Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 15, 2023, 5:25 p.m.	Sept. 15, 2023, 5:27 p.m.

Size	198.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a64a886a695ed5fb9273e73241fec2f7`
SHA256	`563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144`
CRC32	`C2E57BBA`
ssdeep	`3072:lWgR9+o+G2K47yLk6E9EzwHxFTTDYUSNt2kLu5gf7or7wy+wXRcWfnPjt:lWu+5a4ukZSwH/TT2NE4u5gTovv`
PDB Path	D:\Mktmp\Amadey\Release\Amadey.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer OS_Processor_Check_Zero - OS Processor Check

Rocks.exe "C:\Users\test22\AppData\Local\Temp\Rocks.exe"
1440
- oneetx.exe "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe"
  2200
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
    2268
  - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
    2328
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2428
    - cacls.exe CACLS "oneetx.exe" /P "test22:N"
      2468
    - cacls.exe CACLS "oneetx.exe" /P "test22:R" /E
      2520
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2568
    - cacls.exe CACLS "..\207aa4515d" /P "test22:N"
      2604
    - cacls.exe CACLS "..\207aa4515d" /P "test22:R" /E
      2676
  - ss41.exe "C:\Users\test22\AppData\Local\Temp\1000468001\ss41.exe"
    2756
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
z.nnnaajjjgc.com	A 156.236.72.121	156.236.72.121

IP Address	Status	Action
156.236.72.121	Active	Moloch
164.124.101.2	Active	Moloch
5.42.65.80	Active	Moloch
95.214.27.254	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 156.236.72.121:443 -> 192.168.56.103:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49198	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49192 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49209 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49194	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49213 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49204 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49208 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49212 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49214	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49206	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49219	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49218 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49227	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49221 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49177 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49234 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49235	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49237 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49239	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49258 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49189 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49263	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49202	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49222 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49205 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49210	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49266 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49226 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49273 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49233 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49230 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49243	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49274 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49262 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49245 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49294 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49265 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49295	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49253 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49269 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49298 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49278 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49275	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49301 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49279	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49281 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49310 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 5.42.65.80:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.103:49283	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49291	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49322 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49327 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49314 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49352 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49282 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49356 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49326 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49331 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49361	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49285 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49351 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49363 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49353	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49365	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49383 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49286 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49385	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49372 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49379 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49289 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49391 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49393	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49315 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49316	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49396 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49428 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49319 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49445	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49404 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49330 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49452 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49409	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49464 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49469	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49411 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49473	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49421	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49423 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49348 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49427 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49441	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49475 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49480 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49448 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49485	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49463 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49355 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49492 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49468 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49493 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49484 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49357	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49494	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49487 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49498	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49490	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49508 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49188 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49524 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49190	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49496 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49529 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49521 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49568 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49533 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49573 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49545 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49600 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49548 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49549 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49605 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49550	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49621 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49553 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49626	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49565 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49576 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49578	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49367 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49581 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49588 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49373	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49590	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49376 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49606	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49608 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49395 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49616 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49405	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49622	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49408 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49633 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49419 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49429	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49433	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49644 -> 5.42.65.80:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.103:49666 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49674 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49629 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49651 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49703 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49652	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49656	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49688	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49706 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49692	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49694 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49193 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49698 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49196 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49699 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49216 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 5.42.65.80:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 5.42.65.80:80	2044695	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 5.42.65.80:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49723 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49254 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49746 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 5.42.65.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49225 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49231	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49715 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49238 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49750 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49724	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 5.42.65.80:80 -> 192.168.56.103:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.42.65.80:80 -> 192.168.56.103:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 5.42.65.80:80 -> 192.168.56.103:49172	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49241 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49778 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49782 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49246 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49786 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49787 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49250 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49255	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49791 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49726 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49792	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49261 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49267	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49798 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49271	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49799 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49277 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49731 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49811 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49290 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49827 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49304	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49829	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49335 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49841	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49738 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49259	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49337	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49341	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49347 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49359 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49743 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49368 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49369	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49371 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49375 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49747 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49384 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49387 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49388 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49754 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49389	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49399 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49403 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49407 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49758 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49412 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49431 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49437	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49440 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49768	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49451 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49456 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49461	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49488 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49287	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49770 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49297 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49312	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49318 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49339 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49340 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49343 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49775 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49796	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49800	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49344 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49436 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49439 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49449	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49455 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49457	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49817	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49476 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49477	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49501 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49509 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49844 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49852 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49500 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49345	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49525 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49349	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49360 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49364 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49381	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49538	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49392 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49397	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49400 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49413	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49417	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49420 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49459 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49460 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49471 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49472 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49483 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49502	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49506	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49510	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49512 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49514	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49520 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49526	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49528 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49552 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49569 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49540 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49574	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49556 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49572 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49580 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49597 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49584 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49585 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49614	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49594	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49618	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49630	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49617 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49632 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49624 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49634	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49625 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49638	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49628 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49640 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49637 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49646 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49659 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49650 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49662 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49655 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49680	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49658 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49660	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49695 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49668	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49704	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49670 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49821	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49824 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49831 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49839 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49676	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49517 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49530	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49682 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49684	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49536 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49700	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49544 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49702 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49716	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49719 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49722 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49727 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49739 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49742 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49744	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49710 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49755 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49759 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49748	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49762 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49783 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49788	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49751 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49803 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49808 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49186	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49820 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49763 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49845	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49847 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49197 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49546	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49766 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49554	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49784	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49200 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49557 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49201 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49560 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49794 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49561 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49562	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49223	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49564 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49795 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49566	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49570	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49229 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49582	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49802 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49589 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49813	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49242 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49592 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49247	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49593 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49815 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49601 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49610	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49249 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49612 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49819 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49620 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49825	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49251	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49636 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49641 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49642	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49828 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49257 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49645 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49270 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49654 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49853	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49664	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49671 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49293 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49299	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49678 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49711 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49302 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49718 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49306 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49728	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49307 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49308	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49734 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49735 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49311 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49740	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49320	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49760	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49323 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49764	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49324	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49772	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49328	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49332	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49336 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49377	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49774 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49776	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49380 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49779 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49401	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49805	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49415 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49812 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49416 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49823 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49424 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49832 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49425	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49837	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49432 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49840 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49435 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49843 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49443 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49848 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49444 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49849	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49447 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49851 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49453	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49465	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49467 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49479 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49481	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49497 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49504 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49505 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49513 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49516 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49518	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49522	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49532 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49534	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49537 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49541 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49542	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49558	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49577 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49586	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49596 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49598	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49602	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49604 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49609 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49613 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49647	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49663 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49667 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49672	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49675 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49679 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49683 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49686 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49687 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49690 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49691 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49696	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49707 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49708	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49712	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49714 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49720	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49730 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49732	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49736	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49752	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.103:49756	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49767 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49771 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49780	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49790 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49807 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49809	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49816 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:443 -> 192.168.56.103:49833	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49835 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49836 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49860 -> 156.236.72.121:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 15, 2023, 5:25 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 15, 2023, 5:25 p.m.	buffer: SUCCESS: The scheduled task "oneetx.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Sept. 15, 2023, 5:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Sept. 15, 2023, 5:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Sept. 15, 2023, 5:25 p.m.	buffer: r console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Mktmp\Amadey\Release\Amadey.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 15, 2023, 5:25 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://5.42.65.80/8bmeVwqx/index.php
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://5.42.65.80/ss41.exe

Performs some HTTP requests (2 events)

request	POST http://5.42.65.80/8bmeVwqx/index.php
request	GET http://5.42.65.80/ss41.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://5.42.65.80/8bmeVwqx/index.php

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 15, 2023, 5:25 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 15, 2023, 5:25 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000067f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 15, 2023, 5:25 p.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000ff695000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\1000468001\ss41.exe

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe
file	C:\Users\test22\AppData\Local\Temp\1000468001\ss41.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 15, 2023, 5:25 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe	1	1
ShellExecuteExW Sept. 15, 2023, 5:25 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Sept. 15, 2023, 5:25 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW Sept. 15, 2023, 5:25 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000468001\ss41.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000468001\ss41.exe	1	1

An executable file was downloaded by the process oneetx.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Sept. 15, 2023, 5:25 p.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $7ÉàY×ÉàY×ÉàY×ÀÝ×ÍàY×ÀÌ×ËàY×ÀÊ×ÐàY×ÉàX×càY×ÀÚ×ßàY×ÀÓ×ÃàY×ÀÍ×ÈàY×ÀÈ×ÈàY×RichÉàY×PEdÉ[Jð" ~ÌsN@ ~°ä¼ p °À.textx}~ `.dataH@À.pdata @@.rsrcÀ°¾@@.relocÌpF@BkÞ[Jxßß[J+à[Jß[Jà[J¦¾ß[J±+à[J+à[Jà[J¼à[JÆYà[JÓgÞ[JßTà[Jìà[JøADVAPI32.dllKERNEL32.dllNTDLL.DLLGDI32.dllUSER32.dllmsvcrt.dllole32.dllOLEAUT32.dllSHLWAPI.dllCOMCTL32.dllSHELL32.dllVSSAPI.DLLðóÿ ¿òÿóÿÐÂòÿÐòÿø[$zÿ &zÿÀ&zÿÜ3zÿ\|ü#zÿê&zÿP&×ÿ°5×ÿ@×ÿ@×ÿ×ÿxv×ÿà(ÔxÀSÓxÐbÓx`MÓxtÒxbÓxÆÖx°éÓxÐ\Óx°\Óx`-Ôxp,Ôx°SÓxp(Ôx ×xpÔx@)Ôxð\ÓxÀÔx°VÓx,Ôx(Ôx0åÒxàÔx bÓx`!Ôx4Ôx°±Òx°2Ôx þÓx¼Öx0»ÖxÐºÖx ÛxþÓx°ÁÖx°ÔxàÔx°ïÓxÔxÓxpêx Ùxvÿ vÿðvÿ(UxÿÀû¥xÿxÿð±xÿþtÿ$Ðtÿ,-tÿt²tÿ,tÿ$Àtÿ÷tÿ¤¬tÿ'tÿäÉx0FÃxPýÂx¨ÃxXÛÂxvÄxÐÄx°õÂx\|¦ÂxÃx¼#Ãx@8Ãxp¹ÃxðÐÂx8ÃxÁÃx°Ãx´§ÃxÄx ÃxÆÃx½ÃxpºÃx¤Ãx`ÿÂx8Ãx ÄxøÂxà{ÃxT¶ÃxÔÃxøÄxx\fyÿÜfyÿ°juÿ\|suÿsuÿpªluÿjuÿÚpuÿ`ÂnuÿðDjuÿôjuÿ@Fkuÿ4Ânuÿ nuÿ¬Pæx°±juÿ\/juÿôNluÿ@2juÿpêx ÿéxðêx°ÍéxP>ôxÀêxpbzÿLæazÿPbzÿHazÿ bzÿ bzÿÐbzÿ0p4r sÉ[J%ÐÐp-bVh`Dá¨!´Ka3ynÆsÐiªD)'RÎÚÑ _¾ºã·³MÒ²ÙÀOì*'UËBÎ5ªK¸QÀFSAGESETSAGERUNTUNEUPVERYLOWDISKLOWDISKSETUP/HELP/H/h/?-?/USAGE-H-hrunasLocal\Cleanmgr: Instance eventUSAGEcleanmgr [/SAGESET:n \| /SAGERUN:n \| TUNEUP:n \| /LOWDISK \| /VERYLOWDISK \| /SETUP]NoRemovePageUninstall%s <A HREF="">%s</A>(null)Ðmshelp://windows/?id=1264bc24-72a8-48aa-84e3-a355327139d9DISK_CLEANUP_HELP_BUTTONsrclient.dllMicrosoft.ProgramsAndFeaturesçXì¡Ù±^ V¿æîXì¡Ù±^ V¿æîbØÑÞfôM¿lV!jñSoftware\Microsoft\Windows\CurrentVersion\Explorer\VolumeCachesPropertyBagdisplayDescriptionAdvancedButtonTextPriorityStateFlags%s%04dIconPathCLSID\%s\DefaultIcon¬f(g<ggÐgC:\RSDS>@ÜíMFU@lôcleanmgr.pdb@SUVWATHì0HöuH3ÄHD$(3ÀHúE3äHoúÿÿIèHÙfDd$ D$"fD$&E ÿùöÿÿHðI;ÄtdH BúÿÿÿõÿÿA\$HcÈHNfD9 t>f8:u8HÀIÔëfù tHú}fLT HÀHÓ·fA;ÌußHL$ ÿöÿÿEé=HîùÿÿHËÿ}öÿÿHðI;ÄthH Öùÿÿÿ õÿÿ»HcÈHNfD9 t>f8:u8H\$H\| request_handle: 0x00cc000c	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

Communicates with host for which no DNS query was performed (2 events)

host	5.42.65.80
host	95.214.27.254

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

Network activity contains more than one unique useragent (2 events)

process	oneetx.exe				useragent
process	ss41.exe				useragent	HTTPREAD

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	cmd /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "test22:N"&&CACLS "..\207aa4515d" /P "test22:R" /E&&Exit
cmdline	CACLS "oneetx.exe" /P "test22:R" /E
cmdline	CACLS "oneetx.exe" /P "test22:N"
cmdline	CACLS "..\207aa4515d" /P "test22:R" /E
cmdline	CACLS "..\207aa4515d" /P "test22:N"

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

95.214.27.254:80

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)

Bkav	W32.Common.32BE4780
Lionic	Trojan.Win32.Convagent.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader45.57899
MicroWorld-eScan	Gen:Variant.Doina.59562
FireEye	Generic.mg.a64a886a695ed5fb
CAT-QuickHeal	Trojan.GenericRI.S30172984
ALYac	Gen:Variant.Doina.59562
Malwarebytes	Trojan.Downloader
Zillya	Downloader.Amadey.Win32.244
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 0057994f1 )
Alibaba	TrojanSpy:Win32/Stealer.1f4ad034
K7GW	Trojan-Downloader ( 0057994f1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Doina.DE8AA
BitDefenderTheta	AI:Packer.BE64CF3F1F
VirIT	Trojan.Win32.Genus.RCU
Cyren	W32/Amadey.C1.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.A
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Malware.Doina-10001799-0
Kaspersky	HEUR:Trojan-Spy.Win32.Stealer.gen
BitDefender	Gen:Variant.Doina.59562
NANO-Antivirus	Trojan.Win32.Stealer.jygpbq
Avast	Win32:BotX-gen [Trj]
Tencent	Trojan-DL.Win32.Deyma.kbw
Emsisoft	Gen:Variant.Doina.59562 (B)
F-Secure	Trojan.TR/AD.Nekark.amrbc
VIPRE	Gen:Variant.Doina.59562
TrendMicro	Trojan.Win32.AMADEY.YXDFGZ
McAfee-GW-Edition	BehavesLike.Win32.Downloader.ch
Trapmine	suspicious.low.ml.score
Sophos	Mal/Amadey-C
Ikarus	Trojan-Downloader.Win32.Amadey
Webroot	W32.Trojan.Amadey
Avira	TR/AD.Nekark.amrbc
Antiy-AVL	Trojan[Downloader]/Win32.Amadey
Gridinsoft	Ransom.Win32.Sabsik.ca
Xcitium	Malware@#2qbmiqywvx3tl
Microsoft	Trojan:Win32/Amadey!MTB
ZoneAlarm	HEUR:Trojan-Spy.Win32.Stealer.gen
GData	Win32.Trojan-Downloader.Amadey.D
Google	Detected
AhnLab-V3	Trojan/Win.Amadey.R586656
McAfee	Downloader-FCND!A64A886A695E
MAX	malware (ai score=100)
VBA32	TrojanDownloader.Deyma

Rocks.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All