Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 10, 2023, 7:37 a.m.	Oct. 10, 2023, 7:41 a.m.

Size	288.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f96c1d0accec84ab6ddca3c0bafc6cbc`
SHA256	`e5b9eabbf14369df477f37f566fc590f3869d82ee9884026f7fd6ed3aecd7d1d`
CRC32	`865A06C9`
ssdeep	`6144:0TdnGHRauGW2XzY8rQbmmmmmmm6n9BLNk3Bd0AlSabtwZ:idGgTKvzLz4`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check

svchost.exe C:\Windows\system32\svchost.exe
2640
- svchost.exe C:\Windows\system32\svchost.exe
  2832
- svchost.exe C:\Windows\system32\svchost.exe
  2900
- svchost.exe C:\Windows\system32\svchost.exe
  3036
- svchost.exe C:\Windows\system32\svchost.exe
  1752

Name	Response	Post-Analysis Lookup
www.t-tre.com	A 135.181.73.98	135.181.73.98
ns1.upc.biz	A 195.34.133.133	195.34.133.133
dji.de	MX mail-in.m-online.net	134.119.224.73
hbfuels.com	A 85.233.160.146	85.233.160.146
de
rtcasey.com	A 69.195.90.46	69.195.90.46
haigh-me.com
networkproject.it	MX mail.register.it	81.88.52.245
wolffkran.de	A 46.4.56.54	46.4.56.54
envogen.com	A 104.21.73.149 A 172.67.163.101	104.21.73.149
muhr-soehne.de	A 5.189.171.125	5.189.171.125
dns23.servidoresdns.net	A 217.76.128.156	217.76.128.156
cortipapini.it	MX aspmx.l.google.com MX alt1.aspmx.l.google.com	62.149.128.154
studiolipov.com	MX alt2.aspmx.l.google.com MX alt1.aspmx.l.google.com MX aspmx.l.google.com
yaragua.com	MX yaragua.com	198.38.86.31
noblesse.be	A 5.134.4.115	5.134.4.115
anduran.com	CNAME traff-1.hugedomains.com A 52.71.57.184 A 54.209.32.212 CNAME hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com	3.94.41.167
dellacorte.it	MX it24.omnibus.net	185.31.67.137
hbsa.ru		62.122.170.171
emerson.com	MX mxb-00300601.gslb.pphosted.com MX mxa-00300601.gslb.pphosted.com	20.29.109.0
endeavour.com.au		20.213.29.215
ossir.org	A 51.159.3.117	51.159.3.117
gfaw-thueringen.de	MX mail1.tab.thueringen.de MX mail1.aufbaubank.de MX mail2.aufbaubank.de	78.46.145.170
seznam.cz	MX mx1.seznam.cz MX mx2.seznam.cz	77.75.79.222
ns1.uniregistrymarket.link	A 97.74.99.64	97.74.99.64
maksimshahov.ru
balajiship.com		172.67.128.234
clickmedia.ro		91.212.231.173
www.kernsafe.com	A 104.26.3.124 A 104.26.2.124 A 172.67.72.98	104.26.2.124
thasco.co.th
ivailo.com		79.124.76.30
s5w.com	A 192.99.226.184	192.99.226.184
zugseil.com	A 92.42.191.40	92.42.191.40
netvision.net.il	MX mx20.013net.net	192.118.28.52
shteeble.com	A 185.106.129.180	185.106.129.180
certificata.org	MX mx.pec.aruba.it	95.110.168.40
tolosaypardo.com		82.98.178.164
angework.com	A 219.94.128.87	219.94.128.87
xentrographics.be		5.134.4.190
xinonet.de		213.128.155.89
ns2clp.name.com	A 163.114.216.49	163.114.216.49
ns4.m-online.net	A 212.114.171.64	212.114.171.64
www.mobilnic.net	A 154.203.14.100	154.203.14.100
www.udesign.biz
coza1.dnsnode.net	A 194.146.106.74	194.146.106.74
bamba.lt	MX mx-a.delfi.lt MX mx-b.delfi.lt	91.234.200.110
youngpartners.com	MX youngpartners-com.mail.protection.outlook.com
www.netcr.com	CNAME traff-3.hugedomains.com CNAME hdr-nlb4-0bbd2e21834cb637.elb.us-east-2.amazonaws.com A 3.18.7.81 A 3.19.116.195	54.161.222.85
touchfam.ca	A 15.197.142.173 A 3.33.152.147	15.197.142.173
yantour.ru
leadergroup.com.tw
xcom.fr	MX mx1.hostinger.fr MX mx2.hostinger.fr	89.116.147.90
www.pwd.org	CNAME pwd.org A 208.109.214.162	208.109.214.162
strazynski.pl	A 85.128.196.22	85.128.196.22
yckg.de
gbmfg.com	A 151.101.2.132 A 151.101.66.132 A 151.101.130.132 A 151.101.194.132	151.101.2.132
www.iamdirt.com	CNAME ghs.googlehosted.com A 142.250.206.243	142.250.206.243
www.fnsds.org	CNAME expired.namebright.com CNAME cdl-lb-1356093980.us-east-1.elb.amazonaws.com A 34.239.80.18 A 3.213.224.78	3.213.224.78
redgiga.com	A 172.67.186.153 A 104.21.76.38	104.21.76.38
www.pupi.cz	A 103.224.182.241	103.224.182.241
dnsfc2.interbusiness.it	A 2.113.95.113	2.113.95.113
bunch.co		75.2.115.196
ns12.twnic.net.tw	A 104.199.237.109 A 60.199.218.234 A 211.20.231.13	60.199.218.234
nolaoig.org	A 54.212.145.129	54.212.145.129
www.muhr-soehne.de	A 5.189.171.125	5.189.171.125
jolieville.ro		80.86.106.8
eos-i.com
radio.katowice.pl		94.152.162.185
cert.legalmail.it	MX mx.cert.legalmail.it
hcm.vnn.vn
piacton.com
travelunie.nl		195.128.186.10
mail7.digitalwaves.co.nz
tuttopmi.it	MX mx.tuttopmi.it
www.spanesi.com	A 5.196.166.214	5.196.166.214
wvs-net.de	A 172.67.181.113 A 104.21.43.163	172.67.181.113
mackusick.de	A 217.160.0.131	217.160.0.131
mikihan.com	A 153.126.211.112	153.126.211.112
bumen.vnn.vn
canasil.com	A 104.26.2.14 A 172.67.68.180 A 104.26.3.14	104.26.2.14
biglist.it		89.186.73.154
ns-webde.ui-dns.de	A 217.160.80.198	217.160.80.198
www.otena.com	A 3.64.163.50	3.64.163.50
daa-bw.de	MX mxtls.expurgate.net	62.116.130.8
sanfotek.net	A 216.69.141.67	216.69.141.67
www.pohlfood.com	CNAME pohlfood.com A 104.218.10.254	104.218.10.254
nsn1.mijndomein.nl	A 156.154.64.107	156.154.64.107
maersk.com	MX maersk-com.mail.protection.outlook.com	23.11.81.39
htsmx.net	A 34.174.61.199	34.174.61.199
sokuwan.net	A 185.230.63.171 A 185.230.63.107 A 185.230.63.186	185.230.63.186
xxx.lt		91.234.200.111
vologda.ru		185.253.34.106
ya-z.ru		185.246.64.71
enesis.com	MX enesis-com.mail.eo.outlook.com	103.161.185.71
vivastay.com	CNAME traff-4.hugedomains.com A 52.86.6.113 A 3.94.41.167 CNAME hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com CNAME hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com CNAME traff-2.hugedomains.com A 3.130.253.23 A 3.130.204.160	18.119.154.66
shenhgts.net	A 199.59.243.220	199.59.243.220
xhead.it
jsaps.com	A 49.212.235.59	49.212.235.59
okashimo.com	A 203.137.75.45	203.137.75.45
tonghuarice.com		203.150.225.22
www.dayvo.com	A 172.67.184.30 A 104.21.68.7	104.21.68.7
cnti.krsn.ru	A 217.74.161.133	217.74.161.133
tiscali.it	MX etb-1.mail.tiscali.it MX imp-5.mail.tiscali.it MX etb-3.mail.tiscali.it MX etb-2.mail.tiscali.it MX etb-4.mail.tiscali.it	213.205.32.10
agitz.com.br
www.olras.com	A 80.93.82.33	80.93.82.33
madjek.com
www.vexcom.com	A 172.67.173.200 A 104.21.55.224	104.21.55.224
planet.nl		3.33.210.26
ascc.org.au	A 203.210.102.34	203.210.102.34
www.findbc.com	A 13.248.169.48 A 76.223.54.146	13.248.169.48
bumigrp.com	MX mx-biz.mail.am0.yahoodns.net	3.94.104.73
sec.mordac.de	A 185.26.156.10	185.26.156.10
ns1.eutelia.it	A 212.29.129.4	212.29.129.4
www.owsports.ca
softizer.com	A 185.163.45.187	185.163.45.187
yartelecom.ru		10.5.255.3
raistlin77.de
cpgroupsrl.com		195.110.124.133
at-shun.com	A 210.140.73.39	210.140.73.39
ns1ntw.name.com	A 163.114.216.17	163.114.216.17
dbmb.de		46.252.27.130
unicus.jp	A 49.212.232.113	49.212.232.113
beafin.com	A 133.125.38.187	133.125.38.187
rellik.de
www.domon.com	CNAME meubles-domon.myshopify.com CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
yaroons.com	MX yaroons.com	45.82.191.61
simpled.de		81.169.145.72
nlcv.bas.bg	A 195.96.252.188	195.96.252.188
gokartitalia.it		199.59.243.225
pleszew.policja.gov.pl	A 91.229.22.126	91.229.22.126
xenture.net		75.126.101.231
ns2.upc.biz	A 213.47.222.133	213.47.222.133
decimalex.it	MX mailgw02.host.it MX mailgw01.host.it	185.201.65.40
sanbum.com	MX sanbumcom.mail-avs.net MX mail.sanbum.com	182.61.162.113
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 104.76.70.102	104.76.70.102
fundeo.com	A 104.24.161.27 A 104.24.160.27 A 172.67.97.62	104.24.161.27
posindonesia.co.id		13.228.36.249
dns1.p05.nsone.net	A 198.51.44.5	198.51.44.5
wnit.org	A 38.111.255.201	38.111.255.201
assistudiolodi.it		62.149.128.154
yegintekstil.com		220.158.255.160
ns2.host-anycast.com	A 185.84.97.5	185.84.97.5
ymlp15.net
weber-rohrbau.de	MX mxtls.expurgate.net	92.204.33.70
avvocatovocca.it		195.110.124.188
yorsiad.org.tr	MX mx.yandex.net	31.7.35.155
likangds.com	A 156.251.140.23	156.251.140.23
user.ats.it	MX smtp-in.eutelia.it	195.62.227.1
ns3.telefonica.de	A 62.52.156.84	62.52.156.84
ns1.infomaniak.ch	A 84.16.66.66	84.16.66.66
ns1.powerweb.zone	A 85.237.66.1	85.237.66.1
ktenergo.ru
tna.com.tw	MX mg1.tna.com.tw
nettle.pl	A 195.128.140.29	195.128.140.29
dwid.de	A 87.230.93.218	87.230.93.218
from30ty.com	A 157.7.231.224	157.7.231.224
yhsll.com	A 38.36.96.76	38.36.96.76
yapiservis.com		31.210.64.39
macassar.fr	MX mail-fr.securemail.pro	213.186.33.4
icbox.it		130.61.73.241
someikan.com
x-po.de		85.215.88.37
interlandia.com		128.65.126.240
hamaker.net	A 3.33.130.190 A 15.197.148.33	3.33.130.190
oaith.ca	A 192.124.249.12	192.124.249.12
murdock.tiscali.com	A 213.205.36.90	213.205.36.90
fike.es		15.197.142.173
brandt.de	MX mx1.hc116-66.eu.iphmx.com MX mx2.hc116-66.eu.iphmx.com	91.236.122.1
www.medius.si	CNAME d2r2uj0bnofxxz.cloudfront.net A 99.86.207.30 A 99.86.207.15 A 99.86.207.125 A 99.86.207.38	99.86.207.125
feki.de		141.13.4.22
studiotrolese.it	MX mx2tps.selfip.net MX mx1tps.selfip.net	62.149.128.45
compudocter.de
umcor.am	A 172.67.135.11 A 104.21.6.168	104.21.6.168
plaske.ua	A 5.181.161.11	5.181.161.11
yaryur.com	MX alt4.aspmx.l.google.com MX alt3.aspmx.l.google.com MX aspmx.l.google.com MX alt1.aspmx.l.google.com MX alt2.aspmx.l.google.com	46.105.189.131
scopeland.de	MX mail.scopeland.de MX mail3.scopeland.de MX 2nd.powerweb.mx	104.40.210.25
bible.org	A 172.67.33.95 A 104.20.55.214 A 104.20.54.214	104.20.54.214
clinicasanluis.com.co	A 104.21.66.220 A 172.67.164.178	104.21.66.220
dns01-tld.t-online.de	A 80.157.195.90	80.157.195.90
dns1.cscdns.net	A 156.154.130.100	156.154.130.100
legalmail.it	MX mx.cert.legalmail.it	75.2.126.117
metaalunie.nl	MX metaalunie-nl.mail.protection.outlook.com	46.226.56.164
ns1.uabiznes.info	A 95.216.66.52	95.216.66.52
menamagazines.com		15.197.142.173
escala.com.ve	MX escala-com-ve.mail.protection.outlook.com
kairel.com	A 54.217.118.81	54.217.118.81
ziggo.nl		213.46.237.24
hyab.se	A 172.67.199.57 A 104.21.52.126	104.21.52.126
coachkyle.ca		35.215.100.185
magicomm.co.uk	A 83.223.113.46	83.223.113.46
yogaraum-kh.de	MX w01753f5.kasserver.com	85.13.136.34
ade-hamburg.de		212.53.207.161
dsv.de		213.160.73.223
host.do	A 217.79.248.38	217.79.248.38
tem-rs.com		154.214.122.189
yazdparsiana.com
tin.it	MX mx.tin.it	156.54.69.9
abdullah.ns.cloudflare.com	A 172.64.35.203 A 108.162.195.203 A 162.159.44.203	162.159.44.203
yaroslavka.ru		188.124.41.110
carrefour.com	MX mxa-00150901.gslb.pphosted.com MX mxb-00150901.gslb.pphosted.com	172.64.152.40
www.photo4b.com	A 195.78.66.50	195.78.66.50
namira.com.ar
avc.com.sa
kustnara.com	A 99.83.190.102 A 75.2.70.75 A 13.248.155.104 A 76.223.27.102	13.248.155.104
okna.pl		91.121.245.196
avvocatomautone.it	MX mx.avvocatomautone.it	31.11.34.13
ns1.cloud86.nl	A 45.82.188.13	45.82.188.13
amerifor.com	A 64.18.191.61	64.18.191.61
fortknox.bm	A 216.177.137.32	216.177.137.32
ivanmet.com.ar		185.199.108.153
www.xaicom.es	CNAME xaicom.es A 188.165.133.163	188.165.133.163
sinwal.com	A 172.67.206.199 A 104.21.50.138	104.21.50.138
daytonir.com	A 172.64.147.213 A 104.18.40.43	172.64.147.213
cpwpb.com
yaposha.com		172.67.177.161
yakaz.ba
hubbikes.com	A 75.2.70.75 A 99.83.190.102	75.2.70.75
yelpaze.com.tr
nels.co.uk	A 5.134.13.210	5.134.13.210
xo.pl		51.77.61.34
renaultf1.com	MX mail.renaultf1.com	92.243.0.143
leadinggarment.com		128.199.237.173
ns.second-ns.com	A 213.239.204.242	213.239.204.242
versanet.de		212.7.147.128
dns2.esprimo.com	A 89.31.200.6	89.31.200.6
www.koz1.net	A 34.94.245.237	34.94.245.237
c-drop.net
ostwerk.de		81.169.156.30
yel-safety.be	MX yelsafety-be0i.mail.protection.outlook.com	84.198.164.182
ns1.n5q.de	A 195.191.92.11	195.191.92.11
www.stnic.co.uk	A 77.68.50.105	77.68.50.105
ebok.upc.pl		81.18.192.65
tiscali.cz	MX tbx.virusfree.cz MX tcx.spamfree.cz MX tdx.spamfree.cz MX tax.virusfree.cz	109.123.210.26
dresden-tourist.de	MX mail.dresden-tourist.de	46.38.249.63
skshipping.com	MX kr1-aspmx1.worksmobile.com MX kr1-aspmx2.worksmobile.com	3.36.134.15
xjnewtimes.com
ns1.dns.com.cn	A 61.240.129.147 A 180.163.194.215	180.163.194.215
isom.org	A 192.124.249.14	192.124.249.14
ns2.dns-parking.com	A 162.159.25.42	162.159.25.42
yamakiya.ne.jp		203.137.15.66
fifa-ews.com	A 172.67.189.227 A 104.21.10.34	172.67.189.227
www.11tochi.net	A 157.112.176.4	157.112.176.4
www.dgmna.com	CNAME dgmna.com A 192.124.249.20	192.124.249.20
mijash3.com	A 198.185.159.144 A 198.49.23.145 A 198.185.159.145 A 198.49.23.144	198.185.159.144
www.quadlock.com	A 70.39.251.249 CNAME quadlock.com	70.39.251.249
www.usadig.com	A 198.100.146.220	198.100.146.220
ns2.nameself.com	A 88.212.208.183 A 95.213.146.179	88.212.208.183
mfx-systems.de	MX mail2.m-f.tech	88.99.101.251
studioventrucci.it		213.26.161.111
www.pr-park.com	A 118.27.125.181	118.27.125.181
yonotomasyon.com	MX mx.yandex.net	172.67.199.245
gdp-online.de		80.237.231.60
flamingorecordings.com	A 35.214.171.193	35.214.171.193
juso-gr.ch
www.com-sit.com	A 104.26.11.81 A 104.26.10.81 A 172.67.70.223	104.26.11.81
www.synetik.net	CNAME synetik.net A 193.166.255.171	193.166.255.171
yaliproperties.com
www.jroy.net
orlyhotel.com	A 172.67.156.49 A 104.21.48.207	104.21.48.207
yachtclub26.ru		178.208.83.55
iol.it		213.209.30.254
xstrata.com	MX alt2.aspmx.l.google.com MX aspmx2.googlemail.com MX alt1.aspmx.l.google.com MX aspmx3.googlemail.com MX aspmx.l.google.com
yesadv.it
canmore.com
metaforacom.com	A 185.42.105.162	185.42.105.162
cheapnet.it	MX mx1.mail.cheapnet.it	87.238.28.12
elenarossi.it	MX mx01.hostingtek.it MX mx02.hostingtek.it	37.187.55.46
yogyapresisi.com		203.175.8.94
ssm.ch	A 93.189.66.202	93.189.66.202
banvari.com	A 23.227.38.32	23.227.38.32
sigtoa.com	A 172.67.160.168 A 104.21.49.75	172.67.160.168
aiolos-sa.gr	A 172.67.168.72 A 104.21.26.121	104.21.26.121
yis-edu.org		198.185.159.145
www.jenco.co.uk	A 104.21.23.9 A 172.67.208.67	104.21.23.9
ns.gransy.com	A 77.78.104.149 A 95.179.136.180 A 45.76.90.43	45.76.90.43
karila.fr	A 89.107.169.125	89.107.169.125
gwynedd.gov.uk		193.39.172.111
ns-658.awsdns-18.net	A 205.251.194.146	205.251.194.146
ns2.parkingcrew.net	A 76.223.21.9	76.223.21.9
wsa.it		149.3.145.247
univi.it	A 18.197.121.220	18.197.121.220
ns1.rrpproxy.net	A 193.227.117.226	193.227.117.226
a-domani.com	A 183.90.232.24	183.90.232.24
svspexard.de		85.13.141.133
yewkee.com	MX mx.yewkee.com.cust.a.hostedemail.com	139.180.222.113
yccupa.org		92.48.105.127
eim.ae		217.165.209.27
techtrans.de	A 185.237.66.112	185.237.66.112
dyag-eng.com
xtag.es
orangemail.ch		165.160.13.20
aba.org.eg	A 192.169.149.78	192.169.149.78
student.fh-kiel.de		149.222.20.60
smtp.sbcglobal.yahoo.com	CNAME smtp-sbc.mail.yahoo.com CNAME smtp1.sbc.mail.am0.yahoodns.net A 66.163.170.48 A 66.218.88.163 A 67.195.12.38	66.163.170.48
x96.com	A 172.67.167.96 A 104.21.73.229	104.21.73.229
chzko.ru
www.tyrns.com	A 217.79.184.35	217.79.184.35
fastwebnet.it
xilabstudio.com	MX mx.serviciodecorreo.es	217.76.128.47
bynet.co.il	MX mx2.hc1463-14.c3s2.iphmx.com MX mx1.hc1463-14.c3s2.iphmx.com	185.145.252.225
depot148.dpd.de
nts-web.net	A 49.212.235.175	49.212.235.175
thiessen.net	A 62.75.251.116	62.75.251.116
studioperitale.net	MX mail.register.it	195.110.124.188
linac.co.uk	A 23.236.62.147	23.236.62.147
notis.ru	A 185.178.208.141	185.178.208.141
rediyara.com		154.31.153.91
gujarat.com	A 172.67.145.148 A 104.21.73.143	172.67.145.148
youptelecom.nl	MX youptelecom-nl.mail.protection.outlook.com	185.94.230.214
shesfit.com	A 104.21.74.141 A 172.67.158.251	104.21.74.141
barreraasesor.es
tele2.ch
xavicoke.com
posteo.de	MX mx03.posteo.de MX mx04.posteo.de MX mx01.posteo.de	185.67.36.168
ymanagement.co.za
hao123.com		39.156.68.154
freebeacon.com	MX alt4.aspmx.l.google.com MX alt3.aspmx.l.google.com MX aspmx.l.google.com MX alt2.aspmx.l.google.com MX alt1.aspmx.l.google.com	107.6.129.242
dns3.interbusiness.it	A 151.99.125.4	151.99.125.4
istar.kiev.ua		193.34.169.17
virgilio.it	MX smtp-in.virgilio.it	213.209.17.209
unisto.fr	MX ALT1.ASPMX.L.GOOGLE.COM MX mx1.hrnet.fr MX ASPMX.L.GOOGLE.COM MX ALT4.ASPMX.L.GOOGLE.COM MX ALT3.ASPMX.L.GOOGLE.COM MX ALT2.ASPMX.L.GOOGLE.COM MX mx2.hrnet.fr	5.148.183.85
themark.org	A 35.172.94.1 A 100.24.208.97	35.172.94.1
yeksangrup.com		51.38.123.32
www.valdal.com	A 104.26.6.221 A 172.67.73.176 A 104.26.7.221	104.26.6.221
topline.ro	MX topline-ro.mail.protection.outlook.com MX mx.sendgrid.net	206.189.242.158
online.ru	MX relay1.online.ru	194.67.1.14
1000champagnes.com
xploxion.com		3.130.204.160
gmail-smtp-in.l.google.com	A 142.251.170.27	142.251.170.27
ycdyje.cz	MX srv4.hostalo.cz	89.221.215.249
yanabealwadi.com
bennet.com		23.53.2.104
www.rs-ag.com	A 104.21.1.213 A 172.67.152.88	172.67.152.88
www.hummer.hu	CNAME hummer.hu A 185.80.51.179	185.80.51.179
boudreauxgroup.com		172.67.138.87
www.abart.pl	CNAME abart.pl A 89.161.163.246	89.161.163.246
dardar.co.il	MX mailmx.bezeqint.net
mikuni.co.id		84.32.84.32
www.pb-games.com	CNAME pb-games.com A 173.254.28.29	173.254.28.29
animatik.pl		2.57.137.5
studiiobressi.com
ygnetworkit.com
ygo.ru		37.143.12.27
yachtmarine.com		76.223.35.103
kia-motors.ro		45.87.122.3
www.pcgrate.com	A 172.67.201.26 A 104.21.66.46	104.21.66.46
xpressprinting.com		198.49.23.144
alice-dsl.de		85.183.254.1
bggs.com	A 35.230.155.43	35.230.155.43
d.zeit.world	A 198.51.45.77	198.51.45.77
yourfreecandy.com
mail.takas.lt	MX mail2.takas.lt
www.ora.ecnet.jp	CNAME ora.ecnet.jp A 60.43.154.138	60.43.154.138
pecancot.it	MX mail.sicurezzapostale.it	151.0.245.13
daum.net		121.53.105.193
pubint.com	MX alt1.aspmx.l.google.com MX alt2.aspmx.l.google.com MX aspmx2.googlemail.com MX aspmx3.googlemail.com MX aspmx.l.google.com	50.235.60.89
albaclub.ru		31.31.198.125
ns1.omnibus.net	A 185.31.67.105	185.31.67.105
studiotrio.it	MX mx2.forwardemail.net MX mx1.forwardemail.net
dns4.arubadns.cz	A 81.2.216.125	81.2.216.125
udns1.cscdns.net	A 204.74.66.1	204.74.66.1
yishion.net	MX mxgw.szhicom.com MX 58.254.202.34	47.106.142.197
the-afc.com	MX aspmx2.googlemail.com MX alt1.aspmx.l.google.com MX aspmx3.googlemail.com MX aspmx.l.google.com MX alt4.aspmx.l.google.com MX alt3.aspmx.l.google.com MX alt2.aspmx.l.google.com	104.18.0.249
usw1.akam.net	A 23.61.199.66	23.61.199.66
anteph.org
www.cel-cpa.com	A 104.196.26.65	104.196.26.65
dns2.technorail.com	A 95.110.136.8	95.110.136.8
www.yocinc.org	A 66.94.119.160	66.94.119.160
www.nelipak.nl	CNAME nelipak.nl A 91.210.235.23	91.210.235.23
doggybag.org	A 213.186.33.16	213.186.33.16
studiona.pl
xinkeju.com		8.129.60.213
burronib.it		89.31.76.10
dns4.interbusiness.it	A 80.22.52.130	80.22.52.130
www.fink.com	A 69.163.218.51	69.163.218.51
cubodown.com	A 172.67.212.131 A 104.21.91.80	104.21.91.80
yanaci.com		38.37.59.122
ns2.uniregistrymarket.link	A 173.201.67.64	173.201.67.64
amba-tc.si
www.speelhal.net	A 217.19.237.54	217.19.237.54
in1.smtp.messagingengine.com	A 103.168.172.221 A 103.168.172.217 A 103.168.172.216 A 103.168.172.218 A 103.168.172.219 A 103.168.172.220	103.168.172.219
www.railbook.net	A 103.224.212.212	103.224.212.212
kurlovich.ru		194.58.112.165
forbin.net	A 104.21.41.152 A 172.67.148.35	172.67.148.35
xs-chemical.com
yamaha.de	MX mail.yamaha.de	141.101.38.146
apps.identrust.com	CNAME identrust.edgesuite.net CNAME a1952.dscq.akamai.net A 23.67.53.27 A 23.67.53.17	23.67.53.27
karelia.ru	MX mx2.sampo.ru	193.232.254.141
nypop.elron.net	A 199.203.1.20	199.203.1.20
ns1.openprovider.nl	A 162.159.26.10	162.159.26.10
www.jacomfg.com	A 96.127.180.42	96.127.180.42
gtships.com		54.73.216.220
pylimas.lt		213.252.237.12
ymca.org.au		43.250.142.136
ns1.kpn.net	A 194.151.228.10	194.151.228.10
libero.it	MX smtp-in.libero.it	213.209.17.209
avvlevi.it		46.252.151.153
www.fcwcvt.org	A 104.21.25.200 A 172.67.134.134	104.21.25.200
yiseng.hk
www.crcsi.org	CNAME crcsi.org A 165.227.252.190	165.227.252.190
absblast.com	A 141.193.213.20	141.193.213.20
invictus.pl
mail.airmail.net	A 66.226.70.66	66.226.70.66
bossinst.com	A 205.178.189.131	205.178.189.131
revoldia.net	A 154.201.225.123	154.201.225.123
fkfanfic2.com		71.84.184.92
studiolanteri.com		89.31.200.13
portoccd.org	A 51.89.6.56	51.89.6.56
cjborden.com	A 15.197.142.173 A 3.33.152.147	15.197.142.173
sirnet.it	MX mail8.sirnet.it MX mail2.sirnet.it	62.149.222.200
bassilex.it		89.46.107.251
beziaud.org	MX mta-gw.infomaniak.ch	128.65.195.131
lucidmedia.com	MX lucidmedia-com.mail.eo.outlook.com	54.211.21.72
www.aevga.com	CNAME aevga.com A 108.167.164.216	108.167.164.216
yankin.ru
yangtse888.de
www.naoi-a.com	A 202.254.236.40	202.254.236.40
vbba-jugend.de	MX mail.netbeat.de	83.243.59.78
jnjtr.jnj.com	MX mx1.jnj-sd.iphmx.com MX mx2.jnj-sd.iphmx.com
atlas.cz		46.255.231.129
multip.hu
bsw-berlin.de		199.188.201.105
yolandewitman.nl		81.169.145.82
yildizhotel.com	MX mx-in04.natrohost.com MX mx-in04b.natrohost.com	94.73.147.113
www.yumgiskor.kz
ru4.com
ari.es	MX park-mx.above.com	103.224.182.251
pactech.de		217.160.0.72
cbras.com	A 54.39.198.18	54.39.198.18
dog-jog.net	A 153.122.24.177	153.122.24.177
bund.org.au		69.73.175.46
atis-sk.ca
sdns.qos.net.il	A 80.74.96.4	80.74.96.4
www.edimart.hu	A 81.2.194.241	81.2.194.241
ns5.kasserver.com	A 85.13.128.3	85.13.128.3
ns1.telekom.net	A 212.185.24.65	212.185.24.65
rievent.com		52.206.214.15
ftmobile.com	A 199.34.228.78	199.34.228.78
ccrsi.org	A 198.209.253.30	198.209.253.30
amtrustes.com		172.110.248.137
scintel.com	A 23.239.201.14	23.239.201.14
www.2print.com	CNAME 2print.com A 107.180.98.101	107.180.98.101
dbnet.at	A 188.94.254.88	188.94.254.88
tcpoa.com	A 159.89.244.183 A 164.90.244.158	164.90.244.158
www.medisa.info
xinteriors.ch
listel.co.jp	A 49.212.243.77	49.212.243.77
yachtique.it	MX ALT1.ASPMX.L.GOOGLE.COM MX mailsecurity.cybersecservices.ch MX backup-mailsecurity.cybersecservices.ch MX ASPMX.L.GOOGLE.COM MX ALT4.ASPMX.L.GOOGLE.COM MX ALT3.ASPMX.L.GOOGLE.COM MX ALT2.ASPMX.L.GOOGLE.COM	34.159.68.97
mediaform.pl		193.0.78.8
www.pdqhomes.com	CNAME hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com CNAME traff-2.hugedomains.com A 3.130.253.23 A 3.130.204.160	3.18.7.81
www.credo.edu.pl	A 62.122.190.121	62.122.190.121
yasamemlak.com		54.209.32.212
yes-fitness.de
yasuma.com	A 61.200.81.21	61.200.81.21
apl.com		152.199.21.98
dns.technorail.com	A 94.177.210.13	94.177.210.13
www.maktraxx.com	CNAME maktraxx.com A 72.44.93.236	72.44.93.236
ns1.risolviamo.com	A 213.212.130.118	213.212.130.118
www.fe-bauer.de	A 3.65.101.129	3.65.101.129
yoseido.net		219.94.163.173
xterior.nl		104.21.89.38
ns2.gldn.net	A 194.67.2.109	194.67.2.109
online.de		212.227.0.72
www.ottospm.com	CNAME www.ottospm.com.cdn.cloudflare.net A 172.67.142.169 A 104.21.63.28	172.67.142.169
akr.co.id	A 104.20.122.68 A 104.20.123.68 A 172.67.33.252	104.20.123.68
www.tvtools.fi	A 172.67.152.159 A 104.21.88.198	104.21.88.198
estudiojb.com		209.126.123.11
ns15.xincache.com	A 117.89.178.173 A 129.211.176.209 A 183.47.126.178 A 1.12.0.4 A 36.155.149.180 A 112.80.181.45	117.89.178.173
www.tc17.com	A 104.21.79.244 A 172.67.150.80	104.21.79.244
walla.co.il		99.86.207.54
xktei.km.ua	MX xktei-km-ua.mail.protection.outlook.com	95.216.66.52
www.sjbs.org	CNAME sjbs.org A 69.163.239.62	69.163.239.62
msir.ro		185.248.197.86
sudestconstruct.ro
simetar.com	A 104.21.79.166 A 172.67.146.154	104.21.79.166
www.sclover3.com	A 157.112.182.239	157.112.182.239
kevyt.net	A 172.67.129.18 A 104.21.2.101	104.21.2.101
cremar.it	MX mail.h-email.net	185.53.177.51
yoprak.com.tr
pearl.de		62.159.194.66
esmoke.net	A 204.15.134.44	204.15.134.44
yetiplastic.com
rokoron.com	A 211.13.204.3	211.13.204.3
ylos.com		81.25.127.107
impexnc.com	A 208.91.197.46	208.91.197.46
nsb0.schlundtech.de	A 217.160.113.50	217.160.113.50
urp.gr
www.elpro.si	A 172.67.70.22 A 104.26.14.53 A 104.26.15.53	104.26.15.53
midap.com	A 198.185.159.145 A 198.185.159.144 A 198.49.23.145 A 198.49.23.144	198.49.23.144
pecplus.it		62.149.128.151
adventist.ro	A 49.12.155.123	49.12.155.123
cnnet.it	MX mail.cnnet.it	89.31.200.12
yeniposta.de		217.160.0.34
roewer.de	A 45.142.176.225	45.142.176.225
www.cokocoko.com	CNAME traff-2.hugedomains.com CNAME hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com A 3.130.204.160 A 3.130.253.23	18.119.154.66
xyzglass.com		87.236.197.69
inwind.it	MX smtp-in.inwind.it	213.209.17.209
top1oil.com	A 104.26.0.82 A 172.67.71.55 A 104.26.1.82	172.67.71.55
pec.it	MX mx.pec.aruba.it	62.149.188.200
cpmteam.com	A 104.21.32.240 A 172.67.188.75	172.67.188.75
smtp.live.com	CNAME a-0010.a-msedge.net A 204.79.197.212	204.79.197.212
yerazfund.am		136.243.2.176
newpic.de		185.15.195.178
www.lrsuk.com	CNAME language-recruitment.eu-2.volcanic.cloud CNAME d2kt7vovxa5e81.cloudfront.net A 13.225.128.62 A 13.225.128.46 A 13.225.128.109 A 13.225.128.111	13.225.128.46
ns81.domaincontrol.com	A 97.74.101.32	97.74.101.32
granotec.com		190.110.123.245
kursavto.ru	A 31.177.76.70 A 31.177.80.70	31.177.76.70
fibertel.com.ar		200.45.2.140
www.snugpak.com	CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
emag.ro		46.174.147.16
org
tinghino.it		80.88.87.229
ftchat.com	A 172.67.140.52 A 104.21.46.148	172.67.140.52
www.holleman.us	A 51.79.51.72	51.79.51.72
www.gpthink.com	A 39.99.233.155	39.99.233.155
kumaden.com	A 49.212.180.178	49.212.180.178
ikulani.com	A 157.7.107.88	157.7.107.88
welco-ind.com		51.68.230.49
usw2.akam.net	A 184.26.161.64	184.26.161.64
studiorc.com	MX mx1.mse.messcube.it
rappich.de	A 89.31.143.1	89.31.143.1
www.x0c.com	A 185.53.177.50	185.53.177.50
gcss.com	A 15.197.204.56 A 3.33.243.145	15.197.204.56
triadworks.com		3.64.163.50
studiopenzo.com		31.11.32.107
www.waldi.pl	CNAME waldi.pl A 46.242.238.60	46.242.238.60
pellys.co.uk	A 77.72.4.226	77.72.4.226
teledue.it		104.21.23.137
rai.it		212.162.68.90
indosat.net.id		103.58.102.54
www.vazir.se	A 34.94.160.21	34.94.160.21
www.abdg.com	A 192.252.154.18	192.252.154.18
gydrozo.ru	A 91.220.211.163	91.220.211.163
ns1.argewebhosting.eu	A 31.25.98.210	31.25.98.210
n23china.com
1.dns.t-ict.net	A 185.136.96.172	185.136.96.172
alphacam.de	MX alphacam-de.mail.protection.outlook.com	185.233.54.201
hetnet.nl	MX mx.kpnmail.nl	3.33.210.26
tonioli.it		195.110.124.188
add.com.al		176.31.71.52
geecl.com	A 194.76.27.77	194.76.27.77
enguita.net	A 195.5.116.23	195.5.116.23
spdns3.cscdns.net	A 156.154.130.100	156.154.130.100
s41.shinystat.com		185.206.85.85
veronicabalzani.it
bidroll.com	A 13.56.33.8	13.56.33.8
www.yoruksut.com	A 93.187.206.66	93.187.206.66
www.ka-mo-me.com	A 211.1.226.67	211.1.226.67
yalcin.com.tr		93.89.231.4
spatex.nl	MX mx1.mailprotector.nl MX mx2.mailprotector.nl MX mx3.mailprotector.nl MX mx4.mailprotector.nl	185.206.180.130
basf.com		13.248.131.227
leserre.it	MX mx.leserre.it	89.46.109.68
www.stajum.com	A 162.43.120.128	162.43.120.128
yesilgonen.com.tr		77.245.149.4
danhostel.dk		109.238.51.68
pcimage.com.my		103.6.196.163
www.ex-olive.com	A 210.140.73.39	210.140.73.39
shiner.com	A 104.21.27.205 A 172.67.143.148	104.21.27.205
topplasts.co.id
royalbank.ch
rwe.com	MX secmail.rwe.com	128.65.211.141
leapc.com	A 35.231.13.148	35.231.13.148
agulatex.com	A 133.125.38.187	133.125.38.187
xlarge-media.de		80.237.133.67
reproar.com	A 194.143.194.23	194.143.194.23
www.baijaku.com	CNAME baijaku.com A 59.106.19.204	59.106.19.204
www.wkhk.net	A 34.94.160.21	34.94.160.21
any-s.net	A 108.170.12.50	108.170.12.50
scip.org.uk	A 104.26.12.244 A 172.67.72.150 A 104.26.13.244	172.67.72.150
tiscalinet.it	MX etb-1.mail.tiscali.it MX imp-5.mail.tiscali.it MX etb-3.mail.tiscali.it MX etb-2.mail.tiscali.it MX etb-4.mail.tiscali.it	213.205.32.10
pertex.com	A 185.151.30.147	185.151.30.147
www.fnw.us	A 137.118.26.67 CNAME fnw.us	137.118.26.67
rast.se	A 93.188.2.51	93.188.2.51
web.de	MX mx-ha03.web.de MX mx-ha02.web.de	82.165.229.138
www.vitaindu.com	A 122.128.109.107	122.128.109.107
www.item-pr.com	CNAME item-pr.com A 213.186.33.17 A 185.15.129.58	185.15.129.58
berliner-baer.de		83.169.40.234
com
studioizzi.it	MX studioizzi.it	86.107.32.40
web-york.com	A 219.94.129.97	219.94.129.97
prideofaustin.com
www.mqs.com.br	A 170.82.173.30 A 170.82.174.30 CNAME www.mqs.com.br.cdn.gocache.net	170.82.174.10
www.valselit.com	A 193.70.68.254	193.70.68.254
gbp-jp.com	A 208.80.122.205 A 208.80.123.104 A 208.80.123.195 A 208.80.122.2	208.80.123.195
ncn.de	A 46.30.60.158	46.30.60.158
acraloc.com	A 185.230.63.107	185.230.63.107
h-et-l.com
www.alteor.cl	CNAME cdn1.wixdns.net CNAME td-ccm-neg-87-45.wixdns.net A 34.149.87.45	34.149.87.45
wagner-haltern.de		5.35.245.241
www.ora-ito.com	A 213.186.33.40	213.186.33.40
alice.it	MX mx.tim.it	217.169.121.227
mundo-r.com		34.160.226.139
603888.com	CNAME num6.17986.net A 67.21.93.229	67.21.93.229
samtv.ro
xstrading.nl		3.64.163.50
kuhnhen.de		109.237.140.34
pg.com		20.88.104.223
yourmoments.gr
nme.co.jp	A 203.0.113.0	203.0.113.0
floopis.com	A 3.64.163.50	3.64.163.50
diamir.de	A 94.130.146.206	94.130.146.206
gat.de	MX gat-de.mail.protection.outlook.com	92.205.64.107
yeganegi.com
ns2.dnshigh.com	A 46.16.90.21 A 46.30.244.60	46.30.244.60
shanks.co.uk	A 217.19.254.22	217.19.254.22
pixie.co.za	MX securemail-mx3.synaq.com MX securemail-mx4.synaq.com	196.41.128.101
semuk.com	A 86.105.245.69	86.105.245.69
fr-dat.com	A 127.0.0.1	127.0.0.1
integrafuels.com
www.nunomira.com	CNAME nunomira.com A 192.241.158.94	192.241.158.94
coxkitchensandbaths.com	A 205.149.134.32	205.149.134.32
postino.it		13.248.169.48
acains.com		110.35.81.228
yachting.pl	MX mail.yachting.pl	80.72.194.155
www.jchysk.com	A 208.97.178.138	208.97.178.138
starhub.net.sg		203.116.254.40
xtd.gr	MX mail.xtd.gr	88.198.220.149
xestionboiro.com		82.223.1.108
komie.com	A 59.106.13.181	59.106.13.181
ns3.bezeqint.net	A 192.115.132.132	192.115.132.132
ns1.elithosting.com	A 31.7.34.2	31.7.34.2
www.wifi4all.nl	A 104.21.42.10 A 172.67.198.26	172.67.198.26
missnue.com	A 104.21.234.121 A 104.21.234.120	104.21.234.121
www.transsib.com	CNAME studyrussian.com CNAME www.studyrussian.com A 80.74.154.6	80.74.154.6
spss.com	MX mx0b-001b2d01.pphosted.com MX mx0a-001b2d01.pphosted.com
yogaglobe.nl	MX mx2.mijndomein.nl MX mx1.mijndomein.nl	34.240.216.169
advantech.com.cn		218.4.63.175
ntc.edu.au	A 192.124.249.15	192.124.249.15
dns1.juniperco.com	A 20.74.13.48	20.74.13.48
hyab.com	A 172.67.193.133 A 104.21.65.224	172.67.193.133
89gospel.com
www.ftchat.com	A 172.67.140.52 A 104.21.46.148	172.67.140.52
insia.com	A 82.208.6.9	82.208.6.9
cyclad.pl	A 87.98.236.253	87.98.236.253
oozkranj.com	A 212.44.102.75	212.44.102.75
ruzee.com	A 207.180.198.201	207.180.198.201
mackusick.com	A 217.160.0.179	217.160.0.179
yassimetal.com	MX mail.yassimetal.com	94.199.202.83
uster.com	A 104.20.220.29 A 172.67.32.172 A 104.20.221.29	104.20.221.29
koz1.net	A 34.94.245.237	34.94.245.237
bumfa.ru	MX mx-20.bumfa.ru MX mx-10.bumfa.ru	185.215.4.16
usadig.com	A 198.100.146.220	198.100.146.220
www.nqks.com	CNAME live.websites.hibu.com CNAME hibu-4.zenedge.net CNAME zemonitor-websites-hibu-com.c.inregion.waas.oci.oraclecloud.net CNAME hibu34.inregion.waas.oci.oraclecloud.net A 147.154.3.56	147.154.0.23
alt4.gmail-smtp-in.l.google.com	A 142.250.152.26	142.250.152.27
konzept-e.de		78.46.10.16
cgd.pt		195.234.134.131
interfree.it	MX vdomainha-if-mx.interfree.it	213.158.72.68
maffei14.it	MX maffei14-it.mail.protection.outlook.com
indonesiamedia.com	A 74.208.215.145	74.208.215.145
otenet.gr		62.103.146.102
xnsonglam.com.vn
curasan.de		116.203.247.111
dhh.la.gov	A 52.200.51.73	52.200.51.73
ramkome.com	A 145.239.5.159	145.239.5.159
yedideniz.net		94.73.151.169
mxs.mail.ru	A 217.69.139.150 A 94.100.180.31	94.100.180.31
osnanet.de
sgk.home.pl	A 89.161.136.188	89.161.136.188
yetiminsaat.com		178.210.175.20
pmenergo.info
www.myropcb.com	A 74.208.236.101	74.208.236.101
ulb.uni-bonn.de	MX esa3.rhrz.uni-bonn.de MX esa2.rhrz.uni-bonn.de MX esa1.rhrz.uni-bonn.de	131.220.250.29
www.evcpa.com	CNAME evcpa.com A 192.124.249.10	192.124.249.10
xzibit.co.za	MX alt4.aspmx.l.google.com MX alt3.aspmx.l.google.com MX aspmx.l.google.com MX alt1.aspmx.l.google.com MX alt2.aspmx.l.google.com	76.76.21.164
wahw.com.au	A 54.194.190.151	54.194.190.151
www.wnsavoy.com	A 96.91.204.114	96.91.204.114
anna.renault.fr	A 193.194.133.1	193.194.133.1
moosburg.de		5.35.225.174
www.c9dd.com	A 188.166.152.188	188.166.152.188
mnet-mail.de	MX mail-in.m-online.net
gphpedit.org	A 127.0.0.1	127.0.0.1
ldh.la.gov	A 75.2.95.235	75.2.95.235
www.reglera.com	CNAME reglera.com A 64.125.133.18	64.125.133.18
baenninger.de	MX mail.baenninger.de MX mforward.dtag.de	217.6.233.131
toundo.net
sks-uab.lt		92.62.135.13
dataform.co.uk	A 83.223.113.46	83.223.113.46
zupraha.cz	A 77.78.104.3	77.78.104.3
fdlymca.org	A 192.124.249.9	192.124.249.9
yamanlarlions.org
dns6.interbusiness.it	A 151.99.125.7	151.99.125.7
xsui.com	A 127.0.0.1	127.0.0.1
www.depalo.com	A 216.58.203.83 CNAME ghs.googlehosted.com	142.250.206.243
ptrbu.com
mondopp.net	A 34.67.9.172	34.67.9.172
xipap.com.ar		200.58.110.27
xn--etp-rothlnder-jfb.de
yabim.com		13.248.169.48
www.petsfan.com	CNAME traff-1.hugedomains.com A 52.71.57.184 A 54.209.32.212 CNAME hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com	54.161.222.85
paraski.org
188.ns1.above.com	A 103.224.212.5 A 103.224.182.5	103.224.212.5
awal.ws	A 127.0.0.1	127.0.0.1

IP Address	Status	Action
103.168.172.221	Active	Moloch
103.19.179.179	Active	Moloch
103.224.182.241	Active	Moloch
103.224.212.212	Active	Moloch
103.224.212.5	Active	Moloch
104.18.40.43	Active	Moloch
104.196.26.65	Active	Moloch
104.199.237.109	Active	Moloch
104.20.122.68	Active	Moloch
104.20.220.29	Active	Moloch
104.21.1.213	Active	Moloch
104.21.10.34	Active	Moloch
104.21.23.9	Active	Moloch
104.21.234.120	Active	Moloch
104.21.234.121	Active	Moloch
104.21.25.200	Active	Moloch
104.21.27.205	Active	Moloch
104.21.32.240	Active	Moloch
104.21.41.152	Active	Moloch
104.21.42.10	Active	Moloch
104.21.46.148	Active	Moloch
104.21.73.143	Active	Moloch
104.21.73.149	Active	Moloch
104.21.74.141	Active	Moloch
104.21.76.38	Active	Moloch
104.21.79.166	Active	Moloch
104.21.79.244	Active	Moloch
104.21.88.198	Active	Moloch
104.218.10.254	Active	Moloch
104.24.161.27	Active	Moloch
104.26.0.82	Active	Moloch
104.26.11.81	Active	Moloch
104.26.12.244	Active	Moloch
104.26.15.53	Active	Moloch
104.26.2.14	Active	Moloch
104.26.3.124	Active	Moloch
104.26.3.14	Active	Moloch
104.76.70.102	Active	Moloch
107.162.197.144	Active	Moloch
107.162.197.147	Active	Moloch
107.180.98.101	Active	Moloch
108.162.192.152	Active	Moloch
108.162.192.225	Active	Moloch
108.162.193.68	Active	Moloch
108.162.194.1	Active	Moloch
108.162.194.70	Active	Moloch
108.167.164.216	Active	Moloch
108.170.12.50	Active	Moloch
109.168.109.8	Active	Moloch
110.242.68.134	Active	Moloch
117.89.178.173	Active	Moloch
118.27.125.181	Active	Moloch
122.128.109.107	Active	Moloch
128.139.35.5	Active	Moloch
128.8.10.90	Active	Moloch
13.225.128.62	Active	Moloch
13.248.169.48	Active	Moloch
13.56.33.8	Active	Moloch
131.220.14.203	Active	Moloch
133.125.38.187	Active	Moloch
135.181.73.98	Active	Moloch
137.118.26.67	Active	Moloch
141.193.213.20	Active	Moloch
142.250.152.26	Active	Moloch
142.250.206.243	Active	Moloch
142.251.170.27	Active	Moloch
145.239.5.159	Active	Moloch
147.154.3.56	Active	Moloch
148.177.130.197	Active	Moloch
15.197.142.173	Active	Moloch
15.197.204.56	Active	Moloch
151.101.2.132	Active	Moloch
151.99.125.4	Active	Moloch
151.99.125.7	Active	Moloch
153.120.34.73	Active	Moloch
153.122.24.177	Active	Moloch
153.126.211.112	Active	Moloch
154.201.225.123	Active	Moloch
154.203.14.100	Active	Moloch
156.154.130.100	Active	Moloch
156.154.132.200	Active	Moloch
156.154.133.200	Active	Moloch
156.154.64.107	Active	Moloch
156.251.140.23	Active	Moloch
157.112.176.4	Active	Moloch
157.112.182.239	Active	Moloch
157.7.107.88	Active	Moloch
157.7.231.224	Active	Moloch
159.89.244.183	Active	Moloch
162.159.25.42	Active	Moloch
162.159.26.10	Active	Moloch
162.159.26.165	Active	Moloch
162.43.120.128	Active	Moloch
163.114.216.17	Active	Moloch
163.114.216.49	Active	Moloch
164.124.101.2	Active	Moloch
165.227.252.190	Active	Moloch
170.82.173.30	Active	Moloch
172.64.147.213	Active	Moloch
172.64.35.203	Active	Moloch
172.67.129.18	Active	Moloch
172.67.135.11	Active	Moloch
172.67.142.169	Active	Moloch
172.67.145.148	Active	Moloch
172.67.156.49	Active	Moloch
172.67.160.168	Active	Moloch
172.67.164.178	Active	Moloch
172.67.167.96	Active	Moloch
172.67.168.72	Active	Moloch
172.67.173.200	Active	Moloch
172.67.181.113	Active	Moloch
172.67.184.30	Active	Moloch
172.67.193.133	Active	Moloch
172.67.199.57	Active	Moloch
172.67.201.26	Active	Moloch
172.67.206.199	Active	Moloch
172.67.212.131	Active	Moloch
172.67.33.95	Active	Moloch
172.67.73.176	Active	Moloch
173.201.67.64	Active	Moloch
173.254.28.29	Active	Moloch
178.255.242.33	Active	Moloch
18.197.121.220	Active	Moloch
183.253.57.200	Active	Moloch
183.90.232.24	Active	Moloch
184.26.161.64	Active	Moloch
185.102.43.239	Active	Moloch
185.106.129.180	Active	Moloch
185.136.96.172	Active	Moloch
185.136.96.185	Active	Moloch
185.151.30.147	Active	Moloch
185.163.45.187	Active	Moloch
185.178.208.141	Active	Moloch
185.217.28.14	Active	Moloch
185.230.63.107	Active	Moloch
185.230.63.171	Active	Moloch
185.237.66.112	Active	Moloch
185.26.156.10	Active	Moloch
185.31.67.105	Active	Moloch
185.39.208.1	Active	Moloch
185.42.105.162	Active	Moloch
185.53.177.50	Active	Moloch
185.67.36.40	Active	Moloch
185.80.51.179	Active	Moloch
185.84.97.5	Active	Moloch
188.165.133.163	Active	Moloch
188.166.152.188	Active	Moloch
188.94.254.88	Active	Moloch
192.112.36.4	Active	Moloch
192.115.132.132	Active	Moloch
192.124.249.10	Active	Moloch
192.124.249.12	Active	Moloch
192.124.249.14	Active	Moloch
192.124.249.15	Active	Moloch
192.124.249.20	Active	Moloch
192.124.249.9	Active	Moloch
192.162.16.18	Active	Moloch
192.169.149.78	Active	Moloch
192.203.230.10	Active	Moloch
192.228.79.201	Active	Moloch
192.241.158.94	Active	Moloch
192.252.154.18	Active	Moloch
192.33.4.12	Active	Moloch
192.36.148.17	Active	Moloch
192.42.93.30	Active	Moloch
192.5.5.241	Active	Moloch
192.5.6.30	Active	Moloch
192.58.128.30	Active	Moloch
192.99.226.184	Active	Moloch
193.0.14.129	Active	Moloch
193.166.255.171	Active	Moloch
193.194.133.1	Active	Moloch
193.227.117.226	Active	Moloch
193.232.128.6	Active	Moloch
193.47.99.4	Active	Moloch
193.70.68.254	Active	Moloch
194.0.0.53	Active	Moloch
194.0.12.1	Active	Moloch
194.0.16.215	Active	Moloch
194.0.25.29	Active	Moloch
194.0.28.53	Active	Moloch
194.0.6.1	Active	Moloch
194.0.9.1	Active	Moloch
194.143.194.23	Active	Moloch
194.146.106.10	Active	Moloch
194.146.106.74	Active	Moloch
194.151.228.10	Active	Moloch
194.25.0.125	Active	Moloch
194.58.197.4	Active	Moloch
194.67.2.109	Active	Moloch
194.76.27.77	Active	Moloch
195.128.140.29	Active	Moloch
195.130.35.3	Active	Moloch
195.149.112.2	Active	Moloch
195.191.92.11	Active	Moloch
195.34.133.133	Active	Moloch
195.5.116.23	Active	Moloch
195.78.66.50	Active	Moloch
195.8.218.131	Active	Moloch
195.96.252.188	Active	Moloch
196.2.16.3	Active	Moloch
196.4.160.27	Active	Moloch
198.1.81.28	Active	Moloch
198.100.146.220	Active	Moloch
198.143.130.218	Active	Moloch
198.185.159.144	Active	Moloch
198.185.159.145	Active	Moloch
198.199.101.34	Active	Moloch
198.209.253.30	Active	Moloch
198.32.64.12	Active	Moloch
198.38.86.31	Active	Moloch
198.41.0.4	Active	Moloch
198.51.44.5	Active	Moloch
198.51.45.77	Active	Moloch
198.97.190.53	Active	Moloch
199.19.56.1	Active	Moloch
199.203.1.20	Active	Moloch
199.34.228.78	Active	Moloch
199.4.144.2	Active	Moloch
199.59.243.220	Active	Moloch
199.7.91.13	Active	Moloch
199.9.14.201	Active	Moloch
2.113.95.113	Active	Moloch
20.74.13.48	Active	Moloch
200.0.68.10	Active	Moloch
200.108.145.50	Active	Moloch
202.12.27.33	Active	Moloch
202.254.236.40	Active	Moloch
202.45.188.39	Active	Moloch
203.119.25.1	Active	Moloch
203.119.44.105	Active	Moloch
203.137.75.45	Active	Moloch
203.210.102.34	Active	Moloch
203.73.24.25	Active	Moloch
204.15.134.44	Active	Moloch
204.61.217.1	Active	Moloch
204.74.66.1	Active	Moloch
204.79.197.212	Active	Moloch
205.149.134.32	Active	Moloch
205.178.189.131	Active	Moloch
205.251.194.146	Active	Moloch
207.180.198.201	Active	Moloch
208.109.214.162	Active	Moloch
208.80.122.205	Active	Moloch
208.91.197.46	Active	Moloch
208.97.178.138	Active	Moloch
210.140.73.39	Active	Moloch
211.1.226.67	Active	Moloch
211.13.196.162	Active	Moloch
211.13.204.3	Active	Moloch
212.114.171.64	Active	Moloch
212.185.24.65	Active	Moloch
212.29.129.4	Active	Moloch
212.44.102.75	Active	Moloch
212.59.0.1	Active	Moloch
212.94.223.2	Active	Moloch
213.186.33.16	Active	Moloch
213.186.33.17	Active	Moloch
213.186.33.40	Active	Moloch
213.205.36.90	Active	Moloch
213.209.27.210	Active	Moloch
213.212.130.118	Active	Moloch
213.239.204.242	Active	Moloch
213.47.222.133	Active	Moloch
216.177.137.32	Active	Moloch
216.58.203.83	Active	Moloch
216.69.141.67	Active	Moloch
217.160.0.131	Active	Moloch
217.160.0.179	Active	Moloch
217.160.113.50	Active	Moloch
217.160.80.198	Active	Moloch
217.19.237.54	Active	Moloch
217.19.254.22	Active	Moloch
217.69.139.150	Active	Moloch
217.74.161.133	Active	Moloch
217.76.128.156	Active	Moloch
217.77.52.252	Active	Moloch
217.77.53.237	Active	Moloch
217.79.184.35	Active	Moloch
217.79.248.38	Active	Moloch
218.98.111.214	Active	Moloch
219.94.128.87	Active	Moloch
219.94.129.97	Active	Moloch
220.181.27.62	Active	Moloch
23.227.38.32	Active	Moloch
23.227.38.74	Active	Moloch
23.236.62.147	Active	Moloch
23.239.201.14	Active	Moloch
23.61.199.66	Active	Moloch
23.67.53.27	Active	Moloch
3.130.204.160	Active	Moloch
3.130.253.23	Active	Moloch
3.18.7.81	Active	Moloch
3.248.2.249	Active	Moloch
3.33.130.190	Active	Moloch
3.64.163.50	Active	Moloch
3.65.101.129	Active	Moloch
31.145.139.99	Active	Moloch
31.177.80.70	Active	Moloch
31.25.98.210	Active	Moloch
31.7.34.2	Active	Moloch
34.149.87.45	Active	Moloch
34.174.61.199	Active	Moloch
34.195.51.6	Active	Moloch
34.239.80.18	Active	Moloch
34.67.9.172	Active	Moloch
34.94.160.21	Active	Moloch
34.94.245.237	Active	Moloch
35.172.94.1	Active	Moloch
35.214.171.193	Active	Moloch
35.230.155.43	Active	Moloch
35.231.13.148	Active	Moloch
37.209.196.14	Active	Moloch
37.230.110.110	Active	Moloch
38.111.255.201	Active	Moloch
38.36.96.76	Active	Moloch
39.99.233.155	Active	Moloch
45.138.106.1	Active	Moloch
45.142.176.225	Active	Moloch
45.82.188.13	Active	Moloch
46.105.189.131	Active	Moloch
46.16.90.21	Active	Moloch
46.242.238.60	Active	Moloch
46.30.60.158	Active	Moloch
46.4.56.54	Active	Moloch
49.12.155.123	Active	Moloch
49.212.180.178	Active	Moloch
49.212.232.113	Active	Moloch
49.212.235.175	Active	Moloch
49.212.235.59	Active	Moloch
49.212.243.77	Active	Moloch
5.134.13.210	Active	Moloch
5.134.4.115	Active	Moloch
5.181.161.11	Active	Moloch
5.189.171.125	Active	Moloch
5.196.166.214	Active	Moloch
5.9.190.98	Active	Moloch
51.159.3.117	Active	Moloch
51.79.51.72	Active	Moloch
51.89.6.56	Active	Moloch
52.200.51.73	Active	Moloch
52.71.57.184	Active	Moloch
52.86.6.113	Active	Moloch
54.194.190.151	Active	Moloch
54.209.32.212	Active	Moloch
54.212.145.129	Active	Moloch
54.217.118.81	Active	Moloch
54.39.198.18	Active	Moloch
59.106.13.181	Active	Moloch
59.106.19.204	Active	Moloch
60.43.154.138	Active	Moloch
61.200.81.21	Active	Moloch
61.240.129.147	Active	Moloch
62.122.190.121	Active	Moloch
62.149.222.199	Active	Moloch
62.52.156.84	Active	Moloch
62.75.251.116	Active	Moloch
63.85.51.38	Active	Moloch
64.125.133.18	Active	Moloch
64.18.191.61	Active	Moloch
64.98.148.137	Active	Moloch
65.22.196.1	Active	Moloch
66.163.170.48	Active	Moloch
66.226.70.66	Active	Moloch
66.228.38.167	Active	Moloch
66.94.119.160	Active	Moloch
67.21.93.229	Active	Moloch
69.163.218.51	Active	Moloch
69.163.239.62	Active	Moloch
69.195.90.46	Active	Moloch
70.39.251.249	Active	Moloch
72.44.93.236	Active	Moloch
74.208.215.145	Active	Moloch
74.208.236.101	Active	Moloch
75.2.70.75	Active	Moloch
75.2.95.235	Active	Moloch
76.223.21.9	Active	Moloch
77.68.50.105	Active	Moloch
77.72.229.254	Active	Moloch
77.72.4.226	Active	Moloch
77.75.75.230	Active	Moloch
77.78.104.149	Active	Moloch
77.78.104.3	Active	Moloch
78.104.145.227	Active	Moloch
80.157.195.90	Active	Moloch
80.22.52.130	Active	Moloch
80.72.194.130	Active	Moloch
80.74.154.6	Active	Moloch
80.74.96.4	Active	Moloch
80.91.55.38	Active	Moloch
80.93.82.33	Active	Moloch
81.2.194.241	Active	Moloch
81.2.216.125	Active	Moloch
82.208.6.9	Active	Moloch
83.223.113.46	Active	Moloch
84.16.66.66	Active	Moloch
85.128.196.22	Active	Moloch
85.13.128.3	Active	Moloch
85.233.160.146	Active	Moloch
85.237.66.1	Active	Moloch
86.105.245.69	Active	Moloch
87.230.93.218	Active	Moloch
87.238.28.26	Active	Moloch
87.98.236.253	Active	Moloch
88.212.208.183	Active	Moloch
89.107.169.125	Active	Moloch
89.161.136.188	Active	Moloch
89.161.163.246	Active	Moloch
89.31.143.1	Active	Moloch
89.31.200.6	Active	Moloch
91.210.235.23	Active	Moloch
91.217.21.20	Active	Moloch
91.220.149.3	Active	Moloch
91.220.211.163	Active	Moloch
91.229.22.126	Active	Moloch
91.234.200.251	Active	Moloch
92.42.191.40	Active	Moloch
93.187.206.66	Active	Moloch
93.188.2.51	Active	Moloch
93.189.66.202	Active	Moloch
94.130.146.206	Active	Moloch
94.177.210.13	Active	Moloch
94.73.183.3	Active	Moloch
95.110.136.13	Active	Moloch
95.110.136.8	Active	Moloch
95.216.66.52	Active	Moloch
96.127.180.42	Active	Moloch
96.91.204.114	Active	Moloch
97.74.100.21	Active	Moloch
97.74.101.32	Active	Moloch
97.74.103.24	Active	Moloch
97.74.99.64	Active	Moloch
99.83.190.102	Active	Moloch
99.86.207.30	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49174 -> 80.93.82.33:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 192.124.249.20:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 70.39.251.249:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 216.58.203.83:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 59.106.19.204:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 172.67.73.176:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 3.130.253.23:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 170.82.173.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 70.39.251.249:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49186 -> 192.124.249.10:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 213.186.33.17:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49186 -> 192.124.249.10:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 62.122.190.121:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49192 -> 46.242.238.60:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 80.93.82.33:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 34.94.160.21:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 192.124.249.20:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49189 -> 66.94.119.160:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 34.149.87.45:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 170.82.173.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49196 -> 142.250.206.243:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 62.122.190.121:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49201 -> 39.99.233.155:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 104.26.15.53:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49197 -> 60.43.154.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49196 -> 142.250.206.243:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49197 -> 60.43.154.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 52.71.57.184:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49193 -> 192.241.158.94:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49189 -> 66.94.119.160:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 192.252.154.18:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 52.71.57.184:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 89.161.163.246:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49208 -> 23.227.38.74:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49195 -> 122.128.109.107:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49200 -> 104.21.42.10:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49207 -> 77.68.50.105:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49199 -> 108.167.164.216:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49212 -> 210.140.73.39:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49193 -> 192.241.158.94:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49198 -> 80.74.154.6:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49207 -> 77.68.50.105:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49199 -> 108.167.164.216:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 34.94.160.21:80 -> 192.168.56.103:49178	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	A Network Trojan was detected
TCP 192.168.56.103:49215 -> 172.67.201.26:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49198 -> 80.74.154.6:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49209 -> 3.18.7.81:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 3.64.163.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49203 -> 51.79.51.72:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49211 -> 195.78.66.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49187 -> 185.80.51.179:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
UDP 192.168.56.103:50089 -> 8.8.8.8:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
TCP 192.168.56.103:49216 -> 13.225.128.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49224 -> 72.44.93.236:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49216 -> 13.225.128.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49217 -> 107.180.98.101:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49214 -> 217.79.184.35:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49190 -> 188.165.133.163:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49230 -> 147.154.3.56:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49218 -> 185.53.177.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49220 -> 172.67.173.200:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49255 -> 104.21.1.213:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49205 -> 81.2.194.241:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49222 -> 165.227.252.190:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49194 -> 91.210.235.23:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49205 -> 81.2.194.241:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49202 -> 104.21.25.200:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49226 -> 213.186.33.40:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49239 -> 172.67.184.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49226 -> 213.186.33.40:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49232 -> 74.208.236.101:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49202 -> 104.21.25.200:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49233 -> 208.97.178.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49233 -> 208.97.178.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49204 -> 193.70.68.254:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49206 -> 104.26.3.124:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49244 -> 93.187.206.66:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49223 -> 69.163.218.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49223 -> 69.163.218.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49225 -> 69.163.218.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49210 -> 202.254.236.40:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49262 -> 13.248.169.48:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49259 -> 3.130.204.160:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49206 -> 104.26.3.124:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49227 -> 104.196.26.65:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49260 -> 3.130.204.160:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49253 -> 103.224.212.212:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49210 -> 202.254.236.40:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49229 -> 5.196.166.214:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49213 -> 3.18.7.81:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49231 -> 154.203.14.100:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49227 -> 104.196.26.65:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49228 -> 96.127.180.42:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49221 -> 69.163.239.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49270 -> 104.218.10.254:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49228 -> 96.127.180.42:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49221 -> 69.163.239.62:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49235 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49262 -> 13.248.169.48:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49250 -> 104.26.11.81:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49236 -> 103.224.182.241:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49254 -> 103.224.212.212:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49235 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49263 -> 188.166.152.188:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49235 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49264 -> 23.227.38.74:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49235 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49261 -> 217.19.237.54:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49271 -> 157.112.176.4:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49235 -> 3.65.101.129:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49297 -> 104.21.41.152:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49241 -> 34.94.245.237:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49234 -> 104.21.79.244:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 34.94.245.237:80 -> 192.168.56.103:49241	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	A Network Trojan was detected
TCP 192.168.56.103:49268 -> 34.239.80.18:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49237 -> 208.97.178.138:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49272 -> 173.254.28.29:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49238 -> 103.224.182.241:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49272 -> 173.254.28.29:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49323 -> 172.67.199.57:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49249 -> 211.1.226.67:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49315 -> 172.67.33.95:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49249 -> 211.1.226.67:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49240 -> 162.43.120.128:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49240 -> 162.43.120.128:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 104.21.46.148:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49279 -> 38.36.96.76:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49333 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49314 -> 153.122.24.177:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49320 -> 199.34.228.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49296 -> 104.21.74.141:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49258 -> 135.181.73.98:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49258 -> 135.181.73.98:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49308 -> 204.15.134.44:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49248 -> 99.86.207.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49342 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49248 -> 99.86.207.30:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49356 -> 172.67.156.49:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49252 -> 172.67.142.169:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49350 -> 192.169.149.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49256 -> 34.94.160.21:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49354 -> 183.90.232.24:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49265 -> 208.109.214.162:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49265 -> 208.109.214.162:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49273 -> 157.112.182.239:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49285 -> 38.36.96.76:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49329 -> 59.106.13.181:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49284 -> 198.185.159.144:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49368 -> 192.169.149.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49373 -> 172.67.156.49:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49301 -> 64.18.191.61:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49291 -> 13.56.33.8:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49292 -> 195.128.140.29:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49330 -> 49.212.180.178:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49302 -> 91.220.211.163:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49316 -> 172.67.181.113:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49392 -> 185.178.208.141:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49359 -> 172.67.193.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49391 -> 52.86.6.113:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49347 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49362 -> 211.13.204.3:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49355 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49353 -> 99.83.190.102:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49306 -> 86.105.245.69:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49339 -> 104.26.3.14:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49352 -> 89.161.136.188:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49343 -> 185.230.63.107:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49336 -> 13.56.33.8:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49385 -> 192.169.149.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49369 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49374 -> 49.212.235.175:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49367 -> 45.142.176.225:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49366 -> 185.151.30.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49402 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49358 -> 104.26.3.14:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49405 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49393 -> 15.197.142.173:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49371 -> 34.174.61.199:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49415 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49400 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49403 -> 23.236.62.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49416 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49420 -> 5.189.171.125:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49390 -> 104.18.40.43:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49429 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.174.61.199:80 -> 192.168.56.103:49371	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	A Network Trojan was detected
TCP 34.174.61.199:80 -> 192.168.56.103:49371	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	A Network Trojan was detected
TCP 192.168.56.103:49438 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49431 -> 69.195.90.46:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49447 -> 52.86.6.113:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49430 -> 46.4.56.54:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 94.130.146.206:443 -> 192.168.56.103:49434	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49451 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49398 -> 157.7.231.224:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49440 -> 46.30.60.158:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49410 -> 54.209.32.212:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49461 -> 75.2.95.235:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49379 -> 35.230.155.43:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49407 -> 94.130.146.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49399 -> 153.126.211.112:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49408 -> 18.197.121.220:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49497 -> 153.122.24.177:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49501 -> 94.130.146.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49423 -> 94.130.146.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49422 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.237.66.112:443 -> 192.168.56.103:49427	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 185.237.66.112:443 -> 192.168.56.103:49435	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49445 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49458 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49414 -> 5.181.161.11:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49471 -> 192.124.249.9:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49493 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 94.130.146.206:443 -> 192.168.56.103:49479	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49502 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49516 -> 210.140.73.39:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 185.237.66.112:443 -> 192.168.56.103:49520	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49514 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49412 -> 185.106.129.180:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49425 -> 91.229.22.126:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49499 -> 104.21.79.166:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49521 -> 23.227.38.32:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49526 -> 38.36.96.76:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49533 -> 38.36.96.76:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 94.130.146.206:443 -> 192.168.56.103:49525	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 185.237.66.112:443 -> 192.168.56.103:49529	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49531 -> 3.33.130.190:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49576 -> 104.26.12.244:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49578 -> 77.72.4.226:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49562 -> 157.7.107.88:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49581 -> 51.89.6.56:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49566 -> 192.169.149.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49439 -> 5.189.171.125:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49579 -> 157.7.231.224:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49315 -> 172.67.33.95:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49606 -> 151.101.2.132:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49444 -> 54.217.118.81:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49452 -> 94.130.146.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49612 -> 133.125.38.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49621 -> 185.230.63.107:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49453 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49616 -> 219.94.129.97:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49443 -> 67.21.93.229:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49619 -> 35.231.13.148:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 185.237.66.112:443 -> 192.168.56.103:49473	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49480 -> 34.67.9.172:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 34.67.9.172:80 -> 192.168.56.103:49480	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	A Network Trojan was detected
TCP 34.67.9.172:80 -> 192.168.56.103:49480	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	A Network Trojan was detected
TCP 192.168.56.103:49506 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49465 -> 94.130.146.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49649 -> 23.239.201.14:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49560 -> 192.169.149.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49638 -> 61.200.81.21:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49570 -> 192.169.149.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49467 -> 185.237.66.112:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49641 -> 83.223.113.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49600 -> 104.21.73.149:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49636 -> 54.39.198.18:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 185.237.66.112:443 -> 192.168.56.103:49481	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49663 -> 77.78.104.3:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49656 -> 83.223.113.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49539 -> 38.36.96.76:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49664 -> 99.83.190.102:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49634 -> 219.94.128.87:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49676 -> 89.31.143.1:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49633 -> 15.197.142.173:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49697 -> 192.124.249.12:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49517 -> 203.210.102.34:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49683 -> 93.189.66.202:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49551 -> 104.20.122.68:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49505 -> 46.4.56.54:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49509 -> 216.177.137.32:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49512 -> 94.130.146.206:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49535 -> 172.67.212.131:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49537 -> 157.7.107.88:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49557 -> 92.42.191.40:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49709 -> 52.86.6.113:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49561 -> 195.128.140.29:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49675 -> 198.185.159.145:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49546 -> 217.79.248.38:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49659 -> 54.39.198.18:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49586 -> 172.67.167.96:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49535 -> 172.67.212.131:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49595 -> 104.21.234.121:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49563 -> 35.230.155.43:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49588 -> 23.239.201.14:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49552 -> 93.188.2.51:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49686 -> 210.140.73.39:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49626 -> 52.86.6.113:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49629 -> 54.39.198.18:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49643 -> 75.2.70.75:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49517 -> 203.210.102.34:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49692 -> 87.98.236.253:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49651 -> 104.21.74.141:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49658 -> 192.124.249.12:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
UDP 192.168.56.103:63206 -> 8.8.8.8:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
TCP 192.168.56.103:49673 -> 38.111.255.201:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49657 -> 49.212.243.77:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49680 -> 104.26.0.82:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
UDP 192.168.56.103:63357 -> 8.8.8.8:53	2027870	ET INFO Observed DNS Query to .world TLD	Potentially Bad Traffic
TCP 192.168.56.103:49703 -> 211.13.204.3:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49302 -> 91.220.211.163:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49708 -> 195.96.252.188:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49785 -> 35.172.94.1:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49680 -> 104.26.0.82:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49746 -> 104.21.73.143:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49612 -> 133.125.38.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49702 -> 89.107.169.125:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49724 -> 192.124.249.14:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49711 -> 35.172.94.1:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49715 -> 203.210.102.34:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49827 -> 49.212.235.59:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49834 -> 185.151.30.147:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49807 -> 172.64.147.213:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
UDP 192.168.56.103:61943 -> 8.8.8.8:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
TCP 192.168.56.103:49815 -> 192.169.149.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49765 -> 108.170.12.50:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49768 -> 194.143.194.23:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49805 -> 192.169.149.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49810 -> 192.169.149.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49813 -> 199.34.228.78:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49802 -> 104.26.12.244:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49823 -> 195.5.116.23:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49819 -> 133.125.38.187:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49790 -> 49.12.155.123:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49825 -> 86.105.245.69:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49809 -> 204.15.134.44:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49846 -> 172.67.168.72:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49605 -> 195.5.116.23:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49850 -> 172.67.129.18:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49303 -> 38.36.96.76:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49543 -> 104.21.46.148:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49377 -> 172.67.135.11:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 193.166.255.171:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49519 -> 205.178.189.131:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49528 -> 205.178.189.131:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49510 -> 205.178.189.131:80	2016867	ET MALWARE Backdoor.Win32.Pushdo.s Checkin	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49323 172.67.199.57:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=hyab.se	fb:19:91:a4:cc:88:50:f4:d5:a2:13:5a:e8:fd:24:21:7d:38:11:5b
TLSv1 192.168.56.103:49356 172.67.156.49:443	C=US, O=Let's Encrypt, CN=E1	CN=*.orlyhotel.com	c7:d0:5f:93:9c:c0:bf:3e:9d:60:23:63:23:dc:e1:58:6e:3f:43:71
TLSv1 192.168.56.103:49373 172.67.156.49:443	None	None	None
TLSv1 192.168.56.103:49359 172.67.193.133:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	28:54:2c:72:71:1b:3f:88:07:e2:1d:7b:6c:1b:7f:45:bc:7e:fe:1c
TLSv1 192.168.56.103:49420 5.189.171.125:443	C=US, O=Let's Encrypt, CN=R3	CN=muhr-soehne.com	5e:23:ca:7a:19:ae:a8:c2:c8:e8:9c:83:0b:cb:23:59:ba:bb:22:8f
TLSv1 192.168.56.103:49425 91.229.22.126:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018	C=PL, ST=Mazowieckie, L=Warszawa, O=Komenda Glowna Policji, CN=*.policja.gov.pl	3d:fe:e4:18:9c:81:af:dd:a8:f5:e3:51:55:cb:6e:5e:89:7f:65:e2
TLSv1 192.168.56.103:49439 5.189.171.125:443	None	None	None
TLSv1 192.168.56.103:49641 83.223.113.46:443	C=US, O=Let's Encrypt, CN=R3	CN=magicomm.co.uk	34:54:cd:16:e8:4d:75:2c:f6:95:73:39:99:be:21:f9:f7:ca:8c:9a
TLSv1 192.168.56.103:49656 83.223.113.46:443	C=US, O=Let's Encrypt, CN=R3	CN=magicomm.co.uk	34:54:cd:16:e8:4d:75:2c:f6:95:73:39:99:be:21:f9:f7:ca:8c:9a

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 10, 2023, 7:38 a.m.	computer_name: TEST22-PC	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptGenKey Oct. 10, 2023, 7:38 a.m.	crypto_handle: 0x003d9c50 algorithm_identifier: 0x00006801 (CALG_RC4) flags: 8388609 key: h,Ð!O®÷¬pc©Øt/ provider_handle: 0x003eeaf0	1	1
CryptExportKey Oct. 10, 2023, 7:38 a.m.	buffer: h,Ð!O®÷¬pc©Øt/ crypto_handle: 0x003d9c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Oct. 10, 2023, 7:38 a.m.	buffer: h¤\gzïñXwã(bèÞxqU® ûöFõ#æü¸XüPZAV@6Òô8;±ÄB ÄÐ¨?wÔcZs,l±csóvÕ ×2¤ m Vø¤Õ6¨oÑî6ÂéY ?¿ËxÞà@«~j\|Òª·u-¼¢ ï%ÕÒP& crypto_handle: 0x003d9c50 flags: 0 crypto_export_handle: 0x003d9c90 blob_type: 1	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 10, 2023, 7:38 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (50 out of 210 events)

suspicious_features	POST method with no referer header	suspicious_request	POST http://www.ftchat.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.pr-park.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.jenco.co.uk/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.dgmna.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.quadlock.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.baijaku.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.pdqhomes.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.valdal.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.tvtools.fi/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.alteor.cl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.olras.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.elpro.si/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.depalo.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.wkhk.net/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.petsfan.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.abdg.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.otena.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.credo.edu.pl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.synetik.net/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.item-pr.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.evcpa.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.hummer.hu/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.mqs.com.br/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.yocinc.org/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.xaicom.es/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.abart.pl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.waldi.pl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.nunomira.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.nelipak.nl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.vitaindu.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.iamdirt.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.ora.ecnet.jp/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.transsib.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.aevga.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.wifi4all.nl/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.gpthink.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.fcwcvt.org/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.holleman.us/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.valselit.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.edimart.hu/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.kernsafe.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.stnic.co.uk/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.snugpak.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.netcr.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.naoi-a.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.photo4b.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.ex-olive.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.tyrns.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.pcgrate.com/
suspicious_features	POST method with no referer header	suspicious_request	POST http://www.lrsuk.com/

Performs some HTTP requests (50 out of 217 events)

request	POST http://www.ftchat.com/
request	POST http://www.pr-park.com/
request	POST http://www.jenco.co.uk/
request	POST http://www.dgmna.com/
request	POST http://www.quadlock.com/
request	POST http://www.baijaku.com/
request	POST http://www.pdqhomes.com/
request	POST http://www.valdal.com/
request	POST http://www.tvtools.fi/
request	POST http://www.alteor.cl/
request	POST http://www.olras.com/
request	POST http://www.elpro.si/
request	POST http://www.depalo.com/
request	POST http://www.wkhk.net/
request	POST http://www.petsfan.com/
request	POST http://www.abdg.com/
request	POST http://www.otena.com/
request	POST http://www.credo.edu.pl/
request	POST http://www.synetik.net/
request	POST http://www.item-pr.com/
request	POST http://www.evcpa.com/
request	POST http://www.hummer.hu/
request	POST http://www.mqs.com.br/
request	POST http://www.yocinc.org/
request	POST http://www.xaicom.es/
request	POST http://www.abart.pl/
request	POST http://www.waldi.pl/
request	POST http://www.nunomira.com/
request	POST http://www.nelipak.nl/
request	POST http://www.vitaindu.com/
request	POST http://www.iamdirt.com/
request	POST http://www.ora.ecnet.jp/
request	POST http://www.transsib.com/
request	POST http://www.aevga.com/
request	POST http://www.wifi4all.nl/
request	POST http://www.gpthink.com/
request	POST http://www.fcwcvt.org/
request	POST http://www.holleman.us/
request	POST http://www.valselit.com/
request	POST http://www.edimart.hu/
request	POST http://www.kernsafe.com/
request	POST http://www.stnic.co.uk/
request	POST http://www.snugpak.com/
request	POST http://www.netcr.com/
request	POST http://www.naoi-a.com/
request	POST http://www.photo4b.com/
request	POST http://www.ex-olive.com/
request	POST http://www.tyrns.com/
request	POST http://www.pcgrate.com/
request	POST http://www.lrsuk.com/

Sends data using the HTTP POST Method (50 out of 210 events)

request	POST http://www.ftchat.com/
request	POST http://www.pr-park.com/
request	POST http://www.jenco.co.uk/
request	POST http://www.dgmna.com/
request	POST http://www.quadlock.com/
request	POST http://www.baijaku.com/
request	POST http://www.pdqhomes.com/
request	POST http://www.valdal.com/
request	POST http://www.tvtools.fi/
request	POST http://www.alteor.cl/
request	POST http://www.olras.com/
request	POST http://www.elpro.si/
request	POST http://www.depalo.com/
request	POST http://www.wkhk.net/
request	POST http://www.petsfan.com/
request	POST http://www.abdg.com/
request	POST http://www.otena.com/
request	POST http://www.credo.edu.pl/
request	POST http://www.synetik.net/
request	POST http://www.item-pr.com/
request	POST http://www.evcpa.com/
request	POST http://www.hummer.hu/
request	POST http://www.mqs.com.br/
request	POST http://www.yocinc.org/
request	POST http://www.xaicom.es/
request	POST http://www.abart.pl/
request	POST http://www.waldi.pl/
request	POST http://www.nunomira.com/
request	POST http://www.nelipak.nl/
request	POST http://www.vitaindu.com/
request	POST http://www.iamdirt.com/
request	POST http://www.ora.ecnet.jp/
request	POST http://www.transsib.com/
request	POST http://www.aevga.com/
request	POST http://www.wifi4all.nl/
request	POST http://www.gpthink.com/
request	POST http://www.fcwcvt.org/
request	POST http://www.holleman.us/
request	POST http://www.valselit.com/
request	POST http://www.edimart.hu/
request	POST http://www.kernsafe.com/
request	POST http://www.stnic.co.uk/
request	POST http://www.snugpak.com/
request	POST http://www.netcr.com/
request	POST http://www.naoi-a.com/
request	POST http://www.photo4b.com/
request	POST http://www.ex-olive.com/
request	POST http://www.tyrns.com/
request	POST http://www.pcgrate.com/
request	POST http://www.lrsuk.com/

Resolves a suspicious Top Level Domain (TLD) (22 events)

domain	mxs.mail.ru	description	Russian Federation domain TLD
domain	ya-z.ru	description	Russian Federation domain TLD
domain	yaroslavka.ru	description	Russian Federation domain TLD
domain	yankin.ru	description	Russian Federation domain TLD
domain	hbsa.ru	description	Russian Federation domain TLD
domain	yartelecom.ru	description	Russian Federation domain TLD
domain	albaclub.ru	description	Russian Federation domain TLD
domain	yachtclub26.ru	description	Russian Federation domain TLD
domain	chzko.ru	description	Russian Federation domain TLD
domain	yantour.ru	description	Russian Federation domain TLD
domain	ygo.ru	description	Russian Federation domain TLD
domain	kurlovich.ru	description	Russian Federation domain TLD
domain	maksimshahov.ru	description	Russian Federation domain TLD
domain	karelia.ru	description	Russian Federation domain TLD
domain	notis.ru	description	Russian Federation domain TLD
domain	cnti.krsn.ru	description	Russian Federation domain TLD
domain	ktenergo.ru	description	Russian Federation domain TLD
domain	kursavto.ru	description	Russian Federation domain TLD
domain	gydrozo.ru	description	Russian Federation domain TLD
domain	bumfa.ru	description	Russian Federation domain TLD
domain	vologda.ru	description	Russian Federation domain TLD
domain	online.ru	description	Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 10, 2023, 7:38 a.m.	process_identifier: 2640 region_size: 581632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 10, 2023, 7:38 a.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:38 a.m.	process_identifier: 2640 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:38 a.m.	process_identifier: 2640 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:38 a.m.	process_identifier: 2640 region_size: 22347776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

svchost.exe tried to sleep 319 seconds, actually delayed analysis time by 319 seconds

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\svchost.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (10 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 10, 2023, 7:38 a.m.	snapshot_handle: 0x00000144 process_name: pw.exe process_identifier: 288	1	1
Process32NextW Oct. 10, 2023, 7:38 a.m.	snapshot_handle: 0x00000144 process_name: SearchProtocolHost.exe process_identifier: 1608	1	1
Process32NextW Oct. 10, 2023, 7:38 a.m.	snapshot_handle: 0x00000144 process_name: SearchFilterHost.exe process_identifier: 1268	1	1
Process32NextW Oct. 10, 2023, 7:38 a.m.	snapshot_handle: 0x00000144 process_name: 188.exe process_identifier: 1072	1	1
Process32NextW Oct. 10, 2023, 7:38 a.m.	snapshot_handle: 0x00000144 process_name: svchost.exe process_identifier: 2220	1	1
Process32NextW Oct. 10, 2023, 7:38 a.m.	snapshot_handle: 0x00000144 process_name: sppsvc.exe process_identifier: 2344	1	1
Process32NextW Oct. 10, 2023, 7:38 a.m.	snapshot_handle: 0x00000144 process_name: cmd.exe process_identifier: 2768	1	1
Process32NextW Oct. 10, 2023, 7:38 a.m.	snapshot_handle: 0x00000144 process_name: conhost.exe process_identifier: 2776	1	1
Process32NextW Oct. 10, 2023, 7:38 a.m.	snapshot_handle: 0x00000144 process_name: pw.exe process_identifier: 2800	1	1
Process32NextW Oct. 10, 2023, 7:38 a.m.	snapshot_handle: 0x00000144 process_name: svchost.exe process_identifier: 2832	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 10, 2023, 7:38 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001c000', u'virtual_address': u'0x00012000', u'entropy': 7.188065592253541, u'name': u'.rdata', u'virtual_size': u'0x0001be5a'}

entropy

7.18806559225

description

A section with a high entropy has been found

entropy

0.389565217391

description

Overall entropy of this PE file is high

Yara rule detected in process memory (50 out of 67 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over HTTP	rule	Network_HTTP
description	Communications smtp	rule	network_smtp_raw
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg

Connects to smtp.live.com, possibly for spamming or data exfiltration (1 event)

domain

smtp.live.com

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 97751a713ab1c071fe2a95e95ba6d2bd53539433
buffer	Buffer with sha1: d4c0e4a6a1a42545ce3453e7d7b56813f26a5e6b

Connects to an IRC server, possibly part of a botnet

Makes SMTP requests, possibly sending spam (26 events)

receiver

[]

sender

[]

server

66.226.70.66

receiver

[]

sender

[]

server

66.226.70.66

receiver

[]

sender

[]

server

153.126.211.112

receiver

[]

sender

[]

server

203.137.75.45

receiver

[]

sender

[]

server

49.12.155.123

receiver

[]

sender

[]

server

217.69.139.150

receiver

[]

sender

[]

server

203.137.75.45

receiver

[]

sender

[]

server

217.69.139.150

receiver

[]

sender

[]

server

217.79.248.38

receiver

[]

sender

[]

server

217.69.139.150

receiver

[]

sender

[]

server

142.250.152.26

receiver

[]

sender

[]

server

212.44.102.75

receiver

[]

sender

[]

server

142.250.152.26

receiver

[]

sender

[]

server

142.250.152.26

receiver

[]

sender

[]

server

142.251.170.27

receiver

[]

sender

[]

server

142.251.170.27

receiver

[]

sender

[]

server

142.251.170.27

receiver

[]

sender

[]

server

103.168.172.221

receiver

[]

sender

[]

server

103.168.172.221

receiver

[]

sender

[]

server

103.168.172.221

receiver

[]

sender

[]

server

153.120.34.73

receiver

[]

sender

[]

server

192.99.226.184

receiver

[]

sender

[]

server

192.99.226.184

receiver

[]

sender

[]

server

34.174.61.199

receiver

[]

sender

[]

server

185.163.45.187

receiver

[]

sender

[]

server

194.76.27.77

Communicates with host for which no DNS query was performed (3 events)

host	153.120.34.73
host	198.1.81.28
host	211.13.196.162

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 10, 2023, 7:38 a.m.	process_identifier: 2832 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000170		3221225496
NtAllocateVirtualMemory Oct. 10, 2023, 7:38 a.m.	process_identifier: 2832 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7e3f0000 allocation_type: 1060864 (MEM_COMMIT\|MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0x00000170	1	0
NtAllocateVirtualMemory Oct. 10, 2023, 7:38 a.m.	process_identifier: 2832 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000170	1	0
NtAllocateVirtualMemory Oct. 10, 2023, 7:38 a.m.	process_identifier: 2900 region_size: 22347776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000180	1	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 10, 2023, 7:38 a.m.	buffer: ?~ base_address: 0x7efde008 process_identifier: 2832 process_handle: 0x00000170	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	svchost.exe				useragent
process	svchost.exe				useragent	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2640 called NtSetContextThread to modify thread in remote process 2832
NtSetContextThread Oct. 10, 2023, 7:38 a.m.	registers.eip: 2005598660 registers.esp: 1637944 registers.edi: 0 registers.eax: 2118081136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c8 process_identifier: 2832	1	0	0

Expresses interest in specific running processes (1 event)

process: potential process injection target

svchost.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2640 resumed a thread in remote process 2832
NtResumeThread Oct. 10, 2023, 7:38 a.m.	thread_handle: 0x000000c8 suspend_count: 1 process_identifier: 2832	1	0	0

Generates some ICMP traffic

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Cutwail.4!c
FireEye	Generic.mg.f96c1d0accec84ab
Skyhigh	BehavesLike.Win32.Infected.dh
McAfee	Artemis!F96C1D0ACCEC
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMalware [Misc]
Rising	Trojan.Generic@AI.100 (RDML:2UDhQV/rd9gHxliBLrNBzA)
Trapmine	malicious.moderate.ml.score
Sophos	Mal/Generic-S
Kingsoft	malware.kb.a.992
Microsoft	Trojan:Win32/Cutwail.ACW!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
BitDefenderTheta	Gen:NN.ZexaF.36738.syW@aWWv42mi
Cylance	unsafe
Panda	Trj/Chgt.AD
SentinelOne	Static AI - Malicious PE
AVG	FileRepMalware [Misc]
Cybereason	malicious.e9f558
DeepInstinct	MALICIOUS

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 10, 2023, 7:38 a.m.	thread_identifier: 2836 thread_handle: 0x000000c8 process_identifier: 2832 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000170	1	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:38 a.m.	process_identifier: 2832 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000170		3221225496
NtAllocateVirtualMemory Oct. 10, 2023, 7:38 a.m.	process_identifier: 2832 region_size: 12259328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7e3f0000 allocation_type: 1060864 (MEM_COMMIT\|MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0x00000170	1	0
WriteProcessMemory Oct. 10, 2023, 7:38 a.m.	buffer: base_address: 0x7e3f0000 process_identifier: 2832 process_handle: 0x00000170	1	1
NtGetContextThread Oct. 10, 2023, 7:38 a.m.	thread_handle: 0x000000c8	1	0
WriteProcessMemory Oct. 10, 2023, 7:38 a.m.	buffer: ?~ base_address: 0x7efde008 process_identifier: 2832 process_handle: 0x00000170	1	1
NtSetContextThread Oct. 10, 2023, 7:38 a.m.	registers.eip: 2005598660 registers.esp: 1637944 registers.edi: 0 registers.eax: 2118081136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c8 process_identifier: 2832	1	0
NtResumeThread Oct. 10, 2023, 7:38 a.m.	thread_handle: 0x000000c8 suspend_count: 1 process_identifier: 2832	1	0
NtAllocateVirtualMemory Oct. 10, 2023, 7:38 a.m.	process_identifier: 2832 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000170	1	0
WriteProcessMemory Oct. 10, 2023, 7:38 a.m.	buffer: base_address: 0x04000000 process_identifier: 2832 process_handle: 0x00000170	1	1
CreateProcessInternalW Oct. 10, 2023, 7:38 a.m.	thread_identifier: 2904 thread_handle: 0x0000017c process_identifier: 2900 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000180	1	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:38 a.m.	process_identifier: 2900 region_size: 22347776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x13140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000180	1	0
NtResumeThread Oct. 10, 2023, 7:38 a.m.	thread_handle: 0x00000164 suspend_count: 1 process_identifier: 2900	1	0
NtResumeThread Oct. 10, 2023, 7:38 a.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 3036	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (50 out of 51 events)

dead_host	204.79.197.212:25
dead_host	137.118.26.67:80
dead_host	62.75.251.116:80
dead_host	213.186.33.16:25
dead_host	192.168.56.103:49491
dead_host	104.21.234.120:25
dead_host	104.21.27.205:25
dead_host	198.209.253.30:80
dead_host	192.168.56.103:49559
dead_host	203.0.113.0:80
dead_host	159.89.244.183:25
dead_host	216.69.141.67:25
dead_host	64.125.133.18:80
dead_host	3.64.163.50:25
dead_host	217.74.161.133:25
dead_host	96.91.204.114:80
dead_host	211.13.196.162:25
dead_host	192.168.56.103:49299
dead_host	198.100.146.220:80
dead_host	35.231.13.148:25
dead_host	172.67.145.148:25
dead_host	192.168.56.103:49771
dead_host	217.19.254.22:25
dead_host	157.7.107.88:25
dead_host	185.230.63.171:25
dead_host	15.197.142.173:25
dead_host	87.230.93.218:80
dead_host	31.177.80.70:25
dead_host	199.34.228.78:25
dead_host	104.21.32.240:25
dead_host	85.233.160.146:25
dead_host	192.168.56.103:49646
dead_host	208.91.197.46:80
dead_host	49.212.232.113:25
dead_host	208.80.122.205:25
dead_host	192.168.56.103:49668
dead_host	172.64.147.213:25
dead_host	198.1.81.28:25
dead_host	192.168.56.103:49803
dead_host	185.151.30.147:25
dead_host	192.168.56.103:49685
dead_host	18.197.121.220:25
dead_host	154.201.225.123:80
dead_host	49.212.232.113:80
dead_host	133.125.38.187:25
dead_host	192.168.56.103:49331
dead_host	54.194.190.151:80
dead_host	54.212.145.129:80
dead_host	141.193.213.20:25
dead_host	104.24.161.27:25

188.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All