Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 31, 2023, 10:19 p.m.	May 31, 2023, 10:21 p.m.

Size	533.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6bb40ed95f770955ea7cf27e4785612e`
SHA256	`f8ef3e3b18e72eebb4b18edbc90f7f5851ab0af044473fa2856fc974f0c33d6c`
CRC32	`1A34E9E6`
ssdeep	`12288:NJsZ3dUdAz1aVlOsBfDtNK+UmDFZIdP03d0cMvNc:rsH6FvOYtNK+HrId03dEvS`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

svchost.exe C:\Windows\system32\svchost.exe
2548
- svchost.exe C:\Windows\system32\svchost.exe
  2752
- svchost.exe C:\Windows\system32\svchost.exe
  2820
- svchost.exe C:\Windows\system32\svchost.exe
  3036
- svchost.exe C:\Windows\system32\svchost.exe
  2264

Name	Response	Post-Analysis Lookup
hbfuels.com	A 85.233.160.146	85.233.160.146
pro-fa.com
xinhui.net	A 43.255.29.192	43.255.29.192
wolffkran.de
envogen.com	A 104.21.73.149 A 172.67.163.101	104.21.73.149
muhr-soehne.de	A 5.189.171.125	5.189.171.125
anduran.com	CNAME traff-5.hugedomains.com CNAME hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com A 34.205.242.146 A 54.161.222.85	34.205.242.146
pleszew.policja.gov.pl	A 91.229.22.126	91.229.22.126
com
ossir.org	A 51.159.3.117	51.159.3.117
nt-hat.com
atbauk.org	A 104.21.92.170 A 172.67.196.145	104.21.92.170
www.koz1.net
s5w.com	A 192.99.226.184	192.99.226.184
amerifor.com	A 64.18.191.61	64.18.191.61
camamat.com	A 104.21.235.32 A 104.21.235.31	104.21.235.32
shteeble.com	A 185.106.129.180	185.106.129.180
angework.com	A 219.94.128.87	219.94.128.87
gbmfg.com	A 151.101.2.132 A 151.101.66.132 A 151.101.130.132 A 151.101.194.132	151.101.2.132
ludomemo.com	A 27.0.174.59	27.0.174.59
clysma.com
www.mobilnic.net	A 154.203.14.100	154.203.14.100
www.udesign.biz
workplus.hu
www.netcr.com	A 18.119.154.66 CNAME hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com A 3.140.13.188 CNAME traff-6.hugedomains.com	3.130.253.23
hes.pt	A 52.19.230.145	52.19.230.145
roewer.de	A 45.142.176.225	45.142.176.225
aoinko.net	A 157.7.107.38	157.7.107.38
dzm.cz	A 83.167.255.150	83.167.255.150
www.pwd.org	CNAME pwd.org A 208.109.214.162	208.109.214.162
strazynski.pl	A 85.128.196.22	85.128.196.22
www.iamdirt.com	CNAME gcdn0.wixdns.net A 34.117.168.233 CNAME td-ccm-168-233.wixdns.net	34.117.168.233
www.fnsds.org	A 34.228.163.56 CNAME cdl-lb-1356093980.us-east-1.elb.amazonaws.com A 34.197.121.219 CNAME comingsoon.namebright.com	34.197.121.219
redgiga.com	A 172.67.186.153 A 104.21.76.38	172.67.186.153
www.pupi.cz	A 103.224.182.241	103.224.182.241
peminet.net	A 198.54.117.242	198.54.117.242
www.ottospm.com	A 104.21.63.28 A 172.67.142.169 CNAME www.ottospm.com.cdn.cloudflare.net	104.21.63.28
kewlmail.com	A 63.251.106.25	63.251.106.25
araax.com	CNAME traff-5.hugedomains.com CNAME hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com A 54.161.222.85 A 34.205.242.146	54.209.32.212
siongann.com	A 104.21.8.75 A 172.67.156.237	104.21.8.75
www.crcsi.org	A 165.227.252.190 CNAME crcsi.org	165.227.252.190
eos-i.com
webways.com	A 172.67.128.139 A 104.21.1.51	172.67.128.139
mail7.digitalwaves.co.nz
www.spanesi.com	A 5.196.166.214	5.196.166.214
wvs-net.de	A 104.21.43.163 A 172.67.181.113	104.21.43.163
mackusick.de	A 217.160.0.131	217.160.0.131
adeesa.net	A 104.21.77.146 A 172.67.209.11	172.67.209.11
canasil.com	A 172.67.68.180 A 104.26.3.14 A 104.26.2.14	172.67.68.180
nrsi.com	A 76.223.35.103	76.223.35.103
www.otena.com	A 3.64.163.50	3.64.163.50
sanfotek.net	A 216.69.141.67	216.69.141.67
www.pohlfood.com	A 104.218.10.254 CNAME pohlfood.com	104.218.10.254
xult.org	A 65.52.128.33	65.52.128.33
htsmx.net	A 63.251.106.25	63.251.106.25
websy.com
jsaps.com	A 49.212.235.59	49.212.235.59
www.dayvo.com	A 104.21.68.7 A 172.67.184.30	104.21.68.7
cnti.krsn.ru	A 217.74.161.133	217.74.161.133
agitz.com.br
www.olras.com	A 80.93.82.33	80.93.82.33
www.vexcom.com	A 104.21.55.224 A 172.67.173.200	104.21.55.224
ruzee.com	A 207.180.198.201	207.180.198.201
www.findbc.com	A 13.248.169.48 A 76.223.54.146	13.248.169.48
duiops.net	A 135.125.108.170	135.125.108.170
softizer.com	A 185.163.45.187	185.163.45.187
cbaben.com	A 173.205.126.33	173.205.126.33
missnue.com	A 104.21.234.121 A 104.21.234.120	104.21.234.120
bigzz.by	A 178.249.70.75	178.249.70.75
unicus.jp	A 49.212.232.113	49.212.232.113
beafin.com	A 133.125.38.187	133.125.38.187
www.domon.com	CNAME shops.myshopify.com CNAME meubles-domon.myshopify.com A 23.227.38.74	23.227.38.74
assideum.com	A 52.219.176.112 A 52.219.142.72	52.219.177.224
fundeo.com	A 172.67.97.62 A 104.24.160.27 A 104.24.161.27	172.67.97.62
hchc.org	A 34.224.10.110 A 52.11.37.152	34.224.10.110
haigh-me.com
yoruksut.com	A 93.187.206.66	93.187.206.66
ymlp15.net
amele.com	A 85.159.66.62	85.159.66.62
cutchie.com	A 199.59.243.223	199.59.243.223
dwid.de	A 87.230.93.218	87.230.93.218
from30ty.com	A 157.7.231.224	157.7.231.224
yhsll.com	A 107.186.187.147	107.186.187.147
juso-gr.ch
someikan.com
hamaker.net	A 34.102.136.180	34.102.136.180
oaith.ca	A 192.124.249.12	192.124.249.12
skgm.ru	A 91.201.52.102	91.201.52.102
de
www.medius.si	A 99.86.207.30 A 99.86.207.15 A 99.86.207.38 CNAME d2r2uj0bnofxxz.cloudfront.net A 99.86.207.125	99.86.207.38
cjcagent.com
kallman.net	A 185.76.64.25	185.76.64.25
www.nelipak.nl	A 82.201.61.230	82.201.61.230
clinicasanluis.com.co	A 104.21.66.220 A 172.67.164.178	172.67.164.178
kairel.com	A 54.217.118.81	54.217.118.81
hyab.se	A 104.21.52.126 A 172.67.199.57	104.21.52.126
mkm-gr.com	A 79.124.76.247	79.124.76.247
magicomm.co.uk	A 83.223.113.46	83.223.113.46
host.do	A 217.79.248.38	217.79.248.38
samtv.ro
agulatex.com	A 133.125.38.187	133.125.38.187
www.photo4b.com	A 195.78.66.50	195.78.66.50
avc.com.sa
kustnara.com	A 75.2.70.75 A 99.83.190.102 A 13.248.155.104 A 76.223.27.102	75.2.70.75
averwin.com
fortknox.bm	A 216.177.137.32	216.177.137.32
www.xaicom.es	CNAME xaicom.es A 188.165.133.163	188.165.133.163
sinwal.com	A 172.67.206.199 A 104.21.50.138	172.67.206.199
nblewis.com	A 35.169.15.168 A 52.0.29.214 A 35.168.185.204	35.169.15.168
icd-host.com	A 192.252.159.165 A 192.252.159.116	192.252.159.165
daytonir.com	A 172.64.147.213 A 104.18.40.43	104.18.40.43
www.c9dd.com	A 188.166.152.188	188.166.152.188
nels.co.uk	A 5.134.13.210	5.134.13.210
nettle.pl	A 195.128.140.29	195.128.140.29
epc.com.au	A 103.4.16.43	103.4.16.43
www.kernsafe.com	A 104.26.3.124 A 104.26.2.124 A 172.67.72.98	104.26.2.124
kamptal.at	A 128.204.134.138	128.204.134.138
c-drop.net
nolaoig.org	A 54.212.145.129	54.212.145.129
isom.org	A 192.124.249.14	192.124.249.14
snf.it	A 95.174.22.233	95.174.22.233
fifa-ews.com	A 172.67.189.227 A 104.21.10.34	172.67.189.227
www.11tochi.net	A 157.112.176.4	157.112.176.4
www.dgmna.com	CNAME dgmna.com A 192.124.249.20	192.124.249.20
www.quadlock.com	A 70.39.251.249 CNAME quadlock.com	70.39.251.249
www.usadig.com	A 198.100.146.220	198.100.146.220
www.pr-park.com	A 118.27.125.181	118.27.125.181
ultibax.org
www.com-sit.com	A 104.26.10.81 A 104.26.11.81 A 172.67.70.223	104.26.11.81
www.synetik.net	CNAME synetik.net A 193.166.255.171	193.166.255.171
www.jroy.net
orlyhotel.com	A 104.21.48.207 A 172.67.156.49	104.21.48.207
www.hummer.hu	CNAME hummer.hu A 185.80.51.179	185.80.51.179
metaforacom.com	A 185.42.105.162	185.42.105.162
hubbikes.com	A 75.2.70.75 A 99.83.190.102	75.2.70.75
banvari.com	A 23.227.38.32	23.227.38.32
sigtoa.com	A 104.21.49.75 A 172.67.160.168	172.67.160.168
www.jenco.co.uk	A 104.21.23.9 A 172.67.208.67	172.67.208.67
karila.fr	A 89.107.169.125	89.107.169.125
dayvo.com	A 172.67.184.30 A 104.21.68.7	172.67.184.30
webband.com
cqdgroup.com	A 221.132.33.88	221.132.33.88
univi.it	A 18.197.121.220	18.197.121.220
a-domani.com	A 183.90.232.24	183.90.232.24
techtrans.de	A 185.237.66.112	185.237.66.112
msl-lock.com	A 165.160.13.20 A 165.160.15.20	165.160.13.20
iranytu.net	A 103.224.212.222	103.224.212.222
www.yocinc.org	A 66.94.119.160	66.94.119.160
aba.org.eg	A 192.169.149.78	192.169.149.78
amba-tc.si
smtp.sbcglobal.yahoo.com	CNAME smtp-sbc.mail.yahoo.com A 67.195.12.38 A 66.163.170.48 A 66.218.88.163 CNAME smtp1.sbc.mail.am0.yahoodns.net	67.195.12.38
pccj.net	A 172.67.148.147 A 104.21.29.72	104.21.29.72
touchfam.ca	A 15.197.142.173 A 3.33.152.147	15.197.142.173
www.tyrns.com	A 62.75.216.137	62.75.216.137
multip.hu
nts-web.net	A 49.212.235.175	49.212.235.175
thiessen.net	A 62.75.251.116	62.75.251.116
holp-ai.com	A 59.106.13.169	59.106.13.169
linac.co.uk	A 23.236.62.147	23.236.62.147
gujarat.com	A 104.21.73.143 A 172.67.145.148	104.21.73.143
lpver.com	A 92.204.129.113	92.204.129.113
shesfit.com	A 172.67.158.251 A 104.21.74.141	104.21.74.141
www.yumgiskor.kz
cpmteam.com	A 172.67.188.75 A 104.21.32.240	172.67.188.75
ifesnet.com	A 104.21.26.154 A 172.67.137.15	172.67.137.15
www.holleman.us	A 51.79.51.72	51.79.51.72
flamingorecordings.com	A 35.214.171.193	35.214.171.193
www.maktraxx.com	CNAME maktraxx.com A 72.44.93.236	72.44.93.236
themark.org	A 35.172.94.1 A 100.24.208.97	35.172.94.1
www.valdal.com	A 104.26.6.221 A 172.67.73.176 A 104.26.7.221	104.26.7.221
ciicsc.com
shanks.co.uk	A 217.19.254.22	217.19.254.22
www.rs-ag.com	A 172.67.152.88 A 104.21.1.213	172.67.152.88
insia.com	A 82.208.6.9	82.208.6.9
www.abart.pl	CNAME abart.pl A 89.161.163.246	89.161.163.246
vonparis.com	A 23.185.0.4	23.185.0.4
www.pb-games.com	CNAME pb-games.com A 173.254.28.29	173.254.28.29
skypearl.com	A 153.122.170.15	153.122.170.15
www.pcgrate.com	A 172.67.201.26 A 104.21.66.46	172.67.201.26
bggs.com	A 35.230.155.43	35.230.155.43
avse.hu	A 185.129.138.60	185.129.138.60
www.ora.ecnet.jp	CNAME ora.ecnet.jp A 60.43.154.138	60.43.154.138
www.ftchat.com
infotech.pl	A 79.96.32.254	79.96.32.254
deckoviny.cz	A 88.86.118.82	88.86.118.82
orbitgas.com	A 107.180.58.31	107.180.58.31
org
burstner.ru	A 62.122.170.171	62.122.170.171
doggybag.org	A 213.186.33.16	213.186.33.16
ccssinc.com	A 104.21.19.68 A 172.67.185.152	104.21.19.68
t-trust.jp	A 183.181.82.14	183.181.82.14
www.fink.com	A 69.163.218.51	69.163.218.51
cubodown.com	A 104.21.30.14 A 172.67.150.50	172.67.150.50
www.gpthink.com	A 39.99.233.155	39.99.233.155
in1.smtp.messagingengine.com	A 103.168.172.221 A 103.168.172.220 A 103.168.172.216 A 103.168.172.217 A 103.168.172.218 A 103.168.172.219	103.168.172.219
www.stnic.co.uk	A 77.68.50.105	77.68.50.105
forbin.net	A 172.67.148.35 A 104.21.41.152	104.21.41.152
arowines.com	A 75.2.18.233	75.2.18.233
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.67.53.27
akdeniz.nl	A 109.71.54.22	109.71.54.22
www.jacomfg.com	A 96.127.180.42	96.127.180.42
mjrcpas.com	A 47.91.170.222	47.91.170.222
www.fcwcvt.org	A 172.67.134.134 A 104.21.25.200	172.67.134.134
absblast.com	A 141.193.213.20	141.193.213.20
invictus.pl
mail.airmail.net	A 66.226.70.66	66.226.70.66
bossinst.com	A 205.178.189.131	205.178.189.131
www.aevga.com	CNAME aevga.com A 108.167.164.216	108.167.164.216
www.naoi-a.com	A 202.254.236.40	202.254.236.40
www.railbook.net	A 103.224.212.221	103.224.212.221
www.t-tre.com	A 135.181.73.98	135.181.73.98
grlawcc.com
lyto.net	A 172.67.138.3 A 104.21.62.182	172.67.138.3
www.lrsuk.com	A 13.225.131.114 A 13.225.131.119 CNAME language-recruitment.eu-2.volcanic.cloud CNAME d2kt7vovxa5e81.cloudfront.net A 13.225.131.92 A 13.225.131.58	99.86.207.106
cbras.com	A 54.39.198.18	54.39.198.18
dspears.com	CNAME traff-4.hugedomains.com A 52.86.6.113 A 3.94.41.167 CNAME hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com	3.94.41.167
dog-jog.net	A 153.122.24.177	153.122.24.177
www.edimart.hu	A 81.2.194.241	81.2.194.241
uhsa.edu.ag	A 192.124.249.13	192.124.249.13
ftmobile.com	A 199.34.228.78	199.34.228.78
kavram.com	A 104.21.89.126 A 172.67.189.68	172.67.189.68
ccrsi.org	A 198.209.253.30	198.209.253.30
biurohera.pl	A 79.96.161.192 A 54.36.175.146	79.96.161.192
scintel.com	A 23.239.201.14	23.239.201.14
dbnet.at	A 188.94.254.88	188.94.254.88
alexpope.biz	A 76.74.184.61	76.74.184.61
listel.co.jp	A 49.212.243.77	49.212.243.77
www.credo.edu.pl	A 62.122.190.121	62.122.190.121
nekono.net	A 202.172.28.187	202.172.28.187
yasuma.com	A 61.200.81.23	61.200.81.23
vfcindia.com	A 103.191.209.76	103.191.209.76
www.fe-bauer.de	A 3.65.101.129	3.65.101.129
valselit.com	A 193.70.68.254	193.70.68.254
akr.co.id	A 104.20.123.68 A 104.20.122.68 A 172.67.33.252	172.67.33.252
www.tvtools.fi	A 172.67.152.159 A 104.21.88.198	172.67.152.159
www.tc17.com	A 104.21.79.244 A 172.67.150.80	104.21.79.244
plaske.ua	A 52.211.245.146	52.211.245.146
com-edit.fr	A 63.251.106.25	63.251.106.25
www.sjbs.org	CNAME sjbs.org A 69.163.239.62	69.163.239.62
simetar.com	A 172.67.146.154 A 104.21.79.166	104.21.79.166
wanoa.com	A 159.89.244.183 A 164.90.244.158	159.89.244.183
www.sclover3.com	A 157.112.182.239	157.112.182.239
dhh.la.gov	A 52.200.51.73	52.200.51.73
esmoke.net	A 204.15.134.44	204.15.134.44
bible.org	A 104.20.54.214 A 172.67.33.95 A 104.20.55.214	172.67.33.95
impexnc.com	A 204.11.56.48	204.11.56.48
www.elpro.si	A 172.67.70.22 A 104.26.14.53 A 104.26.15.53	104.26.15.53
ie-roi.com
adventist.ro	A 49.12.155.123	49.12.155.123
shittas.com	A 43.246.117.171	43.246.117.171
top1oil.com	A 104.26.1.82 A 172.67.71.55 A 104.26.0.82	172.67.71.55
shztm.ru	A 62.122.170.171	62.122.170.171
smtp.live.com	CNAME a-0010.a-msedge.net A 204.79.197.212	204.79.197.212
popbook.com	A 47.91.167.60	47.91.167.60
gmail-smtp-in.l.google.com	A 74.125.23.27	142.251.170.26
www.snugpak.com	A 104.21.73.182 A 172.67.165.62	104.21.73.182
vdoherty.com	A 91.216.241.100	91.216.241.100
www.cel-cpa.com	A 104.196.26.65	104.196.26.65
www.speelhal.net	A 217.19.237.54	217.19.237.54
ikulani.com	A 157.7.107.88	157.7.107.88
rappich.de	A 89.31.143.1	89.31.143.1
www.waldi.pl	A 46.242.238.60 CNAME waldi.pl	46.242.238.60
pellys.co.uk	A 77.72.4.226	77.72.4.226
rkengg.com	CNAME traff-1.hugedomains.com A 52.71.57.184 A 54.209.32.212 CNAME hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com	52.71.57.184
www.pdqhomes.com	CNAME hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com A 3.18.7.81 CNAME traff-3.hugedomains.com A 3.19.116.195	3.94.41.167
www.vazir.se	A 206.191.152.37	206.191.152.37
www.abdg.com	A 192.252.154.18	192.252.154.18
tbvlugus.nl	A 174.129.25.170	174.129.25.170
n23china.com
www.yoruksut.com	A 93.187.206.66	93.187.206.66
sjbmw.com	A 164.92.82.47	164.92.82.47
www.ka-mo-me.com	A 211.1.226.67	211.1.226.67
any-s.net	A 108.170.12.50	108.170.12.50
stopllc.com	A 162.241.233.114	162.241.233.114
www.stajum.com	A 162.43.120.128	162.43.120.128
www.ora-ito.com	A 213.186.33.40	213.186.33.40
www.ex-olive.com	A 210.140.73.39	210.140.73.39
shiner.com	A 172.67.143.148 A 104.21.27.205	172.67.143.148
reproar.com	A 194.143.194.23	194.143.194.23
www.baijaku.com	CNAME baijaku.com A 59.106.19.204	59.106.19.204
e-asset.net
www.wkhk.net
scip.org.uk	A 104.26.12.244 A 172.67.72.150 A 104.26.13.244	104.26.13.244
ldh.la.gov	A 75.2.95.235	75.2.95.235
www.fnw.us	A 137.118.26.67 CNAME fnw.us	137.118.26.67
rast.se	A 93.188.2.51	93.188.2.51
www.reglera.com	A 64.125.133.18 CNAME reglera.com	64.125.133.18
www.vitaindu.com	A 122.128.109.107	122.128.109.107
www.item-pr.com	CNAME item-pr.com A 213.186.33.17 A 185.15.129.58	213.186.33.17
jnf.at	A 136.243.147.81	136.243.147.81
web-york.com	A 219.94.129.97	219.94.129.97
www.mqs.com.br	A 170.82.173.30 A 170.82.174.30 CNAME www.mqs.com.br.cdn.gocache.net	170.82.174.30
www.valselit.com	A 193.70.68.254	193.70.68.254
gbp-jp.com	A 208.80.123.104 A 208.80.123.195 A 208.80.122.2 A 208.80.122.205	208.80.122.205
acraloc.com	A 192.64.150.164	192.64.150.164
h-et-l.com
www.alteor.cl	CNAME gcdn0.wixdns.net A 34.117.168.233 CNAME td-ccm-168-233.wixdns.net	34.117.168.233
vivastay.com	CNAME traff-5.hugedomains.com A 34.205.242.146 A 54.161.222.85 CNAME hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com A 18.119.154.66 CNAME hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com A 3.140.13.188 CNAME traff-6.hugedomains.com	52.86.6.113
www.cokocoko.com	CNAME hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com CNAME traff-2.hugedomains.com A 3.130.253.23 A 3.130.204.160	54.161.222.85
603888.com	CNAME num6.17986.net A 67.21.93.229	67.21.93.229
k-nikko.com	A 18.177.67.59	18.177.67.59
4locals.net	A 80.82.115.227	80.82.115.227
nme.co.jp	A 203.0.113.0	203.0.113.0
floopis.com	A 3.64.163.50	3.64.163.50
diamir.de	A 94.130.146.206	94.130.146.206
johnlyon.org	A 141.193.213.20	141.193.213.20
semuk.com	A 86.105.245.69	86.105.245.69
fr-dat.com	A 127.0.0.1	127.0.0.1
mijash3.com	A 198.49.23.145 A 198.185.159.144 A 198.49.23.144 A 198.185.159.145	198.49.23.144
www.nunomira.com	CNAME nunomira.com A 192.241.158.94	192.241.158.94
coxkitchensandbaths.com	A 205.149.134.32	205.149.134.32
apcotex.com	A 35.154.163.204	35.154.163.204
canmore.com
www.jchysk.com	A 208.97.178.138	208.97.178.138
kumaden.com	A 49.212.180.178	49.212.180.178
www.wifi4all.nl	A 104.21.42.10 A 172.67.198.26	172.67.198.26
www.transsib.com	CNAME studyrussian.com CNAME www.studyrussian.com A 80.74.154.6	80.74.154.6
ntc.edu.au	A 192.124.249.15	192.124.249.15
hyab.com	A 172.67.193.133 A 104.21.65.224	172.67.193.133
89gospel.com
www.medisa.info
ascc.org.au	A 203.210.102.34	203.210.102.34
mackusick.com	A 217.160.0.179	217.160.0.179
uster.com	A 104.20.221.29 A 104.20.220.29 A 172.67.32.172	172.67.32.172
koz1.net
usadig.com	A 198.100.146.220	198.100.146.220
www.nqks.com	A 147.154.3.56 CNAME zemonitor-websites-hibu-com.c.inregion.waas.oci.oraclecloud.net CNAME hibu34.inregion.waas.oci.oraclecloud.net CNAME hibu-4.zenedge.net CNAME live.websites.hibu.com	147.154.3.56
indonesiamedia.com	A 74.208.215.145	74.208.215.145
smitko.net	A 31.15.12.103	31.15.12.103
www.2print.com	CNAME 2print.com A 107.180.98.101	107.180.98.101
vvsteknik.dk	A 185.31.76.90	185.31.76.90
www.owsports.ca
polprime.com
ramkome.com	A 62.75.216.107	62.75.216.107
mcseurope.nl	A 46.19.218.80	46.19.218.80
mxs.mail.ru	A 217.69.139.150 A 94.100.180.31	94.100.180.31
sgk.home.pl	A 89.161.136.188	89.161.136.188
www.myropcb.com	A 74.208.236.101	74.208.236.101
www.evcpa.com	A 192.124.249.10 CNAME evcpa.com	192.124.249.10
www.x0c.com	A 185.53.177.50	185.53.177.50
wahw.com.au	A 54.194.190.151	54.194.190.151
www.wnsavoy.com	A 96.91.204.114	96.91.204.114
captlfix.com	A 198.49.23.145 A 198.185.159.144 A 198.49.23.144 A 198.185.159.145	198.185.159.144
pertex.com	A 185.151.30.147	185.151.30.147
e-kami.net	A 202.172.28.89	202.172.28.89
karmy.com.pl	A 185.253.212.22	185.253.212.22
zupraha.cz	A 77.78.104.3	77.78.104.3
fdlymca.org	A 192.124.249.9	192.124.249.9
nettlinx.org	A 202.53.77.146	202.53.77.146
aluminox.es	A 37.59.243.164	37.59.243.164
kayoaiba.com	A 154.213.117.166	154.213.117.166
www.depalo.com	CNAME ghs.googlehosted.com A 142.250.66.51	142.250.206.211
mondopp.net	A 173.231.184.124	173.231.184.124
alt4.gmail-smtp-in.l.google.com	A 142.250.152.27	142.250.152.26
www.petsfan.com	CNAME traff-4.hugedomains.com A 52.86.6.113 A 3.94.41.167 CNAME hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com	18.119.154.66
xsui.com	A 127.0.0.1	127.0.0.1

IP Address	Status	Action
103.168.172.217	Active	Moloch
103.168.172.221	Active	Moloch
103.191.209.76	Active	Moloch
103.224.182.241	Active	Moloch
103.224.212.221	Active	Moloch
103.224.212.222	Active	Moloch
103.4.16.43	Active	Moloch
104.18.40.43	Active	Moloch
104.196.26.65	Active	Moloch
104.20.123.68	Active	Moloch
104.20.221.29	Active	Moloch
104.20.54.214	Active	Moloch
104.21.1.213	Active	Moloch
104.21.19.68	Active	Moloch
104.21.23.9	Active	Moloch
104.21.234.121	Active	Moloch
104.21.235.32	Active	Moloch
104.21.25.200	Active	Moloch
104.21.26.154	Active	Moloch
104.21.32.240	Active	Moloch
104.21.43.163	Active	Moloch
104.21.48.207	Active	Moloch
104.21.49.75	Active	Moloch
104.21.52.126	Active	Moloch
104.21.55.224	Active	Moloch
104.21.62.182	Active	Moloch
104.21.68.7	Active	Moloch
104.21.73.143	Active	Moloch
104.21.77.146	Active	Moloch
104.21.79.166	Active	Moloch
104.21.79.244	Active	Moloch
104.21.8.75	Active	Moloch
104.21.88.198	Active	Moloch
104.21.89.126	Active	Moloch
104.218.10.254	Active	Moloch
104.26.1.82	Active	Moloch
104.26.13.244	Active	Moloch
104.26.15.53	Active	Moloch
104.26.2.14	Active	Moloch
104.26.3.124	Active	Moloch
107.180.58.31	Active	Moloch
107.180.98.101	Active	Moloch
107.186.187.147	Active	Moloch
108.167.164.216	Active	Moloch
108.170.12.50	Active	Moloch
109.71.54.22	Active	Moloch
118.27.125.181	Active	Moloch
121.254.136.27	Active	Moloch
122.128.109.107	Active	Moloch
128.204.134.138	Active	Moloch
128.8.10.90	Active	Moloch
13.225.131.58	Active	Moloch
13.248.169.48	Active	Moloch
133.125.38.187	Active	Moloch
135.125.108.170	Active	Moloch
135.181.73.98	Active	Moloch
136.243.147.81	Active	Moloch
137.118.26.67	Active	Moloch
141.193.213.20	Active	Moloch
142.250.152.27	Active	Moloch
142.250.66.51	Active	Moloch
147.154.3.56	Active	Moloch
15.197.142.173	Active	Moloch
151.101.2.132	Active	Moloch
153.120.34.73	Active	Moloch
153.122.170.15	Active	Moloch
153.122.24.177	Active	Moloch
154.203.14.100	Active	Moloch
154.213.117.166	Active	Moloch
157.112.176.4	Active	Moloch
157.112.182.239	Active	Moloch
157.7.107.38	Active	Moloch
157.7.107.88	Active	Moloch
157.7.231.224	Active	Moloch
159.89.244.183	Active	Moloch
162.241.233.114	Active	Moloch
162.43.120.128	Active	Moloch
164.124.101.2	Active	Moloch
164.90.244.158	Active	Moloch
164.92.82.47	Active	Moloch
165.160.13.20	Active	Moloch
165.160.15.20	Active	Moloch
165.227.252.190	Active	Moloch
170.82.174.30	Active	Moloch
172.67.128.139	Active	Moloch
172.67.142.169	Active	Moloch
172.67.143.148	Active	Moloch
172.67.146.154	Active	Moloch
172.67.148.147	Active	Moloch
172.67.148.35	Active	Moloch
172.67.150.50	Active	Moloch
172.67.158.251	Active	Moloch
172.67.163.101	Active	Moloch
172.67.164.178	Active	Moloch
172.67.165.62	Active	Moloch
172.67.184.30	Active	Moloch
172.67.186.153	Active	Moloch
172.67.189.227	Active	Moloch
172.67.189.68	Active	Moloch
172.67.193.133	Active	Moloch
172.67.196.145	Active	Moloch
172.67.198.26	Active	Moloch
172.67.201.26	Active	Moloch
172.67.206.199	Active	Moloch
172.67.70.223	Active	Moloch
172.67.73.176	Active	Moloch
172.67.97.62	Active	Moloch
173.205.126.33	Active	Moloch
173.231.184.124	Active	Moloch
173.254.28.29	Active	Moloch
174.129.25.170	Active	Moloch
178.249.70.75	Active	Moloch
18.177.67.59	Active	Moloch
18.197.121.220	Active	Moloch
183.181.82.14	Active	Moloch
183.90.232.24	Active	Moloch
185.106.129.180	Active	Moloch
185.129.138.60	Active	Moloch
185.151.30.147	Active	Moloch
185.163.45.187	Active	Moloch
185.237.66.112	Active	Moloch
185.253.212.22	Active	Moloch
185.31.76.90	Active	Moloch
185.42.105.162	Active	Moloch
185.53.177.50	Active	Moloch
185.76.64.25	Active	Moloch
185.80.51.179	Active	Moloch
188.165.133.163	Active	Moloch
188.166.152.188	Active	Moloch
188.94.254.88	Active	Moloch
192.124.249.10	Active	Moloch
192.124.249.12	Active	Moloch
192.124.249.13	Active	Moloch
192.124.249.14	Active	Moloch
192.124.249.15	Active	Moloch
192.124.249.20	Active	Moloch
192.124.249.9	Active	Moloch
192.169.149.78	Active	Moloch
192.203.230.10	Active	Moloch
192.241.158.94	Active	Moloch
192.252.154.18	Active	Moloch
192.252.159.165	Active	Moloch
192.36.148.17	Active	Moloch
192.5.5.241	Active	Moloch
192.58.128.30	Active	Moloch
192.64.150.164	Active	Moloch
192.99.226.184	Active	Moloch
193.0.14.129	Active	Moloch
193.166.255.171	Active	Moloch
193.70.68.254	Active	Moloch
194.143.194.23	Active	Moloch
195.128.140.29	Active	Moloch
195.78.66.50	Active	Moloch
198.1.81.28	Active	Moloch
198.100.146.220	Active	Moloch
198.185.159.144	Active	Moloch
198.209.253.30	Active	Moloch
198.54.117.242	Active	Moloch
199.34.228.78	Active	Moloch
199.59.243.223	Active	Moloch
202.172.28.187	Active	Moloch
202.172.28.89	Active	Moloch
202.254.236.40	Active	Moloch
202.53.77.146	Active	Moloch
203.210.102.34	Active	Moloch
204.11.56.48	Active	Moloch
204.15.134.44	Active	Moloch
204.79.197.212	Active	Moloch
205.149.134.32	Active	Moloch
205.178.189.131	Active	Moloch
206.191.152.37	Active	Moloch
207.180.198.201	Active	Moloch
208.109.214.162	Active	Moloch
208.80.123.104	Active	Moloch
208.97.178.138	Active	Moloch
210.140.73.39	Active	Moloch
211.1.226.67	Active	Moloch
211.13.196.162	Active	Moloch
213.186.33.16	Active	Moloch
213.186.33.17	Active	Moloch
213.186.33.40	Active	Moloch
216.177.137.32	Active	Moloch
216.69.141.67	Active	Moloch
217.160.0.131	Active	Moloch
217.160.0.179	Active	Moloch
217.19.237.54	Active	Moloch
217.19.254.22	Active	Moloch
217.69.139.150	Active	Moloch
217.74.161.133	Active	Moloch
217.79.248.38	Active	Moloch
219.94.128.87	Active	Moloch
219.94.129.97	Active	Moloch
221.132.33.88	Active	Moloch
23.185.0.4	Active	Moloch
23.227.38.32	Active	Moloch
23.227.38.74	Active	Moloch
23.236.62.147	Active	Moloch
23.239.201.14	Active	Moloch
27.0.174.59	Active	Moloch
3.130.253.23	Active	Moloch
3.140.13.188	Active	Moloch
3.19.116.195	Active	Moloch
3.64.163.50	Active	Moloch
3.65.101.129	Active	Moloch
3.94.41.167	Active	Moloch
31.15.12.103	Active	Moloch
34.102.136.180	Active	Moloch
34.117.168.233	Active	Moloch
34.197.121.219	Active	Moloch
34.205.242.146	Active	Moloch
34.224.10.110	Active	Moloch
35.154.163.204	Active	Moloch
35.169.15.168	Active	Moloch
35.172.94.1	Active	Moloch
35.214.171.193	Active	Moloch
35.230.155.43	Active	Moloch
37.59.243.164	Active	Moloch
39.99.233.155	Active	Moloch
43.246.117.171	Active	Moloch
43.255.29.192	Active	Moloch
45.142.176.225	Active	Moloch
46.19.218.80	Active	Moloch
46.242.238.60	Active	Moloch
47.91.167.60	Active	Moloch
47.91.170.222	Active	Moloch
49.12.155.123	Active	Moloch
49.212.180.178	Active	Moloch
49.212.232.113	Active	Moloch
49.212.235.175	Active	Moloch
49.212.235.59	Active	Moloch
49.212.243.77	Active	Moloch
5.134.13.210	Active	Moloch
5.189.171.125	Active	Moloch
5.196.166.214	Active	Moloch
51.159.3.117	Active	Moloch
51.79.51.72	Active	Moloch
52.0.29.214	Active	Moloch
52.19.230.145	Active	Moloch
52.200.51.73	Active	Moloch
52.211.245.146	Active	Moloch
52.219.142.72	Active	Moloch
52.219.176.112	Active	Moloch
52.71.57.184	Active	Moloch
54.161.222.85	Active	Moloch
54.194.190.151	Active	Moloch
54.212.145.129	Active	Moloch
54.217.118.81	Active	Moloch
54.39.198.18	Active	Moloch
59.106.13.169	Active	Moloch
59.106.19.204	Active	Moloch
60.43.154.138	Active	Moloch
61.200.81.23	Active	Moloch
62.122.170.171	Active	Moloch
62.122.190.121	Active	Moloch
62.75.216.107	Active	Moloch
62.75.216.137	Active	Moloch
62.75.251.116	Active	Moloch
63.251.106.25	Active	Moloch
64.125.133.18	Active	Moloch
64.18.191.61	Active	Moloch
65.52.128.33	Active	Moloch
66.226.70.66	Active	Moloch
66.94.119.160	Active	Moloch
67.195.12.38	Active	Moloch
67.21.93.229	Active	Moloch
69.163.218.51	Active	Moloch
69.163.239.62	Active	Moloch
70.39.251.249	Active	Moloch
72.44.93.236	Active	Moloch
74.125.23.27	Active	Moloch
74.208.215.145	Active	Moloch
74.208.236.101	Active	Moloch
75.2.18.233	Active	Moloch
75.2.70.75	Active	Moloch
75.2.95.235	Active	Moloch
76.223.35.103	Active	Moloch
76.74.184.61	Active	Moloch
77.68.50.105	Active	Moloch
77.72.4.226	Active	Moloch
77.78.104.3	Active	Moloch
79.124.76.247	Active	Moloch
79.96.161.192	Active	Moloch
79.96.32.254	Active	Moloch
80.74.154.6	Active	Moloch
80.82.115.227	Active	Moloch
80.93.82.33	Active	Moloch
81.2.194.241	Active	Moloch
82.201.61.230	Active	Moloch
82.208.6.9	Active	Moloch
83.167.255.150	Active	Moloch
83.223.113.46	Active	Moloch
85.128.196.22	Active	Moloch
85.159.66.62	Active	Moloch
85.233.160.146	Active	Moloch
86.105.245.69	Active	Moloch
87.230.93.218	Active	Moloch
88.86.118.82	Active	Moloch
89.107.169.125	Active	Moloch
89.161.136.188	Active	Moloch
89.161.163.246	Active	Moloch
89.31.143.1	Active	Moloch
91.201.52.102	Active	Moloch
91.216.241.100	Active	Moloch
91.229.22.126	Active	Moloch
92.204.129.113	Active	Moloch
93.187.206.66	Active	Moloch
93.188.2.51	Active	Moloch
94.130.146.206	Active	Moloch
95.174.22.233	Active	Moloch
96.127.180.42	Active	Moloch
96.91.204.114	Active	Moloch
99.86.207.125	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49173 -> 3.19.116.195:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 172.67.73.176:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 172.67.198.26:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 118.27.125.181:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 104.21.88.198:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 80.93.82.33:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 34.117.168.233:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49192 -> 192.241.158.94:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 80.93.82.33:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 192.124.249.20:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 104.21.25.200:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 192.124.249.20:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 104.21.23.9:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 192.252.154.18:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 3.19.116.195:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49187 -> 104.21.1.213:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49190 -> 185.80.51.179:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 104.26.15.53:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49200 -> 80.74.154.6:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49200 -> 80.74.154.6:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 59.106.19.204:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49217 -> 210.140.73.39:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 172.67.73.176:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 70.39.251.249:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 3.94.41.167:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 104.21.25.200:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 70.39.251.249:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 142.250.66.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 172.67.165.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 3.94.41.167:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 62.122.190.121:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49196 -> 170.82.174.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49198 -> 66.94.119.160:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 213.186.33.17:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 192.124.249.10:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49193 -> 185.80.51.179:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49225 -> 13.248.169.48:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49198 -> 66.94.119.160:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49196 -> 170.82.174.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 192.124.249.10:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49203 -> 135.181.73.98:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49195 -> 188.165.133.163:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49238 -> 69.163.218.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49238 -> 69.163.218.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49240 -> 69.163.218.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49194 -> 89.161.163.246:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 3.64.163.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49195 -> 188.165.133.163:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49256 -> 211.1.226.67:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49256 -> 211.1.226.67:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49204 -> 39.99.233.155:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
UDP 192.168.56.103:53656 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
TCP 192.168.56.103:49203 -> 135.181.73.98:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49210 -> 3.130.253.23:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49192 -> 192.241.158.94:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49211 -> 104.26.3.124:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 62.122.190.121:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49233 -> 23.227.38.74:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 195.78.66.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49197 -> 206.191.152.37:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 206.191.152.37:80 -> 192.168.56.103:49197	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	A Network Trojan was detected
TCP 192.168.56.103:49272 -> 104.18.40.43:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49211 -> 104.26.3.124:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49222 -> 69.163.239.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49223 -> 3.140.13.188:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49227 -> 13.225.131.58:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49222 -> 69.163.239.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49202 -> 60.43.154.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49206 -> 202.254.236.40:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49290 -> 104.21.62.182:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49227 -> 13.225.131.58:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49206 -> 202.254.236.40:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49266 -> 173.254.28.29:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49293 -> 157.7.107.38:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49202 -> 60.43.154.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49313 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49201 -> 46.242.238.60:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49205 -> 213.186.33.40:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49207 -> 108.167.164.216:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49315 -> 104.26.2.14:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49208 -> 82.201.61.230:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49310 -> 23.185.0.4:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49209 -> 122.128.109.107:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49230 -> 188.166.152.188:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49207 -> 108.167.164.216:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49234 -> 104.196.26.65:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49205 -> 213.186.33.40:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49208 -> 82.201.61.230:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49235 -> 208.97.178.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49216 -> 81.2.194.241:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49235 -> 208.97.178.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49219 -> 3.140.13.188:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49214 -> 3.130.253.23:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49236 -> 208.109.214.162:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49234 -> 104.196.26.65:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49215 -> 51.79.51.72:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49367 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49218 -> 104.21.55.224:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49311 -> 37.59.243.164:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49213 -> 77.68.50.105:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49220 -> 217.19.237.54:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49221 -> 62.75.216.137:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49236 -> 208.109.214.162:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49216 -> 81.2.194.241:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49224 -> 107.180.98.101:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49317 -> 213.186.33.16:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49244 -> 162.43.120.128:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49381 -> 104.21.19.68:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49266 -> 173.254.28.29:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49330 -> 62.122.170.171:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49263 -> 34.197.121.219:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49243 -> 104.21.68.7:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49244 -> 162.43.120.128:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49264 -> 104.218.10.254:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49231 -> 72.44.93.236:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49228 -> 185.53.177.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49239 -> 5.196.166.214:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49287 -> 104.21.32.240:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49248 -> 74.208.236.101:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49347 -> 104.21.48.207:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49255 -> 99.86.207.125:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49255 -> 99.86.207.125:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49252 -> 93.187.206.66:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49212 -> 193.70.68.254:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
UDP 192.168.56.103:58829 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
TCP 192.168.56.103:49373 -> 172.67.150.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49343 -> 86.105.245.69:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49337 -> 95.174.22.233:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49213 -> 77.68.50.105:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49452 -> 91.229.22.126:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 94.130.146.206:443 -> 192.168.56.103:49457	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49229 -> 96.127.180.42:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49468 -> 172.67.143.148:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49226 -> 172.67.201.26:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49471 -> 199.59.243.223:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49229 -> 96.127.180.42:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49279 -> 67.21.93.229:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49323 -> 104.21.48.207:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49405 -> 172.67.148.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49304 -> 133.125.38.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49474 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49479 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49496 -> 151.101.2.132:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49491 -> 46.19.218.80:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49260 -> 103.224.212.221:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49506 -> 192.124.249.12:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49267 -> 157.112.182.239:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49512 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49365 -> 91.216.241.100:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49294 -> 183.90.232.24:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49312 -> 213.186.33.16:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 198.54.117.242:80 -> 192.168.56.103:49376	2527000	ET Threatview.io High Confidence Cobalt Strike C2 IP group 1	Misc Attack
TCP 192.168.56.103:49368 -> 198.185.159.144:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49364 -> 45.142.176.225:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49376 -> 198.54.117.242:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49358 -> 63.251.106.25:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49410 -> 104.21.19.68:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49284 -> 185.76.64.25:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49332 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49371 -> 185.31.76.90:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49396 -> 104.26.13.244:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49336 -> 52.71.57.184:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49363 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49366 -> 104.21.32.240:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49538 -> 104.21.32.240:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 35.214.171.193:443 -> 192.168.56.103:49545	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49237 -> 208.97.178.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49411 -> 104.21.32.240:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49259 -> 172.67.142.169:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49348 -> 172.67.146.154:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49289 -> 75.2.70.75:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49245 -> 104.21.79.244:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49288 -> 217.79.248.38:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49241 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49286 -> 173.205.126.33:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49245 -> 104.21.79.244:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49560 -> 49.212.243.77:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49241 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49247 -> 103.224.182.241:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49241 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49558 -> 23.236.62.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49241 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49241 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 63.251.106.25:80 -> 192.168.56.103:49358	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	A Network Trojan was detected
TCP 63.251.106.25:80 -> 192.168.56.103:49358	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	A Network Trojan was detected
TCP 192.168.56.103:49401 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49370 -> 27.0.174.59:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49407 -> 204.15.134.44:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49622 -> 202.172.28.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49635 -> 104.21.26.154:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49257 -> 172.67.70.223:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49638 -> 37.59.243.164:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49344 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
ICMP 192.168.56.103:None -> 164.124.101.2:None	2200076	SURICATA ICMPv4 invalid checksum	Generic Protocol Command Decode
TCP 192.168.56.103:49341 -> 172.67.196.145:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49449 -> 205.178.189.131:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49315 -> 104.26.2.14:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49462 -> 172.67.193.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49661 -> 23.185.0.4:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 185.237.66.112:443 -> 192.168.56.103:49454	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49656 -> 23.236.62.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49370 -> 27.0.174.59:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49477 -> 104.20.54.214:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49484 -> 35.214.171.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49675 -> 89.107.169.125:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49355 -> 77.78.104.3:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49716 -> 104.21.73.143:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49712 -> 89.161.136.188:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49725 -> 23.227.38.32:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49730 -> 52.71.57.184:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49265 -> 157.112.176.4:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49275 -> 35.172.94.1:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49276 -> 213.186.33.16:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49487 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49301 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49302 -> 198.185.159.144:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49299 -> 67.21.93.229:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49742 -> 204.15.134.44:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49435 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49530 -> 192.64.150.164:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 94.130.146.206:443 -> 192.168.56.103:49554	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49450 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 35.214.171.193:443 -> 192.168.56.103:49448	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49565 -> 104.21.43.163:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49456 -> 104.20.221.29:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49602 -> 75.2.70.75:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49451 -> 164.92.82.47:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49599 -> 23.239.201.14:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49613 -> 172.67.128.139:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49321 -> 135.125.108.170:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49395 -> 62.122.170.171:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49608 -> 89.31.143.1:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49605 -> 178.249.70.75:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49469 -> 133.125.38.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49624 -> 104.21.89.126:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49661 -> 23.185.0.4:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49379 -> 172.67.148.35:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49630 -> 104.21.234.121:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49643 -> 91.201.52.102:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49755 -> 103.224.212.222:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49654 -> 103.4.16.43:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49667 -> 23.236.62.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49465 -> 135.125.108.170:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49481 -> 172.67.186.153:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49698 -> 62.122.170.171:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49338 -> 95.174.22.233:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49737 -> 216.177.137.32:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49796 -> 108.170.12.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49360 -> 91.216.241.100:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49318 -> 104.21.26.154:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49345 -> 219.94.129.97:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49380 -> 192.124.249.15:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49387 -> 104.21.62.182:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49361 -> 18.197.121.220:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49406 -> 104.21.89.126:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49412 -> 172.67.164.178:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49393 -> 3.94.41.167:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49415 -> 94.130.146.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49745 -> 49.212.235.59:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49420 -> 172.67.148.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 185.237.66.112:443 -> 192.168.56.103:49482	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49441 -> 104.21.52.126:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49475 -> 104.21.43.163:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49428 -> 3.94.41.167:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49375 -> 109.71.54.22:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49426 -> 35.214.171.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49630 -> 104.21.234.121:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49759 -> 45.142.176.225:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49488 -> 52.211.245.146:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49445 -> 128.204.134.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49781 -> 27.0.174.59:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49716 -> 104.21.73.143:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49464 -> 59.106.13.169:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49504 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49391 -> 35.214.171.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49403 -> 3.64.163.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49411 -> 104.21.32.240:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49434 -> 157.7.107.88:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49873 -> 89.31.143.1:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49509 -> 208.80.123.104:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49446 -> 216.69.141.67:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49442 -> 94.130.146.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49447 -> 185.253.212.22:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49876 -> 108.170.12.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49875 -> 162.241.233.114:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49453 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49511 -> 52.19.230.145:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49380 -> 192.124.249.15:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49467 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49408 -> 75.2.18.233:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49486 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49492 -> 79.96.161.192:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49489 -> 94.130.146.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49424 -> 172.67.150.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49501 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49429 -> 104.21.26.154:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 94.130.146.206:443 -> 192.168.56.103:49502	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49421 -> 76.74.184.61:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49885 -> 64.18.191.61:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49515 -> 35.214.171.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49414 -> 195.128.140.29:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49461 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49698 -> 62.122.170.171:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49470 -> 35.214.171.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49476 -> 94.130.146.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49943 -> 49.212.180.178:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49278 -> 199.34.228.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 185.237.66.112:443 -> 192.168.56.103:49500	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49957 -> 202.172.28.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49516 -> 151.101.2.132:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49983 -> 172.67.143.148:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49514 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49525 -> 94.130.146.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.237.66.112:443 -> 192.168.56.103:49528	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49508 -> 93.188.2.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49544 -> 192.124.249.15:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49539 -> 94.130.146.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49552 -> 103.191.209.76:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49550 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.237.66.112:443 -> 192.168.56.103:49551	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49546 -> 193.70.68.254:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49937 -> 49.12.155.123:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49529 -> 35.214.171.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49523 -> 31.15.12.103:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49946 -> 198.54.117.242:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49533 -> 31.15.12.103:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49555 -> 135.125.108.170:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49561 -> 52.211.245.146:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49485 -> 89.31.143.1:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 35.214.171.193:443 -> 192.168.56.103:49497	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 185.237.66.112:443 -> 192.168.56.103:49579	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49521 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49593 -> 172.67.184.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49535 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49598 -> 133.125.38.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49606 -> 104.21.235.32:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49429 -> 104.21.26.154:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49566 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49604 -> 46.19.218.80:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49272 -> 104.18.40.43:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49571 -> 37.59.243.164:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49403 -> 3.64.163.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49621 -> 34.224.10.110:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49575 -> 23.236.62.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49612 -> 192.124.249.15:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49627 -> 88.86.118.82:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49584 -> 172.67.158.251:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49578 -> 35.172.94.1:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49640 -> 34.102.136.180:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49368 -> 198.185.159.144:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49634 -> 54.217.118.81:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49617 -> 136.243.147.81:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49585 -> 165.160.15.20:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49595 -> 35.230.155.43:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49619 -> 79.96.32.254:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49627 -> 88.86.118.82:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49625 -> 76.223.35.103:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49652 -> 92.204.129.113:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49655 -> 162.241.233.114:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49683 -> 203.210.102.34:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49690 -> 34.205.242.146:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49642 -> 62.122.170.171:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49650 -> 104.20.123.68:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49658 -> 63.251.106.25:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49341 -> 172.67.196.145:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49648 -> 172.67.97.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49587 -> 23.236.62.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49709 -> 219.94.128.87:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49609 -> 153.122.170.15:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49669 -> 52.19.230.145:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49677 -> 23.236.62.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49692 -> 104.26.1.82:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49685 -> 217.19.254.22:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49700 -> 198.185.159.144:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49702 -> 173.231.184.124:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49722 -> 174.129.25.170:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49727 -> 173.205.126.33:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49632 -> 95.174.22.233:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49741 -> 172.67.148.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49748 -> 159.89.244.183:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49663 -> 61.200.81.23:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49275 -> 35.172.94.1:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 173.231.184.124:80 -> 192.168.56.103:49702	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	A Network Trojan was detected
TCP 173.231.184.124:80 -> 192.168.56.103:49702	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	A Network Trojan was detected
TCP 192.168.56.103:49782 -> 103.191.209.76:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49785 -> 104.21.19.68:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49674 -> 47.91.167.60:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49800 -> 104.21.43.163:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49707 -> 136.243.147.81:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49825 -> 172.67.143.148:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49687 -> 104.21.8.75:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49717 -> 153.122.24.177:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49863 -> 77.72.4.226:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49729 -> 192.124.249.13:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49880 -> 104.21.79.166:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49697 -> 185.163.45.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49815 -> 202.172.28.89:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49764 -> 172.67.97.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49766 -> 172.67.148.35:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49931 -> 59.106.13.169:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49799 -> 89.161.136.188:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49891 -> 172.67.184.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49729 -> 192.124.249.13:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49836 -> 54.161.222.85:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49921 -> 104.26.1.82:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49883 -> 185.253.212.22:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49292 -> 154.213.117.166:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49736 -> 157.7.107.88:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49779 -> 15.197.142.173:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49794 -> 183.181.82.14:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49838 -> 104.21.77.146:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49839 -> 80.82.115.227:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49904 -> 172.67.158.251:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49903 -> 3.94.41.167:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49909 -> 192.124.249.9:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49508 -> 93.188.2.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49920 -> 54.39.198.18:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49964 -> 63.251.106.25:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49898 -> 85.159.66.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49911 -> 89.31.143.1:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49648 -> 172.67.97.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49938 -> 104.21.19.68:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49951 -> 205.178.189.131:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49459 -> 154.213.117.166:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49824 -> 154.213.117.166:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49986 -> 3.140.13.188:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49956 -> 199.34.228.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49189 -> 193.166.255.171:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49427 -> 205.178.189.131:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49971 -> 107.186.187.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49987 -> 164.92.82.47:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49425 -> 43.246.117.171:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49572 -> 85.159.66.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49636 -> 207.180.198.201:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49963 -> 154.213.117.166:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49974 -> 185.129.138.60:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49347 104.21.48.207:443	C=US, O=Let's Encrypt, CN=E1	CN=orlyhotel.com	e2:6a:a3:38:06:70:1a:37:9d:5b:43:8b:8b:80:2a:ca:c9:d1:f5:80
TLSv1 192.168.56.103:49452 91.229.22.126:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018	C=PL, ST=Mazowieckie, L=Warszawa, O=Komenda Glowna Policji, CN=*.policja.gov.pl	3d:fe:e4:18:9c:81:af:dd:a8:f5:e3:51:55:cb:6e:5e:89:7f:65:e2
TLSv1 192.168.56.103:49323 104.21.48.207:443	C=US, O=Let's Encrypt, CN=E1	CN=orlyhotel.com	e2:6a:a3:38:06:70:1a:37:9d:5b:43:8b:8b:80:2a:ca:c9:d1:f5:80
TLSv1 192.168.56.103:49462 172.67.193.133:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	28:54:2c:72:71:1b:3f:88:07:e2:1d:7b:6c:1b:7f:45:bc:7e:fe:1c
TLSv1 192.168.56.103:49412 172.67.164.178:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=clinicasanluis.com.co	2c:9b:70:ca:8b:31:34:df:fc:f9:d8:75:89:12:7f:09:c3:66:60:80
TLSv1 192.168.56.103:49441 104.21.52.126:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	04:c9:15:e0:a1:18:74:04:16:cb:98:fd:73:56:cf:7d:99:35:cb:75

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 31, 2023, 10:21 p.m.	computer_name: TEST22-PC	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptGenKey May 31, 2023, 10:21 p.m.	crypto_handle: 0x006135c0 algorithm_identifier: 0x00006801 (CALG_RC4) flags: 8388609 key: hõvy$Ö`ð¹;R provider_handle: 0x0066e9e8	1	1
CryptExportKey May 31, 2023, 10:21 p.m.	buffer: hõvy$Ö`ð¹;R crypto_handle: 0x006135c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey May 31, 2023, 10:21 p.m.	buffer: h¤âÛÖó\|ë÷4zÕ)ó0}lêöû¡+ly7È"wöçè¼ëîOêe»-ðÏ2VØÖ :d¶=&ÍÛ~©Ì¶gôD»\*I'nëf¥²³Ioáº!ò)m·bVå\|qnyë°§08 eûÕK crypto_handle: 0x006135c0 flags: 0 crypto_export_handle: 0x00613600 blob_type: 1	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 31, 2023, 10:21 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (50 out of 255 events)

suspicious_features	POST method with no referer header	suspicious_request	POST http://www.quadlock.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.dgmna.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.jenco.co.uk/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.baijaku.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.pdqhomes.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.olras.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.pr-park.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.valdal.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.alteor.cl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.elpro.si/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.tvtools.fi/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.iamdirt.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.wifi4all.nl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.fcwcvt.org/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.depalo.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.petsfan.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.credo.edu.pl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.otena.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.abdg.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.snugpak.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.item-pr.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.rs-ag.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.evcpa.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.synetik.net/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.hummer.hu/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.photo4b.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.nunomira.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.abart.pl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.xaicom.es/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.mqs.com.br/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.vazir.se/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.yocinc.org/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.crcsi.org/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.transsib.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.waldi.pl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.ora.ecnet.jp/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.t-tre.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.gpthink.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.ora-ito.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.naoi-a.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.aevga.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.nelipak.nl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.vitaindu.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.cokocoko.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.kernsafe.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.valselit.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.stnic.co.uk/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.holleman.us/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.edimart.hu/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.ex-olive.com/

Performs some HTTP requests (50 out of 260 events)

request	POST http://www.quadlock.com/
request	POST http://www.dgmna.com/
request	POST http://www.jenco.co.uk/
request	POST http://www.baijaku.com/
request	POST http://www.pdqhomes.com/
request	POST http://www.olras.com/
request	POST http://www.pr-park.com/
request	POST http://www.valdal.com/
request	POST http://www.alteor.cl/
request	POST http://www.elpro.si/
request	POST http://www.tvtools.fi/
request	POST http://www.iamdirt.com/
request	POST http://www.wifi4all.nl/
request	POST http://www.fcwcvt.org/
request	POST http://www.depalo.com/
request	POST http://www.petsfan.com/
request	POST http://www.credo.edu.pl/
request	POST http://www.otena.com/
request	POST http://www.abdg.com/
request	POST http://www.snugpak.com/
request	POST http://www.item-pr.com/
request	POST http://www.rs-ag.com/
request	POST http://www.evcpa.com/
request	POST http://www.synetik.net/
request	POST http://www.hummer.hu/
request	POST http://www.photo4b.com/
request	POST http://www.nunomira.com/
request	POST http://www.abart.pl/
request	POST http://www.xaicom.es/
request	POST http://www.mqs.com.br/
request	POST http://www.vazir.se/
request	POST http://www.yocinc.org/
request	POST http://www.crcsi.org/
request	POST http://www.transsib.com/
request	POST http://www.waldi.pl/
request	POST http://www.ora.ecnet.jp/
request	POST http://www.t-tre.com/
request	POST http://www.gpthink.com/
request	POST http://www.ora-ito.com/
request	POST http://www.naoi-a.com/
request	POST http://www.aevga.com/
request	POST http://www.nelipak.nl/
request	POST http://www.vitaindu.com/
request	POST http://www.cokocoko.com/
request	POST http://www.kernsafe.com/
request	POST http://www.valselit.com/
request	POST http://www.stnic.co.uk/
request	POST http://www.holleman.us/
request	POST http://www.edimart.hu/
request	POST http://www.ex-olive.com/

Sends data using the HTTP POST Method (50 out of 255 events)

request	POST http://www.quadlock.com/
request	POST http://www.dgmna.com/
request	POST http://www.jenco.co.uk/
request	POST http://www.baijaku.com/
request	POST http://www.pdqhomes.com/
request	POST http://www.olras.com/
request	POST http://www.pr-park.com/
request	POST http://www.valdal.com/
request	POST http://www.alteor.cl/
request	POST http://www.elpro.si/
request	POST http://www.tvtools.fi/
request	POST http://www.iamdirt.com/
request	POST http://www.wifi4all.nl/
request	POST http://www.fcwcvt.org/
request	POST http://www.depalo.com/
request	POST http://www.petsfan.com/
request	POST http://www.credo.edu.pl/
request	POST http://www.otena.com/
request	POST http://www.abdg.com/
request	POST http://www.snugpak.com/
request	POST http://www.item-pr.com/
request	POST http://www.rs-ag.com/
request	POST http://www.evcpa.com/
request	POST http://www.synetik.net/
request	POST http://www.hummer.hu/
request	POST http://www.photo4b.com/
request	POST http://www.nunomira.com/
request	POST http://www.abart.pl/
request	POST http://www.xaicom.es/
request	POST http://www.mqs.com.br/
request	POST http://www.vazir.se/
request	POST http://www.yocinc.org/
request	POST http://www.crcsi.org/
request	POST http://www.transsib.com/
request	POST http://www.waldi.pl/
request	POST http://www.ora.ecnet.jp/
request	POST http://www.t-tre.com/
request	POST http://www.gpthink.com/
request	POST http://www.ora-ito.com/
request	POST http://www.naoi-a.com/
request	POST http://www.aevga.com/
request	POST http://www.nelipak.nl/
request	POST http://www.vitaindu.com/
request	POST http://www.cokocoko.com/
request	POST http://www.kernsafe.com/
request	POST http://www.valselit.com/
request	POST http://www.stnic.co.uk/
request	POST http://www.holleman.us/
request	POST http://www.edimart.hu/
request	POST http://www.ex-olive.com/

Resolves a suspicious Top Level Domain (TLD) (6 events)

domain	bigzz.by	description	Belarus domain TLD
domain	skgm.ru	description	Russian Federation domain TLD
domain	cnti.krsn.ru	description	Russian Federation domain TLD
domain	shztm.ru	description	Russian Federation domain TLD
domain	mxs.mail.ru	description	Russian Federation domain TLD
domain	burstner.ru	description	Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 31, 2023, 10:20 p.m.	process_identifier: 2548 region_size: 581632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2023, 10:20 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 10:21 p.m.	process_identifier: 2548 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 10:21 p.m.	process_identifier: 2548 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2023, 10:21 p.m.	process_identifier: 2548 region_size: 22347776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

svchost.exe tried to sleep 436 seconds, actually delayed analysis time by 436 seconds

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\svchost.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (40 events)

Time & API	Arguments	Status	Return
Process32FirstW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: [System Process] process_identifier: 0	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: System process_identifier: 4	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: smss.exe process_identifier: 232	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: csrss.exe process_identifier: 308	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: wininit.exe process_identifier: 344	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: csrss.exe process_identifier: 356	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: services.exe process_identifier: 436	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: lsass.exe process_identifier: 452	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: lsm.exe process_identifier: 460	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 560	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 636	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 716	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 780	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 984	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 340	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 1888	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 1688	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: taskhost.exe process_identifier: 804	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: SearchProtocolHost.exe process_identifier: 652	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: SearchFilterHost.exe process_identifier: 300	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: 141.exe process_identifier: 1072	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: mscorsvw.exe process_identifier: 2204	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 2228	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: mscorsvw.exe process_identifier: 2284	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: sppsvc.exe process_identifier: 2464	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 2548	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: cmd.exe process_identifier: 2704	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: conhost.exe process_identifier: 2712	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 2736	1	1
Process32NextW May 31, 2023, 10:21 p.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 2752	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 31, 2023, 10:21 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00017c00', u'virtual_address': u'0x00069000', u'entropy': 7.475869441617574, u'name': u'.data', u'virtual_size': u'0x00019b40'}

entropy

7.47586944162

description

A section with a high entropy has been found

Yara rule detected in process memory (50 out of 67 events)

description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications smtp	rule	network_smtp_raw
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg

Connects to smtp.live.com, possibly for spamming or data exfiltration (1 event)

domain

smtp.live.com

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 97751a713ab1c071fe2a95e95ba6d2bd53539433
buffer	Buffer with sha1: d4c0e4a6a1a42545ce3453e7d7b56813f26a5e6b

Makes SMTP requests, possibly sending spam (35 events)

receiver

[]

sender

[]

server

66.226.70.66

receiver

[]

sender

[]

server

67.195.12.38

receiver

[]

sender

[]

server

91.216.241.100

receiver

[]

sender

[]

server

93.187.206.66

receiver

[]

sender

[]

server

77.72.4.226

receiver

[]

sender

[]

server

217.69.139.150

receiver

[]

sender

[]

server

192.252.159.165

receiver

[]

sender

[]

server

217.69.139.150

receiver

[]

sender

[]

server

23.239.201.14

receiver

[]

sender

[]

server

142.250.152.27

receiver

[]

sender

[]

server

217.69.139.150

receiver

[]

sender

[]

server

142.250.152.27

receiver

[]

sender

[]

server

202.53.77.146

receiver

[]

sender

[]

server

49.212.180.178

receiver

[]

sender

[]

server

74.125.23.27

receiver

[]

sender

[]

server

142.250.152.27

receiver

[]

sender

[]

server

74.125.23.27

receiver

[]

sender

[]

server

103.168.172.217

receiver

[]

sender

[]

server

74.125.23.27

receiver

[]

sender

[]

server

103.168.172.221

receiver

[]

sender

[]

server

103.168.172.221

receiver

[]

sender

[]

server

153.122.24.177

receiver

[]

sender

[]

server

153.120.34.73

receiver

[]

sender

[]

server

192.252.159.165

receiver

[]

sender

[]

server

103.4.16.43

receiver

[]

sender

[]

server

107.180.58.31

receiver

[]

sender

[]

server

89.161.136.188

receiver

[]

sender

[]

server

109.71.54.22

receiver

[]

sender

[]

server

108.170.12.50

receiver

[]

sender

[]

server

185.76.64.25

receiver

[]

sender

[]

server

59.106.13.169

receiver

[]

sender

[]

server

192.169.149.78

receiver

[]

sender

[]

server

173.205.126.33

receiver

[]

sender

[]

server

192.99.226.184

receiver

[]

sender

[]

server

185.163.45.187

Communicates with host for which no DNS query was performed (3 events)

host	153.120.34.73
host	198.1.81.28
host	211.13.196.162

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory May 31, 2023, 10:21 p.m.	process_identifier: 2752 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000170		3221225496
NtAllocateVirtualMemory May 31, 2023, 10:21 p.m.	process_identifier: 2752 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7e3f0000 allocation_type: 1060864 (MEM_COMMIT\|MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0x00000170	1	0
NtAllocateVirtualMemory May 31, 2023, 10:21 p.m.	process_identifier: 2752 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000170	1	0
NtAllocateVirtualMemory May 31, 2023, 10:21 p.m.	process_identifier: 2820 region_size: 22347776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000180	1	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 31, 2023, 10:21 p.m.	buffer: ?~ base_address: 0x7efde008 process_identifier: 2752 process_handle: 0x00000170	1	1	0

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
CrowdStrike	win/malicious_confidence_100% (W)
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:Trojan.Win32.Cutwail.gen
NANO-Antivirus	Virus.Win32.Gen.ccmw
Avast	FileRepMalware [Misc]
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.6bb40ed95f770955
ZoneAlarm	UDS:Trojan.Win32.Cutwail.gen
Microsoft	Trojan:Win32/TrickbotCrypt.SS!MTB
BitDefenderTheta	Gen:NN.ZexaF.36250.HuW@aK3RHxbi
VBA32	suspected of Trojan.Waledac
AVG	FileRepMalware [Misc]
Cybereason	malicious.f6bdeb
DeepInstinct	MALICIOUS

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	svchost.exe				useragent
process	svchost.exe				useragent	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 called NtSetContextThread to modify thread in remote process 2752
NtSetContextThread May 31, 2023, 10:21 p.m.	registers.eip: 2005598660 registers.esp: 2554424 registers.edi: 0 registers.eax: 2118081136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c8 process_identifier: 2752	1	0	0

Expresses interest in specific running processes (1 event)

process: potential process injection target

svchost.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 resumed a thread in remote process 2752
NtResumeThread May 31, 2023, 10:21 p.m.	thread_handle: 0x000000c8 suspend_count: 1 process_identifier: 2752	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (15 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 31, 2023, 10:21 p.m.	thread_identifier: 2756 thread_handle: 0x000000c8 process_identifier: 2752 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000170	1	1
NtAllocateVirtualMemory May 31, 2023, 10:21 p.m.	process_identifier: 2752 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000170		3221225496
NtAllocateVirtualMemory May 31, 2023, 10:21 p.m.	process_identifier: 2752 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7e3f0000 allocation_type: 1060864 (MEM_COMMIT\|MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0x00000170	1	0
WriteProcessMemory May 31, 2023, 10:21 p.m.	buffer: base_address: 0x7e3f0000 process_identifier: 2752 process_handle: 0x00000170	1	1
NtGetContextThread May 31, 2023, 10:21 p.m.	thread_handle: 0x000000c8	1	0
WriteProcessMemory May 31, 2023, 10:21 p.m.	buffer: ?~ base_address: 0x7efde008 process_identifier: 2752 process_handle: 0x00000170	1	1
NtSetContextThread May 31, 2023, 10:21 p.m.	registers.eip: 2005598660 registers.esp: 2554424 registers.edi: 0 registers.eax: 2118081136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c8 process_identifier: 2752	1	0
NtResumeThread May 31, 2023, 10:21 p.m.	thread_handle: 0x000000c8 suspend_count: 1 process_identifier: 2752	1	0
NtAllocateVirtualMemory May 31, 2023, 10:21 p.m.	process_identifier: 2752 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000170	1	0
WriteProcessMemory May 31, 2023, 10:21 p.m.	buffer: base_address: 0x04000000 process_identifier: 2752 process_handle: 0x00000170	1	1
CreateProcessInternalW May 31, 2023, 10:21 p.m.	thread_identifier: 2824 thread_handle: 0x0000017c process_identifier: 2820 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000180	1	1
NtAllocateVirtualMemory May 31, 2023, 10:21 p.m.	process_identifier: 2820 region_size: 22347776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000180	1	0
NtResumeThread May 31, 2023, 10:21 p.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 2820	1	0
NtResumeThread May 31, 2023, 10:21 p.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread May 31, 2023, 10:21 p.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 2264	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (50 out of 66 events)

dead_host	204.79.197.212:25
dead_host	54.212.145.129:25
dead_host	137.118.26.67:80
dead_host	62.75.251.116:80
dead_host	198.209.253.30:80
dead_host	157.7.231.224:25
dead_host	63.251.106.25:25
dead_host	192.168.56.103:49285
dead_host	34.224.10.110:25
dead_host	192.124.249.12:25
dead_host	198.209.253.30:25
dead_host	192.124.249.14:25
dead_host	221.132.33.88:80
dead_host	192.168.56.103:49280
dead_host	3.64.163.50:25
dead_host	172.67.97.62:25
dead_host	79.124.76.247:80
dead_host	104.21.79.166:25
dead_host	157.7.107.88:25
dead_host	172.67.186.153:25
dead_host	51.159.3.117:25
dead_host	62.75.251.116:25
dead_host	198.100.146.220:25
dead_host	211.13.196.162:25
dead_host	65.52.128.33:25
dead_host	23.185.0.4:25
dead_host	192.168.56.103:49925
dead_host	198.100.146.220:80
dead_host	172.67.189.227:25
dead_host	47.91.170.222:25
dead_host	192.168.56.103:49662
dead_host	192.168.56.103:49499
dead_host	217.19.254.22:25
dead_host	173.231.184.124:25
dead_host	52.219.176.112:25
dead_host	34.205.242.146:25
dead_host	87.230.93.218:80
dead_host	35.154.163.204:25
dead_host	3.94.41.167:25
dead_host	192.168.56.103:49283
dead_host	104.21.32.240:25
dead_host	185.253.212.22:25
dead_host	85.159.66.62:25
dead_host	185.129.138.60:25
dead_host	49.212.232.113:25
dead_host	96.91.204.114:80
dead_host	203.0.113.0:25
dead_host	35.169.15.168:80
dead_host	165.160.13.20:25
dead_host	185.151.30.147:25

141.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All