xae Windows\\xae Operating System",
        "Description": "Restart Manager",
        "Company": "Microsoft Corporation",
        "Hashes": "SHA1\u003d5B67E21C0CB31AFC4145D85983E060E451B48932,MD5\u003d03E948A848EF103477E6BD87E22F7983,SHA256\u003d02E5101433F8875F76B6D4D5722E7D5779243DA095C992CB7C3545A7BE04093F,IMPHASH\u003dD395767DA515D32D2E437DCA7144A416",
        "OriginalFileName": "RstrtMgr.dll",
        "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
        "Image": "C:\\Users\\george\\AppData\\Local\\RageMP131\\RageMP131.exe"
      }
    },
    {
      "values": {
        "Product": "Microsoft\\xae Windows\\xae Operating System",
        "Description": "Restart Manager",
        "Company": "Microsoft Corporation",
        "Hashes": "SHA1\u003d5B67E21C0CB31AFC4145D85983E060E451B48932,MD5\u003d03E948A848EF103477E6BD87E22F7983,SHA256\u003d02E5101433F8875F76B6D4D5722E7D5779243DA095C992CB7C3545A7BE04093F,IMPHASH\u003dD395767DA515D32D2E437DCA7144A416",
        "OriginalFileName": "RstrtMgr.dll",
        "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
        "Image": "C:\\Users\\george\\AppData\\Local\\Temp\\heidinNrJ4SSBDz2R\\4qeIVsu2xAJ63tjbFpzx.exe"
      }
    },
    {
      "values": {
        "Product": "Microsoft\\xae Windows\\xae Operating System",
        "Description": "Restart Manager",
        "Company": "Microsoft Corporation",
        "Hashes": "SHA1\u003d5B67E21C0CB31AFC4145D85983E060E451B48932,MD5\u003d03E948A848EF103477E6BD87E22F7983,SHA256\u003d02E5101433F8875F76B6D4D5722E7D5779243DA095C992CB7C3545A7BE04093F,IMPHASH\u003dD395767DA515D32D2E437DCA7144A416",
        "OriginalFileName": "RstrtMgr.dll",
        "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
        "Image": "C:\\Users\\george\\AppData\\Local\\AdobeUpdaterV131_a85d7ffddf2ee5c09c761a01b187853e\\AdobeUpdaterV131.exe"
      }
    },
    {
      "values": {
        "Product": "Microsoft\\xae Windows\\xae Operating System",
        "Description": "Restart Manager",
        "Company": "Microsoft Corporation",
        "Hashes": "SHA1\u003d5B67E21C0CB31AFC4145D85983E060E451B48932,MD5\u003d03E948A848EF103477E6BD87E22F7983,SHA256\u003d02E5101433F8875F76B6D4D5722E7D5779243DA095C992CB7C3545A7BE04093F,IMPHASH\u003dD395767DA515D32D2E437DCA7144A416",
        "OriginalFileName": "RstrtMgr.dll",
        "FileVersion": "10.0.17134.1 (WinBuild.160101.0800)",
        "Image": "C:\\Users\\george\\AppData\\Local\\Temp\\EdgeMS131_a85d7ffddf2ee5c09c761a01b187853e\\EdgeMS131.exe"
      }
    }
  ]
}
]

Crowdsourced YARA Results
[
  {"description": "Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.", "source": "https://github.com/bartblaze/Yara-rules", "author": "@bartblaze", "ruleset_name": "AutoIT", "rule_name": "AutoIT_Compiled", "ruleset_id": "0023c73876"}
]

Crowdsourced IDS Results
[
  {"alert_context": [{"dest_port": 0, "src_ip": "193.233.132.74", "src_port": 58709}], "alert_severity": "high", "rule_category": "A Network Trojan was detected", "rule_id": "1:2046266", "rule_msg": "ET MALWARE [ANY.RUN] RisePro TCP (Token)"},
  {"alert_context": [{"dest_port": 0, "src_ip": "193.233.132.74", "src_port": 58709}], "alert_severity": "high", "rule_category": "A Network Trojan was detected", "rule_id": "1:2046267", "rule_msg": "ET MALWARE [ANY.RUN] RisePro TCP (External IP)"},
  {"alert_context": [{"dest_ip": "193.233.132.74", "dest_port": 58709, "src_port": 0}], "alert_severity": "high", "rule_category": "A Network Trojan was detected", "rule_id": "1:2046269", "rule_msg": "ET MALWARE [ANY.RUN] RisePro TCP (Activity)"},
  {"alert_context": [{"dest_ip": "193.233.132.74", "dest_port": 58709, "src_port": 0}], "alert_severity": "high", "rule_category": "A Network Trojan was detected", "rule_id": "1:2046270", "rule_msg": "ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)"},
  {"alert_context": [{"dest_ip": "193.233.132.74", "dest_port": 58709, "src_port": 0}], "alert_severity": "high", "rule_category": "A Network Trojan was detected", "rule_id": "1:2049060", "rule_msg": "ET MALWARE RisePro TCP Heartbeat Packet"},
  {"alert_context": [{"dest_ip": "193.233.132.74", "dest_port": 58709, "src_port": 0}], "alert_severity": "high", "rule_category": "A Network Trojan was detected", "rule_id": "1:2049661", "rule_msg": "ET MALWARE RisePro CnC Activity (Inbound)"},
  {"alert_context": [{"dest_ip": "193.233.132.167", "dest_port": 80, "src_port": 0}], "alert_severity": "high", "rule_category": "policy-violation", "rule_id": "1:50447", "rule_msg": "POLICY-OTHER HTTP request by IPv4 address attempt"},
  {"alert_context": [{"dest_port": 0, "src_ip": "34.117.186.192", "src_port": 443}], "alert_severity": "medium", "rule_category": "Device Retrieving External IP Address Detected", "rule_id": "1:2025330", "rule_msg": "ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)"},
  {"alert_context": [{"dest_ip": "34.117.186.192", "dest_port": 443, "src_port": 0}, {"dest_ip": "34.117.186.192", "dest_port": 443, "src_port": 0}, {"dest_ip": "34.117.186.192", "dest_port": 443, "src_port": 0}], "alert_severity": "medium", "rule_category": "Device Retrieving External IP Address Detected", "rule_id": "1:2025331", "rule_msg": "ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)"},
  {"alert_severity": "medium", "rule_category": "successful-recon-limited", "rule_id": "1:29456", "rule_msg": "PROTOCOL-ICMP Unusual PING detected"},
  {"alert_context": [{"dest_port": 0, "src_ip": "216.239.32.29", "src_port": 80}], "alert_severity": "medium", "rule_category": "denial-of-service", "rule_id": "1:41379", "rule_msg": "SERVER-OTHER Squid HTTP Vary response header denial of service attempt"},
  {"alert_context": [{"dest_ip": "193.233.132.167", "dest_port": 80, "src_port": 0}], "alert_severity": "low", "rule_category": "unknown", "rule_id": "119:279", "rule_msg": "(http_inspect) invalid status line"},
  {"alert_context": [{"dest_port": 0, "src_ip": "193.233.132.74", "src_port": 58709}], "alert_severity": "low", "rule_category": "protocol-command-decode", "rule_id": "129:8", "rule_msg": "(stream_tcp) data sent on stream after TCP reset sent"},
  {"alert_context": [{"dest_ip": "193.233.132.167", "dest_port": 80, "src_port": 0, "hostname": "193.233.132.167", "url": "http://193.233.132.167/cost/lenin.exe"}], "alert_severity": "low", "rule_category": "Potentially Bad Traffic", "rule_id": "1:2016141", "rule_msg": "ET INFO Executable Download from dotted-quad Host"},
  {"alert_context": [{"dest_ip": "193.233.132.167", "dest_port": 80, "src_port": 0, "hostname": "193.233.132.167", "url": "http://193.233.132.167/cost/go.exe"}], "alert_severity": "low", "rule_category": "Potentially Bad Traffic", "rule_id": "1:2019714", "rule_msg": "ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile"},
  {"alert_context": [{"dest_port": 0, "src_ip": "193.233.132.167", "src_port": 80, "hostname": "193.233.132.167", "url": "http://193.233.132.167/cost/lenin.exe"}], "alert_severity": "low", "rule_category": "Potentially Bad Traffic", "rule_id": "1:2021076", "rule_msg": "ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response"},
  {"alert_severity": "low", "rule_category": "misc-activity", "rule_id": "1:382", "rule_msg": "PROTOCOL-ICMP PING Windows"},
  {"alert_severity": "low", "rule_category": "misc-activity", "rule_id": "1:384", "rule_msg": "PROTOCOL-ICMP PING"},
  {"alert_severity": "low", "rule_category": "misc-activity", "rule_id": "1:408", "rule_msg": "PROTOCOL-ICMP Echo Reply"},
  {"alert_context": [{"dest_ip": "188.114.98.234", "dest_port": 443, "src_port": 0}], "alert_severity": "low", "rule_id": "1:906200054", "rule_msg": "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"}
]

View on VirusTotal
GUI Url:
https://www.virustotal.com/gui/file/000a645626a3a63590af8890be4d2bd3ea32490b8844a68f3ada493b97e98c48
File Summary

Names FileZilla 3, filezilla.exe, mpgph131.exe, msiupdaterv131.exe, MSIUpdaterV131.exe, MPGPH131.exe

File Type peexe

File Type Description Win32 EXE

Tags malware, peexe, spreader, persistence, checks-user-input, long-sleeps, detect-debug-environment, checks-cpu-name, service-scan, cve-2016-2569, exploit, checks-network-adapters

Times Submitted 1

TrID - file type identification tool

File Type Probability %

Win16 NE executable (generic) 32.3

Win32 Executable (generic) 28.9

OS/2 Executable (generic) 13.0

Generic Win/DOS Executable 12.8

DOS Executable Generic 12.8

VirusTotal Analysis Summary

Aggregate Result malicious - 55 / 76

VirusTotal Analysis Stats

Analysis Type Number of Analyses

Confirmed Timeout 0

Failure 0

Harmless 0

Malicious 55

Suspicious 0

Timeout 0

Type Unsupported 4

Undetected 17

Total 76

Community Votes
Total votes cast: 1
Harmless: 0/1
Malicious: 1/1
Incoming (1)
IPv4 Address 34.117.186.192

IPv4 Address
maltego.IPv4Address

34.127.255.255
Weight 55
IP Address 34.127.255.255
Internal false

Info

Relevance: 0.550206

Count: 1

Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

40151005_com.dz.cjcsyx.huawei_1.0.1_huawei_20240202_shield.apk

Weight 0
MeaningfulName 40151005_com.dz.cjcsyx.huawei_1.0.1_huawei_20240202_shield.apk
File Id 00008df54e82899060f54e0e84a94086a0b5dc6898b4a3124ee18f95f19248ce
Names 40151005_com.dz.cjcsyx.huawei_1.0.1_huawei_20240202_shield.apk
File Type ANDROID
File Type Description Android
MD5 7cbaae36037577ff146b1c3245fb253e
SHA-1 939e50aa0051f4dab919f1ac8a58dcf09f274404
SHA-256 00008df54e82899060f54e0e84a94086a0b5dc6898b4a3124ee18f95f19248ce
Vhash f77bf3127f2599e15bce9a2d2e805a16
Authentihash
SSDEEP 3145728:iwQAWq2xwpgzc3QZF6j4z49Q4nXy6nvRcozmuNlthu4seuhlrxLwT/qc4qFWKkr/:DQ3CpecWF6EU9Q4XDnKtuvtwfxlwXIKe
Magic Zip archive data, at least v1.0 to extract, compression method=store
File Size 198805030
Tags apk, android, contains-pe, contains-elf, obfuscated, detect-debug-environment, checks-gps, telephony, checks-cpu-name, checks-network-adapters, reflection
Capability Tags
Downloadable null
Creation Date
First Submission Date 2024-02-21T09:53:25Z
Last Submission Date 2024-02-21T09:53:25Z
Last Analysis Date 2024-03-23T17:47:16Z
Total Votes - Harmless 0
Total Votes - Malicious 1
Submissions 1
Reputation -34
Sigma Analysis Results
Crowdsourced YARA Results
Crowdsourced IDS Results
[
  {"alert_context": [{"dest_port": 0, "src_ip": "34.117.186.192", "src_port": 443}], "alert_severity": "medium", "rule_category": "Device Retrieving External IP Address Detected", "rule_id": "1:2025330", "rule_msg": "ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)"},
  {"alert_context": [{"dest_ip": "34.117.186.192", "dest_port": 443, "src_port": 0}], "alert_severity": "medium", "rule_category": "Device Retrieving External IP Address Detected", "rule_id": "1:2025331", "rule_msg": "ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)"},
  {"alert_context": [{"dest_ip": "142.251.143.195", "dest_port": 80, "src_port": 0, "hostname": "connectivitycheck.gstatic.com", "url": "http://connectivitycheck.gstatic.com/generate_204"}], "alert_severity": "low", "rule_category": "Misc activity", "rule_id": "1:2036220", "rule_msg": "ET INFO Android Device Connectivity Check"},
  {"alert_context": [{"dest_ip": "111.48.138.18", "dest_port": 443, "src_port": 0}], "alert_severity": "low", "rule_id": "1:906200003", "rule_msg": "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"}
]

View on VirusTotal
GUI Url:
https://www.virustotal.com/gui/file/00008df54e82899060f54e0e84a94086a0b5dc6898b4a3124ee18f95f19248ce

File Summary

Names 40151005_com.dz.cjcsyx.huawei_1.0.1_huawei_20240202_shield.apk

File Type android

File Type Description Android

Tags apk, android, contains-pe, contains-elf, obfuscated, detect-debug-environment, checks-gps, telephony, checks-cpu-name, checks-network-adapters, reflection

Times Submitted 1

TrID - file type identification tool

File Type Probability %

Android Package 63.7

Java Archive 26.4

ZIP compressed archive 7.8

PrintFox/Pagefox bitmap (640x800) 1.9

VirusTotal Analysis Summary

Aggregate Result undetected - 62 / 76

VirusTotal Analysis Stats

Analysis Type Number of Analyses

Confirmed Timeout 0

Failure 2

Harmless 0

Malicious 1

Suspicious 0

Timeout 0

Type Unsupported 11

Undetected 62

Total 76

Community Votes
Total votes cast: 1
Harmless: 0/1
Malicious: 1/1

Incoming (1)
IPv4 Address 34.117.186.192

Company
maltego.Company

NetRange
Weight 55
Name NetRange

Info

Relevance: 0.556288

Count: 1

Incoming (1)
IPv4 Address 34.117.186.192

Company
maltego.Company

NetType
Weight 52
Name NetType

Info

Relevance: 0.523297

Count: 1

Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

RageMP131.exe

Weight 0
MeaningfulName RageMP131.exe
File Id 0006dec3b7f1b70e1a13b32f71183d93e68180c5d804eba2768fcd42660e1161
Names RageMP131.exe, murka.exe, mpgph131.exe
File Type PEEXE
File Type Description Win32 EXE
MD5 118e60d508da81191839becdc3b904a3
SHA-1 0d9e3fdfbf6748cfb1e28bf42efd92a4d5f718f6
SHA-256 0006dec3b7f1b70e1a13b32f71183d93e68180c5d804eba2768fcd42660e1161
Vhash 01608f7f7f7f7f0f1f0f7013z1011z63z11z1015z1011z1013z17z
Authentihash 1071c676c0e5d28496400675441f2e60e8c1bb8806a60658cb84617a9ff6b687
SSDEEP 24576:UiLOxWGov/csCV+SE9inpHMNnHiYA9rsHwQvN2K3yWds0JkKyVNjqw4LmWm8h:7LqWnv/8/Tnp8CDsHl0adsLjj7n8
Magic PE32 executable (GUI) Intel 80386, for MS Windows
File Size 1324544
Tags peexe, malware, corrupt, spreader, cve-2016-2569, exploit
Capability Tags
Downloadable null
Creation Date 2024-05-21T09:27:48Z
First Submission Date 2024-06-17T08:46:28Z
Last Submission Date 2024-06-17T08:46:28Z
Last Analysis Date 2024-07-05T05:21:54Z
Total Votes - Harmless 0
Total Votes - Malicious 0
Submissions 1
Reputation 0

Sigma Analysis Results
[
{
  "rule_title": "System File Execution Location Anomaly",
  "rule_source": "Sigma Integrated Rule Set (GitHub)",
  "rule_level": "high",
  "rule_id": "25fc56c1bee673d7ff3edcf371e4d2a36c0af83222da348961b87735c8efa61f",
  "rule_author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali",
  "rule_description": "Detects a Windows program executable started from a suspicious folder",
  "match_context": [
    {
      "values": {
        "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe",
        "Image": "\\??\\C:\\Windows\\system32\\conhost.exe"
      }
    }
  ]
},
{
  "rule_title": "Scheduled TaskCache Change by Uncommon Program",
  "rule_source": "Sigma Integrated Rule Set (GitHub)",
  "rule_level": "high",
  "rule_id": "d62173552d7fce98c24a7040b784edf35cc6650d2e68ecf2d04f40c58d58cfda",
  "rule_author": "Syed Hasan (@syedhasan009)",
  "rule_description": "Monitor the creation of a new key under \u0027TaskCache\u0027 when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious",
  "match_context": [{"values": {}}, {"values": {}}, {"values": {}}, {"values": {}}, {"values": {}}]
},
{
  "rule_title": "Suspicious DNS Query for IP Lookup Service APIs",
  "rule_source": "Sigma Integrated Rule Set (GitHub)",
  "rule_level": "medium",
  "rule_id": "3a2766a08d32a855b604a786cddc0f76fee13e6ccd22e01d4878150f0ef1eebc",
  "rule_author": "Brandon George (blog post), Thomas Patzke",
  "rule_description": "Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.",
  "match_context": [{"values": {}}, {"values": {}}]
},
{
  "rule_title": "Suspicious Network Connection to IP Lookup Service APIs",
  "rule_source": "Sigma Integrated Rule Set (GitHub)",
  "rule_level": "medium",
  "rule_id": "7b06f86400ae084ca05c7e2cefe70b8ea4910b6196d969ae516b9d5d1c99bfe5",
  "rule_author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
  "rule_description": "Detects external IP address lookups by non-browser processes via services such as \"api.ipify.org\". This could be indicative of potential post compromise internet test activity.",
  "match_context": [{"values": {}}, {"values": {}}]
},
{
  "rule_title": "CurrentVersion Autorun Keys Modification",
  "rule_source": "Sigma Integrated Rule Set (GitHub)",
  "rule_level": "medium",
  "rule_id": "8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc",
  "rule_author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
  "rule_description": "Detects modification of autostart extensibility point (ASEP) in registry.",
  "match_context": [{"values": {}}, {"values": {}}]
},
{
  "rule_title": "Load Of RstrtMgr.DLL By An Uncommon Process",
  "rule_source": "Sigma Integrated Rule Set (GitHub)",
  "rule_level": "low",
  "rule_id": "7d0d3be8fa405f5e34c2e0cf9eaa345cacd60eb5244b50b23dc54c4785bc7512",
  "rule_author": "Luc Génaux",
  "rule_description": "Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.\nThis library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.\nIt could also be used for anti-analysis purposes by shut downing specific processes.\n",
  "match_context": [{"values": {}}]
}
]
Crowdsourced YARA Results
[
  {"description": "Detects an XORed URL in an executable", "source": "https://github.com/Neo23x0/signature-base", "author": "Florian Roth (Nextron Systems)", "ruleset_name": "gen_susp_xor", "rule_name": "SUSP_XORed_URL_In_EXE", "ruleset_id": "000f44c4bb"}
]

Crowdsourced IDS Results
[
  {"alert_context": [{"dest_port": 0, "src_ip": "147.45.47.126", "src_port": 58709}], "alert_severity": "high", "rule_category": "A Network Trojan was detected", "rule_id": "1:2046266", "rule_msg": "ET MALWARE [ANY.RUN] RisePro TCP (Token)"},
  {"alert_context": [{"dest_port": 0, "src_ip": "147.45.47.126", "src_port": 58709}], "alert_severity": "high", "rule_category": "A Network Trojan was detected", "rule_id": "1:2046267", "rule_msg": "ET MALWARE [ANY.RUN] RisePro TCP (External IP)"},
  {"alert_context": [{"dest_ip": "147.45.47.126", "dest_port": 58709, "src_port": 0}], "alert_severity": "high", "rule_category": "A Network Trojan was detected", "rule_id": "1:2046269", "rule_msg": "ET MALWARE [ANY.RUN] RisePro TCP (Activity)"},
  {"alert_context": [{"dest_ip": "147.45.47.126", "dest_port": 58709, "src_port": 0}], "alert_severity": "high", "rule_category": "A Network Trojan was detected", "rule_id": "1:2049060", "rule_msg": "ET MALWARE RisePro TCP Heartbeat Packet"},
  {"alert_context": [{"dest_ip": "34.117.186.192", "dest_port": 443, "src_port": 0}], "alert_severity": "medium", "rule_category": "Device Retrieving External IP Address Detected", "rule_id": "1:2025331", "rule_msg": "ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)"},
  {"alert_context": [{"dest_port": 0, "src_ip": "147.45.47.126", "src_port": 58709}], "alert_severity": "medium", "rule_category": "Misc Attack", "rule_id": "1:2400023", "rule_msg": "ET DROP Spamhaus DROP Listed Traffic Inbound group 24"},
  {"alert_severity": "medium", "rule_category": "successful-recon-limited", "rule_id": "1:29456", "rule_msg": "PROTOCOL-ICMP Unusual PING detected"},
  {"alert_context": [{"dest_port": 0, "src_ip": "216.239.32.29", "src_port": 80}], "alert_severity": "medium", "rule_category": "denial-of-service", "rule_id": "1:41379", "rule_msg": "SERVER-OTHER Squid HTTP Vary response header denial of service attempt"},
  {"alert_severity": "low", "rule_category": "misc-activity", "rule_id": "1:382", "rule_msg": "PROTOCOL-ICMP PING Windows"},
  {"alert_severity": "low", "rule_category": "misc-activity", "rule_id": "1:384", "rule_msg": "PROTOCOL-ICMP PING"},
  {"alert_severity": "low", "rule_category": "misc-activity", "rule_id": "1:408", "rule_msg": "PROTOCOL-ICMP Echo Reply"},
  {"alert_context": [{"dest_ip": "34.117.186.192", "dest_port": 443, "src_port": 0}], "alert_severity": "low", "rule_id": "1:906200054", "rule_msg": "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"}
]

View on VirusTotal
GUI Url:
https://www.virustotal.com/gui/file/0006dec3b7f1b70e1a13b32f71183d93e68180c5d804eba2768fcd42660e1161
File Summary

Names RageMP131.exe, murka.exe, mpgph131.exe

File Type peexe

File Type Description Win32 EXE

Tags peexe, malware, corrupt, spreader, cve-2016-2569, exploit

Times Submitted 1

TrID - file type identification tool

File Type Probability %

Win16 NE executable (generic) 32.3

Win32 Executable (generic) 28.9

OS/2 Executable (generic) 13.0

Generic Win/DOS Executable 12.8

DOS Executable Generic 12.8

VirusTotal Analysis Summary

Aggregate Result malicious - 63 / 78

VirusTotal Analysis Stats

Analysis Type Number of Analyses

Confirmed Timeout 0

Failure 0

Harmless 0

Malicious 63

Suspicious 0

Timeout 0

Type Unsupported 4

Undetected 11

Total 78

Community Votes
Total votes cast: 0
Incoming (1)
IPv4 Address 34.117.186.192

Company
maltego.Company

NetHandle
Weight 53
Name NetHandle

Info

Relevance: 0.537264

Count: 1

Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

wpa.dll

Weight 0
MeaningfulName wpa.dll
File Id 0001cecce78bbf3abb2c5dd9330de4f1c21289d2482aaed8e0f934ab8e0da47d
Names wpa.dll, nff1certjaekuj3varud.exe
File Type PEEXE
File Type Description Win32 EXE
MD5 330a1d7709546b52fa1bff174726699b
SHA-1 41c800709e7bca3915dd682e86a11e8845909d12
SHA-256 0001cecce78bbf3abb2c5dd9330de4f1c21289d2482aaed8e0f934ab8e0da47d
Vhash 02606f7d7d1f1f7f11z17z1?z1
Authentihash 689aa39b339a5e848e9be11f72db5918f3ec8f42b4f1e39953fc858fe884247f
SSDEEP 49152:QeF1xn14/vYIT6OjIAAr+W7vm+TEjtRF5+GXFC4TO0dm7eQvU:B1xn1ATBjIzTgFxHO0dm7eQvU
Magic PE32 executable (GUI) Intel 80386, for MS Windows
File Size 2344960
Tags corrupt, peexe
Capability Tags
Downloadable null
Creation Date 2024-04-17T09:44:44Z
First Submission Date 2024-04-20T04:01:32Z
Last Submission Date 2024-04-20T04:01:32Z
Last Analysis Date 2024-07-04T12:36:40Z
Total Votes - Harmless 0
Total Votes - Malicious 1
Submissions 1
Reputation -1

Sigma Analysis Results
[
{
  "rule_title": "System File Execution Location Anomaly",
  "rule_source": "Sigma Integrated Rule Set (GitHub)",
  "rule_level": "high",
  "rule_id": "25fc56c1bee673d7ff3edcf371e4d2a36c0af83222da348961b87735c8efa61f",
  "rule_author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali",
  "rule_description": "Detects a Windows program executable started from a suspicious folder",
  "match_context": [
    {
      "values": {
        "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe",
        "Image": "\\??\\C:\\Windows\\system32\\conhost.exe"
      }
    }
  ]
},
{
  "rule_title": "Suspicious DNS Query for IP Lookup Service APIs",
  "rule_source": "Sigma Integrated Rule Set (GitHub)",
  "rule_level": "medium",
  "rule_id": "3a2766a08d32a855b604a786cddc0f76fee13e6ccd22e01d4878150f0ef1eebc",
  "rule_author": "Brandon George (blog post), Thomas Patzke",
  "rule_description": "Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.",
  "match_context": [{"values": {}}, {"values": {}}]
},
{
  "rule_title": "Startup Folder File Write",
  "rule_source": "Sigma Integrated Rule Set (GitHub)",
  "rule_level": "medium",
  "rule_id": "56b8c79acb8e444c2b00be5c9d3cb8e33e863ccb3506d635f907a49cd053c84f",
  "rule_author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
  "rule_description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.",
  "match_context": [{"values": {}}]
},
{
  "rule_title": "Suspicious Network Connection to IP Lookup Service APIs",
  "rule_source": "Sigma Integrated Rule Set (GitHub)",
  "rule_level": "medium",
  "rule_id": "7b06f86400ae084ca05c7e2cefe70b8ea4910b6196d969ae516b9d5d1c99bfe5",
  "rule_author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
  "rule_description": "Detects external IP address lookups by non-browser processes via services such as \"api.ipify.org\". This could be indicative of potential post compromise internet test activity.",
  "match_context": [{"values": {}}, {"values": {}}]
},
{
  "rule_title": "CurrentVersion Autorun Keys Modification",
  "rule_source": "Sigma Integrated Rule Set (GitHub)",
  "rule_level": "medium",
  "rule_id": "8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc",
  "rule_author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
  "rule_description": "Detects modification of autostart extensibility point (ASEP) in registry.",
  "match_context": [{"values": {}}, {"values": {}}, {"values": {}}, {"values": {}}, {"values": {}}]
}
]
Crowdsourced YARA Results
Crowdsourced IDS Results

View on VirusTotal
GUI Url:
https://www.virustotal.com/gui/file/0001cecce78bbf3abb2c5dd9330de4f1c21289d2482aaed8e0f934ab8e0da47d
File Summary

Names wpa.dll, nff1certjaekuj3varud.exe

File Type peexe

File Type Description Win32 EXE

Tags corrupt, peexe

Times Submitted 1

TrID - file type identification tool

File Type Probability %

Win16 NE executable (generic) 32.3

Win32 Executable (generic) 28.9

OS/2 Executable (generic) 13.0

Generic Win/DOS Executable 12.8

DOS Executable Generic 12.8

VirusTotal Analysis Summary

Aggregate Result malicious - 61 / 78

VirusTotal Analysis Stats

Analysis Type Number of Analyses

Confirmed Timeout 0

Failure 0

Harmless 0

Malicious 61

Suspicious 0

Timeout 0

Type Unsupported 4

Undetected 13

Total 78

Community Votes
Total votes cast: 1
Harmless: 0/1
Malicious: 1/1
Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

heidisql.exe

Weight 0
MeaningfulName heidisql.exe
File Id 00138529a5e61e2ff309789584b89ab7d076b44369cf86ce0aaf5351f8106378
Names heidisql.exe, RageMP131.exe, mpgph131.exe, 0hzgrokb2ibev8ndxtf9.exe, ladas[1].exe, mbokusimwfhwf1z0q8s7.exe, gvt_8su2zirbqejjuq4h.exe, pfpwag23jup6qzpl086q.exe, ladas.exe
File Type PEEXE
File Type Description Win32 EXE
MD5 08ab0d886f050a60a522de4aceeb15df
SHA-1 823e39f14fbdda398a601a4af9013c8d1f6b3c8f
SHA-256 00138529a5e61e2ff309789584b89ab7d076b44369cf86ce0aaf5351f8106378
Vhash 02607f7d7d1f1f7f6f1bz1!z
Authentihash 2e0a0ea56f7fb7cfa1a26ecf05dd24547f72d4e2f1d22ff24b731c42d5feef8e
SSDEEP 49152:+SVK7KwNkTuVwd5CeeXG5XB0nGkdlIL1NAxWjPMyUT:+SVOKwXVCf1BB0tmhNOWj0yg
Magic PE32 executable (GUI) Intel 80386, for MS Windows
File Size 2346496
Tags spreader, malware, executes-dropped-file, peexe, detect-debug-environment, cve-2016-0101, cve-2016-2569, exploit
Capability Tags
Downloadable null
Creation Date 2024-02-01T11:29:07Z
First Submission Date 2024-02-20T23:06:23Z
Last Submission Date 2024-02-20T23:06:23Z
Last Analysis Date 2024-04-22T17:45:07Z
Total Votes - Harmless 0
Total Votes - Malicious 0
Submissions 1
Reputation 0

Sigma Analysis Results
Crowdsourced YARA Results
Crowdsourced IDS Results

View on VirusTotal
GUI Url: https://www.virustotal.com/gui/file/00138529a5e61e2ff309789584b89ab7d076b44369cf86ce0aaf5351f8106378
File Summary
Names heidisql.exe, RageMP131.exe, mpgph131.exe, 0hzgrokb2ibev8ndxtf9.exe, ladas[1].exe, mbokusimwfhwf1z0q8s7.exe, gvt_8su2zirbqejjuq4h.exe, pfpwag23jup6qzpl086q.exe, ladas.exe
File Type peexe
File Type Description Win32 EXE
Tags spreader, malware, executes-dropped-file, peexe, detect-debug-environment, cve-2016-0101, cve-2016-2569, exploit
Times Submitted 1

TrID - file type identification tool
File Type Probability %
Win16 NE executable (generic) 32.3
Win32 Executable (generic) 28.9
OS/2 Executable (generic) 13.0
Generic Win/DOS Executable 12.8
DOS Executable Generic 12.8

VirusTotal Analysis Summary
Aggregate Result malicious - 55 / 75

VirusTotal Analysis Stats
Analysis Type Number of Analyses
Confirmed Timeout 0
Failure 0
Harmless 0
Malicious 55
Suspicious 0
Timeout 0
Type Unsupported 4
Undetected 16
Total 75

Community Votes
Total votes cast: 0
Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

WEXTRACT.EXE .MUI
Weight 0
MeaningfulName WEXTRACT.EXE .MUI
File Id 000d10e1185eaf6a010c6ce156eddca854226830add2b2881abeb851ba7990bc
Names Wextract, WEXTRACT.EXE .MUI,
c4dd2a90edd5d6252d95a35c325c7fcc.virus
File Type PEEXE
File Type Description Win32 EXE
MD5 c4dd2a90edd5d6252d95a35c325c7fcc
SHA-1 e774008f892ee1423273d0fec0af08d1bcff150f
SHA-256 000d10e1185eaf6a010c6ce156eddca854226830add2b2881abeb851ba7990bc
Vhash 0460566d55557560e013z1005114kz1e03dz
Authentihash bf02fc9f7a907bcd4094f234f2247117780d605e0893f9c7dde4b5ee577322e9
SSDEEP 98304:A2d9S7we1rPJRMOmTWabn7LSFVLdLUiaBeLB1XEBkgG+0+Ai:A2d9SMeNPJRMDTL7+VN9aBebXSkgG+5
Magic PE32 executable (GUI) Intel 80386, for MS Windows
File Size 4515328
Tags malware, checks-disk-space, checks-cpu-name, peexe, detect-debug-environment, checks-network-adapters, long-sleeps, checks-user-input, spreader, executes-dropped-file, persistence, cve-2016-2569, cve-2016-0101, exploit
Capability Tags
Downloadable null
Creation Date 2022-05-24T22:49:06Z
First Submission Date 2024-01-07T02:22:59Z
Last Submission Date 2024-01-07T02:22:59Z
Last Analysis Date 2024-07-05T06:28:16Z
Total Votes - Harmless 1
Total Votes - Malicious 0
Submissions 1
Reputation 1
Sigma Analysis Results
Crowdsourced YARA Results
Crowdsourced IDS Results

View on VirusTotal
GUI Url: https://www.virustotal.com/gui/file/000d10e1185eaf6a010c6ce156eddca854226830add2b2881abeb851ba7990bc
File Summary
Names Wextract, WEXTRACT.EXE .MUI, c4dd2a90edd5d6252d95a35c325c7fcc.virus
File Type peexe
File Type Description Win32 EXE
Tags malware, checks-disk-space, checks-cpu-name, peexe, detect-debug-environment, checks-network-adapters, long-sleeps, checks-user-input, spreader, executes-dropped-file, persistence, cve-2016-2569, cve-2016-0101, exploit
Times Submitted 1

TrID - file type identification tool
File Type Probability %
Windows Control Panel Item (generic) 41.1
Win32 Executable MS Visual C++ (generic) 22.2
Microsoft Visual C++ compiled executable (generic) 11.8
Win64 Executable (generic) 7.5
Win32 Dynamic Link Library (generic) 4.6

VirusTotal Analysis Summary
Aggregate Result malicious - 56 / 76

VirusTotal Analysis Stats
Analysis Type Number of Analyses
Confirmed Timeout 0
Failure 1
Harmless 0
Malicious 56
Suspicious 0
Timeout 0
Type Unsupported 4
Undetected 15
Total 76

Community Votes
Total votes cast: 10
Harmless: 1/10
Malicious: 0/10
Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

MSBuild.exe
Weight 0
MeaningfulName MSBuild.exe
File Id 000acab5b32031728a99c53f23faa07a9b1290ea9d9c3009891dfc292579a1ff
Names mpgph131.exe, RageMP131.exe, MSBuild.exe,
8588959e9bcc059d908cebcba7b9760a.virus
File Type PEEXE
File Type Description Win32 EXE
MD5 8588959e9bcc059d908cebcba7b9760a
SHA-1 636e7fc9091269029912294b957d2649efa1303c
SHA-256 000acab5b32031728a99c53f23faa07a9b1290ea9d9c3009891dfc292579a1ff
Vhash 02607f7d7d1f1f7f6f1bz1!z
Authentihash 58c4351ed1530b66700fa8eaeef5607b30c1284c89880c1d4210bbc497a0f3ca
SSDEEP 49152:9ZeW+/IBCtvXRV5ufPZ2bYNyMqMtzh56NRVdMJZr46:98wEtPNuPKxMDX6Nf+7E6
Magic PE32 executable (GUI) Intel 80386, for MS Windows
File Size 2378240
Tags malware, spreader, executes-dropped-file, peexe, detect-debug-environment, cve-2016-0101, exploit
Capability Tags
Downloadable null
Creation Date 2024-02-24T14:57:06Z
First Submission Date 2024-03-01T21:41:55Z
Last Submission Date 2024-03-01T21:41:55Z
Last Analysis Date 2024-04-16T18:50:25Z
Total Votes - Harmless 0
Total Votes - Malicious 0
Submissions 1
Reputation 0
Sigma Analysis Results
Crowdsourced YARA Results
Crowdsourced IDS Results
View on VirusTotal
GUI Url: https://www.virustotal.com/gui/file/000acab5b32031728a99c53f23faa07a9b1290ea9d9c3009891dfc292579a1ff
File Summary
Names mpgph131.exe, RageMP131.exe, MSBuild.exe, 8588959e9bcc059d908cebcba7b9760a.virus
File Type peexe
File Type Description Win32 EXE
Tags malware, spreader, executes-dropped-file, peexe, detect-debug-environment, cve-2016-0101, exploit
Times Submitted 1

TrID - file type identification tool
File Type Probability %
Win16 NE executable (generic) 32.3
Win32 Executable (generic) 28.9
OS/2 Executable (generic) 13.0
Generic Win/DOS Executable 12.8
DOS Executable Generic 12.8

VirusTotal Analysis Summary
Aggregate Result malicious - 44 / 76

VirusTotal Analysis Stats
Analysis Type Number of Analyses
Confirmed Timeout 0
Failure 0
Harmless 0
Malicious 44
Suspicious 0
Timeout 0
Type Unsupported 4
Undetected 28
Total 76
Community Votes
Total votes cast: 0
Incoming (1)
IPv4 Address 34.117.186.192

Location
maltego.Location

Kansas City
Weight 100
Name Kansas City
Country
City Kansas City
Street Address
Area Missouri
Area Code
Country Code
Longitude -94.57
Latitude 39.11

Google Maps

Google Maps Link


Incoming (1)
IPv4 Address 34.117.186.192

Organization
maltego.Organization

Google Cloud
Weight 100
Name Google Cloud

Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

HLL_BugReportUploader.exe
Weight 0
MeaningfulName HLL_BugReportUploader.exe
File Id 00120c0a17f49a3f7fb681994ce633d0da6da624854f1860abf9663f502c939c
Names ktEUWWEXyI3QBxXa.exe, HLL_BugReportUploader.exe
File Type PEEXE
File Type Description Win32 EXE
MD5 f69d70931db018ea4ffa764bcd3baf4a
SHA-1 48d0927977160419531a90078a7da2448719c418
SHA-256 00120c0a17f49a3f7fb681994ce633d0da6da624854f1860abf9663f502c939c
Vhash 017076050d060d167d7bz1jz11z1fz
Authentihash 71502dc58a3ca5d183f1df79e6002aefb13e9285b8d9d6d1898d61b884bd557c
SSDEEP 393216:3Y2GtyOQ6A+Wv16BwCnj5BGmmLEKbx/LAPdSVUIfF8MRaOu:CI6BWdRa5smoEKbx8dSJg
Magic PE32 executable (GUI) Intel 80386, for MS Windows
File Size 18847744
Tags peexe, spreader, executes-dropped-file
Capability Tags
Downloadable null
Creation Date 2013-06-15T16:44:28Z
First Submission Date 2024-03-23T10:22:09Z
Last Submission Date 2024-03-23T10:22:09Z
Last Analysis Date 2024-03-25T13:14:28Z
Total Votes - Harmless 0
Total Votes - Malicious 0
Submissions 1
Reputation 0
Sigma Analysis Results
Rule Suspicious DNS Query for IP Lookup Service APIs
Source Sigma Integrated Rule Set (GitHub)
Level medium
Rule ID 3a2766a08d32a855b604a786cddc0f76fee13e6ccd22e01d4878150f0ef1eebc
Author Brandon George (blog post), Thomas Patzke
Description Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
Match Context 1 match (no field values captured)

Rule Suspicious Network Connection to IP Lookup Service APIs
Source Sigma Integrated Rule Set (GitHub)
Level medium
Rule ID 7b06f86400ae084ca05c7e2cefe70b8ea4910b6196d969ae516b9d5d1c99bfe5
Author Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
Description Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
Match Context 1 match (no field values captured)
Crowdsourced YARA Results

Crowdsourced IDS Results
Rule ID (severity, category) message; alert context where recorded
1:29456 (medium, successful-recon-limited) PROTOCOL-ICMP Unusual PING detected
1:385 (medium, attempted-recon) PROTOCOL-ICMP traceroute
116:424 (low, misc-activity) (eth) truncated ethernet header
1:2050231 (low, Potentially Bad Traffic) ET INFO Fake Game Cheat Related Domain in DNS Lookup (keyauth .win); context: dest_ip 8.8.8.8, dest_port 53, src_port 0
1:2050233 (low, Potentially Bad Traffic) ET INFO Fake Game Cheat Related Domain (keyauth .win) in TLS SNI; context: dest_ip 188.114.99.234, dest_port 443, src_port 0
1:382 (low, misc-activity) PROTOCOL-ICMP PING Windows
1:384 (low, misc-activity) PROTOCOL-ICMP PING
1:401 (low, misc-activity) PROTOCOL-ICMP Destination Unreachable Network Unreachable
1:408 (low, misc-activity) PROTOCOL-ICMP Echo Reply
1:44077 (low, misc-activity) INDICATOR-COMPROMISE Suspicious .win dns query; context: dest_ip 8.8.8.8, dest_port 53, src_port 0

View on VirusTotal
GUI Url:
https://www.virustotal.com/gui/file/00120c0a17f49a3f7fb681994ce633d0da6da624854f1860abf9663f502c939c
File Summary

Names ktEUWWEXyI3QBxXa.exe, HLL_BugReportUploader.exe

File Type peexe

File Type Description Win32 EXE

Tags peexe, spreader, executes-dropped-file

Times Submitted 1

TrID - file type identification tool

File Type Probability %

Win32 Dynamic Link Library (generic) 27.1

Win16 NE executable (generic) 20.8

Win32 Executable (generic) 18.6

Windows Icons Library (generic) 8.5

OS/2 Executable (generic) 8.3

VirusTotal Analysis Summary

Aggregate Result malicious - 36 / 76

VirusTotal Analysis Stats

Analysis Type Number of Analysis

Confirmed Timeout 0

Failure 0

Harmless 0

Malicious 36

Suspicious 0

Timeout 0

Type Unsupported 4

Undetected 36

Total 76

Community Votes
Total votes cast: 0
Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

WEXTRACT.EXE .MUI

Weight 0
MeaningfulName WEXTRACT.EXE .MUI
File Id 0011aaf4c26633e520535f8f591daea3ba65311ce42bba49e5a58342ce4b2e1c
Names Wextract, WEXTRACT.EXE .MUI, 302a9fbdac596f7541fdb1042e8756a7.virus
File Type PEEXE
File Type Description Win32 EXE
MD5 302a9fbdac596f7541fdb1042e8756a7
SHA-1 ca7ae691b09af32d8a2e50fcf632b712fa2c0ba9
SHA-256 0011aaf4c26633e520535f8f591daea3ba65311ce42bba49e5a58342ce4b2e1c
Vhash 0260566d55557560e013z1005114kz1e03dz
Authentihash 9aa5683b37ab970e44cbb22eaf80aa4171df4a6494629267b579c71ec3a966fc
SSDEEP 49152:FP6sGSL2b2ds3pgR42HP8ta2Hq2FCOFew8RDbUCPmZnQRtlgf6c:1VLZu3pgR4yPGvgQqnBEGtlc6
Magic PE32 executable (GUI) Intel 80386, for MS Windows
File Size 2605056
Tags peexe, spreader
Capability Tags
Downloadable null
Creation Date 2022-05-24T22:49:06Z
First Submission Date 2023-12-30T10:55:21Z
Last Submission Date 2023-12-30T10:55:21Z
Last Analysis Date 2024-04-17T08:49Z
Total Votes - Harmless 0
Total Votes - Malicious 0
Submissions 1
Reputation 0

Sigma Analysis Results
Rule Suspicious Double Extension File Execution
Source Sigma Integrated Rule Set (GitHub)
Level critical
Rule ID 5ead81ee12f2097316af35270a1ac0f8623db054349c52ef366fc42a4b7d2de2
Author Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
Description Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
Match Context CommandLine "%SAMPLEPATH%\WEXTRACT.EXE .exe"; Image %SAMPLEPATH%\WEXTRACT.EXE .exe

Rule Disable Windows Defender Functionalities Via Registry Keys
Source Sigma Integrated Rule Set (GitHub)
Level high
Rule ID 387844917f76d926b5dde6a796bcdb423a54d6df4ab736e7752fb73dc931e400
Author AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
Description Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
Match Context 5 matches (no field values captured)

Rule Scheduled TaskCache Change by Uncommon Program
Source Sigma Integrated Rule Set (GitHub)
Level high
Rule ID d62173552d7fce98c24a7040b784edf35cc6650d2e68ecf2d04f40c58d58cfda
Author Syed Hasan (@syedhasan009)
Description Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
Match Context 5 matches (no field values captured)

Rule Wow6432Node CurrentVersion Autorun Keys Modification
Source Sigma Integrated Rule Set (GitHub)
Level medium
Rule ID 18842e32896dd83b8aca4d5e1ac78c1f66b1d252479c0023cdd02f108c42c8cd
Author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Description Detects modification of autostart extensibility point (ASEP) in registry.
Match Context 5 matches (no field values captured)

Rule Suspicious DNS Query for IP Lookup Service APIs
Source Sigma Integrated Rule Set (GitHub)
Level medium
Rule ID 3a2766a08d32a855b604a786cddc0f76fee13e6ccd22e01d4878150f0ef1eebc
Author Brandon George (blog post), Thomas Patzke
Description Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
Match Context 1 match (no field values captured)

Rule CurrentVersion Autorun Keys Modification
Source Sigma Integrated Rule Set (GitHub)
Level medium
Rule ID 8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc
Author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Description Detects modification of autostart extensibility point (ASEP) in registry.
Match Context 2 matches (no field values captured)

Rule Disable Tamper Protection on Windows Defender
Source Sigma Integrated Rule Set (GitHub)
Level medium
Rule ID bf1de3b61466c6018ee71be3f901fb544ddb30709a256ce88ddc19444b5a1ea1
Author Austin Songer @austinsonger
Description Detects disabling Windows Defender Tamper Protection
Match Context 1 match (no field values captured)

Rule PSScriptPolicyTest Creation By Uncommon Process
Source Sigma Integrated Rule Set (GitHub)
Level medium
Rule ID d6ff8dca8c8ea9fa750972dd032542746369179e3aaceccc1c3f2cc2a35f5d25
Author Nasreddine Bencherchali (Nextron Systems)
Description Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
Match Context 2 matches (no field values captured)

Rule Non Interactive PowerShell Process Spawned
Source Sigma Integrated Rule Set (GitHub)
Level low
Rule ID 1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f
Author Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Description Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
Match Context CommandLine C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Image C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Rule WMI Module Loaded By Non Uncommon Process
Source Sigma Integrated Rule Set (GitHub)
Level low
Rule ID fb092b3aee3feb316c048a1249e1ac9639a63cac318318afd45bf38887b31b0c
Author Roberto Rodriguez @Cyb3rWard0g
Description Detects a WMI modules being loaded by an uncommon process
Match Context 1 match (no field values captured)
Crowdsourced YARA Results
Crowdsourced IDS Results

View on VirusTotal
GUI Url:
https://www.virustotal.com/gui/file/0011aaf4c26633e520535f8f591daea3ba65311ce42bba49e5a58342ce4b2e1c
File Summary

Names Wextract, WEXTRACT.EXE .MUI, 302a9fbdac596f7541fdb1042e8756a7.virus

File Type peexe

File Type Description Win32 EXE

Tags peexe, spreader

Times Submitted 1

TrID - file type identification tool

File Type Probability %

Windows Control Panel Item (generic) 41.1

Win32 Executable MS Visual C++ (generic) 22.2

Microsoft Visual C++ compiled executable (generic) 11.8

Win64 Executable (generic) 7.5

Win32 Dynamic Link Library (generic) 4.6

VirusTotal Analysis Summary

Aggregate Result malicious - 46 / 78

VirusTotal Analysis Stats

Analysis Type Number of Analysis

Confirmed Timeout 0

Failure 0

Harmless 0

Malicious 46

Suspicious 0

Timeout 1

Type Unsupported 4

Undetected 27

Total 78

Community Votes
Total votes cast: 0
Incoming (1)
IPv4 Address 34.117.186.192

alphaMountain Category
maltego.alphamountain.Category

Suspicious
Weight 0
alphaMountain Category Suspicious
Text

Incoming (1)
IPv4 Address 34.117.186.192

alphaMountain Category
maltego.alphamountain.Category

Information Technology
Weight 0
alphaMountain Category Information Technology
Text

Incoming (1)
IPv4 Address 34.117.186.192

Html Hash
maltego.shodan.HtmlHash

336196947
Weight 0
Hash 336196947
Hash Type HTML Hash

Incoming (1)
IPv4 Address 34.117.186.192

GPS Coordinate
maltego.GPS

39.09973,-94.57857
Weight 1
GPS Coordinate 39.09973,-94.57857
Latitude 39.09973
Longitude -94.57857

Shodan
This GPS Location was found on IP Address: 34.117.186.192 [Shodan Result]
Incoming (1)
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

agm-429076122901.backupdr.actifiogo.com
Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name agm-429076122901.backupdr.actifiogo.com
FirstSeen 2023-03-22T21:45:20
LastSeen 2023-03-22T21:45:20

AlienVault OTX Link


View in browser: https://otx.alienvault.com/indicator/hostname/agm-429076122901.backupdr.actifiogo.com
Incoming (1)
IPv4 Address 34.117.186.192

SSL Certificate Hash
maltego.SSLCertificateHash

6e1e959cfc20083510b2641f9f9ce590be7dd13176553cab3606795cc42c850c
Weight 0
Hash 6e1e959cfc20083510b2641f9f9ce590be7dd13176553cab3606795cc42c850c
Hash Type SHA256

Incoming (1)
IPv4 Address 34.117.186.192

SSL Certificate Hash


maltego.SSLCertificateHash

8cdf0cf4a330a8e079eb3823d35fc80957292573
Weight 0
Hash 8cdf0cf4a330a8e079eb3823d35fc80957292573
Hash Type SHA1

Incoming (1)
IPv4 Address 34.117.186.192

Banner Hash
maltego.shodan.BannerHash

1955952339
Weight 0
Hash 1955952339
Hash Type Banner Hash

Incoming (1)
IPv4 Address 34.117.186.192

WHOIS Record
maltego.WHOISRecord

34.117.186.192

Weight 1538092800
Name 34.117.186.192

WHOIS Info #
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#

NetRange: 34.64.0.0 - 34.127.255.255


CIDR: 34.64.0.0/10
NetName: GOOGL-2
NetHandle: NET-34-64-0-0-1
Parent: NET34 (NET-34-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Google LLC (GOOGL-2)
RegDate: 2018-09-28
Updated: 2018-09-28
Ref: https://rdap.arin.net/registry/ip/34.64.0.0

OrgName: Google LLC


OrgId: GOOGL-2
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2006-09-29
Updated: 2019-11-01
Comment: *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
Comment:
Comment: Direct all copyright and legal complaints to
Comment: https://support.google.com/legal/go/report
Comment:
Comment: Direct all spam and abuse complaints to
Comment: https://support.google.com/code/go/gce_abuse_report
Comment:
Comment: For fastest response, use the relevant forms above.
Comment:
Comment: Complaints can also be sent to the GC Abuse desk
Comment: ([email protected])
Comment: but may have longer turnaround times.
Comment:
Comment: Complaints sent to any other POC will be ignored.
Ref: https://rdap.arin.net/registry/entity/GOOGL-2

OrgAbuseHandle: GCABU-ARIN
OrgAbuseName: GC Abuse
OrgAbusePhone: +1-650-253-0000
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/GCABU-ARIN

OrgNOCHandle: GCABU-ARIN
OrgNOCName: GC Abuse
OrgNOCPhone: +1-650-253-0000
OrgNOCEmail: [email protected]
OrgNOCRef: https://rdap.arin.net/registry/entity/GCABU-ARIN

OrgTechHandle: ZG39-ARIN
OrgTechName: Google LLC
OrgTechPhone: +1-650-253-0000
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/ZG39-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#
Registry Domain ID
Domain Name 34.117.186.192
Created Date 2018-09-28 00:00:00 UTC
Registry Expiry Date
Updated Date 2018-09-28 00:00:00 UTC
Transfer Date
Nameservers
Name Server IP Addresses
Maintainer
Created By
Updated By
DNSSEC
Domain Status
ENS AuthId
Registry Registrant ID
Registrant Name
Registrant Organization Google LLC
Registrant Address
Registrant Street 1600 Amphitheatre Parkway
Registrant City Mountain View
Registrant State/Province CA
Registrant Country UNITED STATES
Registrant Country Code US
Registrant Postal Code 94043
Registrant Phone
Registrant Phone Ext
Registrant Fax
Registrant Fax Ext
Registrant Email
Admin ID
Admin ID
Admin Name
Admin Organization GC Abuse
Admin Address
Admin Street
Admin City
Admin State/Province
Admin Country
Admin Country Code
Admin Postal Code
Admin Phone 16502530000
Admin Phone Ext
Admin Fax
Admin Fax Ext
Admin Email [email protected]
Tech ID
Tech Name
Tech Organization Google LLC

Tech Address
Tech City
Tech State/Province
Tech Country
Tech Postal Code
Tech Phone 16502530000
Tech Phone Ext
Tech Fax
Tech Fax Ext
Tech Email [email protected]
Registrar ID
Registrar IANA ID 778
Registrar ARIN
Registrar Registration Expiration Date
Registrar URL
Registrar WHOIS Server
Registrar Status
Registrar Address
Registrar City
Registrar State/Province
Registrar Country
Registrar Postal Code
Registrar Phone
Registrar Fax
Registrar Fax Ext
Registrar Email
Registrar Abuse Contact Email
Registrar Abuse Contact Phone
Sponsoring Registrar
netRange 34.64.0.0 - 34.127.255.255
Contact Email [email protected]
netName GOOGL-2

WhoisXML audit information
Created Date 2024-07-10 14:06:51 UTC

Updated Date 2024-07-10 14:06:51 UTC

Domain Information
Estimated domain age: 2112 days
Incoming (1)
IPv4 Address 34.117.186.192

Banner Hash
maltego.shodan.BannerHash

1559705222
Weight 0
Hash 1559705222
Hash Type Banner Hash

Incoming (1)
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

api-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name api-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
FirstSeen 2021-07-19T03:40:22
LastSeen 2021-07-19T03:40:22

AlienVault OTX Link


View in browser: https://otx.alienvault.com/indicator/hostname/api-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
Incoming (1)
IPv4 Address 34.117.186.192

Netblock
maltego.Netblock

34.117.186.0-34.117.186.255
Weight 100
IP Range 34.117.186.0-34.117.186.255

Incoming (1)
IPv4 Address 34.117.186.192

Shodan Service Details


maltego.shodan.ServiceDetails

443

Weight 0
Protocol tcp
IP Address 34.117.186.192
CVEs
OS
Hostnames ipinfo.net, ipinfoio.com, host.io, ipinfo.io, company.io, ipinfo.org, useragent.io,
192.186.117.34.bc.googleusercontent.com, ipinfo.dev
CPE
Service Hash 1955952339
Description 443
Port 443
Service banner HTTP/1.1 404 Not Found
Content-Length: 18
content-type: text/plain
via: 1.1 google
date: Fri, 05 Jul 2024 11:25:26 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Service 443
Shodan Last Update 2024-07-05T11:25:27.241986

Shodan
This service was found running on IP Address: 34.117.186.192 [Shodan Result]
Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

eve.json?id

Weight 0
MeaningfulName eve.json?id
File Id eccd2c84b68745d149229466b21408d5ccf4ea8e51e1fac4e76edf88ca10239b
Names eve.json?id
File Type JSON
File Type Description JSON
MD5 ed4054bb9c639bab6a08d47f93415346
SHA-1 fbce63504fcedbda61657f6175fd5faa37a90cf9
SHA-256 eccd2c84b68745d149229466b21408d5ccf4ea8e51e1fac4e76edf88ca10239b
Vhash
Authentihash
SSDEEP 192:L7M/mjTidgS7M/mjTidgS1KMGXhXolgT4O3F/p590jQb3MFOmmDuTisuYHGV+:/sg0sgAEtU46QbuTis7HB
Magic New Line Delimited JSON text data
File Size 12968
Tags json
Capability Tags
Downloadable null
Creation Date
First Submission Date 2024-07-02T06:16:46Z
Last Submission Date 2024-07-02T06:16:46Z
Last Analysis Date 2024-07-02T08:17:04Z
Total Votes - Harmless 0
Total Votes - Malicious 0
Submissions 1
Reputation 0
Sigma Analysis Results
Crowdsourced YARA Results
Rule Base64_Encoded_URL (ruleset Base64_Encoded_URL, ruleset ID 0122bae1e9)
Source https://github.com/InQuest/yara-rules-vt
Author InQuest Labs
Description This signature fires on the presence of Base64 encoded URI prefixes (http:// and https://) across any file. The simple presence of such strings is not inherently an indicator of malicious content, but is worth further investigation.
Crowdsourced IDS Results

View on VirusTotal
GUI Url:
https://www.virustotal.com/gui/file/eccd2c84b68745d149229466b21408d5ccf4ea8e51e1fac4e76edf88ca10239b
File Summary

Names eve.json?id

File Type json

File Type Description JSON

Tags json

Times Submitted 1

TrID - file type identification tool

File Type Probability %

file seems to be plain text/ASCII 0.0

VirusTotal Analysis Summary

Aggregate Result undetected - 64 / 78

VirusTotal Analysis Stats

Analysis Type Number of Analysis

Confirmed Timeout 0

Failure 0

Harmless 0

Malicious 0

Suspicious 0

Timeout 0

Type Unsupported 14

Undetected 64

Total 78

Community Votes
Total votes cast: 0
Incoming (1)
IPv4 Address 34.117.186.192

Shodan Service Details


maltego.shodan.ServiceDetails

80

Weight 0
Protocol tcp
IP Address 34.117.186.192
CVEs
OS
Hostnames 192.186.117.34.bc.googleusercontent.com
CPE
Service Hash 1559705222
Description 80
Port 80
Service banner HTTP/1.1 404 Not Found
Content-Length: 18
content-type: text/plain
via: 1.1 google
date: Mon, 08 Jul 2024 18:42:16 GMT

Service 80
Shodan Last Update 2024-07-08T18:42:17.394076

Shodan
This service was found running on IP Address: 34.117.186.192 [Shodan Result]
Incoming (1)
IPv4 Address 34.117.186.192

Email Address
maltego.EmailAddress

[email protected]
Weight 100
Email Address [email protected]

Incoming (1)
IPv4 Address 34.117.186.192

Email Address
maltego.EmailAddress

[email protected]
Weight 100
Email Address [email protected]

Incoming (1)
IPv4 Address 34.117.186.192

IPQS Tag
maltego.ipqs.Tag

Proxy

Weight 100
Text Proxy

IPQS Info
Indicates this IP address is suspected to be a proxy (SOCKS, Elite, Anonymous, VPN, Tor, etc.).

Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

motherfuck.txt
Weight 0
MeaningfulName motherfuck.txt
File Id f2f2454e8e3abdf9b9dfc7d067fdf3d01d6d55e452d2d7b133eb89df3523d490
Names motherfuck.txt
File Type TEXT
File Type Description Text
MD5 86177184b874ee647e6047a335b007e7
SHA-1 812333ff54b0920920ff3e5e753910a0b3e6b616
SHA-256 f2f2454e8e3abdf9b9dfc7d067fdf3d01d6d55e452d2d7b133eb89df3523d490
Vhash
Authentihash
SSDEEP 48:YZVh2Hauk0UOlBxCGgUsXI/7KeOUplFaZ8lxlJRAAOxpLT1sPDLIb+IIbPC6Ds1s:0VQ6uRtlTaUsXgWRUtaudTkZ3GXs6
Magic ASCII text
File Size 2709
Tags text
Capability Tags
Downloadable null
Creation Date
First Submission Date 2024-04-14T02:13:02Z
Last Submission Date 2024-04-14T02:13:02Z
Last Analysis Date 2024-06-26T14:43:59Z
Total Votes - Harmless 0
Total Votes - Malicious 0
Submissions 1
Reputation 0
Sigma Analysis Results
Crowdsourced YARA Results
Crowdsourced IDS Results

View on VirusTotal
GUI Url:
https://www.virustotal.com/gui/file/f2f2454e8e3abdf9b9dfc7d067fdf3d01d6d55e452d2d7b133eb89df3523d490

File Summary

Names motherfuck.txt

File Type text

File Type Description Text

Tags text

Times Submitted 1

TrID - file type identification tool

File Type Probability %

file seems to be plain text/ASCII 0.0

VirusTotal Analysis Summary

Aggregate Result undetected - 64 / 78

VirusTotal Analysis Stats

Analysis Type Number of Analysis

Confirmed Timeout 0

Failure 0

Harmless 0

Malicious 0

Suspicious 0

Timeout 0

Type Unsupported 14

Undetected 64

Total 78

Community Votes
Total votes cast: 0
Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

pfirewall.log

Weight 0
MeaningfulName pfirewall.log
File Id eb01e938311f038cfc08cc28e8420e66272a0f4753dc24e4f5b30c1481420a8a
Names pfirewall.log
File Type
File Type Description unknown
MD5 0b6e8b175f2f5e827861f737cc22370e
SHA-1 80de935a1434b3470d19d8dba94f1da33b952c2f
SHA-256 eb01e938311f038cfc08cc28e8420e66272a0f4753dc24e4f5b30c1481420a8a
Vhash
Authentihash
SSDEEP 384:XhZEkca0tTNB0000AnnnnkrrrrPKKKKetnSSS9q9J9J9J9JAnnnLWWIqysHeaSx8:XU6J2DIMl8Aq30CwPr4VZSfv
Magic data
File Size 137118
Tags
Capability Tags
Downloadable null
Creation Date
First Submission Date 2024-05-16T21:55Z
Last Submission Date 2024-05-16T21:55Z
Last Analysis Date 2024-06-07T17:04:26Z
Total Votes - Harmless 0
Total Votes - Malicious 0
Submissions 1
Reputation 0
Sigma Analysis Results
Crowdsourced YARA Results
Crowdsourced IDS Results

View on VirusTotal
GUI Url:
https://www.virustotal.com/gui/file/eb01e938311f038cfc08cc28e8420e66272a0f4753dc24e4f5b30c1481420a8a
File Summary

Names pfirewall.log

File Type

File Type Description unknown

Tags

Times Submitted 1

VirusTotal Analysis Summary

Aggregate Result undetected - 64 / 77

VirusTotal Analysis Stats

Analysis Type Number of Analysis

Confirmed Timeout 0

Failure 0

Harmless 0

Malicious 0

Suspicious 0

Timeout 0

Type Unsupported 13

Undetected 64

Total 77

Community Votes
Total votes cast: 0
Incoming (1)
IPv4 Address 34.117.186.192

VirusTotal File
maltego.virustotal.File

SULE (1).csv

Weight 0
MeaningfulName SULE (1).csv
File Id c82edc4d349fa1da65371b5aa538a9ac2fa7ed872cad423f3fe79e2ad8f9f653
Names SULE (1).csv
File Type TEXT
File Type Description Text
MD5 366e0e3ac731044d3adce1968438b31c
SHA-1 20e89d6c6a4593921f56eac20d6923e45902bb94
SHA-256 c82edc4d349fa1da65371b5aa538a9ac2fa7ed872cad423f3fe79e2ad8f9f653
Vhash
Authentihash
SSDEEP 48:gnmFTG9oYPiy7uOMo69FfvNk1ercRO/h7DmP+++rq4TrD29C2AR3r:gYYPiTS8NNk1erR/h7CP+++m4/D/b
Magic ASCII text, with CRLF line terminators
File Size 2118
Tags text
Capability Tags
Downloadable null
Creation Date
First Submission Date 2024-04-05T08:40:03Z
Last Submission Date 2024-04-05T08:40:03Z
Last Analysis Date 2024-04-05T10:40:20Z
Total Votes - Harmless 0
Total Votes - Malicious 0
Submissions 1
Reputation 0
Sigma Analysis Results
Crowdsourced YARA Results
Crowdsourced IDS Results

View on VirusTotal
GUI Url:
https://www.virustotal.com/gui/file/c82edc4d349fa1da65371b5aa538a9ac2fa7ed872cad423f3fe79e2ad8f9f653
File Summary

Names SULE (1).csv

File Type text

File Type Description Text

Tags text

Times Submitted 1

TrID - file type identification tool

File Type Probability %

file seems to be plain text/ASCII 0.0

VirusTotal Analysis Summary

Aggregate Result undetected - 60 / 76

VirusTotal Analysis Stats

Analysis Type Number of Analysis

Confirmed Timeout 0

Failure 0

Harmless 0

Malicious 0

Suspicious 0

Timeout 0

Type Unsupported 16

Undetected 60

Total 76

Community Votes
Total votes cast: 0
Incoming (1)
IPv4 Address 34.117.186.192

URL
maltego.URL

http://159.65.233.73
Weight 0
Short title http://159.65.233.73
URL http://159.65.233.73
Title http://159.65.233.73

AlienVault OTX Link


View in browser: https://otx.alienvault.com/indicator/url/http://159.65.233.73
Incoming (1)
IPv4 Address 34.117.186.192

Netblock
maltego.Netblock

34.116.0.0-34.119.255.255

Weight 0
IP Range 34.116.0.0-34.119.255.255
Country US
AS 396982
First IP 34.116.0.0
Route 34.116.0.0/14
Last IP 34.119.255.255
Net Name GOOGL-2
Domain http://www.google.com
Name GOOGLE-CLOUD-PLATFORM
Source ARIN

Incoming (1)
IPv4 Address 34.117.186.192

URL
maltego.URL

http://24.144.104.44
Weight 0
Short title http://24.144.104.44
URL http://24.144.104.44
Title http://24.144.104.44

AlienVault OTX Link


View in browser: https://otx.alienvault.com/indicator/url/http://24.144.104.44
Incoming (1)
IPv4 Address 34.117.186.192

SSL Certificate
maltego.X509Certificate

ipinfo.io

Weight 0
Subject ipinfo.io
Issuer R3
Subject DN
Issuer DN
SKI 870c3c4ca4e6c5a8ecdcb84f262dbf7beaa525d1
AKI
Serial 46cde25fe8e2dbf2fd92a762382be722915
SAN [*.company.io, *.host.io, *.ipinfo.dev, *.ipinfo.io, *.ipinfo.net, *.ipinfo.org,
*.ipinfoio.com, *.useragent.io, company.io, host.io, ipinfo.dev, ipinfo.io,
ipinfo.net, ipinfo.org, ipinfoio.com, useragent.io]
Usage
Issuance ID
Valid From Wed Dec 06 00:00:00 GMT 2023
Valid Until Tue Mar 05 00:00:00 GMT 2024
Country
Organization

Incoming (1)
IPv4 Address 34.117.186.192

URL
maltego.URL

http://134.209.78.82
Weight 0
Short title http://134.209.78.82
URL http://134.209.78.82
Title http://134.209.78.82

AlienVault OTX Link


View in browser: https://otx.alienvault.com/indicator/url/http://134.209.78.82
Incoming (1)
IPv4 Address 34.117.186.192

URL
maltego.URL

http://159.223.98.160
Weight 0
Short title http://159.223.98.160
URL http://159.223.98.160
Title http://159.223.98.160

AlienVault OTX Link


View in browser: https://otx.alienvault.com/indicator/url/http://159.223.98.160
Incoming (1)
IPv4 Address 34.117.186.192

URL
maltego.URL

http://206.189.225.175
Weight 0
Short title http://206.189.225.175
URL http://206.189.225.175
Title http://206.189.225.175

AlienVault OTX Link


View in browser: https://otx.alienvault.com/indicator/url/http://206.189.225.175
Incoming (1)
IPv4 Address 34.117.186.192

SSL Certificate
maltego.X509Certificate

api-test-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
Weight 0
Subject api-test-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev
Issuer GTS CA 1D4
Subject DN
Issuer DN
SKI 0a3973a9a7519665dc378d3ef6d85d7111aa8a8e
AKI
Serial 811181b5d43b7d760a00000000f5c8c4
SAN [api-test-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev, api-qwiklabs-gcp-02-82514146f90f.apigee-apijam.dev]
Usage
Issuance ID
Valid From Mon Jul 19 00:00:00 GMT 2021
Valid Until Sun Oct 17 00:00:00 GMT 2021
Country
Organization

Incoming (1)
IPv4 Address 34.117.186.192

URL
maltego.URL

http://157.245.246.236
Weight 0
Short title http://157.245.246.236
URL http://157.245.246.236
Title http://157.245.246.236

AlienVault OTX Link
View in browser: https://otx.alienvault.com/indicator/url/http://157.245.246.236
Incoming (1)
IPv4 Address 34.117.186.192

SSL Certificate
maltego.X509Certificate

ipinfo.io
Weight 0
Subject ipinfo.io
Issuer R3
Subject DN
Issuer DN
SKI f8a5a791988f335ec9f4a8dc80e3aa9354cde9a6
AKI
Serial 4f0a6d4f9988255799aa5a1e09d83b717bd
SAN [*.company.io, *.host.io, *.ipinfo.dev, *.ipinfo.io, *.ipinfo.net, *.ipinfo.org,
*.ipinfoio.com, *.useragent.io, company.io, host.io, ipinfo.dev, ipinfo.io,
ipinfo.net, ipinfo.org, ipinfoio.com, useragent.io]
Usage
Issuance ID
Valid From Sat Jan 20 00:00:00 GMT 2024
Valid Until Fri Apr 19 00:00:00 GMT 2024
Country
Organization

Incoming (1)
IPv4 Address 34.117.186.192

URL
maltego.URL

http://165.227.85.125
Weight 0
Short title http://165.227.85.125
URL http://165.227.85.125
Title http://165.227.85.125

AlienVault OTX Link


View in browser: https://otx.alienvault.com/indicator/url/http://165.227.85.125
Incoming (1)
IPv4 Address 34.117.186.192

URL
maltego.URL

http://174.138.41.51
Weight 0
Short title http://174.138.41.51
URL http://174.138.41.51
Title http://174.138.41.51

AlienVault OTX Link
View in browser: https://otx.alienvault.com/indicator/url/http://174.138.41.51
Incoming (1)
IPv4 Address 34.117.186.192

SSL Certificate
maltego.X509Certificate

ipinfo.io
Weight 0
Subject ipinfo.io
Issuer R3
Subject DN
Issuer DN
SKI 6b68cc6a1d7a472f89e4787a29cee7debd6eb1d3
AKI
Serial 4b2adfd6efc5d042801485f37e1c6079d93
SAN [*.company.io, *.host.io, *.ipinfo.dev, *.ipinfo.io, *.ipinfo.net, *.ipinfo.org,
*.ipinfoio.com, *.useragent.io, company.io, host.io, ipinfo.dev, ipinfo.io,
ipinfo.net, ipinfo.org, ipinfoio.com, useragent.io]
Usage
Issuance ID
Valid From Fri Apr 19 00:00:00 GMT 2024
Valid Until Thu Jul 18 00:00:00 GMT 2024
Country
Organization

Incoming (1)
IPv4 Address 34.117.186.192

URL
maltego.URL

http://137.184.194.154
Weight 0
Short title http://137.184.194.154
URL http://137.184.194.154
Title http://137.184.194.154

AlienVault OTX Link
View in browser: https://otx.alienvault.com/indicator/url/http://137.184.194.154
Incoming (1)
IPv4 Address 34.117.186.192

URL
maltego.URL

http://159.65.233.72
Weight 0
Short title http://159.65.233.72
URL http://159.65.233.72
Title http://159.65.233.72

AlienVault OTX Link
View in browser: https://otx.alienvault.com/indicator/url/http://159.65.233.72
Incoming (1)
IPv4 Address 34.117.186.192

Banner
maltego.Banner

Weight 0
Text
Shodan Last Update 2024-07-08T18:42:17.394076
Full Banner HTTP/1.1 404 Not Found
Content-Length: 18
content-type: text/plain
via: 1.1 google
date: Mon, 08 Jul 2024 18:42:16 GMT

Banner Hash 1559705222


Banner HTTP/1.1 404 Not...
Banner port 80

Banner
HTTP/1.1 404 Not Found\r\nContent-Length: 18\r\ncontent-type:
text/plain\r\nvia: 1.1 google\r\ndate: Mon, 08 Jul 2024 18:42:16
GMT\r\n\r\n
Shodan
This banner was found on IP Address: 34.117.186.192 [Shodan Result]
Incoming (1)
IPv4 Address 34.117.186.192

URL
maltego.URL

http://167.99.153.101
Weight 0
Short title http://167.99.153.101
URL http://167.99.153.101
Title http://167.99.153.101

AlienVault OTX Link
View in browser: https://otx.alienvault.com/indicator/url/http://167.99.153.101
Incoming (1)
IPv4 Address 34.117.186.192

Banner
maltego.Banner

Weight 0
Text
Shodan Last Update 2024-07-05T11:25:27.241986
Full Banner HTTP/1.1 404 Not Found
Content-Length: 18
content-type: text/plain
via: 1.1 google
date: Fri, 05 Jul 2024 11:25:26 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

Banner Hash 1955952339


Banner HTTP/1.1 404 Not...
Banner port 443

Banner
HTTP/1.1 404 Not Found\r\nContent-Length: 18\r\ncontent-type:
text/plain\r\nvia: 1.1 google\r\ndate: Fri, 05 Jul 2024 11:25:26
GMT\r\nAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000\r\n\r\n
Shodan
This banner was found on IP Address: 34.117.186.192 [Shodan Result]
Incoming (1)
IPv4 Address 34.117.186.192

AbuseIPDB IP Report
maltego.abuseipdb.Report

2024-06-24T11:10:42+00:00

Weight 0
Reported At 2024-06-24T11:10:42+00:00
Comment Jun 24 08:10:35 SRC=34.117.186.192 PROTO=TCP SPT=443 DPT=46547
Jun 24 08:10:35 SRC=34.117.186.192 PROTO=TCP SPT=443 DPT=31335
SYN
Jun 24 08:10:35 SRC=34.117.186.192 PROTO=TCP SPT=443 DPT=31335
...
Categories Port Scan
Reporter Id 44299
Reporter Country Code DE
Reporter Country Name Germany

AbuseIPDB Details
Reporter: https://www.abuseipdb.com/user/44299
Incoming (1)
IPv4 Address 34.117.186.192

Censys Service Details
maltego.censys.ServiceDetails

443/HTTPS
Weight 0
IP Address 34.117.186.192
Banner Hex
Perspective ID PERSPECTIVE_TELIA
Transport Protocol TCP
Description 443/HTTPS
Port 443
Service banner HTTP/1.1 404 Not Found
Content-Length: 18
content-type: text/plain
via: 1.1 google
date: <REDACTED>
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Service 443:HTTPS

Censys Host Information
Open service on Censys dashboard

Extended Service Name HTTPS

Source IP 167.94.146.52

Port 443

Transport Protocol TCP

Observed At 2024-07-09T23:05:26.097549274Z

Incoming (1)
IPv4 Address 34.117.186.192

AbuseIPDB IP Report
maltego.abuseipdb.Report

2024-06-24T11:30:23+00:00
Weight 0
Reported At 2024-06-24T11:30:23+00:00
Comment aggressive portscan
...
Categories Port Scan
Reporter Id 62098
Reporter Country Code FR
Reporter Country Name France

AbuseIPDB Details
Reporter: https://www.abuseipdb.com/user/62098
Incoming (1)
IPv4 Address 34.117.186.192

Censys Service Details
maltego.censys.ServiceDetails

80/HTTP
Weight 0
IP Address 34.117.186.192
Banner Hex
Perspective ID PERSPECTIVE_HE
Transport Protocol TCP
Description 80/HTTP
Port 80
Service banner HTTP/1.1 404 Not Found
Content-Length: 18
content-type: text/plain
via: 1.1 google
date: <REDACTED>
Service 80:HTTP

Censys Host Information
Open service on Censys dashboard

Extended Service Name HTTP

Source IP 162.142.125.214

Port 80

Transport Protocol TCP

Observed At 2024-07-10T07:55:55.197042592Z

Incoming (1)
IPv4 Address 34.117.186.192

AbuseIPDB IP Report
maltego.abuseipdb.Report

2024-06-17T16:36:15+00:00
Weight 0
Reported At 2024-06-17T16:36:15+00:00
Comment SSH login attempts with user root.
Categories Brute-Force,Brute-Force,Exploited Host,Exploited Host
Reporter Id 148559
Reporter Country Code US
Reporter Country Name United States of America

AbuseIPDB Details
Reporter: https://www.abuseipdb.com/user/148559
Incoming (1)
IPv4 Address 34.117.186.192

AbuseIPDB IP Report
maltego.abuseipdb.Report

2024-06-18T17:34:42+00:00
Weight 0
Reported At 2024-06-18T17:34:42+00:00
Comment SSH login attempts with user root.
Categories Brute-Force,Brute-Force,Exploited Host,Exploited Host
Reporter Id 148559
Reporter Country Code US
Reporter Country Name United States of America

AbuseIPDB Details
Reporter: https://www.abuseipdb.com/user/148559

Incoming (1)
IPv4 Address 34.117.186.192

AbuseIPDB IP Report
maltego.abuseipdb.Report

2024-06-29T09:45:17+00:00
Weight 0
Reported At 2024-06-29T09:45:17+00:00
Comment Jun 29 12:26:35 server UFW BLOCK SRC=34.117.186.192 DF PROTO=TCP
SPT=443
Categories Port Scan
Reporter Id 75354
Reporter Country Code RO
Reporter Country Name Romania

AbuseIPDB Details
Reporter: https://www.abuseipdb.com/user/75354
Incoming (1)
IPv4 Address 34.117.186.192

AbuseIPDB IP Report
maltego.abuseipdb.Report

2024-07-01T13:49:44+00:00
Weight 0
Reported At 2024-07-01T13:49:44+00:00
Comment SSH login attempts with user root.
Categories Brute-Force,Exploited Host
Reporter Id 148559
Reporter Country Code US
Reporter Country Name United States of America

AbuseIPDB Details
Reporter: https://www.abuseipdb.com/user/148559
Incoming (1)
IPv4 Address 34.117.186.192

AbuseIPDB IP Report
maltego.abuseipdb.Report

2024-06-25T05:38:33+00:00

Weight 0
Reported At 2024-06-25T05:38:33+00:00
Comment SSH login attempts with user root.
Categories Brute-Force,Exploited Host
Reporter Id 148559
Reporter Country Code US
Reporter Country Name United States of America

AbuseIPDB Details
Reporter: https://www.abuseipdb.com/user/148559
Incoming (1)
IPv4 Address 34.117.186.192

AbuseIPDB IP Report
maltego.abuseipdb.Report

2024-06-29T09:25:50+00:00
Weight 0
Reported At 2024-06-29T09:25:50+00:00
Comment Jun 29 06:25:47 SRC=34.117.186.192 PROTO=TCP SPT=443 DPT=31705
SYN
Jun 29 06:25:47 SRC=34.117.186.192 PROTO=TCP SPT=443 DPT=31705
SYN
Jun 29 06:25:49 SRC=34.117.186.192 PROTO=TCP SPT=443 DPT=31705
...
Categories Port Scan
Reporter Id 44299
Reporter Country Code IS
Reporter Country Name Iceland

AbuseIPDB Details
Reporter: https://www.abuseipdb.com/user/44299
Incoming (1)
IPv4 Address 34.117.186.192

AbuseIPDB IP Report
maltego.abuseipdb.Report

2024-06-12T17:14:47+00:00
Weight 0
Reported At 2024-06-12T17:14:47+00:00
Comment SSH login attempts with user root.
Categories Brute-Force,Exploited Host
Reporter Id 148559
Reporter Country Code US
Reporter Country Name United States of America

AbuseIPDB Details
Reporter: https://www.abuseipdb.com/user/148559

Incoming (1)
IPv4 Address 34.117.186.192

IPQS Tag
maltego.ipqs.Tag

Abuse velocity: medium
Weight 100
Text Abuse velocity: medium

Incoming (1)
IPv4 Address 34.117.186.192

AbuseIPDB IP Report
maltego.abuseipdb.Report

2024-07-03T07:05:13+00:00
Weight 0
Reported At 2024-07-03T07:05:13+00:00
Comment Unauthorized connection attempt
Categories Brute-Force
Reporter Id 87994
Reporter Country Code NL
Reporter Country Name Netherlands (Kingdom of the)

AbuseIPDB Details
Reporter: https://www.abuseipdb.com/user/87994
Incoming (1)
IPv4 Address 34.117.186.192

AbuseIPDB IP Report
maltego.abuseipdb.Report

2024-07-08T18:46:19+00:00
Weight 0
Reported At 2024-07-08T18:46:19+00:00
Comment Banking Trojan reported by Trend Micro researchers.
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/g/
mekotio/mekotio-banking-trojan-threatens-financial-systems-in-latin-
america.txt
Categories Fraud Orders,Phishing
Reporter Id 60806
Reporter Country Code BR
Reporter Country Name Brazil

AbuseIPDB Details
Reporter: https://www.abuseipdb.com/user/60806

Incoming (1)
IPv4 Address 34.117.186.192

Shodan Tag
maltego.shodan.Tag

cloud
Weight 100
Text cloud

Incoming (1)
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

test2.cliff.tw
Weight 100
DNS Name test2.cliff.tw

Incoming (1)
IPv4 Address 34.117.186.192

SSL Certificate
maltego.X509Certificate

ipinfo.io
Weight 0
Subject ipinfo.io
Issuer R3
Subject DN CN=ipinfo.io
Issuer DN C=US, O=Let's Encrypt, CN=R3
SKI
AKI
Serial 302203689575303662225367543027433592014166
SAN [[Ljava.lang.String;@55caa918]
Usage
Issuance ID
Valid From 20240603192040Z
Valid Until 20240901192039Z
Country
Organization
Expired false

Shodan
This certificate was found on IP Address: 34.117.186.192 [Shodan Result]

Incoming (1)
IPv4 Address 34.117.186.192

Domain
maltego.Domain

google.com
Weight 0
Domain Name google.com
WHOIS Info

Incoming (1)
IPv4 Address 34.117.186.192

IPQS Tag
maltego.ipqs.Tag

Vpn
Weight 100
Text Vpn

IPQS Info
Indicates this IP is suspected of being part of a VPN. This can include data center ranges which can become
active VPNs at any time. The "proxy" status will always be true when this value is true.

Incoming (1)
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

ipinfo.dev
Weight 100
DNS Name ipinfo.dev

Incoming (1)
IPv4 Address 34.117.186.192

SSL Certificate Serial
maltego.SSLCertificateSerial

302203689575303662225367543027433592014166
Weight 0
Hash 302203689575303662225367543027433592014166
Hash Type Certificate Serial

Incoming (1)
IPv4 Address 34.117.186.192

Banner
maltego.Banner

Weight 0
Text
Banner HTTP/1.1 404 Not Found Content-Length: 18 content-type: text/plain via: 1.1
google date: Sun, 17 Dec 2023 16:43:35 GMT
Banner port 80

Banner
HTTP/1.1 404 Not Found Content-Length: 18 content-type: text/plain via:
1.1 google date: Sun, 17 Dec 2023 16:43:35 GMT
Incoming (1)
IPv4 Address 34.117.186.192

Banner
maltego.Banner

Weight 0
Text
Banner fault filter abort
Banner port 80

Banner
fault filter abort
Incoming (1)
IPv4 Address 34.117.186.192

Banner
maltego.Banner

Weight 0
Text
Banner HTTP/2 404 content-length: 18 content-type: text/plain via: 1.1 google date:
Sun, 17 Dec 2023 16:43:35 GMT alt-svc: h3=":443"; ma=2592000,h3-29=":443";
ma=2592000
Banner port 443

Banner
HTTP/2 404 content-length: 18 content-type: text/plain via: 1.1 google
date: Sun, 17 Dec 2023 16:43:35 GMT alt-svc: h3=":443"; ma=2592000,h3-29=
":443"; ma=2592000

Incoming (1)
IPv4 Address 34.117.186.192

Company
maltego.Company

[email protected]
Weight 60
Name [email protected]

Info

Relevance: 0.608791

Count: 3

Incoming (1)
IPv4 Address 34.117.186.192

Company
maltego.Company

RegDate
Weight 83
Name RegDate

Info

Relevance: 0.835825

Count: 2

Incoming (1)
IPv4 Address 34.117.186.192

Company
maltego.Company

American Registry for Internet Numbers, Ltd.
Weight 59
Name American Registry for Internet Numbers, Ltd.

Info

Relevance: 0.596187

Count: 2

Incoming (1)
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

ipinfo.riquitito.com
Weight 100
DNS Name ipinfo.riquitito.com

Incoming (1)
IPv4 Address 34.117.186.192

Company
maltego.Company

Google LLC
Weight 94
Name Google LLC

Info

Relevance: 0.943728

Count: 3

Incoming (1)
IPv4 Address 34.117.186.192

IPv4 Address
maltego.IPv4Address

34.64.0.0
Weight 94
IP Address 34.64.0.0
Internal false

Info

Relevance: 0.949713

Count: 2

Incoming (1)
IPv4 Address 34.117.186.192

Country
maltego.Country

United States of America

Weight 0
Country United States of America
City
Name United States of America
Street Address
Area
Area Code
Country Code US
Longitude 0.0
Latitude 0.0

Incoming (1)
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

743c55e0-a7f6-4cc7-8327-42f5d6631cea.looker.app
Weight 3
DNS Name 743c55e0-a7f6-4cc7-8327-42f5d6631cea.looker.app
DNSDB JSON Output {"count": 3, "time_first": 1683137057, "time_last": 1683137057, "rrname":
"743c55e0-a7f6-4cc7-8327-42f5d6631cea.looker.app.", "rrtype": "A", "rdata":
"34.117.186.192"}

DNSDB JSON Output
{"count": 3, "time_first": 1683137057, "time_last": 1683137057, "rrname": "743c55e0-a7f6-4cc7-8327-42f5d6631cea.looker.app.", "rrtype": "A", "rdata": "34.117.186.192"}

Incoming (1)
IPv4 Address 34.117.186.192

Netblock
maltego.Netblock

34.64.0.0-34.127.255.255
Weight 100
IP Range 34.64.0.0-34.127.255.255

Incoming (1)
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

agm-429076122901.backupdr.actifiogo.com
Weight 9
DNS Name agm-429076122901.backupdr.actifiogo.com
DNSDB JSON Output {"count": 9, "time_first": 1679521459, "time_last": 1679673548, "rrname":
"agm-429076122901.backupdr.actifiogo.com.", "rrtype": "A", "rdata":
"34.117.186.192"}

DNSDB JSON Output
{"count": 9, "time_first": 1679521459, "time_last": 1679673548, "rrname": "agm-429076122901.backupdr.actifiogo.com.",
"rrtype": "A", "rdata": "34.117.186.192"}

Incoming (1)
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

ipinfo.net
Weight 100
DNS Name ipinfo.net

Incoming (1)
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

www.ipinfo.io
Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name www.ipinfo.io
Date Resolved 2024-07-10T11:09:53Z
Resolver VirusTotal

Incoming (1)
IPv4 Address 34.117.186.192

AbuseIPDB Tag
maltego.abuseipdb.Tag

Data Center/Web Hosting/Transit
Weight 0
Text Data Center/Web Hosting/Transit

Incoming (1)
IPv4 Address 34.117.186.192

Location
maltego.Location

United States

Weight 100
Name United States
Country United States
City
Street Address
Area
Area Code
Country Code US
Longitude 0.0
Latitude 0.0
Continent North America

Info
Information retrieved from the Maxmind GeoLite2 DB.
Available Here.

Incoming (1)
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

company.io
Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name company.io
Date Resolved 2023-12-22T06:12:08Z
Resolver VirusTotal

Incoming (1)
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

useragent.io
Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name useragent.io
Date Resolved 2023-12-22T06:12:57Z
Resolver VirusTotal

Incoming (1)
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

www.ipinfo.io
Weight 1
DNS Name www.ipinfo.io
DNSDB JSON Output {"count": 1, "time_first": 1720608205, "time_last": 1720608205, "rrname":
"www.ipinfo.io.", "rrtype": "A", "rdata": "34.117.186.192"}

DNSDB JSON Output
{"count": 1, "time_first": 1720608205, "time_last": 1720608205, "rrname": "www.ipinfo.io.", "rrtype": "A", "rdata": "34.117.186.192"}

Incoming (1)
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

192.186.117.34.bc.googleusercontent.com
Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name 192.186.117.34.bc.googleusercontent.com
Date Resolved 2023-12-14T09:55:30Z
Resolver VirusTotal

Incoming (1)
IPv4 Address 34.117.186.192

ISP
maltego.ISP

Google LLC
Weight 0
Name Google LLC

Incoming (1)
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

website.ipinfo.io
Weight 10
DNS Name website.ipinfo.io
DNSDB JSON Output {"count": 10, "time_first": 1705053450, "time_last": 1713899789, "rrname":
"website.ipinfo.io.", "rrtype": "A", "rdata": "34.117.186.192"}

DNSDB JSON Output
{"count": 10, "time_first": 1705053450, "time_last": 1713899789, "rrname": "website.ipinfo.io.", "rrtype": "A", "rdata":
"34.117.186.192"}

Incoming (1)
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

rr1---sn-11haecwz.poc.cdnfastly.net
Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name rr1---sn-11haecwz.poc.cdnfastly.net
Date Resolved 2024-07-04T19:59:48Z
Resolver VirusTotal

Incoming (1)
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

test2.cliff.tw
Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name test2.cliff.tw
Date Resolved 2024-07-04T20:00:04Z
Resolver VirusTotal

Incoming (1)
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

dev.host.io
Weight 10
DNS Name dev.host.io
DNSDB JSON Output {"count": 10, "time_first": 1702715624, "time_last": 1713116966, "rrname":
"dev.host.io.", "rrtype": "A", "rdata": "34.117.186.192"}

DNSDB JSON Output
{"count": 10, "time_first": 1702715624, "time_last": 1713116966, "rrname": "dev.host.io.", "rrtype": "A", "rdata": "34.117.186.192"}

Incoming (1)
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

polybuttontrend.com
Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name polybuttontrend.com
Date Resolved 2024-01-24T03:07:19Z
Resolver Georgia Institute of Technology

Incoming (1)
IPv4 Address 34.117.186.192

A Record
maltego.ARecord

ipinfo.riquitito.com
Weight 0
IPv4 Address 34.117.186.192
Time to Live (TTL) 0
DNS Name ipinfo.riquitito.com
Date Resolved 2024-07-01T18:54:34Z
Resolver VirusTotal

Incoming (1)
IPv4 Address 34.117.186.192

Location
maltego.Location

Kansas City, United States
Weight 0
Name Kansas City, United States
Country United States
City Kansas City
Street Address
Area Missouri
Area Code 64106
Country Code US
Longitude -94.57857
Latitude 39.09973

Censys Location Information
Open location on Censys dashboard
Incoming (1)
IPv4 Address 34.117.186.192

DNS Name
maltego.DNSName

rr1---sn-11haecwz.poc.cdnfastly.net
Weight 100
DNS Name rr1---sn-11haecwz.poc.cdnfastly.net

Incoming (1)
IPv4 Address 34.117.186.192
