Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 22, 2023, 5:26 p.m.	March 22, 2023, 5:32 p.m.

Size	253.0KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`9faea65cff61ad64e4bc4c3913c336be`
SHA256	`987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7`
CRC32	`E3DE3B4C`
ssdeep	`6144:UYf6pfKeeeeeeuPUn+AQTGTDFNDlzZID9+K7JPF:T6pieeeeeeupIDT7II0j`
Yara	Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) PE_Header_Zero - PE File Signature

svchost.exe C:\Windows\system32\svchost.exe
2876
- svchost.exe C:\Windows\system32\svchost.exe
  2500
- svchost.exe C:\Windows\system32\svchost.exe
  2628
- svchost.exe C:\Windows\system32\svchost.exe
  1796
- svchost.exe C:\Windows\system32\svchost.exe
  1320

Name	Response	Post-Analysis Lookup
hbfuels.com	A 85.233.160.148	85.233.160.148
michiana.org
rtcasey.com	A 69.195.90.46	69.195.90.46
jabian.com	A 104.26.7.17 A 172.67.71.13 A 104.26.6.17	104.26.7.17
xinhui.net	A 43.255.29.192	43.255.29.192
wolffkran.de
riwn.org	A 198.49.23.145 A 198.185.159.144 A 198.49.23.144 A 198.185.159.145	198.49.23.144
envogen.com	A 104.21.73.149 A 172.67.163.101	104.21.73.149
tabbles.net	A 172.67.135.146 A 104.21.7.22	104.21.7.22
muhr-soehne.de	A 5.189.171.125	5.189.171.125
anduran.com	A 18.119.154.66 CNAME hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com A 3.140.13.188 CNAME traff-6.hugedomains.com CNAME hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com CNAME traff-2.hugedomains.com A 3.130.253.23 A 3.130.204.160	54.161.222.85
pleszew.policja.gov.pl	A 91.229.22.126	91.229.22.126
ossir.org	A 51.159.3.117	51.159.3.117
nt-hat.com
pro-fa.com
www.kernsafe.com	A 104.26.3.124 A 104.26.2.124 A 172.67.72.98	172.67.72.98
com
zugseil.com	A 92.42.191.38	92.42.191.38
shteeble.com	A 185.106.129.180	185.106.129.180
angework.com	A 219.94.128.87	219.94.128.87
gbmfg.com	A 151.101.194.132 A 151.101.130.132 A 151.101.66.132 A 151.101.2.132	151.101.2.132
www.mqs.com.br	A 170.82.173.30 A 170.82.174.30 CNAME www.mqs.com.br.cdn.gocache.net	170.82.173.30
www.mobilnic.net	A 154.203.14.100	154.203.14.100
www.udesign.biz
workplus.hu	A 172.67.197.24 A 104.21.92.183	104.21.92.183
www.netcr.com	CNAME hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com A 3.18.7.81 CNAME traff-3.hugedomains.com A 3.19.116.195	3.18.7.81
touchfam.ca	A 15.197.142.173 A 3.33.152.147	15.197.142.173
roewer.de	A 45.142.176.225	45.142.176.225
aoinko.net	A 157.7.107.38	157.7.107.38
dzm.cz	A 83.167.255.150	83.167.255.150
www.pwd.org	CNAME pwd.org A 208.109.214.162	208.109.214.162
strazynski.pl	A 85.128.196.22	85.128.196.22
www.iamdirt.com	CNAME gcdn0.wixdns.net A 34.117.168.233 CNAME td-ccm-168-233.wixdns.net	34.117.168.233
www.fnsds.org	A 34.237.200.184 CNAME comingsoon.namebright.com A 54.236.92.93 CNAME cdl-lb-1356093980.us-east-1.elb.amazonaws.com	34.237.200.184
www.pupi.cz	A 103.224.182.241	103.224.182.241
peminet.net	A 198.54.117.242	198.54.117.242
www.ottospm.com	A 104.21.63.28 A 172.67.142.169 CNAME www.ottospm.com.cdn.cloudflare.net	104.21.63.28
kewlmail.com	A 63.251.106.25	63.251.106.25
siongann.com	A 104.21.8.75 A 172.67.156.237	104.21.8.75
www.muhr-soehne.de	A 5.189.171.125	5.189.171.125
www.crcsi.org	A 165.227.252.190 CNAME crcsi.org	165.227.252.190
mail.airmail.net	A 66.226.70.66	66.226.70.66
webways.com	A 172.67.128.139 A 104.21.1.51	172.67.128.139
mail7.digitalwaves.co.nz
www.spanesi.com	A 5.196.166.214	5.196.166.214
wvs-net.de	A 172.67.181.113 A 104.21.43.163	104.21.43.163
mackusick.de	A 217.160.0.131	217.160.0.131
adeesa.net	A 104.21.77.146 A 172.67.209.11	172.67.209.11
mikihan.com	A 153.126.211.112	153.126.211.112
nrsi.com	A 76.223.35.103	76.223.35.103
www.otena.com	A 99.83.154.118	99.83.154.118
dspears.com	CNAME traff-5.hugedomains.com A 34.205.242.146 A 54.161.222.85 CNAME hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com CNAME traff-1.hugedomains.com A 52.71.57.184 A 54.209.32.212 CNAME hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com	52.71.57.184
www.pohlfood.com	A 104.218.10.254 CNAME pohlfood.com	104.218.10.254
xult.org	A 65.52.128.33	65.52.128.33
htsmx.net	A 63.251.106.25	63.251.106.25
onzcda.com	A 13.248.169.48 A 76.223.54.146	13.248.169.48
vivastay.com	CNAME hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com A 3.18.7.81 CNAME traff-3.hugedomains.com A 3.19.116.195	3.18.7.81
shenhgts.net	A 199.59.243.220	199.59.243.220
jsaps.com	A 49.212.235.59	49.212.235.59
okashimo.com	A 203.137.75.45	203.137.75.45
www.dayvo.com	A 104.21.68.7 A 172.67.184.30	172.67.184.30
agitz.com.br
www.olras.com	A 80.93.82.33	80.93.82.33
madjek.com
www.vexcom.com	A 104.21.55.224 A 172.67.173.200	104.21.55.224
ruzee.com	A 207.180.198.201	207.180.198.201
www.findbc.com	A 76.223.65.111 A 13.248.216.40	13.248.216.40
duiops.net	A 135.125.108.170	135.125.108.170
softizer.com	A 185.163.45.187	185.163.45.187
cbaben.com	A 173.205.126.33	173.205.126.33
awal.ws	A 127.0.0.1	127.0.0.1
bigzz.by	A 178.249.70.75	178.249.70.75
unicus.jp	A 49.212.232.113	49.212.232.113
beafin.com	A 133.125.38.187	133.125.38.187
assideum.com	A 52.219.179.0 A 52.219.178.96	52.219.97.204
nlcv.bas.bg	A 195.96.252.188	195.96.252.188
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 104.74.211.103	104.74.211.103
fundeo.com	A 104.24.161.27 A 172.67.97.62 A 104.24.160.27	172.67.97.62
geecl.com	A 213.175.217.57	213.175.217.57
www.dgmna.com	CNAME dgmna.com A 192.124.249.20	192.124.249.20
haigh-me.com
kevyt.net	A 104.21.2.101 A 172.67.129.18	172.67.129.18
amele.com
cutchie.com	A 199.59.243.223	199.59.243.222
dwid.de	A 87.230.93.218	87.230.93.218
from30ty.com	A 157.7.231.224	157.7.231.224
yhsll.com	A 154.88.50.199	154.88.50.199
juso-gr.ch	A 104.21.50.140 A 172.67.163.173	104.21.50.140
someikan.com
hamaker.net	A 34.102.136.180	34.102.136.180
skgm.ru	A 91.201.52.102	91.201.52.102
de
www.medius.si	A 13.225.131.86 CNAME d2r2uj0bnofxxz.cloudfront.net A 13.225.131.31 A 13.225.131.76 A 13.225.131.51	18.64.8.44
cjcagent.com	A 157.112.187.75	157.112.187.75
umcor.am	A 172.67.135.11 A 104.21.6.168	172.67.135.11
plaske.ua	A 52.211.245.146	52.211.245.146
clinicasanluis.com.co	A 104.21.66.220 A 172.67.164.178	104.21.66.220
btsi.com.ph	A 69.46.30.77	69.46.30.77
hyab.se	A 172.67.199.57 A 104.21.52.126	104.21.52.126
mkm-gr.com	A 79.124.76.247	79.124.76.247
magicomm.co.uk	A 83.223.113.46	83.223.113.46
host.do	A 217.79.248.38	217.79.248.38
samtv.ro
agulatex.com	A 133.125.38.187	133.125.38.187
www.photo4b.com	A 195.78.66.50	195.78.66.50
avc.com.sa
kustnara.com	A 75.2.70.75 A 13.248.155.104 A 76.223.27.102 A 99.83.190.102	75.2.70.75
burstner.ru	A 62.122.170.171	62.122.170.171
averwin.com
fortknox.bm	A 216.177.137.32	216.177.137.32
www.xaicom.es	CNAME xaicom.es A 188.165.133.163	188.165.133.163
sinwal.com	A 172.67.206.199 A 104.21.50.138	104.21.50.138
nblewis.com	A 52.0.29.214 A 35.168.185.204 A 35.169.15.168	35.169.15.168
icd-host.com	A 192.252.159.165 A 192.252.159.116	192.252.159.116
daytonir.com	A 172.64.147.213 A 104.18.40.43	104.18.40.43
cpwpb.com
www.c9dd.com	A 188.166.152.188	188.166.152.188
nels.co.uk	A 5.134.13.210	5.134.13.210
epc.com.au	A 103.4.16.43	103.4.16.43
www.koz1.net
pers.com	A 192.124.249.3	192.124.249.3
nolaoig.org	A 54.212.145.129	54.212.145.129
isom.org	A 192.124.249.14	192.124.249.14
sidepath.com	A 34.193.69.252 A 75.2.70.75 A 99.83.190.102 A 34.193.204.92	99.83.190.102
snf.it	A 95.174.22.233	95.174.22.233
fifa-ews.com	A 172.67.189.227 A 104.21.10.34	172.67.189.227
www.11tochi.net	A 157.112.176.4	157.112.176.4
wnit.org	A 38.111.255.201	38.111.255.201
www.quadlock.com	A 70.39.251.249 CNAME quadlock.com	70.39.251.249
www.usadig.com	A 198.100.146.220	198.100.146.220
ktenergo.ru
www.pr-park.com	A 118.27.125.181	118.27.125.181
www.com-sit.com	A 104.26.10.81 A 104.26.11.81 A 172.67.70.223	172.67.70.223
www.synetik.net	CNAME synetik.net A 193.166.255.171	193.166.255.171
www.jroy.net
orlyhotel.com	A 104.21.48.207 A 172.67.156.49	172.67.156.49
gydrozo.ru	A 91.220.211.163	91.220.211.163
canmore.com
metaforacom.com	A 185.42.105.162	185.42.105.162
ssm.ch	A 93.189.66.202	93.189.66.202
banvari.com	A 23.227.38.32	23.227.38.32
sigtoa.com	A 104.21.49.75 A 172.67.160.168	104.21.49.75
www.jenco.co.uk	A 104.21.23.9 A 172.67.208.67	172.67.208.67
dayvo.com	A 104.21.68.7 A 172.67.184.30	104.21.68.7
webband.com
cqdgroup.com	A 221.132.33.88	221.132.33.88
univi.it	A 18.197.121.220	18.197.121.220
a-domani.com	A 183.90.232.24	183.90.232.24
techtrans.de	A 185.237.66.112	185.237.66.112
msl-lock.com	A 165.160.15.20 A 165.160.13.20	165.160.13.20
www.yocinc.org	A 66.94.119.160	66.94.119.160
aba.org.eg	A 192.169.149.78	192.169.149.78
amba-tc.si
smtp.sbcglobal.yahoo.com	CNAME smtp-sbc.mail.yahoo.com A 67.195.12.38 A 66.163.170.48 A 66.218.88.163 CNAME smtp1.sbc.mail.am0.yahoodns.net	66.218.88.163
chzko.ru
pccj.net	A 172.67.148.147 A 104.21.29.72	104.21.29.72
www.tyrns.com	A 62.75.216.137	62.75.216.137
keio-web.com	A 219.94.128.216	219.94.128.216
multip.hu
nts-web.net	A 49.212.235.175	49.212.235.175
notis.ru	A 185.178.208.141	185.178.208.141
gujarat.com	A 172.67.145.148 A 104.21.73.143	172.67.145.148
shesfit.com	A 104.21.74.141 A 172.67.158.251	104.21.74.141
www.yumgiskor.kz
cpmteam.com	A 172.67.188.75 A 104.21.32.240	104.21.32.240
www.holleman.us	A 51.79.51.72	51.79.51.72
flamingorecordings.com	A 35.214.171.193	35.214.171.193
www.maktraxx.com	CNAME maktraxx.com A 72.44.93.236	72.44.93.236
themark.org	A 35.172.94.1 A 100.24.208.97	35.172.94.1
www.valdal.com	A 104.26.6.221 A 172.67.73.176 A 104.26.7.221	104.26.7.221
mjrcpas.com	A 154.81.136.239	154.81.136.239
ciicsc.com
shanks.co.uk	A 217.19.254.22	217.19.254.22
insia.com	A 82.208.6.9	82.208.6.9
www.abart.pl	CNAME abart.pl A 89.161.163.246	89.161.163.246
www.pb-games.com	CNAME pb-games.com A 173.254.28.29	173.254.28.29
www.pcgrate.com	A 172.67.201.26 A 104.21.66.46	104.21.66.46
www.hyabmagneter.se	A 104.21.69.146 A 172.67.209.90	172.67.209.90
bggs.com	A 35.230.155.43	35.230.155.43
avse.hu	A 185.129.138.60	185.129.138.60
www.ora.ecnet.jp	CNAME ora.ecnet.jp A 60.43.154.138	60.43.154.138
cvswl.org
www.ftchat.com
biosolve.com	A 151.101.130.159	151.101.130.159
infotech.pl	A 79.96.32.254	79.96.32.254
deckoviny.cz	A 88.86.118.82	88.86.118.82
actmin.com
www.cel-cpa.com	A 104.196.26.65	104.196.26.65
www.nelipak.nl	A 82.201.61.230	82.201.61.230
fogra.com.pl	A 85.128.55.51	85.128.55.51
ccssinc.com	A 172.67.185.152 A 104.21.19.68	104.21.19.68
t-trust.jp	A 183.181.82.14	183.181.82.14
www.fink.com	A 69.163.218.51	69.163.218.51
cubodown.com	A 104.21.30.14 A 172.67.150.50	104.21.30.14
oh28ya.com	A 18.176.155.206 A 54.248.94.67	18.176.155.206
www.speelhal.net	A 217.19.237.54	217.19.237.54
in1.smtp.messagingengine.com	A 66.111.4.74 A 66.111.4.75 A 66.111.4.72 A 66.111.4.73 A 66.111.4.70 A 66.111.4.71	66.111.4.73
www.stnic.co.uk	A 77.68.50.105	77.68.50.105
forbin.net	A 104.21.41.152 A 172.67.148.35	172.67.148.35
arowines.com	A 104.164.117.233	104.164.117.233
zemarmot.net	A 164.132.175.106	164.132.175.106
tozzhin.com	A 202.94.166.30	202.94.166.30
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.57	23.216.159.81
akdeniz.nl	A 109.71.54.22	109.71.54.22
www.jacomfg.com	A 96.127.180.42	96.127.180.42
uster.com	A 104.20.221.29 A 104.20.220.29 A 172.67.32.172	104.20.220.29
koz1.net
hazmatt.com	A 205.178.189.131	205.178.189.131
absblast.com	A 141.193.213.20	141.193.213.20
invictus.pl	A 193.107.88.74	193.107.88.74
revoldia.net	A 45.200.235.135	45.200.235.135
portoccd.org	A 51.89.6.56	51.89.6.56
webavant.com	A 148.72.176.26	148.72.176.26
www.aevga.com	CNAME aevga.com A 108.167.164.216	108.167.164.216
www.naoi-a.com	A 202.254.236.40	202.254.236.40
www.railbook.net	A 213.227.141.97	199.115.115.119
www.t-tre.com	A 135.181.73.98	135.181.73.98
grlawcc.com
www.lrsuk.com	CNAME language-recruitment.eu-2.volcanic.cloud A 18.64.8.108 CNAME d2kt7vovxa5e81.cloudfront.net A 18.64.8.69 A 18.64.8.103 A 18.64.8.80	18.64.8.80
cbras.com	A 54.39.198.18	54.39.198.18
awfraser.com
atis-sk.ca
t-mould.com	A 81.169.145.175	81.169.145.175
www.edimart.hu	A 81.2.194.241	81.2.194.241
wanoa.com	A 164.90.244.158 A 159.89.244.183	164.90.244.158
ftmobile.com	A 199.34.228.78	199.34.228.78
kavram.com	A 104.21.89.126 A 172.67.189.68	104.21.89.126
ccrsi.org	A 198.209.253.30	198.209.253.30
biurohera.pl	A 54.36.175.146 A 79.96.161.192	79.96.161.192
dbnet.at	A 188.94.254.88	188.94.254.88
www.medisa.info
listel.co.jp	A 49.212.243.77	49.212.243.77
www.credo.edu.pl	A 62.122.190.121	62.122.190.121
www.vazir.se	A 206.191.152.37	206.191.152.37
www.fe-bauer.de	A 3.65.101.129	3.65.101.129
valselit.com	A 193.70.68.254	193.70.68.254
akr.co.id	A 104.20.123.68 A 104.20.122.68 A 172.67.33.252	104.20.123.68
www.tvtools.fi	A 172.67.152.159 A 104.21.88.198	172.67.152.159
piacton.com
www.tc17.com	A 104.21.79.244 A 172.67.150.80	172.67.150.80
com-edit.fr	A 63.251.106.25	63.251.106.25
www.sjbs.org	CNAME sjbs.org A 69.163.239.62	69.163.239.62
atb-lit.com	A 208.100.26.245	208.100.26.245
www.sclover3.com	A 157.112.182.239	157.112.182.239
dhh.la.gov	A 52.200.51.73	52.200.51.73
esmoke.net	A 204.15.134.44	204.15.134.44
rokoron.com	A 211.13.204.3	211.13.204.3
bible.org	A 172.67.33.95 A 104.20.54.214 A 104.20.55.214	104.20.55.214
impexnc.com	A 204.11.56.48	204.11.56.48
www.elpro.si	A 172.67.70.22 A 104.26.14.53 A 104.26.15.53	172.67.70.22
midap.com	A 198.49.23.145 A 198.185.159.144 A 198.49.23.144 A 198.185.159.145	198.49.23.145
ie-roi.com
mxs.mail.ru	A 217.69.139.150 A 94.100.180.31	94.100.180.31
top1oil.com	A 104.26.1.82 A 104.26.0.82 A 172.67.71.55	104.26.0.82
shztm.ru	A 62.122.170.171	62.122.170.171
smtp.live.com	CNAME a-0010.a-msedge.net A 204.79.197.212	204.79.197.212
gmail-smtp-in.l.google.com	A 74.125.203.26 A 64.233.187.27	74.125.204.27
kursavto.ru	A 31.177.76.70 A 31.177.80.70	31.177.76.70
www.snugpak.com	A 104.21.73.182 A 172.67.165.62	104.21.73.182
org
ftchat.com
www.gpthink.com	A 39.99.233.155	39.99.233.155
ikulani.com	A 157.7.107.88	157.7.107.88
rappich.de	A 89.31.143.1	89.31.143.1
gcss.com	A 35.186.238.101	35.186.238.101
www.waldi.pl	A 46.242.238.60 CNAME waldi.pl	46.242.238.60
www.pdqhomes.com	CNAME traff-1.hugedomains.com A 52.71.57.184 A 54.209.32.212 CNAME hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com	52.86.6.113
nekono.net	A 202.172.28.187	202.172.28.187
www.abdg.com	A 192.252.154.18	192.252.154.18
n23china.com
uhsa.edu.ag	A 192.124.249.13	192.124.249.13
enguita.net	A 195.5.116.23	195.5.116.23
www.yoruksut.com	A 93.187.206.66	93.187.206.66
sjbmw.com	A 198.199.101.195	198.199.101.195
www.ka-mo-me.com	A 211.1.226.67	211.1.226.67
any-s.net	A 108.170.12.50	108.170.12.50
stopllc.com	A 162.241.233.114	162.241.233.114
www.stajum.com	A 103.3.1.161	103.3.1.161
www.ora-ito.com	A 213.186.33.40	213.186.33.40
www.ex-olive.com	A 210.140.73.39	210.140.73.39
refintl.org	A 198.49.23.145 A 198.185.159.144 A 198.49.23.144 A 198.185.159.145	198.49.23.145
www.baijaku.com	CNAME baijaku.com A 59.106.19.204	59.106.19.204
e-asset.net
www.wkhk.net
scip.org.uk	A 104.26.12.244 A 172.67.72.150 A 104.26.13.244	172.67.72.150
pertex.com	A 185.151.30.147	185.151.30.147
www.fnw.us	A 137.118.26.67 CNAME fnw.us	137.118.26.67
rast.se	A 89.221.250.3	89.221.250.3
e-kami.net	A 202.172.28.89	202.172.28.89
www.vitaindu.com	A 122.128.109.107	122.128.109.107
www.item-pr.com	CNAME item-pr.com A 213.186.33.17 A 185.15.129.58	185.15.129.58
jnf.at	A 136.243.147.81	136.243.147.81
web-york.com	A 219.94.129.97	219.94.129.97
ludomemo.com	A 27.0.174.59	27.0.174.59
amic.at	A 78.46.224.133	78.46.224.133
www.valselit.com	A 193.70.68.254	193.70.68.254
gbp-jp.com	A 208.80.122.2 A 208.80.123.195 A 208.80.123.104 A 208.80.122.205	208.80.123.104
ncn.de	A 46.30.60.158	46.30.60.158
h-et-l.com
www.alteor.cl	CNAME gcdn0.wixdns.net A 34.117.168.233 CNAME td-ccm-168-233.wixdns.net	34.117.168.233
bosado.com	A 5.39.75.157	5.39.75.157
websy.com
www.cokocoko.com	CNAME hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com A 3.18.7.81 CNAME traff-3.hugedomains.com A 3.19.116.195	34.205.242.146
www.domon.com	CNAME shops.myshopify.com CNAME meubles-domon.myshopify.com A 23.227.38.74	23.227.38.74
4locals.net	A 80.82.115.227	80.82.115.227
nme.co.jp	A 203.0.113.0	203.0.113.0
floopis.com	A 3.64.163.50	3.64.163.50
diamir.de	A 138.201.65.187	138.201.65.187
johnlyon.org	A 141.193.213.20	141.193.213.20
mijash3.com	A 198.49.23.144 A 198.185.159.144 A 198.185.159.145 A 198.49.23.145	198.49.23.144
www.nunomira.com	CNAME nunomira.com A 192.241.158.94	192.241.158.94
coxkitchensandbaths.com	A 205.149.134.32	205.149.134.32
apcotex.com	A 35.154.163.204	35.154.163.204
www.hummer.hu	CNAME hummer.hu A 185.80.51.179	185.80.51.179
www.jchysk.com	A 208.97.178.138	208.97.178.138
komie.com	A 59.106.13.181	59.106.13.181
www.wifi4all.nl	A 104.21.42.10 A 172.67.198.26	104.21.42.10
www.transsib.com	CNAME studyrussian.com CNAME www.studyrussian.com A 80.74.154.6	80.74.154.6
slower.it	A 127.0.0.11	127.0.0.11
ntc.edu.au	A 192.124.249.15	192.124.249.15
hyab.com	A 104.21.65.224 A 172.67.193.133	172.67.193.133
89gospel.com
alexpope.biz	A 76.74.184.61	76.74.184.61
cyclad.pl	A 87.98.236.253	87.98.236.253
oozkranj.com	A 212.44.102.57	212.44.102.57
ascc.org.au	A 203.210.102.34	203.210.102.34
mackusick.com	A 217.160.0.179	217.160.0.179
www.rs-ag.com	A 172.67.152.88 A 104.21.1.213	104.21.1.213
www.fcwcvt.org	A 172.67.134.134 A 104.21.25.200	172.67.134.134
www.nqks.com	A 147.154.0.23 CNAME zemonitor-websites-hibu-com.c.inregion.waas.oci.oraclecloud.net CNAME hibu34.inregion.waas.oci.oraclecloud.net CNAME hibu-4.zenedge.net CNAME live.websites.hibu.com	147.154.0.23
pcoyuncu.com	A 213.142.131.159	213.142.131.159
indonesiamedia.com	A 74.208.215.145	74.208.215.145
kumaden.com	A 49.212.180.178	49.212.180.178
www.2print.com	CNAME 2print.com A 107.180.98.101	107.180.98.101
www.owsports.ca
hyabmagneter.se	A 104.21.69.146 A 172.67.209.90	104.21.69.146
polprime.com
ramkome.com	A 62.75.216.107	62.75.216.107
adventist.ro	A 49.12.155.123	49.12.155.123
sgk.home.pl	A 89.161.136.188	89.161.136.188
www.myropcb.com	A 74.208.215.199	74.208.215.199
www.evcpa.com	A 192.124.249.10 CNAME evcpa.com	192.124.249.10
www.x0c.com	A 185.53.177.50	185.53.177.50
wahw.com.au	A 54.194.190.151	54.194.190.151
www.wnsavoy.com	A 96.91.204.114	96.91.204.114
ldh.la.gov	A 75.2.95.235	75.2.95.235
gphpedit.org	A 127.0.0.1	127.0.0.1
noblesse.be	A 5.134.4.115	5.134.4.115
www.reglera.com	A 64.125.133.18 CNAME reglera.com	64.125.133.18
www.petsfan.com	CNAME traff-4.hugedomains.com A 52.86.6.113 A 3.94.41.167 CNAME hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com	3.130.253.23
dataform.co.uk	A 83.223.113.46	83.223.113.46
zupraha.cz	A 77.78.104.3	77.78.104.3
nettlinx.org	A 202.53.77.146	202.53.77.146
kayoaiba.com	A 154.213.117.166	154.213.117.166
www.depalo.com	A 172.217.31.19 CNAME ghs.googlehosted.com	142.250.207.115
mondopp.net	A 173.231.184.124	173.231.184.124
alt4.gmail-smtp-in.l.google.com	A 142.250.152.27	142.250.152.27
106west.com	A 148.130.4.196	148.130.4.196
toundo.net
paraski.org	A 94.130.164.242	94.130.164.242
missnue.com	A 104.21.234.121 A 104.21.234.120	104.21.234.121

IP Address	Status	Action
103.224.182.241	Active	Moloch
103.3.1.161	Active	Moloch
103.4.16.43	Active	Moloch
104.164.117.233	Active	Moloch
104.18.40.43	Active	Moloch
104.196.26.65	Active	Moloch
104.20.123.68	Active	Moloch
104.20.220.29	Active	Moloch
104.21.1.213	Active	Moloch
104.21.1.51	Active	Moloch
104.21.2.101	Active	Moloch
104.21.23.9	Active	Moloch
104.21.234.120	Active	Moloch
104.21.30.14	Active	Moloch
104.21.41.152	Active	Moloch
104.21.42.10	Active	Moloch
104.21.48.207	Active	Moloch
104.21.50.138	Active	Moloch
104.21.6.168	Active	Moloch
104.21.66.220	Active	Moloch
104.21.66.46	Active	Moloch
104.21.68.7	Active	Moloch
104.21.7.22	Active	Moloch
104.21.73.143	Active	Moloch
104.21.77.146	Active	Moloch
104.21.92.183	Active	Moloch
104.218.10.254	Active	Moloch
104.24.161.27	Active	Moloch
104.26.1.82	Active	Moloch
104.26.10.81	Active	Moloch
104.26.12.244	Active	Moloch
104.26.15.53	Active	Moloch
104.26.3.124	Active	Moloch
104.26.6.17	Active	Moloch
104.26.7.221	Active	Moloch
104.74.211.103	Active	Moloch
107.180.98.101	Active	Moloch
108.167.164.216	Active	Moloch
108.170.12.50	Active	Moloch
109.71.54.22	Active	Moloch
118.27.125.181	Active	Moloch
121.254.136.27	Active	Moloch
122.128.109.107	Active	Moloch
128.8.10.90	Active	Moloch
13.225.131.31	Active	Moloch
13.248.155.104	Active	Moloch
13.248.169.48	Active	Moloch
133.125.38.187	Active	Moloch
135.125.108.170	Active	Moloch
135.181.73.98	Active	Moloch
136.243.147.81	Active	Moloch
137.118.26.67	Active	Moloch
138.201.65.187	Active	Moloch
141.193.213.20	Active	Moloch
142.250.152.27	Active	Moloch
147.154.0.23	Active	Moloch
148.130.4.196	Active	Moloch
148.72.176.26	Active	Moloch
151.101.130.159	Active	Moloch
151.101.66.132	Active	Moloch
153.120.34.73	Active	Moloch
153.126.211.112	Active	Moloch
154.203.14.100	Active	Moloch
154.213.117.166	Active	Moloch
154.81.136.239	Active	Moloch
154.88.50.199	Active	Moloch
157.112.176.4	Active	Moloch
157.112.182.239	Active	Moloch
157.112.187.75	Active	Moloch
157.7.107.38	Active	Moloch
157.7.107.88	Active	Moloch
157.7.231.224	Active	Moloch
159.89.244.183	Active	Moloch
162.241.233.114	Active	Moloch
164.124.101.2	Active	Moloch
164.132.175.106	Active	Moloch
164.90.244.158	Active	Moloch
165.160.13.20	Active	Moloch
165.227.252.190	Active	Moloch
170.82.173.30	Active	Moloch
172.217.31.19	Active	Moloch
172.67.134.134	Active	Moloch
172.67.135.146	Active	Moloch
172.67.142.169	Active	Moloch
172.67.148.147	Active	Moloch
172.67.150.80	Active	Moloch
172.67.152.159	Active	Moloch
172.67.156.237	Active	Moloch
172.67.158.251	Active	Moloch
172.67.160.168	Active	Moloch
172.67.163.101	Active	Moloch
172.67.163.173	Active	Moloch
172.67.165.62	Active	Moloch
172.67.173.200	Active	Moloch
172.67.181.113	Active	Moloch
172.67.184.30	Active	Moloch
172.67.185.152	Active	Moloch
172.67.188.75	Active	Moloch
172.67.189.227	Active	Moloch
172.67.189.68	Active	Moloch
172.67.193.133	Active	Moloch
172.67.199.57	Active	Moloch
172.67.209.90	Active	Moloch
172.67.33.95	Active	Moloch
173.205.126.33	Active	Moloch
173.231.184.124	Active	Moloch
173.254.28.29	Active	Moloch
178.249.70.75	Active	Moloch
18.176.155.206	Active	Moloch
18.197.121.220	Active	Moloch
18.64.8.103	Active	Moloch
183.181.82.14	Active	Moloch
183.90.232.24	Active	Moloch
185.106.129.180	Active	Moloch
185.129.138.60	Active	Moloch
185.151.30.147	Active	Moloch
185.163.45.187	Active	Moloch
185.178.208.141	Active	Moloch
185.237.66.112	Active	Moloch
185.42.105.162	Active	Moloch
185.53.177.50	Active	Moloch
185.80.51.179	Active	Moloch
188.165.133.163	Active	Moloch
188.166.152.188	Active	Moloch
188.94.254.88	Active	Moloch
192.124.249.10	Active	Moloch
192.124.249.13	Active	Moloch
192.124.249.14	Active	Moloch
192.124.249.15	Active	Moloch
192.124.249.20	Active	Moloch
192.124.249.3	Active	Moloch
192.169.149.78	Active	Moloch
192.203.230.10	Active	Moloch
192.241.158.94	Active	Moloch
192.252.154.18	Active	Moloch
192.252.159.165	Active	Moloch
192.33.4.12	Active	Moloch
192.36.148.17	Active	Moloch
192.58.128.30	Active	Moloch
193.0.14.129	Active	Moloch
193.107.88.74	Active	Moloch
193.166.255.171	Active	Moloch
193.70.68.254	Active	Moloch
195.5.116.23	Active	Moloch
195.78.66.50	Active	Moloch
195.96.252.188	Active	Moloch
198.1.81.28	Active	Moloch
198.100.146.220	Active	Moloch
198.185.159.144	Active	Moloch
198.185.159.145	Active	Moloch
198.199.101.195	Active	Moloch
198.209.253.30	Active	Moloch
198.32.64.12	Active	Moloch
198.41.0.4	Active	Moloch
198.49.23.144	Active	Moloch
198.54.117.242	Active	Moloch
199.34.228.78	Active	Moloch
199.59.243.220	Active	Moloch
199.59.243.223	Active	Moloch
202.12.27.33	Active	Moloch
202.172.28.187	Active	Moloch
202.172.28.89	Active	Moloch
202.254.236.40	Active	Moloch
202.53.77.146	Active	Moloch
202.94.166.30	Active	Moloch
203.137.75.45	Active	Moloch
203.210.102.34	Active	Moloch
204.11.56.48	Active	Moloch
204.15.134.44	Active	Moloch
204.79.197.212	Active	Moloch
205.149.134.32	Active	Moloch
205.178.189.131	Active	Moloch
206.191.152.37	Active	Moloch
207.180.198.201	Active	Moloch
208.100.26.245	Active	Moloch
208.109.214.162	Active	Moloch
208.80.122.2	Active	Moloch
208.97.178.138	Active	Moloch
210.140.73.39	Active	Moloch
211.1.226.67	Active	Moloch
211.13.196.162	Active	Moloch
211.13.204.3	Active	Moloch
212.44.102.57	Active	Moloch
213.142.131.159	Active	Moloch
213.175.217.57	Active	Moloch
213.186.33.17	Active	Moloch
213.186.33.40	Active	Moloch
213.227.141.97	Active	Moloch
216.177.137.32	Active	Moloch
217.160.0.131	Active	Moloch
217.160.0.179	Active	Moloch
217.19.237.54	Active	Moloch
217.19.254.22	Active	Moloch
217.69.139.150	Active	Moloch
217.79.248.38	Active	Moloch
219.94.128.216	Active	Moloch
219.94.128.87	Active	Moloch
219.94.129.97	Active	Moloch
221.132.33.88	Active	Moloch
23.227.38.32	Active	Moloch
23.227.38.74	Active	Moloch
27.0.174.59	Active	Moloch
3.130.253.23	Active	Moloch
3.140.13.188	Active	Moloch
3.18.7.81	Active	Moloch
3.19.116.195	Active	Moloch
3.33.152.147	Active	Moloch
3.64.163.50	Active	Moloch
3.65.101.129	Active	Moloch
3.94.41.167	Active	Moloch
31.177.76.70	Active	Moloch
31.177.80.70	Active	Moloch
34.102.136.180	Active	Moloch
34.117.168.233	Active	Moloch
34.205.242.146	Active	Moloch
35.154.163.204	Active	Moloch
35.168.185.204	Active	Moloch
35.172.94.1	Active	Moloch
35.186.238.101	Active	Moloch
35.214.171.193	Active	Moloch
35.230.155.43	Active	Moloch
38.111.255.201	Active	Moloch
39.99.233.155	Active	Moloch
43.255.29.192	Active	Moloch
45.142.176.225	Active	Moloch
45.200.235.135	Active	Moloch
46.242.238.60	Active	Moloch
46.30.60.158	Active	Moloch
49.12.155.123	Active	Moloch
49.212.180.178	Active	Moloch
49.212.232.113	Active	Moloch
49.212.235.175	Active	Moloch
49.212.235.59	Active	Moloch
49.212.243.77	Active	Moloch
5.134.13.210	Active	Moloch
5.134.4.115	Active	Moloch
5.189.171.125	Active	Moloch
5.196.166.214	Active	Moloch
5.39.75.157	Active	Moloch
51.159.3.117	Active	Moloch
51.79.51.72	Active	Moloch
51.89.6.56	Active	Moloch
52.200.51.73	Active	Moloch
52.211.245.146	Active	Moloch
52.219.178.96	Active	Moloch
52.219.179.0	Active	Moloch
52.71.57.184	Active	Moloch
54.194.190.151	Active	Moloch
54.209.32.212	Active	Moloch
54.212.145.129	Active	Moloch
54.236.92.93	Active	Moloch
54.39.198.18	Active	Moloch
59.106.13.181	Active	Moloch
59.106.19.204	Active	Moloch
60.43.154.138	Active	Moloch
62.122.170.171	Active	Moloch
62.122.190.121	Active	Moloch
62.75.216.107	Active	Moloch
62.75.216.137	Active	Moloch
63.251.106.25	Active	Moloch
64.125.133.18	Active	Moloch
64.233.187.27	Active	Moloch
65.52.128.33	Active	Moloch
66.111.4.70	Active	Moloch
66.163.170.48	Active	Moloch
66.226.70.66	Active	Moloch
66.94.119.160	Active	Moloch
69.163.218.51	Active	Moloch
69.163.239.62	Active	Moloch
69.195.90.46	Active	Moloch
69.46.30.77	Active	Moloch
70.39.251.249	Active	Moloch
72.44.93.236	Active	Moloch
74.125.203.26	Active	Moloch
74.208.215.145	Active	Moloch
74.208.215.199	Active	Moloch
75.2.70.75	Active	Moloch
75.2.95.235	Active	Moloch
76.223.27.102	Active	Moloch
76.223.35.103	Active	Moloch
76.223.65.111	Active	Moloch
76.74.184.61	Active	Moloch
77.68.50.105	Active	Moloch
77.78.104.3	Active	Moloch
78.46.224.133	Active	Moloch
79.124.76.247	Active	Moloch
79.96.161.192	Active	Moloch
79.96.32.254	Active	Moloch
80.74.154.6	Active	Moloch
80.82.115.227	Active	Moloch
80.93.82.33	Active	Moloch
81.169.145.175	Active	Moloch
81.2.194.241	Active	Moloch
82.201.61.230	Active	Moloch
82.208.6.9	Active	Moloch
83.167.255.150	Active	Moloch
83.223.113.46	Active	Moloch
85.128.196.22	Active	Moloch
85.128.55.51	Active	Moloch
85.233.160.148	Active	Moloch
87.230.93.218	Active	Moloch
87.98.236.253	Active	Moloch
88.86.118.82	Active	Moloch
89.161.136.188	Active	Moloch
89.161.163.246	Active	Moloch
89.221.250.3	Active	Moloch
89.31.143.1	Active	Moloch
91.201.52.102	Active	Moloch
91.220.211.163	Active	Moloch
91.229.22.126	Active	Moloch
92.42.191.38	Active	Moloch
93.187.206.66	Active	Moloch
93.189.66.202	Active	Moloch
94.130.164.242	Active	Moloch
95.174.22.233	Active	Moloch
96.127.180.42	Active	Moloch
96.91.204.114	Active	Moloch
99.83.154.118	Active	Moloch
99.83.190.102	Active	Moloch
77.73.134.27	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 104.21.23.9:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 192.124.249.20:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 34.117.168.233:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 70.39.251.249:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 192.124.249.20:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 172.217.31.19:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 104.26.7.221:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 172.67.152.159:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 54.209.32.212:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 172.67.134.134:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 62.122.190.121:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 80.93.82.33:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 104.26.15.53:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 172.67.134.134:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 104.21.42.10:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 104.26.7.221:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 80.93.82.33:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 70.39.251.249:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 62.122.190.121:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49190 -> 66.94.119.160:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 104.26.15.53:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49192 -> 185.80.51.179:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49180 -> 192.252.154.18:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49193 -> 206.191.152.37:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49187 -> 172.67.165.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49190 -> 66.94.119.160:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49163 -> 118.27.125.181:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49184 -> 3.94.41.167:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 34.117.168.233:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49197 -> 122.128.109.107:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49191 -> 192.241.158.94:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49194 -> 80.74.154.6:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49189 -> 195.78.66.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 185.53.177.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 206.191.152.37:80 -> 192.168.56.101:49193	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	A Network Trojan was detected
TCP 192.168.56.101:49191 -> 192.241.158.94:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49195 -> 170.82.173.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49192 -> 185.80.51.179:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
UDP 192.168.56.101:56482 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
TCP 192.168.56.101:49194 -> 80.74.154.6:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49202 -> 60.43.154.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 18.64.8.103:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49195 -> 170.82.173.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49202 -> 60.43.154.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49199 -> 135.181.73.98:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 18.64.8.103:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49198 -> 165.227.252.190:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 193.70.68.254:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 213.186.33.40:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 104.21.66.46:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 39.99.233.155:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 82.201.61.230:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 46.242.238.60:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 54.209.32.212:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49199 -> 135.181.73.98:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49233 -> 103.3.1.161:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49182 -> 3.94.41.167:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 210.140.73.39:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 104.26.3.124:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 104.26.3.124:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 72.44.93.236:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 3.18.7.81:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49235 -> 208.109.214.162:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49186 -> 213.186.33.17:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49235 -> 208.109.214.162:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49188 -> 104.21.1.213:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 172.67.173.200:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49236 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49233 -> 103.3.1.161:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49236 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49196 -> 89.161.163.246:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 69.163.239.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49236 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49234 -> 5.196.166.214:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49200 -> 202.254.236.40:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 3.19.116.195:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49236 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49238 -> 172.67.150.80:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 217.19.237.54:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49200 -> 202.254.236.40:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49236 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49238 -> 172.67.150.80:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 69.163.239.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 3.19.116.195:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 62.75.216.137:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49226 -> 188.166.152.188:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49245 -> 93.187.206.66:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 81.2.194.241:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49253 -> 188.165.133.163:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 96.127.180.42:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49253 -> 188.165.133.163:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49230 -> 104.196.26.65:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 3.18.7.81:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49250 -> 104.26.10.81:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49258 -> 154.203.14.100:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49232 -> 104.21.68.7:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49231 -> 23.227.38.74:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49230 -> 104.196.26.65:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49237 -> 69.163.218.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 76.223.65.111:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 107.180.98.101:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 213.186.33.40:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49237 -> 69.163.218.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49259 -> 103.224.182.241:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 82.201.61.230:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49248 -> 13.225.131.31:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 96.127.180.42:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 51.79.51.72:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49248 -> 13.225.131.31:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49255 -> 108.167.164.216:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49224 -> 208.97.178.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49255 -> 108.167.164.216:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 81.2.194.241:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49257 -> 172.67.142.169:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49224 -> 208.97.178.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 76.223.65.111:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49256 -> 77.68.50.105:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49228 -> 208.97.178.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49264 -> 104.218.10.254:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49256 -> 77.68.50.105:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49241 -> 74.208.215.199:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49261 -> 213.227.141.97:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49266 -> 173.254.28.29:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49263 -> 54.236.92.93:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49291 -> 157.7.231.224:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49249 -> 211.1.226.67:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49272 -> 172.67.188.75:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49278 -> 198.185.159.145:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49249 -> 211.1.226.67:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49251 -> 192.124.249.10:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49301 -> 192.124.249.14:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49239 -> 69.163.218.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49286 -> 88.86.118.82:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49251 -> 192.124.249.10:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49240 -> 147.154.0.23:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49313 -> 172.67.148.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49260 -> 213.227.141.97:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49314 -> 59.106.13.181:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49283 -> 104.18.40.43:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49265 -> 157.112.176.4:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49304 -> 49.212.232.113:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49267 -> 157.112.182.239:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49280 -> 3.130.253.23:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49293 -> 211.13.204.3:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49330 -> 172.67.199.57:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49303 -> 172.67.160.168:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49276 -> 141.193.213.20:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49288 -> 104.18.40.43:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49295 -> 104.26.12.244:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49335 -> 104.21.1.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49310 -> 172.67.189.68:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49326 -> 78.46.224.133:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49346 -> 104.21.48.207:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49315 -> 104.21.7.22:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49384 -> 172.67.193.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49322 -> 202.53.77.146:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49296 -> 202.94.166.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49319 -> 89.31.143.1:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49340 -> 49.12.155.123:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49356 -> 173.205.126.33:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49331 -> 3.33.152.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49349 -> 80.82.115.227:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49348 -> 192.124.249.3:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49337 -> 148.72.176.26:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49352 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49324 -> 157.7.107.38:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49377 -> 157.112.187.75:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49371 -> 195.96.252.188:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49357 -> 219.94.128.87:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49398 -> 83.167.255.150:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49309 -> 5.134.13.210:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49373 -> 49.12.155.123:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49364 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49361 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49388 -> 3.130.253.23:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49401 -> 198.185.159.144:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49423 -> 172.67.209.90:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49353 -> 185.106.129.180:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49374 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49323 -> 202.53.77.146:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49381 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49375 -> 104.26.12.244:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49428 -> 5.134.13.210:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49354 -> 103.4.16.43:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49433 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49456 -> 157.7.107.88:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49413 -> 172.67.156.237:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49438 -> 202.172.28.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49442 -> 35.214.171.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49443 -> 65.52.128.33:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49452 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49417 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 138.201.65.187:443 -> 192.168.56.101:49468	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49383 -> 141.193.213.20:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49463 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49462 -> 5.189.171.125:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49467 -> 108.170.12.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49410 -> 18.197.121.220:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49459 -> 93.189.66.202:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49419 -> 46.30.60.158:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49479 -> 3.19.116.195:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49309 -> 5.134.13.210:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49475 -> 35.214.171.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:55246 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
TCP 192.168.56.101:49476 -> 172.67.163.101:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49311 -> 148.72.176.26:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49474 -> 46.30.60.158:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49466 -> 172.67.209.90:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.237.66.112:443 -> 192.168.56.101:49481	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49489 -> 133.125.38.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49369 -> 151.101.66.132:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49323 -> 202.53.77.146:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49496 -> 35.214.171.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49328 -> 195.5.116.23:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49512 -> 83.223.113.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49318 -> 31.177.76.70:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49456 -> 157.7.107.88:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49365 -> 199.59.243.223:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49532 -> 35.214.171.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49386 -> 104.21.66.220:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49393 -> 52.211.245.146:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49493 -> 211.13.204.3:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49392 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49544 -> 83.167.255.150:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49486 -> 138.201.65.187:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49385 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49549 -> 35.214.171.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49372 -> 217.19.254.22:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49561 -> 192.124.249.13:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49495 -> 27.0.174.59:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49523 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.237.66.112:443 -> 192.168.56.101:49541	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49565 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49407 -> 185.163.45.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49520 -> 63.251.106.25:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49576 -> 76.223.27.102:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49411 -> 91.220.211.163:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49354 -> 103.4.16.43:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49569 -> 108.170.12.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49436 -> 138.201.65.187:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49419 -> 46.30.60.158:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 185.237.66.112:443 -> 192.168.56.101:49592	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 63.251.106.25:80 -> 192.168.56.101:49520	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	A Network Trojan was detected
TCP 63.251.106.25:80 -> 192.168.56.101:49520	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	A Network Trojan was detected
TCP 192.168.56.101:49399 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49534 -> 92.42.191.38:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49624 -> 45.200.235.135:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49574 -> 151.101.66.132:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 35.214.171.193:443 -> 192.168.56.101:49563	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49566 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49450 -> 138.201.65.187:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49426 -> 35.214.171.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49457 -> 198.185.159.144:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49437 -> 172.67.184.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 185.237.66.112:443 -> 192.168.56.101:49590	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49644 -> 81.169.145.175:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49671 -> 172.67.135.146:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49438 -> 202.172.28.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49582 -> 89.221.250.3:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49326 -> 78.46.224.133:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49455 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 35.214.171.193:443 -> 192.168.56.101:49458	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49674 -> 202.94.166.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49687 -> 183.90.232.24:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49354 -> 103.4.16.43:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49405 -> 162.241.233.114:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49704 -> 185.151.30.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49453 -> 87.98.236.253:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49621 -> 198.199.101.195:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49504 -> 138.201.65.187:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49717 -> 192.252.159.165:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49691 -> 159.89.244.183:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49506 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49700 -> 192.124.249.15:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49289 -> 104.21.6.168:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49627 -> 49.12.155.123:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49731 -> 104.21.92.183:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49551 -> 151.101.66.132:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49464 -> 212.44.102.57:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49529 -> 85.128.55.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49658 -> 3.19.116.195:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49731 -> 104.21.92.183:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49761 -> 192.252.159.165:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49488 -> 52.219.179.0:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 185.237.66.112:443 -> 192.168.56.101:49482	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 138.201.65.187:443 -> 192.168.56.101:49570	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49577 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49483 -> 83.223.113.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49424 -> 91.229.22.126:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49667 -> 3.140.13.188:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49762 -> 104.26.1.82:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49580 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49492 -> 69.195.90.46:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49594 -> 192.124.249.13:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49446 -> 211.13.204.3:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49624 -> 45.200.235.135:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49798 -> 198.185.159.144:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49598 -> 89.161.136.188:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49435 -> 5.189.171.125:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 35.214.171.193:443 -> 192.168.56.101:49509	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49507 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 138.201.65.187:443 -> 192.168.56.101:49519	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49815 -> 192.169.149.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49524 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49725 -> 51.89.6.56:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49454 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.237.66.112:443 -> 192.168.56.101:49540	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49601 -> 63.251.106.25:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49737 -> 193.70.68.254:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49791 -> 216.177.137.32:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49818 -> 104.20.220.29:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49661 -> 202.53.77.146:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49572 -> 172.67.189.227:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49802 -> 192.169.149.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49465 -> 76.74.184.61:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49348 -> 192.124.249.3:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49834 -> 172.67.185.152:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49473 -> 133.125.38.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49681 -> 104.21.73.143:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49748 -> 219.94.128.216:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49813 -> 45.142.176.225:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49554 -> 141.193.213.20:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49469 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49470 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49689 -> 51.159.3.117:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49837 -> 5.134.4.115:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49840 -> 165.160.13.20:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49747 -> 76.223.35.103:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49497 -> 172.67.188.75:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49697 -> 198.54.117.242:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49850 -> 192.124.249.3:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49864 -> 3.19.116.195:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49702 -> 95.174.22.233:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49711 -> 192.252.159.165:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49514 -> 104.21.2.101:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49713 -> 81.169.145.175:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49543 -> 138.201.65.187:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49589 -> 34.205.242.146:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49890 -> 104.21.41.152:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49827 -> 135.125.108.170:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49560 -> 138.201.65.187:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49713 -> 81.169.145.175:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49914 -> 34.102.136.180:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49599 -> 133.125.38.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49555 -> 18.197.121.220:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49607 -> 172.67.33.95:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49856 -> 46.30.60.158:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49722 -> 77.78.104.3:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49588 -> 88.86.118.82:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49869 -> 183.181.82.14:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49947 -> 159.89.244.183:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49453 -> 87.98.236.253:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49391 -> 104.21.6.168:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49613 -> 159.89.244.183:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49818 -> 104.20.220.29:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49492 -> 69.195.90.46:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49750 -> 51.159.3.117:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49883 -> 5.39.75.157:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49633 -> 91.201.52.102:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50011 -> 199.34.228.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49635 -> 193.107.88.74:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49909 -> 27.0.174.59:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49365 -> 199.59.243.223:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49679 -> 104.21.234.120:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50047 -> 76.223.27.102:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49626 -> 45.142.176.225:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50017 -> 198.49.23.144:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49812 -> 69.46.30.77:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49694 -> 151.101.130.159:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49982 -> 136.243.147.81:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50064 -> 83.167.255.150:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49642 -> 213.142.131.159:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50020 -> 49.212.235.59:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49708 -> 104.26.6.17:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49657 -> 35.186.238.101:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50073 -> 35.172.94.1:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50036 -> 49.212.243.77:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50041 -> 159.89.244.183:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49555 -> 18.197.121.220:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50045 -> 185.129.138.60:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49365 -> 199.59.243.223:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49770 -> 89.31.143.1:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50054 -> 203.210.102.34:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50067 -> 104.20.123.68:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49633 -> 91.201.52.102:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49958 -> 79.96.161.192:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49783 -> 153.126.211.112:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50071 -> 52.219.178.96:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49988 -> 104.164.117.233:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49795 -> 219.94.129.97:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49756 -> 104.21.30.14:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49820 -> 192.169.149.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49758 -> 172.67.181.113:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49777 -> 35.230.155.43:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50043 -> 63.251.106.25:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50051 -> 173.231.184.124:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 173.231.184.124:80 -> 192.168.56.101:50051	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	A Network Trojan was detected
TCP 192.168.56.101:49796 -> 104.26.12.244:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 173.231.184.124:80 -> 192.168.56.101:50051	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	A Network Trojan was detected
TCP 192.168.56.101:49275 -> 154.213.117.166:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50065 -> 178.249.70.75:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49931 -> 92.42.191.38:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49975 -> 217.79.248.38:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49892 -> 18.176.155.206:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49996 -> 172.67.188.75:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49908 -> 63.251.106.25:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50038 -> 198.199.101.195:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50039 -> 49.212.235.59:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50044 -> 199.59.243.220:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49971 -> 185.178.208.141:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49993 -> 3.19.116.195:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50005 -> 65.52.128.33:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50025 -> 51.89.6.56:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50035 -> 49.212.180.178:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50042 -> 91.201.52.102:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49728 -> 199.34.228.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49956 -> 104.21.6.168:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50076 -> 208.100.26.245:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:50075 -> 35.154.163.204:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49929 -> 154.213.117.166:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49289 -> 104.21.6.168:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49741 -> 172.67.163.173:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49858 -> 207.180.198.201:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49809 -> 85.233.160.148:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 193.166.255.171:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49330 172.67.199.57:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	04:c9:15:e0:a1:18:74:04:16:cb:98:fd:73:56:cf:7d:99:35:cb:75
TLSv1 192.168.56.101:49303 172.67.160.168:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	39:60:5f:8a:b0:63:95:b4:7b:c1:8a:c0:a2:87:dc:a4:4d:b7:94:a6
TLSv1 192.168.56.101:49346 104.21.48.207:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	8e:eb:ad:d2:6e:53:39:1d:ea:e0:21:c4:22:9a:ee:d0:93:3d:62:6a
TLSv1 192.168.56.101:49384 172.67.193.133:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	28:54:2c:72:71:1b:3f:88:07:e2:1d:7b:6c:1b:7f:45:bc:7e:fe:1c
TLSv1 192.168.56.101:49423 172.67.209.90:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	0f:0a:0c:90:f8:6d:9f:92:6a:fc:87:76:90:56:46:b5:a5:4e:41:70
TLSv1 192.168.56.101:49462 5.189.171.125:443	None	None	None
TLSv1 192.168.56.101:49466 172.67.209.90:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	0f:0a:0c:90:f8:6d:9f:92:6a:fc:87:76:90:56:46:b5:a5:4e:41:70
TLSv1 192.168.56.101:49512 83.223.113.46:443	C=US, O=Let's Encrypt, CN=R3	CN=magicomm.co.uk	c7:bb:94:3f:a7:23:97:e0:93:f5:69:24:eb:a6:85:25:92:3b:d3:e1
TLSv1 192.168.56.101:49386 104.21.66.220:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=*.clinicasanluis.com.co	29:ac:43:1a:71:82:7f:ec:3f:09:c7:81:24:9c:1e:24:f4:10:94:b6
TLSv1 192.168.56.101:49483 83.223.113.46:443	C=US, O=Let's Encrypt, CN=R3	CN=magicomm.co.uk	c7:bb:94:3f:a7:23:97:e0:93:f5:69:24:eb:a6:85:25:92:3b:d3:e1
TLSv1 192.168.56.101:49424 91.229.22.126:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018	C=PL, ST=Mazowieckie, L=Warszawa, O=Komenda Glowna Policji, CN=*.policja.gov.pl	3d:fe:e4:18:9c:81:af:dd:a8:f5:e3:51:55:cb:6e:5e:89:7f:65:e2
TLSv1 192.168.56.101:49435 5.189.171.125:443	C=US, O=Let's Encrypt, CN=R3	CN=muhr-soehne.com	53:27:b3:3c:95:07:9d:ec:95:5c:07:b2:f1:75:0e:ea:5b:36:10:83

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 22, 2023, 5:27 p.m.	computer_name: TEST22-PC	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptGenKey March 22, 2023, 5:27 p.m.	crypto_handle: 0x0041cd80 algorithm_identifier: 0x00006801 (CALG_RC4) flags: 8388609 key: h"£&Ú; À7ªÁ3¥D¥ provider_handle: 0x0047fda8	1	1
CryptExportKey March 22, 2023, 5:27 p.m.	buffer: h"£&Ú; À7ªÁ3¥D¥ crypto_handle: 0x0041cd80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey March 22, 2023, 5:27 p.m.	buffer: h¤¾ªí{ðRúäl©yJf/°S¥¯ÄnGê'ÝJcª^Â¬Ï'ÉojÕ@VJFu8\| .®oÍc\|õ4gñr(H5P-«`[¼XãôV\|×¸+#.¾u"%ëZ!å;né=ýý¥Ätæ]ñ5f\|X crypto_handle: 0x0041cd80 flags: 0 crypto_export_handle: 0x0041cdc0 blob_type: 1	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 22, 2023, 5:27 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

OMT

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (50 out of 254 events)

suspicious_features	POST method with no referer header	suspicious_request	POST http://www.pr-park.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.jenco.co.uk/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.baijaku.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.quadlock.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.pdqhomes.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.tvtools.fi/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.alteor.cl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.olras.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.dgmna.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.valdal.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.elpro.si/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.credo.edu.pl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.depalo.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.iamdirt.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.wifi4all.nl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.abdg.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.fcwcvt.org/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.petsfan.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.synetik.net/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.item-pr.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.snugpak.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.rs-ag.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.photo4b.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.yocinc.org/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.nunomira.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.hummer.hu/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.vazir.se/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.transsib.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.mqs.com.br/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.abart.pl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.vitaindu.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.crcsi.org/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.t-tre.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.naoi-a.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.valselit.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.ora.ecnet.jp/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.waldi.pl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.gpthink.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.ora-ito.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.nelipak.nl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.kernsafe.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.cokocoko.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.ex-olive.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.2print.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.x0c.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.holleman.us/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.tyrns.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.vexcom.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.edimart.hu/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.speelhal.net/

Performs some HTTP requests (50 out of 267 events)

request	POST http://www.pr-park.com/
request	POST http://www.jenco.co.uk/
request	POST http://www.baijaku.com/
request	POST http://www.quadlock.com/
request	POST http://www.pdqhomes.com/
request	POST http://www.tvtools.fi/
request	POST http://www.alteor.cl/
request	POST http://www.olras.com/
request	POST http://www.dgmna.com/
request	POST http://www.valdal.com/
request	POST http://www.elpro.si/
request	POST http://www.credo.edu.pl/
request	POST http://www.depalo.com/
request	POST http://www.iamdirt.com/
request	POST http://www.wifi4all.nl/
request	POST http://www.abdg.com/
request	POST http://www.fcwcvt.org/
request	POST http://www.petsfan.com/
request	POST http://www.synetik.net/
request	POST http://www.item-pr.com/
request	POST http://www.snugpak.com/
request	POST http://www.rs-ag.com/
request	POST http://www.photo4b.com/
request	POST http://www.yocinc.org/
request	POST http://www.nunomira.com/
request	POST http://www.hummer.hu/
request	POST http://www.vazir.se/
request	POST http://www.transsib.com/
request	POST http://www.mqs.com.br/
request	POST http://www.abart.pl/
request	POST http://www.vitaindu.com/
request	POST http://www.crcsi.org/
request	POST http://www.t-tre.com/
request	POST http://www.naoi-a.com/
request	POST http://www.valselit.com/
request	POST http://www.ora.ecnet.jp/
request	POST http://www.waldi.pl/
request	POST http://www.gpthink.com/
request	POST http://www.ora-ito.com/
request	POST http://www.nelipak.nl/
request	POST http://www.kernsafe.com/
request	POST http://www.cokocoko.com/
request	POST http://www.ex-olive.com/
request	POST http://www.2print.com/
request	POST http://www.x0c.com/
request	POST http://www.holleman.us/
request	POST http://www.tyrns.com/
request	POST http://www.vexcom.com/
request	POST http://www.edimart.hu/
request	POST http://www.speelhal.net/

Sends data using the HTTP POST Method (50 out of 254 events)

request	POST http://www.pr-park.com/
request	POST http://www.jenco.co.uk/
request	POST http://www.baijaku.com/
request	POST http://www.quadlock.com/
request	POST http://www.pdqhomes.com/
request	POST http://www.tvtools.fi/
request	POST http://www.alteor.cl/
request	POST http://www.olras.com/
request	POST http://www.dgmna.com/
request	POST http://www.valdal.com/
request	POST http://www.elpro.si/
request	POST http://www.credo.edu.pl/
request	POST http://www.depalo.com/
request	POST http://www.iamdirt.com/
request	POST http://www.wifi4all.nl/
request	POST http://www.abdg.com/
request	POST http://www.fcwcvt.org/
request	POST http://www.petsfan.com/
request	POST http://www.synetik.net/
request	POST http://www.item-pr.com/
request	POST http://www.snugpak.com/
request	POST http://www.rs-ag.com/
request	POST http://www.photo4b.com/
request	POST http://www.yocinc.org/
request	POST http://www.nunomira.com/
request	POST http://www.hummer.hu/
request	POST http://www.vazir.se/
request	POST http://www.transsib.com/
request	POST http://www.mqs.com.br/
request	POST http://www.abart.pl/
request	POST http://www.vitaindu.com/
request	POST http://www.crcsi.org/
request	POST http://www.t-tre.com/
request	POST http://www.naoi-a.com/
request	POST http://www.valselit.com/
request	POST http://www.ora.ecnet.jp/
request	POST http://www.waldi.pl/
request	POST http://www.gpthink.com/
request	POST http://www.ora-ito.com/
request	POST http://www.nelipak.nl/
request	POST http://www.kernsafe.com/
request	POST http://www.cokocoko.com/
request	POST http://www.ex-olive.com/
request	POST http://www.2print.com/
request	POST http://www.x0c.com/
request	POST http://www.holleman.us/
request	POST http://www.tyrns.com/
request	POST http://www.vexcom.com/
request	POST http://www.edimart.hu/
request	POST http://www.speelhal.net/

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 22, 2023, 5:26 p.m.	process_identifier: 2876 region_size: 581632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2023, 5:26 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 5:27 p.m.	process_identifier: 2876 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 5:27 p.m.	process_identifier: 2876 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2023, 5:27 p.m.	process_identifier: 2876 region_size: 22347776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

svchost.exe tried to sleep 543 seconds, actually delayed analysis time by 543 seconds

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\svchost.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW March 22, 2023, 5:27 p.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 2876	1	1
Process32NextW March 22, 2023, 5:27 p.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 152	1	1
Process32NextW March 22, 2023, 5:27 p.m.	snapshot_handle: 0x00000124 process_name: svchost.exe process_identifier: 2500	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 22, 2023, 5:27 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00015800', u'virtual_address': u'0x0002e000', u'entropy': 7.784607914953358, u'name': u'.rsrc', u'virtual_size': u'0x000157d4'}

entropy

7.78460791495

description

A section with a high entropy has been found

entropy

0.34126984127

description

Overall entropy of this PE file is high

Yara rule detected in process memory (50 out of 67 events)

description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications smtp	rule	network_smtp_raw
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over HTTP	rule	Network_HTTP
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges

Connects to smtp.live.com, possibly for spamming or data exfiltration (1 event)

domain

smtp.live.com

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 97751a713ab1c071fe2a95e95ba6d2bd53539433
buffer	Buffer with sha1: d4c0e4a6a1a42545ce3453e7d7b56813f26a5e6b

Connects to an IRC server, possibly part of a botnet

Makes SMTP requests, possibly sending spam (45 events)

receiver

[]

sender

[]

server

66.226.70.66

receiver

[]

sender

[]

server

74.125.203.26

receiver

[]

sender

[]

server

66.163.170.48

receiver

[]

sender

[]

server

108.170.12.50

receiver

[]

sender

[]

server

219.94.128.216

receiver

[]

sender

[]

server

219.94.129.97

receiver

[]

sender

[]

server

202.172.28.89

receiver

[]

sender

[]

server

217.69.139.150

receiver

[]

sender

[]

server

217.69.139.150

receiver

[]

sender

[]

server

142.250.152.27

receiver

[]

sender

[]

server

217.69.139.150

receiver

[]

sender

[]

server

142.250.152.27

receiver

[]

sender

[]

server

64.233.187.27

receiver

[]

sender

[]

server

142.250.152.27

receiver

[]

sender

[]

server

66.111.4.70

receiver

[]

sender

[]

server

64.233.187.27

receiver

[]

sender

[]

server

64.233.187.27

receiver

[]

sender

[]

server

66.111.4.70

receiver

[]

sender

[]

server

49.212.243.77

receiver

[]

sender

[]

server

66.111.4.70

receiver

[]

sender

[]

server

49.212.180.178

receiver

[]

sender

[]

server

79.96.32.254

receiver

[]

sender

[]

server

153.120.34.73

receiver

[]

sender

[]

server

203.137.75.45

receiver

[]

sender

[]

server

192.169.149.78

receiver

[]

sender

[]

server

213.175.217.57

receiver

[]

sender

[]

server

202.172.28.187

receiver

[]

sender

[]

server

49.12.155.123

receiver

[]

sender

[]

server

162.241.233.114

receiver

[]

sender

[]

server

69.195.90.46

receiver

[]

sender

[]

server

153.126.211.112

receiver

[]

sender

[]

server

157.112.187.75

receiver

[]

sender

[]

server

109.71.54.22

receiver

[]

sender

[]

server

212.44.102.57

receiver

[]

sender

[]

server

173.205.126.33

receiver

[]

sender

[]

server

94.130.164.242

receiver

[]

sender

[]

server

173.205.126.33

receiver

[]

sender

[]

server

164.132.175.106

receiver

[]

sender

[]

server

69.195.90.46

receiver

[]

sender

[]

server

79.96.32.254

receiver

[]

sender

[]

server

219.94.128.87

receiver

[]

sender

[]

server

54.39.198.18

receiver

[]

sender

[]

server

69.46.30.77

receiver

[]

sender

[]

server

213.142.131.159

receiver

[]

sender

[]

server

193.107.88.74

Communicates with host for which no DNS query was performed (4 events)

host	153.120.34.73
host	198.1.81.28
host	211.13.196.162
host	77.73.134.27

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory March 22, 2023, 5:27 p.m.	process_identifier: 2500 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000170		3221225496
NtAllocateVirtualMemory March 22, 2023, 5:27 p.m.	process_identifier: 2500 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7e3f0000 allocation_type: 1060864 (MEM_COMMIT\|MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0x00000170	1	0
NtAllocateVirtualMemory March 22, 2023, 5:27 p.m.	process_identifier: 2500 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000170	1	0
NtAllocateVirtualMemory March 22, 2023, 5:27 p.m.	process_identifier: 2628 region_size: 22347776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000180	1	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 22, 2023, 5:27 p.m.	buffer: ?~ base_address: 0x7efde008 process_identifier: 2500 process_handle: 0x00000170	1	1	0

Network activity contains more than one unique useragent (2 events)

process	svchost.exe				useragent
process	svchost.exe				useragent	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2876 called NtSetContextThread to modify thread in remote process 2500
NtSetContextThread March 22, 2023, 5:27 p.m.	registers.eip: 1995571652 registers.esp: 1572536 registers.edi: 0 registers.eax: 2118081136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c8 process_identifier: 2500	1	0	0

Expresses interest in specific running processes (1 event)

process: potential process injection target

svchost.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2876 resumed a thread in remote process 2500
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x000000c8 suspend_count: 1 process_identifier: 2500	1	0	0

Generates some ICMP traffic

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Lionic	Trojan.Win32.Cutwail.4!c
Elastic	malicious (high confidence)
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.MMRRDJE
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan.Win32.Cutwail.yaq
BitDefender	Trojan.GenericKD.66042498
MicroWorld-eScan	Trojan.GenericKD.66043091
Avast	Win32:Trojan-gen
Rising	Trojan.Cutwail!8.2E7D (CLOUD)
Emsisoft	Trojan.GenericKD.66042498 (B)
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.9faea65cff61ad64
GData	Win32.Trojan-Dropper.Cutwail.I8NS4J
ZoneAlarm	Trojan.Win32.Cutwail.yaq
Microsoft	Trojan:Win32/Wacatac.B!ml
Google	Detected
McAfee	Artemis!9FAEA65CFF61
MAX	malware (ai score=84)
Malwarebytes	MachineLearning/Anomalous.100%
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Malicious_Behavior.SBX
BitDefenderTheta	Gen:NN.ZexaF.36344.pOW@aKAoL1li
AVG	Win32:Trojan-gen

Executed a process and injected code into it, probably while unpacking (13 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 22, 2023, 5:27 p.m.	thread_identifier: 2532 thread_handle: 0x000000c8 process_identifier: 2500 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000170	1	1
NtAllocateVirtualMemory March 22, 2023, 5:27 p.m.	process_identifier: 2500 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000170		3221225496
NtAllocateVirtualMemory March 22, 2023, 5:27 p.m.	process_identifier: 2500 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7e3f0000 allocation_type: 1060864 (MEM_COMMIT\|MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0x00000170	1	0
WriteProcessMemory March 22, 2023, 5:27 p.m.	buffer: base_address: 0x7e3f0000 process_identifier: 2500 process_handle: 0x00000170	1	1
NtGetContextThread March 22, 2023, 5:27 p.m.	thread_handle: 0x000000c8	1	0
WriteProcessMemory March 22, 2023, 5:27 p.m.	buffer: ?~ base_address: 0x7efde008 process_identifier: 2500 process_handle: 0x00000170	1	1
NtSetContextThread March 22, 2023, 5:27 p.m.	registers.eip: 1995571652 registers.esp: 1572536 registers.edi: 0 registers.eax: 2118081136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c8 process_identifier: 2500	1	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x000000c8 suspend_count: 1 process_identifier: 2500	1	0
NtAllocateVirtualMemory March 22, 2023, 5:27 p.m.	process_identifier: 2500 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000170	1	0
WriteProcessMemory March 22, 2023, 5:27 p.m.	buffer: base_address: 0x04000000 process_identifier: 2500 process_handle: 0x00000170	1	1
CreateProcessInternalW March 22, 2023, 5:27 p.m.	thread_identifier: 2644 thread_handle: 0x0000017c process_identifier: 2628 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000180	1	1
NtAllocateVirtualMemory March 22, 2023, 5:27 p.m.	process_identifier: 2628 region_size: 22347776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000180	1	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 1796	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (50 out of 80 events)

dead_host	208.80.122.2:25
dead_host	204.79.197.212:25
dead_host	192.168.56.101:49595
dead_host	83.167.255.150:25
dead_host	192.168.56.101:49824
dead_host	221.132.33.88:25
dead_host	192.168.56.101:49530
dead_host	137.118.26.67:80
dead_host	76.223.35.103:25
dead_host	192.168.56.101:50061
dead_host	157.7.231.224:25
dead_host	63.251.106.25:25
dead_host	204.15.134.44:80
dead_host	35.172.94.1:25
dead_host	154.81.136.239:80
dead_host	64.125.133.18:80
dead_host	88.86.118.82:25
dead_host	192.168.56.101:49528
dead_host	172.67.158.251:25
dead_host	99.83.154.118:80
dead_host	3.64.163.50:25
dead_host	51.89.6.56:25
dead_host	5.134.4.115:25
dead_host	148.130.4.196:80
dead_host	62.122.170.171:25
dead_host	151.101.66.132:25
dead_host	99.83.190.102:25
dead_host	75.2.70.75:25
dead_host	52.71.57.184:25
dead_host	165.160.13.20:25
dead_host	211.13.196.162:25
dead_host	65.52.128.33:25
dead_host	192.168.56.101:49339
dead_host	208.100.26.245:25
dead_host	198.185.159.144:25
dead_host	52.211.245.146:25
dead_host	172.67.189.227:25
dead_host	23.227.38.32:25
dead_host	198.209.253.30:80
dead_host	34.102.136.180:25
dead_host	104.21.7.22:25
dead_host	148.72.176.26:25
dead_host	79.124.76.247:80
dead_host	185.106.129.180:25
dead_host	96.91.204.114:80
dead_host	31.177.80.70:25
dead_host	35.168.185.204:25
dead_host	192.168.56.101:50062
dead_host	38.111.255.201:25
dead_host	89.31.143.1:25

96.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All