Windows Analysis Report
CLNGs0rZD4.exe

Overview

General Information

Sample name: CLNGs0rZD4.exe
renamed because original name is a hash value
Original sample name: ba0db716b761edf63293ab94b5e74f0f.exe
Analysis ID: 1541865
MD5: ba0db716b761edf63293ab94b5e74f0f
SHA1: 4a21b911f4c1e9b86796377fcdaccd05e0697776
SHA256: 8c9936c01e1adef5c7a8763c8f095f0ed9053b800e212294fc29c05d683b2ea7
Tags: 64exe

Detection

Sliver
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Sliver Implants
AI detected suspicious sample
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Writes to foreign memory regions
Creates a process in suspended mode (likely to inject code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
PE file contains more sections than normal
PE file contains sections with non-standard names
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Yara signature match

Classification

Name: Sliver
Description: According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver

AV Detection

Source: CLNGs0rZD4.exe ReversingLabs: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: CLNGs0rZD4.exe Joe Sandbox ML: detected
Source: CLNGs0rZD4.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Source: C:\Windows\explorer.exe Network Connect: 34.22.231.73 443
Source: Joe Sandbox View ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS
Source: Network traffic Suricata IDS: 2850023 - Severity 1 - ETPRO JA3 Hash - Possible Ligolo Server/Golang Binary Response : 34.22.231.73:443 -> 192.168.2.6:55400
Source: unknown DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 34.22.231.73
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 55400 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55400
Source: unknown Network traffic detected: HTTP traffic on port 55395 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55395
Source: explorer.exe, 00000003.00000002.3405497706.000000C000182000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices memstr_e9d2a3c7-c

System Summary

Source: CLNGs0rZD4.exe, type: SAMPLE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.0.CLNGs0rZD4.exe.7ff6e8840000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.CLNGs0rZD4.exe.7ff6e8840000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000003.00000002.3404033112.0000000004B71000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 00000003.00000002.3402461880.0000000003C2F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 00000000.00000002.2175628426.00007FF6E88F8000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000000.2159400728.00007FF6E88F8000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000003.00000002.3401343293.0000000000800000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2171227596.000001A96A531000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: explorer.exe PID: 5264, type: MEMORYSTR Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: CLNGs0rZD4.exe Static PE information: Number of sections : 19 > 10
Source: CLNGs0rZD4.exe, type: SAMPLE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.0.CLNGs0rZD4.exe.7ff6e8840000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.CLNGs0rZD4.exe.7ff6e8840000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000003.00000002.3404033112.0000000004B71000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 00000003.00000002.3402461880.0000000003C2F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 00000000.00000002.2175628426.00007FF6E88F8000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000000.2159400728.00007FF6E88F8000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000003.00000002.3401343293.0000000000800000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2171227596.000001A96A531000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: explorer.exe PID: 5264, type: MEMORYSTR Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: classification engine Classification label: mal96.troj.evad.winEXE@4/1@1/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3960:120:WilError_03
Source: C:\Windows\explorer.exe File opened: C:\Windows\system32\9953560394ab05fca6ab04dd8b46ba74ee75865b8a04b4dbd463b820e163b64aAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Process created: C:\Windows\explorer.exe
Source: CLNGs0rZD4.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: CLNGs0rZD4.exe ReversingLabs: Detection: 57%
Source: unknown Process created: C:\Users\user\Desktop\CLNGs0rZD4.exe "C:\Users\user\Desktop\CLNGs0rZD4.exe"
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: mscoree.dll
Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe Section loaded: winmm.dll
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
Source: CLNGs0rZD4.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: CLNGs0rZD4.exe Static file information: File size 7852704 > 1048576
Source: CLNGs0rZD4.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x53b600
Source: CLNGs0rZD4.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: CLNGs0rZD4.exe Static PE information: section name: .xdata
Source: CLNGs0rZD4.exe Static PE information: section name: /4
Source: CLNGs0rZD4.exe Static PE information: section name: /19
Source: CLNGs0rZD4.exe Static PE information: section name: /31
Source: CLNGs0rZD4.exe Static PE information: section name: /45
Source: CLNGs0rZD4.exe Static PE information: section name: /57
Source: CLNGs0rZD4.exe Static PE information: section name: /70
Source: CLNGs0rZD4.exe Static PE information: section name: /81
Source: CLNGs0rZD4.exe Static PE information: section name: /97
Source: CLNGs0rZD4.exe Static PE information: section name: /113
Source: C:\Windows\explorer.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: explorer.exe, 00000003.00000002.3401745300.0000000000E83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 34.22.231.73 443
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Memory allocated: C:\Windows\explorer.exe base: 800000 protect: page execute and read and write
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Memory written: PID: 5264 base: 800000 value: E8
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Thread register set: target process: 5264
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Memory written: C:\Windows\explorer.exe base: 800000
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\Desktop\CLNGs0rZD4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000002.3405497706.000000C000138000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5264, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000003.00000002.3405497706.000000C000138000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5264, type: MEMORYSTR