Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 6, 2023, 1:53 p.m.	Sept. 6, 2023, 1:56 p.m.

Size	6.4MB
Type	7-zip archive data, version 0.4
MD5	`1860765426cb420e321b2511a3c2652d`
SHA256	`834853673e1e591db871c7219900aa38081ac22502c43d93d884f2a640afc772`
CRC32	`33B75F42`
ssdeep	`196608:Fwf+yFSvNqMN4XqlxxInjA20Vzd558TLeHEl:OgOi+n3E5Kpl`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "cskhoxfkhlJcR" C:\Users\test22\AppData\Local\Temp\setup_pass.7z
3016
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\setup_pass.7z"
  2204

Name	Response	Post-Analysis Lookup
preconcert.pw	A 104.21.84.222 A 172.67.197.101	104.21.84.222
api.db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15
yandex.ru	A 5.255.255.77 A 77.88.55.88 A 77.88.55.60 A 5.255.255.70	77.88.55.88
twitter.com	A 104.244.42.193	104.244.42.129
ipinfo.io	A 34.117.59.81	34.117.59.81
hugersi.com	A 91.215.85.147	91.215.85.147
sso.passport.yandex.ru	A 213.180.204.24 CNAME passport.yandex.ru	213.180.204.24
telegram.org	A 149.154.167.99	149.154.167.99
agsnv.com	A 181.214.31.34	181.214.31.34
sun6-21.userapi.com	A 95.142.206.1	95.142.206.1
ralphkors.top	A 89.223.65.127	89.223.65.127
sun6-22.userapi.com	A 95.142.206.2	95.142.206.2
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18	23.67.53.27
sun6-23.userapi.com	A 95.142.206.3	95.142.206.3
dzen.ru	A 62.217.160.2	62.217.160.2
www.maxmind.com	A 104.18.145.235 A 104.18.146.235	104.18.145.235
iplis.ru	A 148.251.234.93	148.251.234.93
bitbucket.org	A 104.192.141.1	104.192.141.1
myfilebest.com	A 104.21.56.98 A 172.67.183.191	104.21.56.98
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.78 A 87.240.137.164 A 93.186.225.194 A 87.240.132.67	87.240.137.164
iplogger.org	A 148.251.234.83	148.251.234.83
sun6-20.userapi.com	A 95.142.206.0	95.142.206.0
ironhost.io	A 104.21.57.237 A 172.67.193.129	104.21.57.237
230809204625331.nes.dtf99.top	A 179.43.158.2	94.156.35.76
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	172.67.75.163
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.133.233

IP Address	Status	Action
104.18.145.235	Active	Moloch
104.192.141.1	Active	Moloch
104.21.56.98	Active	Moloch
104.21.84.222	Active	Moloch
104.244.42.193	Active	Moloch
104.26.4.15	Active	Moloch
104.26.5.15	Active	Moloch
121.254.136.18	Active	Moloch
148.251.234.83	Active	Moloch
148.251.234.93	Active	Moloch
149.154.167.99	Active	Moloch
162.159.129.233	Active	Moloch
164.124.101.2	Active	Moloch
172.67.193.129	Active	Moloch
172.67.75.163	Active	Moloch
172.67.75.166	Active	Moloch
176.123.9.142	Active	Moloch
179.43.158.2	Active	Moloch
181.214.31.34	Active	Moloch
185.225.73.32	Active	Moloch
193.42.32.118	Active	Moloch
194.169.175.128	Active	Moloch
194.169.175.232	Active	Moloch
213.180.204.24	Active	Moloch
34.117.59.81	Active	Moloch
45.15.156.229	Active	Moloch
45.9.74.80	Active	Moloch
5.255.255.77	Active	Moloch
51.89.253.22	Active	Moloch
62.217.160.2	Active	Moloch
77.91.68.238	Active	Moloch
87.121.221.58	Active	Moloch
87.240.132.67	Active	Moloch
87.240.132.78	Active	Moloch
89.223.65.127	Active	Moloch
91.215.85.147	Active	Moloch
94.142.138.113	Active	Moloch
94.142.138.131	Active	Moloch
94.156.253.187	Active	Moloch
95.142.206.0	Active	Moloch
95.142.206.1	Active	Moloch
95.142.206.2	Active	Moloch
95.142.206.3	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49174 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49179 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49173 -> 172.67.75.163:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49173 -> 172.67.75.163:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:65226 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49174 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49174 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
UDP 192.168.56.102:50014 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 162.159.129.233:80 -> 192.168.56.102:49192	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
UDP 192.168.56.102:58521 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 104.21.84.222:80 -> 192.168.56.102:49202	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49199 -> 104.21.84.222:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49199 -> 104.21.84.222:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49172 -> 94.142.138.113:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49178 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49178 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49181 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49205 -> 104.21.84.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49184 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49184 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49177 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49177 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49190 -> 104.192.141.1:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:80 -> 192.168.56.102:49190	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49200 -> 89.223.65.127:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.102:49200 -> 89.223.65.127:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.102:49186 -> 87.121.221.58:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.102:49186 -> 87.121.221.58:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49186 -> 87.121.221.58:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.102:49188 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.67:80 -> 192.168.56.102:49188	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49189 -> 162.159.129.233:80	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49194 -> 162.159.129.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49189 -> 162.159.129.233:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49194 -> 162.159.129.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49194 -> 162.159.129.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 162.159.129.233:80 -> 192.168.56.102:49189	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49189 -> 162.159.129.233:80	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49195 -> 162.159.129.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49195 -> 162.159.129.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49191 -> 162.159.129.233:80	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49191 -> 162.159.129.233:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.159.129.233:80 -> 192.168.56.102:49191	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49208 -> 89.223.65.127:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.102:49186 -> 87.121.221.58:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.102:49186 -> 87.121.221.58:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49186 -> 87.121.221.58:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.102:49210 -> 181.214.31.34:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49210 -> 181.214.31.34:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49195 -> 162.159.129.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 87.121.221.58:80 -> 192.168.56.102:49186	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 87.121.221.58:80 -> 192.168.56.102:49186	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 89.223.65.127:80 -> 192.168.56.102:49208	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 89.223.65.127:80 -> 192.168.56.102:49208	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 104.21.56.98:80 -> 192.168.56.102:49196	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 104.21.56.98:80 -> 192.168.56.102:49196	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49183 -> 94.156.253.187:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.102:49218	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49218 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49183 -> 94.156.253.187:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49183 -> 94.156.253.187:80	2016698	ET HUNTING Suspicious services.exe in URI	Potentially Bad Traffic
TCP 192.168.56.102:49191 -> 162.159.129.233:80	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 94.156.253.187:80 -> 192.168.56.102:49183	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 94.156.253.187:80 -> 192.168.56.102:49183	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49213 -> 181.214.31.34:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49201 -> 104.21.84.222:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49201 -> 104.21.84.222:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49194 -> 162.159.129.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49203 -> 181.214.31.34:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49203 -> 181.214.31.34:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49209 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49209 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.102:49227	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49185 -> 77.91.68.238:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 181.214.31.34:443 -> 192.168.56.102:49228	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49226 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49187 -> 194.169.175.232:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49215 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49220 -> 181.214.31.34:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49231 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49231 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.215.85.147:80 -> 192.168.56.102:49214	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49236 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49236 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49224 -> 181.214.31.34:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49235 -> 95.142.206.0:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49233 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49233 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49225 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49206 -> 104.192.141.1:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:80 -> 192.168.56.102:49206	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49211 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49211 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49216 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49232 -> 95.142.206.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49238 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49238 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49240 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49185 -> 77.91.68.238:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49187 -> 194.169.175.232:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 104.192.141.1:80 -> 192.168.56.102:49212	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 77.91.68.238:80 -> 192.168.56.102:49185	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.68.238:80 -> 192.168.56.102:49185	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 194.169.175.232:80 -> 192.168.56.102:49187	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.169.175.232:80 -> 192.168.56.102:49187	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.102:49222	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49222 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49249 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49248 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49248 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49234 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49234 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49243 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49253 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49237 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49256 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49256 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49242 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49242 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49245 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49245 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49251 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49251 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49252 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.67:80 -> 192.168.56.102:49252	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49254 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49254 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49267 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49267 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49264 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49241 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49241 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49259 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49247 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49247 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49271 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49275 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49246 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49246 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49273 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49286 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49286 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49286 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.102:49274 -> 95.142.206.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 176.123.9.142:14845 -> 192.168.56.102:49296	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 51.89.253.22:31098 -> 192.168.56.102:49297	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49279 -> 104.244.42.193:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49282 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49282 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49282 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49284 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49308 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.78:80 -> 192.168.56.102:49308	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49299 -> 62.217.160.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.83:443 -> 192.168.56.102:49312	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 51.89.253.22:31098 -> 192.168.56.102:49297	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.102:49302 -> 104.18.145.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49304 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 176.123.9.142:14845 -> 192.168.56.102:49296	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 148.251.234.93:443 -> 192.168.56.102:49307	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49257 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49263 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49316 -> 172.67.193.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49313 -> 193.42.32.118:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49318 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49319 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49319 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49326 -> 179.43.158.2:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.102:49326 -> 179.43.158.2:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.102:49320 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49326 -> 179.43.158.2:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.102:49320 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49334 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.9.74.80:80 -> 192.168.56.102:49320	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.9.74.80:80 -> 192.168.56.102:49320	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49332 -> 104.18.145.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49337 -> 94.156.253.187:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49337 -> 94.156.253.187:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 94.156.253.187:80 -> 192.168.56.102:49337	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 94.156.253.187:80 -> 192.168.56.102:49337	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49336 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49258 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49261 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49266 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49269 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49268 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49270 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 194.169.175.128:50500 -> 192.168.56.102:49276	2046266	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)	Malware Command and Control Activity Detected
TCP 149.154.167.99:443 -> 192.168.56.102:49277	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 194.169.175.128:50500 -> 192.168.56.102:49276	2046267	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49281 -> 172.67.75.163:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49281 -> 172.67.75.163:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49276 -> 194.169.175.128:50500	2046268	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49289 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49276 -> 194.169.175.128:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49292 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49292 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49292 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49292 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49276 -> 194.169.175.128:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49296 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49285 -> 5.255.255.77:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49278 -> 45.15.156.229:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49298 -> 185.225.73.32:44973	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.102:49298 -> 185.225.73.32:44973	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.102:49298 -> 185.225.73.32:44973	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.102:49298 -> 185.225.73.32:44973	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.102:49294 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.102:49306 -> 213.180.204.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.78:80 -> 192.168.56.102:49309	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49310 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49310 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.102:49310 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49300 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49314 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.169.175.232:45450 -> 192.168.56.102:49295	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49305 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49305 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:62197 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
UDP 192.168.56.102:51010 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49297 -> 51.89.253.22:31098	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49325 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.169.175.232:45450 -> 192.168.56.102:49295	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49328 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49322 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49322 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49322 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49321 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49324 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49324 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49295 -> 194.169.175.232:45450	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49321 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49327 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49292 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49194 -> 162.159.129.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49174 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 185.225.73.32:44973 -> 192.168.56.102:49298	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 185.225.73.32:44973 -> 192.168.56.102:49298	2046106	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49173 172.67.75.163:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49181 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49205 104.21.84.222:443	C=US, O=Let's Encrypt, CN=E1	CN=preconcert.pw	60:b2:a3:3e:2f:80:57:cd:6f:c1:a3:e9:b3:c6:cb:95:41:83:4a:64
TLSv1 192.168.56.102:49226 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49235 95.142.206.0:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49225 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49232 95.142.206.3:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49240 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49271 95.142.206.1:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49273 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49274 95.142.206.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49284 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49299 62.217.160.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.dzen.ru	6a:31:14:29:60:07:c9:c6:17:7b:d1:27:ad:53:57:ec:d8:c1:d8:d2
TLSv1 192.168.56.102:49257 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49263 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49316 172.67.193.129:443	C=US, O=Let's Encrypt, CN=E1	CN=ironhost.io	1f:0b:7a:47:6b:7f:71:b9:9c:82:0e:4f:f5:e8:7c:05:28:03:e7:8e
TLSv1 192.168.56.102:49334 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49336 95.142.206.1:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49261 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49266 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49269 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49268 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49281 172.67.75.163:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49285 5.255.255.77:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=*.xn--d1acpjx3f.xn--p1ai	e4:ba:b2:7f:bf:93:b8:22:10:26:70:37:9c:03:1a:9d:fb:23:17:24
TLSv1 192.168.56.102:49294 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49306 213.180.204.24:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=sso.passport.yandex.ru	f0:52:26:54:41:65:2b:6a:37:7b:c1:5b:de:9c:e9:d4:41:c6:81:2d
TLSv1 192.168.56.102:49300 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49314 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49325 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49328 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 6, 2023, 1:53 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 6, 2023, 1:53 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (21 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://94.142.138.113/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.113/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://94.156.253.187/download/Services.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://77.91.68.238/info/fotos894.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://87.121.221.58/g.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.169.175.232/autorun.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://94.156.253.187/download/Services.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://87.121.221.58/g.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://77.91.68.238/info/fotos894.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://194.169.175.232/autorun.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.15.156.229/api/tracemap.php
suspicious_features	Connection to IP address	suspicious_request	GET http://94.142.138.131/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://45.15.156.229/api/firegate.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.42.32.118/api/tracemap.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://45.9.74.80/ummaa.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://45.9.74.80/super.exe
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.131/api/firecom.php
suspicious_features	Connection to IP address	suspicious_request	GET http://45.9.74.80/super.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.9.74.80/ummaa.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://94.156.253.187/download/WWW14_n.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://94.156.253.187/download/WWW14_n.exe

Performs some HTTP requests (50 out of 60 events)

request	GET http://94.142.138.113/api/tracemap.php
request	POST http://94.142.138.113/api/firegate.php
request	HEAD http://94.156.253.187/download/Services.exe
request	HEAD http://77.91.68.238/info/fotos894.exe
request	HEAD http://87.121.221.58/g.exe
request	HEAD http://194.169.175.232/autorun.exe
request	HEAD http://myfilebest.com/order/set17.exe
request	HEAD http://ralphkors.top/calc2.exe
request	GET http://myfilebest.com/order/set17.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://ralphkors.top/calc2.exe
request	GET http://94.156.253.187/download/Services.exe
request	GET http://87.121.221.58/g.exe
request	GET http://77.91.68.238/info/fotos894.exe
request	GET http://194.169.175.232/autorun.exe
request	HEAD http://hugersi.com/dl/6523.exe
request	GET http://hugersi.com/dl/6523.exe
request	GET http://45.15.156.229/api/tracemap.php
request	GET http://94.142.138.131/api/tracemap.php
request	POST http://45.15.156.229/api/firegate.php
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	GET http://193.42.32.118/api/tracemap.php
request	HEAD http://45.9.74.80/ummaa.exe
request	HEAD http://45.9.74.80/super.exe
request	POST http://94.142.138.131/api/firecom.php
request	GET http://45.9.74.80/super.exe
request	GET http://45.9.74.80/ummaa.exe
request	HEAD http://230809204625331.nes.dtf99.top/f/fikim0809331.exe
request	GET http://230809204625331.nes.dtf99.top/f/fikim0809331.exe
request	HEAD http://94.156.253.187/download/WWW14_n.exe
request	GET http://94.156.253.187/download/WWW14_n.exe
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://preconcert.pw/setup294.exe
request	GET https://vk.com/doc44017378_668841700?hash=B7naXG9fPpueUKaZxzbzFzqgThiLopd9A232GVSoLbD&dl=VDCn0RuU4RRcIuzpA6hHZu4JCvVt7UCUAmWFRORbSKs&api=1&no_preview=1
request	GET https://vk.com/doc44017378_668679037?hash=6lxdrm9NUkSryZCfzYZn4zR2sOTXzaKgfQIcVCaPnvX&dl=FLqYTpktPSSWsXhtSyyzRawRyuZZexn7WIKXiXEZBv4&api=1&no_preview=1
request	GET https://sun6-23.userapi.com/c909618/u44017378/docs/d58/7bf5e3bbbea6/Synapse.bmp?extra=mzMMk3WSUR9nXjlWZ6cDWS8uZXnpeH5HFoj4k-neSMlSwedoZanNxQoG3h1Fl180ZYqPy_dIeBEOfQRiGTKUc2qv1mDlwQ6hq_BjfKmI04Adw-GHS1o0utmIeVwn4vFkEZ17GUfHoBCOUPhw
request	GET https://sun6-20.userapi.com/c909618/u44017378/docs/d36/4045d7e5e2af/PL_Client.bmp?extra=41RYXiYdonWnWPYwQIzl_E40YzLt9e-a585sYDB48TJ1guOgXM82khcH113VcyDUy1qRwuEub4FUsSEnl5OfhF82khtCO4eGvfgR1-OEX6MePbBwA6qux-eLDXjut3NIGwniEJcDMP8LnpSO
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request	GET https://vk.com/doc44017378_668916923?hash=sOYzznQFdvahBVyVjkbZnzPi3TCGlZg6RM6IHhJTZtL&dl=WPCbPohX0oULQzTqTTGTJNQWxrKyDARUvPHJcYJtGbP&api=1&no_preview=1#qq
request	GET https://sun6-23.userapi.com/c909218/u44017378/docs/d31/28287d82e701/3.bmp?extra=Eia0Z52O_QfMzxBphvQv2mAhSnbUD5gztBKz2S-85eW2DofIDB-aCKBuZ393oBZW0tDYKH9h7atpaV_aJBQybspAkUHNC-pEe72vNCg8Kk1iD_XA5Um1USzPPozdvJvAOg3vHT-D_AIed8L2
request	GET https://vk.com/doc44017378_668916984?hash=z1dD7zDOKf4ZPQJxQGiBgAjggkhOTKzwGcbzPqETlMz&dl=qmY4pwWN7rzbugtcn7O1yC8XQAj2CqQOYWt2YS9MT9s&api=1&no_preview=1#9f
request	GET https://sun6-23.userapi.com/c240331/u44017378/docs/d3/12830610f737/ResortedMetaphrase.bmp?extra=sJUz3R5N8E8T2U3-Oy6z6Gn4gPEMsBChQOzEqvJr5tl3sIwCWpIO_HTic5PfalDQbPCyxepzGd0O1Iq1W9y2aLpy91N7vAjZoAHfJCxaGS8jPoJgoJhoYvMfs3Q9JUjLDkS7cpeHQl7ZgZOs
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request	GET https://vk.com/doc44017378_668805679?hash=Pq8nRu8IL2bYqDVs2GPjMvpAFMOm04kusdFGQmRlGY0&dl=ns6C3Wug8h8cGKJrvWC9ONCmtSXnbVIqzmpprkB3Voz&api=1&no_preview=1#rise
request	GET https://sun6-20.userapi.com/c909228/u44017378/docs/d21/7ad101a96b02/RisePro_0_5_eM6kP0V0t0TJM31LPkFZ.bmp?extra=XXZOHqfnMq17vouPpzTFs3JuQrmoHXmTSMlflvAzh2GLImsRHfMz9eBd4CuMjz8ELbdw9smSs0DnbidzeGfroV0r-b9IgDwMl_TlfFZuryV19PDmHTTp_h0wGXPgYU4pHWQ3GNoEpMFPQLfl
request	GET https://vk.com/doc44017378_668790441?hash=ZAKf3wtiDekEKOwL5zOUpKlhs3NsBThU4THBbA9UjZ0&dl=tGcv3oqIrQKDSR0z8GXJxfn9P4s1HZm2ci3UQevYE7w&api=1&no_preview=1#test2
request	GET https://sun6-23.userapi.com/c240331/u44017378/docs/d40/efd676633f21/test2.bmp?extra=7Tl2Y-CX-JxiRCYulouwERP3ItXHBJDXxyoPj0iVEHSIa9hZ7xvFnG2fGentCZSFBhCQxO-UxYGoZHq-WfhVsGNzMCnfmCbfx4QRc17JBaevHEahprxnIt83DzE8XokOPOHZg2UjY8lhxjkL
request	GET https://vk.com/doc44017378_668685574?hash=2Z9kWDMxHv9Bg52ieOFMjjyZlIe2LzZhpXJtbJfi2jD&dl=MckLSTrLnFqxzbDQcQsY8zw8KxvNLWnEyU8AMbhyK6s&api=1&no_preview=1#WW1
request	GET https://sun6-21.userapi.com/c909628/u44017378/docs/d11/1a3013098cbf/WWW1.bmp?extra=xgcuwlyssMW5fhehD936AqhRSGL9n6WAhvJJzjwcFZ3WMiE8xWxO3qKhr9_8jnDUTj1l3e5eKgd9DPl2hGHNRQsMstXoksgW-4kZoEzSOKif1Txq8PmSgC4s2KKLAdrZ-IWl7XcwtYoplwO1

Sends data using the HTTP POST Method (4 events)

request	POST http://94.142.138.113/api/firegate.php
request	POST http://45.15.156.229/api/firegate.php
request	POST http://94.142.138.131/api/firecom.php
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (5 events)

ip	176.123.9.142
ip	185.225.73.32
ip	194.169.175.128
ip	194.169.175.232
ip	51.89.253.22

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

ralphkors.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 6, 2023, 1:53 p.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74002000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 6, 2023, 1:53 p.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73913000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zEC98A7B2B\File.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 6, 2023, 1:53 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW Sept. 6, 2023, 1:53 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (13 events)

host	176.123.9.142
host	185.225.73.32
host	193.42.32.118
host	194.169.175.128
host	194.169.175.232
host	45.15.156.229
host	45.9.74.80
host	51.89.253.22
host	77.91.68.238
host	87.121.221.58
host	94.142.138.113
host	94.142.138.131
host	94.156.253.187

setup_pass.7z

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All