Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | Sept. 13, 2023, 4:55 p.m. | Sept. 13, 2023, 4:58 p.m. |
IP Address | Status | Action |
---|---|---|
104.192.141.1 | Active | Moloch |
104.21.13.218 | Active | Moloch |
104.21.84.222 | Active | Moloch |
104.21.90.117 | Active | Moloch |
104.26.5.15 | Active | Moloch |
104.26.8.59 | Active | Moloch |
104.75.33.236 | Active | Moloch |
116.203.7.16 | Active | Moloch |
144.76.136.153 | Active | Moloch |
148.251.234.83 | Active | Moloch |
148.251.234.93 | Active | Moloch |
149.154.167.99 | Active | Moloch |
156.236.72.121 | Active | Moloch |
162.0.217.254 | Active | Moloch |
164.124.101.2 | Active | Moloch |
171.22.28.208 | Active | Moloch |
176.113.115.84 | Active | Moloch |
181.214.31.34 | Active | Moloch |
182.162.106.33 | Active | Moloch |
184.30.187.53 | Active | Moloch |
184.50.42.33 | Active | Moloch |
185.225.73.32 | Active | Moloch |
185.39.205.39 | Active | Moloch |
194.169.175.128 | Active | Moloch |
31.41.244.27 | Active | Moloch |
34.117.59.81 | Active | Moloch |
45.15.156.229 | Active | Moloch |
5.42.92.211 | Active | Moloch |
51.250.21.16 | Active | Moloch |
51.38.95.107 | Active | Moloch |
77.91.68.238 | Active | Moloch |
87.121.221.58 | Active | Moloch |
87.240.132.72 | Active | Moloch |
87.240.132.78 | Active | Moloch |
91.215.85.147 | Active | Moloch |
94.142.138.131 | Active | Moloch |
95.142.206.0 | Active | Moloch |
95.142.206.1 | Active | Moloch |
95.142.206.3 | Active | Moloch |
201.124.224.61 | Active | Moloch |
211.181.24.133 | Active | Moloch |
23.67.53.27 | Active | Moloch |
45.9.74.80 | Active | Moloch |
94.156.35.76 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49169 104.26.8.59:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65 |
TLSv1 192.168.56.102:49177 87.240.132.72:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09 |
TLSv1 192.168.56.102:49193 104.21.84.222:443 | C=US, O=Let's Encrypt, CN=E1 | CN=preconcert.pw | 60:b2:a3:3e:2f:80:57:cd:6f:c1:a3:e9:b3:c6:cb:95:41:83:4a:64 |
TLSv1 192.168.56.102:49227 87.240.132.72:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09 |
TLSv1 192.168.56.102:49228 87.240.132.72:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09 |
TLSv1 192.168.56.102:49230 95.142.206.1:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com | bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24 |
TLSv1 192.168.56.102:49233 95.142.206.0:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com | bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24 |
TLSv1 192.168.56.102:49248 87.240.132.72:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09 |
TLSv1 192.168.56.102:49229 87.240.132.72:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09 |
TLSv1 192.168.56.102:49252 87.240.132.72:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09 |
TLSv1 192.168.56.102:49253 87.240.132.72:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09 |
TLSv1 192.168.56.102:49256 95.142.206.3:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com | bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24 |
TLSv1 192.168.56.102:49257 87.240.132.72:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09 |
TLSv1 192.168.56.102:49258 95.142.206.3:443 | None | None | None |
TLSv1 192.168.56.102:49254 87.240.132.72:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09 |
TLSv1 192.168.56.102:49263 87.240.132.72:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09 |
TLSv1 192.168.56.102:49294 104.26.5.15:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5 |
TLSv1 192.168.56.102:49374 87.240.132.78:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09 |
TLSv1 192.168.56.102:49460 87.240.132.78:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09 |
TLSv1 192.168.56.102:49260 87.240.132.72:443 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com | 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09 |
TLSv1 192.168.56.102:49282 104.26.8.59:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65 |
TLSv1 192.168.56.102:49515 184.50.42.33:443 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA | unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com | b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5 |
TLS 1.2 192.168.56.102:49655 144.76.136.153:443 | C=US, O=Let's Encrypt, CN=R3 | CN=transfer.sh | 4b:77:1f:b2:fe:8e:4f:93:e4:34:20:28:f2:b6:7a:3a:ff:0f:d1:f6 |
Suspicious features | Suspicious request |
---|---|
Connection to IP address | GET http://94.142.138.131/api/tracemap.php |
POST method with no referer header, Connection to IP address | POST http://94.142.138.131/api/firegate.php |
Connection to IP address | HEAD http://171.22.28.208/download/Services.exe |
Connection to IP address | HEAD http://87.121.221.58/g.exe |
Connection to IP address | HEAD http://77.91.68.238/love/no230.exe |
Connection to IP address | GET http://171.22.28.208/download/Services.exe |
Connection to IP address | GET http://87.121.221.58/g.exe |
Connection to IP address | GET http://77.91.68.238/love/no230.exe |
Connection to IP address | GET http://176.113.115.84:8080/4.php |
Connection to IP address | GET http://45.15.156.229/api/tracemap.php |
POST method with no referer header, Connection to IP address | POST http://5.42.92.211/loghub/master |
POST method with no referer header, POST method with no useragent header | POST http://charlesjones.top/e9c345fc99a4e67e.php |
POST method with no referer header, POST method with no useragent header | POST http://worldtopnews.fun/c2conf |
POST method with no referer header, Connection to IP address | POST http://45.15.156.229/api/firegate.php |
Connection to IP address | HEAD http://45.9.74.80/super.exe |
Connection to IP address | HEAD http://45.9.74.80/ummaa.exe |
Connection to IP address | GET http://45.9.74.80/super.exe |
Connection to IP address | GET http://45.9.74.80/ummaa.exe |
POST method with no referer header, POST method with no useragent header, Connection to IP address | POST http://45.9.74.80/0bjdn2Z/index.php |
GET method with no useragent header, Connection to IP address | GET http://45.9.74.80/opaa37.exe |
Connection to IP address | GET http://116.203.7.16/7b01483643983171e949f923c5bc80e7 |
Connection to IP address | GET http://116.203.7.16/htdocs.zip |
GET method with no useragent header, Connection to IP address | GET http://45.9.74.80/toolspub2.exe |
GET method with no useragent header, Connection to IP address | GET http://45.9.74.80/31839b57a4f11171d6abc8bbc4451ee4.exe |
POST method with no referer header, Connection to IP address | POST http://116.203.7.16/ |
GET method with no useragent header | GET https://transfer.sh/get/uTWorMyudp/hgjjhlkgkl.exe |
request | GET http://94.142.138.131/api/tracemap.php |
request | POST http://94.142.138.131/api/firegate.php |
request | HEAD http://171.22.28.208/download/Services.exe |
request | HEAD http://87.121.221.58/g.exe |
request | HEAD http://77.91.68.238/love/no230.exe |
request | HEAD http://ji.alie3ksgbb.com/m/ela205.exe |
request | HEAD http://williecampbell.top/calc2.exe |
request | GET http://ji.alie3ksgbb.com/m/ela205.exe |
request | GET http://171.22.28.208/download/Services.exe |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
request | GET http://williecampbell.top/calc2.exe |
request | GET http://87.121.221.58/g.exe |
request | GET http://77.91.68.238/love/no230.exe |
request | HEAD http://hugersi.com/dl/6523.exe |
request | GET http://hugersi.com/dl/6523.exe |
request | GET http://176.113.115.84:8080/4.php |
request | GET http://45.15.156.229/api/tracemap.php |
request | GET http://worldtopnews.fun/ |
request | POST http://5.42.92.211/loghub/master |
request | POST http://charlesjones.top/e9c345fc99a4e67e.php |
request | GET http://worldtopnews.fun/login |
request | POST http://worldtopnews.fun/c2conf |
request | POST http://45.15.156.229/api/firegate.php |
request | HEAD http://45.9.74.80/super.exe |
request | HEAD http://45.9.74.80/ummaa.exe |
request | GET http://45.9.74.80/super.exe |
request | GET http://45.9.74.80/ummaa.exe |
request | HEAD http://230907161118223.nmr.xrm42.top/f/fikim0907223.exe |
request | GET http://230907161118223.nmr.xrm42.top/f/fikim0907223.exe |
request | GET http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true |
request | GET http://colisumy.com/dl/build2.exe |
request | GET http://zexeq.com/files/1/build3.exe |
request | POST http://45.9.74.80/0bjdn2Z/index.php |
request | GET http://45.9.74.80/opaa37.exe |
request | GET http://116.203.7.16/7b01483643983171e949f923c5bc80e7 |
request | GET http://116.203.7.16/htdocs.zip |
request | GET http://45.9.74.80/toolspub2.exe |
request | GET http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=LHNMv561Ao9oyPaxqTAOF0Ae.exe&platform=0009&osver=5&isServer=0 |
request | GET http://45.9.74.80/31839b57a4f11171d6abc8bbc4451ee4.exe |
request | POST http://116.203.7.16/ |
request | GET https://api.myip.com/ |
request | GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 |
request | GET https://preconcert.pw/setup294.exe |
request | GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats |
request | GET https://vk.com/doc17799268_667301259?hash=mz2nLKvo6dt1uE06v4jRORCgXO1tbK1pSlJhEfMFJco&dl=vkt89M90dzWpJZ9hvFWUTeZuZHqaxeSpP8mP7ffY8Z0&api=1&no_preview=1 |
request | GET https://sun6-21.userapi.com/c235131/u17799268/docs/d34/20a2f6c4d3f4/d3232adg.bmp?extra=suUcIL34C8tZuA415Q8lnsWylAKtf3SORQHWwTtRCAhor9Xh31vJ6M2BmK67YddRXGwiLAW0jvq_FoA4Id_CzGfizeXTtd7lsFd1NrUnyhtFzoxZ9_XyQPBa1ZY9ol22CvDvWfKJysaOOqpn |
request | GET https://vk.com/doc17799268_667281004?hash=xOqcu1ZGarivubW5PP3sEBGynm7PLhU3P4kzSjNpUgz&dl=BDGaIhRFJdbZh0HkjSHVN3oPAh2dusZaaZGmKdcx4h8&api=1&no_preview=1#1 |
request | GET https://sun6-20.userapi.com/c237331/u17799268/docs/d32/20d06de2d171/crypted.bmp?extra=Ix6P6PHPTaU-Y3IcBr-4XYzVARL6dIIfwVgGD1PgAHnQ8YE8I6mxpzvBb8ZC-5spd3ReZ1Yx-dQbztud3MKZLNEYdKKzb49L34FiqbZHziCi8D6pAzz-wEYZ9qJs6eJrhDDttVXq_XHjBjXh |
request | GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test |
request | GET https://vk.com/doc44017378_669136690?hash=E5ro6HNAOZHVOgZiTIDkvKctXbILQ0zBBx6f8KGt5e8&dl=qG39A2bhq4t9EZmEY5oWbCHZP2L9kp7Offbq4R5FDD0&api=1&no_preview=1#test2 |
request | POST http://94.142.138.131/api/firegate.php |
request | POST http://5.42.92.211/loghub/master |
request | POST http://charlesjones.top/e9c345fc99a4e67e.php |
request | POST http://worldtopnews.fun/c2conf |
request | POST http://45.15.156.229/api/firegate.php |
request | POST http://45.9.74.80/0bjdn2Z/index.php |
request | POST http://116.203.7.16/ |
Domain | Description |
---|---|
preconcert.pw | Palau domain TLD |
iplis.ru | Russian Federation domain TLD |
charlesjones.top | Generic top level domain TLD |
williecampbell.top | Generic top level domain TLD |
230907161118223.nmr.xrm42.top | Generic top level domain TLD |
ipinfo.io | |
host | 116.203.7.16 |
host | 171.22.28.208 |
host | 176.113.115.84 |
host | 184.30.187.53 |
host | 185.225.73.32 |
host | 194.169.175.128 |
host | 31.41.244.27 |
host | 45.15.156.229 |
host | 5.42.92.211 |
host | 51.38.95.107 |
host | 77.91.68.238 |
host | 87.121.221.58 |
host | 94.142.138.131 |
host | 45.9.74.80 |
dead_host | 192.168.56.102:49414 |
dead_host | 192.168.56.102:49988 |
dead_host | 192.168.56.102:49427 |
dead_host | 192.168.56.102:49455 |
dead_host | 192.168.56.102:49607 |
dead_host | 192.168.56.102:49905 |
dead_host | 192.168.56.102:49629 |
dead_host | 192.168.56.102:49441 |
dead_host | 192.168.56.102:49734 |
dead_host | 192.168.56.102:50011 |
dead_host | 192.168.56.102:49348 |
dead_host | 192.168.56.102:49336 |
dead_host | 192.168.56.102:49777 |
dead_host | 192.168.56.102:49392 |
dead_host | 192.168.56.102:49482 |
dead_host | 192.168.56.102:49967 |
dead_host | 192.168.56.102:49883 |
dead_host | 192.168.56.102:49510 |
dead_host | 192.168.56.102:49470 |
dead_host | 192.168.56.102:50044 |
dead_host | 192.168.56.102:49670 |
dead_host | 192.168.56.102:49692 |
dead_host | 192.168.56.102:49756 |
dead_host | 192.168.56.102:49587 |
dead_host | 185.39.205.39:443 |
dead_host | 192.168.56.102:49326 |
dead_host | 192.168.56.102:49927 |
dead_host | 192.168.56.102:49404 |
dead_host | 192.168.56.102:49381 |
dead_host | 192.168.56.102:49840 |
dead_host | 192.168.56.102:49535 |
dead_host | 192.168.56.102:49564 |
dead_host | 176.113.115.84:80 |
dead_host | 192.168.56.102:49819 |
dead_host | 31.41.244.27:41140 |
dead_host | 192.168.56.102:49713 |
dead_host | 192.168.56.102:49946 |
dead_host | 192.168.56.102:49496 |
dead_host | 192.168.56.102:49648 |
dead_host | 192.168.56.102:49524 |
dead_host | 192.168.56.102:49184 |
dead_host | 192.168.56.102:49799 |
dead_host | 192.168.56.102:49861 |
dead_host | 192.168.56.102:49307 |
dead_host | 192.168.56.102:50032 |
dead_host | 192.168.56.102:49366 |