popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

File.7z

Amadey PWS Escalate priviledges KeyLogger AntiDebug AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Oct. 25, 2023, 6:13 p.m. Oct. 25, 2023, 6:16 p.m.
Size 4.4MB
Type 7-zip archive data, version 0.4
MD5 86f0e6986a754d96179b2c20d8db49b6
SHA256 a629ff0522350c326908979f35420dd76ce0da6dd9e7d5315838e68861a74000
CRC32 C0E70A72
ssdeep 98304:hRFV90SneeSS7EBH2iQyXHOaGfLlm4ULUJD0b4/KInSm0SL0+30Y80:h3Tne4gBWiQyX8TwNE0b4SIe+EG
Yara None matched

Name Response Post-Analysis Lookup
telegram.org
A 149.154.167.99
149.154.167.99
zexeq.com
A 37.234.244.168
A 211.40.39.251
A 181.170.86.159
A 190.141.134.150
A 123.140.161.243
A 196.188.169.138
A 211.53.230.67
A 201.119.69.112
A 123.213.233.131
A 211.171.233.129
123.213.233.131
pastebin.com
A 104.20.67.143
A 172.67.34.170
A 104.20.68.143
104.20.67.143
api.db-ip.com
A 104.26.5.15
A 104.26.4.15
A 172.67.75.166
172.67.75.166
www.sivasdescalzo.com
A 104.18.232.222
A 104.18.233.222
104.18.233.222
apps.identrust.com
A 121.254.136.9
CNAME a1952.dscq.akamai.net
CNAME identrust.edgesuite.net
A 121.254.136.18
A 23.200.75.26
A 23.200.75.28
23.200.75.26
twitter.com
A 104.244.42.129
104.244.42.129
colisumy.com
A 190.12.87.61
A 14.33.209.147
A 151.233.51.166
A 181.170.86.159
A 186.147.159.149
A 211.171.233.126
A 123.140.161.243
A 201.119.69.112
A 185.12.79.25
A 211.181.24.132
A 175.126.109.15
A 115.88.24.200
A 190.219.136.87
A 211.171.233.129
A 196.188.169.138
A 211.119.84.111
A 187.134.58.59
A 195.158.3.162
181.170.86.159
ipinfo.io
A 34.117.59.81
34.117.59.81
experiment.pw
A 104.21.34.37
A 172.67.167.220
104.21.34.37
gobo04fc.top
A 85.143.220.63
85.143.220.63
sso.passport.yandex.ru
A 213.180.204.24
CNAME passport.yandex.ru
213.180.204.24
net.geo.opera.com
A 107.167.110.211
A 107.167.110.216
CNAME lati.lb.opera.technology
CNAME us.net.opera.com
107.167.110.216
msdl.microsoft.com
CNAME msdl.microsoft.akadns.net
CNAME msdl-microsoft-com.a-0016.a-msedge.net
CNAME a-0016.a-msedge.net
A 204.79.197.219
204.79.197.219
sun6-23.userapi.com
A 95.142.206.3
95.142.206.3
octocrabs.com
A 104.21.21.189
A 172.67.200.10
104.21.21.189
flyawayaero.net
A 104.21.93.225
A 172.67.216.81
172.67.216.81
galandskiyher5.com
A 95.214.26.34
95.214.26.34
api.ip.sb
CNAME api.ip.sb.cdn.cloudflare.net
A 104.26.13.31
A 104.26.12.31
A 172.67.75.172
172.67.75.172
sun6-22.userapi.com
A 95.142.206.2
95.142.206.2
pool.hashvault.pro
A 131.153.76.130
A 125.253.92.50
131.153.76.130
yandex.ru
A 5.255.255.77
A 77.88.55.88
A 77.88.55.60
A 5.255.255.70
5.255.255.70
ssl.gstatic.com
A 142.250.204.35
142.250.206.227
server13.thestatsfiles.ru
A 185.82.216.96
185.82.216.96
a8b8fc1f-3586-4658-b72f-0e583b0d00e8.uuid.thestatsfiles.ru 185.82.216.96
stun2.l.google.com
A 74.125.197.127
74.125.197.127
lycheepanel.info
A 104.21.32.208
A 172.67.187.122
104.21.32.208
neuralshit.net
A 104.21.6.10
A 172.67.134.35
104.21.6.10
grabyourpizza.com
A 104.21.90.82
A 172.67.197.174
172.67.197.174
api.myip.com
A 172.67.75.163
A 104.26.9.59
A 104.26.8.59
104.26.8.59
152.134.208.175.in-addr.arpa
iplogger.com
A 148.251.234.93
148.251.234.93
dzen.ru
A 62.217.160.2
62.217.160.2
lrefjviufewmcd.org
A 91.215.85.209
91.215.85.209
vk.com
A 87.240.129.133
A 87.240.132.72
A 87.240.132.67
A 87.240.137.164
A 93.186.225.194
A 87.240.132.78
87.240.132.67
iplogger.org
A 148.251.234.83
148.251.234.83
yip.su
A 104.21.79.77
A 172.67.169.89
172.67.169.89
sun6-20.userapi.com
A 95.142.206.0
95.142.206.0
www.maxmind.com
A 104.18.145.235
A 104.18.146.235
104.18.145.235
laubenstein.space
api.2ip.ua
A 104.21.65.24
A 172.67.139.220
104.21.65.24
t.me
A 149.154.167.99
149.154.167.99
diplodoka.net
A 104.21.78.56
A 172.67.217.52
172.67.217.52
www.nakedcph.com
A 104.16.128.120
A 104.16.129.120
104.16.129.120
sun6-21.userapi.com
A 95.142.206.1
95.142.206.1
gons3fc.top
A 85.143.220.63
85.143.220.63
potatogoose.com
A 104.21.35.235
A 172.67.180.173
104.21.35.235
insuport.com
A 69.90.162.0
69.90.162.0
walkinglate.com
A 104.21.23.184
A 172.67.212.188
104.21.23.184
accounts.google.com
A 142.251.130.13
142.250.206.205
vanaheim.cn
A 84.201.152.220
84.201.152.220
vsblobprodscussu5shard58.blob.core.windows.net
CNAME blob.SAT09PrdStrz08A.trafficmanager.net
CNAME blob.sat09prdstrz08a.store.core.windows.net
A 20.150.79.68
A 20.150.70.36
A 20.150.38.228
20.150.70.36
jamesjordan.top
www.google.com
A 142.250.76.132
142.250.76.132
steamcommunity.com
A 104.75.41.21
104.75.41.21
www.snipes.com
CNAME www.snipes.com.cdn.cloudflare.net
A 104.16.222.69
A 104.16.223.69
104.16.223.69
iplis.ru
A 148.251.234.93
148.251.234.93
db-ip.com
A 104.26.5.15
A 104.26.4.15
A 172.67.75.166
104.26.4.15
lakuiksong.known.co.ke
A 146.59.70.14
146.59.70.14
vsblobprodscussu5shard10.blob.core.windows.net
CNAME blob.SAT09PrdStrz08A.trafficmanager.net
CNAME blob.sat09prdstrz08a.store.core.windows.net
A 20.150.79.68
A 20.150.38.228
A 20.150.70.36
20.150.70.36
cdn.discordapp.com
A 162.159.135.233
A 162.159.130.233
A 162.159.133.233
A 162.159.134.233
A 162.159.129.233
162.159.135.233
IP Address Status Action
104.16.128.120 Active Moloch
104.16.222.69 Active Moloch
104.18.145.235 Active Moloch
104.18.233.222 Active Moloch
104.20.67.143 Active Moloch
104.20.68.143 Active Moloch
104.21.23.184 Active Moloch
104.21.21.189 Active Moloch
104.21.6.10 Active Moloch
104.21.32.208 Active Moloch
104.21.34.37 Active Moloch
104.21.35.235 Active Moloch
104.21.65.24 Active Moloch
104.21.78.56 Active Moloch
104.21.79.77 Active Moloch
104.21.90.82 Active Moloch
104.21.93.225 Active Moloch
104.244.42.129 Active Moloch
104.26.12.31 Active Moloch
104.26.5.15 Active Moloch
104.26.8.59 Active Moloch
104.75.41.21 Active Moloch
107.167.110.211 Active Moloch
109.107.182.2 Active Moloch
121.254.136.9 Active Moloch
123.213.233.131 Active Moloch
142.250.76.132 Active Moloch
131.153.76.130 Active Moloch
142.250.204.35 Active Moloch
146.59.70.14 Active Moloch
142.251.130.13 Active Moloch
148.251.234.83 Active Moloch
148.251.234.93 Active Moloch
149.154.167.99 Active Moloch
162.159.135.233 Active Moloch
171.22.28.213 Active Moloch
171.22.28.221 Active Moloch
164.124.101.2 Active Moloch
171.22.28.226 Active Moloch
171.22.28.236 Active Moloch
172.67.139.220 Active Moloch
172.67.167.220 Active Moloch
172.67.187.122 Active Moloch
172.67.197.174 Active Moloch
172.67.216.81 Active Moloch
172.67.217.52 Active Moloch
172.67.75.163 Active Moloch
176.113.115.135 Active Moloch
176.113.115.136 Active Moloch
176.113.115.84 Active Moloch
185.82.216.96 Active Moloch
181.170.86.159 Active Moloch
185.172.128.69 Active Moloch
185.225.75.171 Active Moloch
193.233.255.73 Active Moloch
193.42.32.118 Active Moloch
194.169.175.128 Active Moloch
213.180.204.24 Active Moloch
34.117.59.81 Active Moloch
45.15.156.229 Active Moloch
5.255.255.70 Active Moloch
62.217.160.2 Active Moloch
69.90.162.0 Active Moloch
77.232.38.234 Active Moloch
85.143.220.63 Active Moloch
85.217.144.143 Active Moloch
87.240.129.133 Active Moloch
87.240.132.67 Active Moloch
91.103.252.189 Active Moloch
91.215.85.209 Active Moloch
95.142.206.0 Active Moloch
95.142.206.1 Active Moloch
95.142.206.2 Active Moloch
95.142.206.3 Active Moloch
95.214.26.34 Active Moloch
194.169.175.233 Active Moloch
20.150.70.36 Active Moloch
20.150.79.68 Active Moloch
204.79.197.219 Active Moloch
208.67.104.60 Active Moloch
23.200.75.26 Active Moloch
77.91.124.1 Active Moloch
77.91.124.86 Active Moloch
80.66.75.77 Active Moloch
84.201.152.220 Active Moloch
87.240.132.78 Active Moloch
94.142.138.113 Active Moloch
45.143.201.238 Active Moloch
5.42.65.101 Active Moloch
62.122.184.92 Active Moloch
74.125.197.127 Active Moloch
80.66.75.4 Active Moloch
83.97.73.44 Active Moloch
23.200.75.28 Active Moloch
49.12.116.189 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49172 -> 193.42.32.118:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 172.67.75.163:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49173 -> 172.67.75.163:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 176.113.115.84:80 -> 192.168.56.102:49186 2400018 ET DROP Spamhaus DROP Listed Traffic Inbound group 19 Misc Attack
TCP 192.168.56.102:49176 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49176 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49180 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49174 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49174 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49183 -> 171.22.28.226:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49174 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49174 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49178 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 104.21.34.37:80 -> 192.168.56.102:49191 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
UDP 192.168.56.102:65226 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.102:49183 -> 171.22.28.226:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49183 -> 171.22.28.226:80 2016698 ET HUNTING Suspicious services.exe in URI Potentially Bad Traffic
TCP 91.215.85.209:80 -> 192.168.56.102:49198 2400006 ET DROP Spamhaus DROP Listed Traffic Inbound group 7 Misc Attack
TCP 192.168.56.102:49185 -> 171.22.28.221:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 171.22.28.226:80 -> 192.168.56.102:49183 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 171.22.28.226:80 -> 192.168.56.102:49183 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49185 -> 171.22.28.221:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49182 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49182 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49190 -> 91.215.85.209:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49190 -> 91.215.85.209:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 171.22.28.221:80 -> 192.168.56.102:49185 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 171.22.28.221:80 -> 192.168.56.102:49185 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49197 -> 91.215.85.209:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49197 -> 91.215.85.209:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49198 -> 91.215.85.209:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49196 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49196 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49177 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49177 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.102:51405 -> 164.124.101.2:53 2016778 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.102:49188 -> 104.21.34.37:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.21.34.37:80 -> 192.168.56.102:49188 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49189 -> 104.21.34.37:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49189 -> 104.21.34.37:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49195 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49195 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49194 -> 104.21.34.37:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 176.113.115.84:8080 -> 192.168.56.102:49201 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 176.113.115.84:8080 -> 192.168.56.102:49201 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 176.113.115.84:8080 -> 192.168.56.102:49201 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.102:49207 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49200 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49208 -> 91.215.85.209:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49209 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49209 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 91.215.85.209:443 -> 192.168.56.102:49210 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49211 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49217 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49221 -> 95.142.206.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49220 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49220 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49222 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49222 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49223 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49223 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49187 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49187 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49184 -> 109.107.182.2:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49184 -> 109.107.182.2:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49205 -> 91.215.85.209:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49225 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49225 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 109.107.182.2:80 -> 192.168.56.102:49184 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 109.107.182.2:80 -> 192.168.56.102:49184 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49226 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49226 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49199 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49206 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.67:80 -> 192.168.56.102:49206 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49227 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49228 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49228 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49229 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49232 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49246 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49246 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49253 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49213 -> 95.142.206.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49212 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49212 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49216 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49216 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49239 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49233 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49257 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49233 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49234 -> 95.142.206.3:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49235 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49235 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49256 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49248 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49248 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49254 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49218 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49242 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49259 -> 95.142.206.0:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49244 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49244 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49249 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49224 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49224 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49258 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49230 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49231 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49231 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49236 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49237 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49237 -> 87.240.132.67:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 149.154.167.99:443 -> 192.168.56.102:49263 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49265 -> 104.21.79.77:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49267 -> 104.244.42.129:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49240 -> 87.240.132.67:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49273 -> 172.67.75.163:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49273 -> 172.67.75.163:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49247 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 69.90.162.0:443 -> 192.168.56.102:49269 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49266 -> 45.15.156.229:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49269 -> 69.90.162.0:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49281 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49281 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.102:65168 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.102:49281 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49271 -> 5.255.255.70:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49277 -> 85.217.144.143:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49275 -> 172.67.187.122:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49280 -> 104.21.35.235:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49278 -> 85.217.144.143:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49278 -> 85.217.144.143:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.102:49278 2014819 ET INFO Packed Executable Download Misc activity
TCP 85.217.144.143:80 -> 192.168.56.102:49277 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 85.217.144.143:80 -> 192.168.56.102:49277 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.102:49277 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.102:49278 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 85.217.144.143:80 -> 192.168.56.102:49278 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.102:49278 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49252 -> 87.240.132.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49264 -> 104.20.67.143:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49279 -> 172.67.197.174:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 95.214.26.34:80 -> 192.168.56.102:49270 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 95.214.26.34:80 -> 192.168.56.102:49270 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.102:49289 -> 148.251.234.93:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49290 -> 107.167.110.211:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.102:60335 -> 164.124.101.2:53 2035948 ET POLICY IP Check Domain (iplogger .org in DNS Lookup) Potential Corporate Privacy Violation
TCP 192.168.56.102:49297 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.102:49297 -> 148.251.234.83:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49297 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 148.251.234.83:443 -> 192.168.56.102:49300 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49298 -> 185.225.75.171:22233 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49291 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49299 -> 77.232.38.234:80 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49291 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49291 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49291 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49301 -> 213.180.204.24:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49298 -> 185.225.75.171:22233 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49298 -> 185.225.75.171:22233 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 192.168.56.102:49299 -> 77.232.38.234:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49299 -> 77.232.38.234:80 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49304 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49304 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49310 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49310 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49310 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49298 -> 185.225.75.171:22233 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 77.232.38.234:80 -> 192.168.56.102:49299 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 185.225.75.171:22233 -> 192.168.56.102:49298 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49309 -> 87.240.129.133:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49302 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49302 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49317 -> 185.172.128.69:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49319 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49319 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49317 -> 185.172.128.69:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49320 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49320 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.172.128.69:80 -> 192.168.56.102:49317 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.172.128.69:80 -> 192.168.56.102:49317 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49313 -> 104.26.5.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49328 -> 87.240.129.133:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49315 -> 91.103.252.189:30344 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
UDP 192.168.56.102:60523 -> 164.124.101.2:53 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related Potentially Bad Traffic
TCP 192.168.56.102:49299 -> 77.232.38.234:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49262 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49272 -> 104.21.93.225:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49276 -> 193.42.32.118:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49284 -> 104.26.8.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49284 -> 104.26.8.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49315 -> 91.103.252.189:30344 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49315 -> 91.103.252.189:30344 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49285 -> 172.67.217.52:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49284 -> 104.26.8.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 91.103.252.189:30344 -> 192.168.56.102:49315 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49331 -> 172.67.139.220:443 2033214 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.102:49321 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49331 -> 172.67.139.220:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49321 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49323 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49315 -> 91.103.252.189:30344 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49324 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49329 -> 95.142.206.3:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49330 -> 95.142.206.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49332 -> 104.26.12.31:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49292 -> 62.217.160.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 148.251.234.93:443 -> 192.168.56.102:49294 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 171.22.28.236:38306 -> 192.168.56.102:49296 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 171.22.28.236:38306 -> 192.168.56.102:49296 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
UDP 192.168.56.102:59517 -> 164.124.101.2:53 2047719 ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) Device Retrieving External IP Address Detected
TCP 148.251.234.93:443 -> 192.168.56.102:49305 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49305 -> 148.251.234.93:443 2047718 ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49305 -> 148.251.234.93:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49306 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49307 -> 193.42.32.118:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49312 -> 104.26.5.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49318 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49318 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49322 -> 171.22.28.226:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49299 -> 77.232.38.234:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49322 -> 171.22.28.226:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 171.22.28.226:80 -> 192.168.56.102:49322 2014819 ET INFO Packed Executable Download Misc activity
TCP 171.22.28.226:80 -> 192.168.56.102:49322 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 171.22.28.226:80 -> 192.168.56.102:49322 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49299 -> 77.232.38.234:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 77.91.124.86:19084 -> 192.168.56.102:49336 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49340 -> 142.251.130.13:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49327 -> 87.240.129.133:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49343 -> 77.91.124.1:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
TCP 192.168.56.102:49343 -> 77.91.124.1:80 2045751 ET MALWARE Win32/Amadey Bot Activity (POST) M2 A Network Trojan was detected
TCP 192.168.56.102:49345 -> 142.250.204.35:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49349 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49349 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49349 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49344 -> 142.250.204.35:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.102:63080 -> 164.124.101.2:53 2027026 ET POLICY External IP Address Lookup DNS Query (2ip .ua) Device Retrieving External IP Address Detected
TCP 91.103.252.189:30344 -> 192.168.56.102:49315 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49341 -> 142.251.130.13:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49352 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49352 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49353 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.78:80 -> 192.168.56.102:49353 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 87.240.132.78:80 -> 192.168.56.102:49355 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49356 -> 91.103.252.189:30344 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49348 -> 172.67.75.163:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49348 -> 172.67.75.163:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49346 -> 94.142.138.113:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49356 -> 91.103.252.189:30344 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49356 -> 91.103.252.189:30344 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 91.103.252.189:30344 -> 192.168.56.102:49356 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49333 -> 193.233.255.73:80 2047625 ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) A Network Trojan was detected
TCP 192.168.56.102:49359 -> 87.240.132.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49333 -> 193.233.255.73:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49333 -> 193.233.255.73:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
UDP 192.168.56.102:57413 -> 164.124.101.2:53 2027026 ET POLICY External IP Address Lookup DNS Query (2ip .ua) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49360 -> 104.21.65.24:443 2033214 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.102:49360 -> 104.21.65.24:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49299 -> 77.232.38.234:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49299 -> 77.232.38.234:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49333 -> 193.233.255.73:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49333 -> 193.233.255.73:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49362 -> 20.150.79.68:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49333 -> 193.233.255.73:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49299 -> 77.232.38.234:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 171.22.28.236:38306 -> 192.168.56.102:49296 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49299 -> 77.232.38.234:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49299 -> 77.232.38.234:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49299 -> 77.232.38.234:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
UDP 192.168.56.102:60891 -> 8.8.8.8:53 2016778 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.102:49378 -> 172.67.167.220:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49373 -> 104.21.21.189:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49373 -> 104.21.21.189:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49366 -> 123.213.233.131:80 2002400 ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) A Network Trojan was detected
TCP 192.168.56.102:49366 -> 123.213.233.131:80 2036334 ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key A Network Trojan was detected
TCP 192.168.56.102:49382 -> 104.21.21.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 123.213.233.131:80 -> 192.168.56.102:49366 2036335 ET MALWARE Win32/Filecoder.STOP Variant Public Key Download A Network Trojan was detected
TCP 192.168.56.102:49368 -> 171.22.28.213:80 2018581 ET MALWARE Single char EXE direct download likely trojan (multiple families) A Network Trojan was detected
TCP 192.168.56.102:49368 -> 171.22.28.213:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49333 -> 193.233.255.73:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49333 -> 193.233.255.73:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49368 -> 171.22.28.213:80 2018581 ET MALWARE Single char EXE direct download likely trojan (multiple families) A Network Trojan was detected
TCP 192.168.56.102:49368 -> 171.22.28.213:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 171.22.28.213:80 -> 192.168.56.102:49368 2014819 ET INFO Packed Executable Download Misc activity
TCP 192.168.56.102:49383 -> 142.251.130.13:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49367 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49367 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49365 -> 181.170.86.159:80 2002400 ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) A Network Trojan was detected
TCP 192.168.56.102:49365 -> 181.170.86.159:80 2020826 ET MALWARE Potential Dridex.Maldoc Minimal Executable Request A Network Trojan was detected
TCP 192.168.56.102:49365 -> 181.170.86.159:80 2036333 ET MALWARE Win32/Vodkagats Loader Requesting Payload A Network Trojan was detected
TCP 171.22.28.213:80 -> 192.168.56.102:49368 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 171.22.28.213:80 -> 192.168.56.102:49368 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49356 -> 91.103.252.189:30344 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49388 -> 142.250.76.132:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49387 -> 142.250.76.132:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49386 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.78:80 -> 192.168.56.102:49386 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49390 -> 104.21.6.10:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 146.59.70.14:80 -> 192.168.56.102:49372 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49333 -> 193.233.255.73:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49299 -> 77.232.38.234:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 181.170.86.159:80 -> 192.168.56.102:49365 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49389 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49333 -> 193.233.255.73:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49396 -> 87.240.132.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49333 -> 193.233.255.73:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49333 -> 193.233.255.73:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49375 -> 104.21.21.189:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.21.21.189:80 -> 192.168.56.102:49375 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49377 -> 104.21.21.189:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49395 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49395 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49398 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49398 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49381 -> 172.67.167.220:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49369 -> 171.22.28.221:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49369 -> 171.22.28.221:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49400 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49401 -> 87.240.132.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49369 -> 171.22.28.221:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49369 -> 171.22.28.221:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49370 -> 194.169.175.233:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49371 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49371 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49399 -> 123.213.233.131:80 2020826 ET MALWARE Potential Dridex.Maldoc Minimal Executable Request A Network Trojan was detected
TCP 192.168.56.102:49399 -> 123.213.233.131:80 2036333 ET MALWARE Win32/Vodkagats Loader Requesting Payload A Network Trojan was detected
TCP 171.22.28.221:80 -> 192.168.56.102:49369 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 171.22.28.221:80 -> 192.168.56.102:49369 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49404 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49404 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49370 -> 194.169.175.233:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 123.213.233.131:80 -> 192.168.56.102:49399 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 194.169.175.233:80 -> 192.168.56.102:49370 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 194.169.175.233:80 -> 192.168.56.102:49370 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49361 -> 204.79.197.219:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 87.240.132.78:80 -> 192.168.56.102:49410 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49412 -> 87.240.132.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49364 -> 20.150.70.36:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49402 -> 95.142.206.3:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49374 -> 172.67.167.220:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49374 -> 172.67.167.220:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49376 -> 172.67.167.220:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.67.167.220:80 -> 192.168.56.102:49376 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 176.113.115.135:431 -> 192.168.56.102:49418 2400018 ET DROP Spamhaus DROP Listed Traffic Inbound group 19 Misc Attack
TCP 192.168.56.102:49296 -> 171.22.28.236:38306 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49385 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49385 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.102:57473 -> 74.125.197.127:19302 2033078 ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port) Misc activity
TCP 192.168.56.102:49391 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49408 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49408 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49333 -> 193.233.255.73:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49406 -> 87.240.132.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49407 -> 95.142.206.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 5.42.65.101:40676 -> 192.168.56.102:49409 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49274 -> 85.143.220.63:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 192.168.56.102:49274 -> 85.143.220.63:80 2023882 ET INFO HTTP Request to a *.top domain Potentially Bad Traffic
TCP 192.168.56.102:49274 -> 85.143.220.63:80 2031089 ET HUNTING Request to .TOP Domain with Minimal Headers Potentially Bad Traffic
TCP 85.143.220.63:80 -> 192.168.56.102:49274 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 85.143.220.63:80 -> 192.168.56.102:49274 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 85.143.220.63:80 -> 192.168.56.102:49274 2023464 ET HUNTING Possible EXE Download From Suspicious TLD Misc activity
TCP 176.113.115.136:431 -> 192.168.56.102:49419 2400018 ET DROP Spamhaus DROP Listed Traffic Inbound group 19 Misc Attack
UDP 192.168.56.102:50420 -> 8.8.8.8:53 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related Potentially Bad Traffic
TCP 192.168.56.102:49435 -> 104.20.68.143:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49413 -> 95.142.206.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49436 -> 172.67.216.81:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49438 -> 104.21.32.208:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.102:57472 -> 8.8.8.8:53 2035466 ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) Misc activity
TCP 192.168.56.102:49428 -> 162.159.135.233:443 2035464 ET INFO Observed Discord Domain (discordapp .com in TLS SNI) Misc activity
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 5.42.65.101:40676 -> 192.168.56.102:49409 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49440 -> 104.21.79.77:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49437 -> 85.217.144.143:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49437 -> 85.217.144.143:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.102:49437 2014819 ET INFO Packed Executable Download Misc activity
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 85.217.144.143:80 -> 192.168.56.102:49437 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 85.217.144.143:80 -> 192.168.56.102:49437 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.102:49437 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49448 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.102:49448 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49448 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.102:49449 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.102:49449 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49449 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
UDP 192.168.56.102:54734 -> 8.8.8.8:53 2036289 ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) Crypto Currency Mining Activity Detected
TCP 192.168.56.102:49446 -> 104.21.78.56:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 95.214.26.34:80 -> 192.168.56.102:49439 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 95.214.26.34:80 -> 192.168.56.102:49439 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.102:49447 -> 107.167.110.211:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.102:50151 -> 8.8.8.8:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.102:49441 -> 104.21.90.82:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49445 -> 104.21.35.235:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 149.154.167.99:443 -> 192.168.56.102:49450 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49409 -> 5.42.65.101:40676 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49455 -> 49.12.116.189:80 2027262 ET INFO Dotted Quad Host ZIP Request Potentially Bad Traffic
TCP 192.168.56.102:49453 -> 104.75.41.21:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 91.103.252.189:30344 -> 192.168.56.102:49356 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49174 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49456 -> 85.143.220.63:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 192.168.56.102:49456 -> 85.143.220.63:80 2031089 ET HUNTING Request to .TOP Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.102:49448 -> 149.154.167.99:443 2041933 ET INFO Observed Telegram Domain (t .me in TLS SNI) Misc activity
TCP 192.168.56.102:49442 -> 85.143.220.63:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 192.168.56.102:49442 -> 85.143.220.63:80 2031089 ET HUNTING Request to .TOP Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.102:49336 -> 77.91.124.86:19084 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49291 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49173
172.67.75.163:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1
192.168.56.102:49180
87.240.132.67:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49194
104.21.34.37:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=experiment.pw 5a:18:d3:ef:77:26:3f:d9:ff:c0:14:03:82:bb:01:c7:6d:e8:c8:b2
TLSv1
192.168.56.102:49207
87.240.132.67:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49217
87.240.132.67:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49221
95.142.206.2:443 		None None None
TLSv1
192.168.56.102:49229
87.240.132.67:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49253
87.240.132.67:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49213
95.142.206.2:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49239
87.240.132.67:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49257
87.240.132.67:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49234
95.142.206.3:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49256
87.240.132.67:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49242
87.240.132.67:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49259
95.142.206.0:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49258
87.240.132.67:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLS 1.2
192.168.56.102:49265
104.21.79.77:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=yip.su b6:2b:8b:a8:8c:60:65:fb:9d:d6:9b:25:cf:96:b2:78:7a:29:76:6b
TLSv1
192.168.56.102:49273
172.67.75.163:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1
192.168.56.102:49247
87.240.132.67:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49271
5.255.255.70:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018 C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=*.xn--d1acpjx3f.xn--p1ai e4:ba:b2:7f:bf:93:b8:22:10:26:70:37:9c:03:1a:9d:fb:23:17:24
TLS 1.2
192.168.56.102:49275
172.67.187.122:443 		C=US, O=Let's Encrypt, CN=E1 CN=lycheepanel.info fa:2e:ff:d8:31:ff:34:7b:0d:ed:0c:88:91:99:bd:b3:72:10:92:93
TLS 1.2
192.168.56.102:49280
104.21.35.235:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=potatogoose.com 0f:a9:ea:9d:3e:af:d2:24:68:a0:8f:b7:58:00:c9:0b:f0:7f:31:37
TLSv1
192.168.56.102:49252
87.240.132.67:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLS 1.2
192.168.56.102:49264
104.20.67.143:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2
192.168.56.102:49279
172.67.197.174:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=*.grabyourpizza.com 19:34:3f:f1:b2:75:20:7f:8a:58:d1:fd:26:b2:74:e2:ea:f8:76:e6
TLS 1.2
192.168.56.102:49290
107.167.110.211:443 		C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 C=NO, ST=Oslo, L=Oslo, O=Opera Norway AS, CN=net.geo.opera.com 8b:1e:84:38:9c:97:8c:be:f7:e1:0e:28:14:15:bb:08:cc:fb:ad:af
TLSv1
192.168.56.102:49301
213.180.204.24:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=sso.passport.yandex.ru 3a:82:43:a9:43:9c:c8:90:01:04:4f:74:1b:6c:cd:4b:9b:19:7d:93
TLSv1
192.168.56.102:49309
87.240.129.133:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49313
104.26.5.15:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1
192.168.56.102:49328
87.240.129.133:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLS 1.2
192.168.56.102:49272
104.21.93.225:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=flyawayaero.net 34:8b:a3:9d:94:c4:8d:02:5c:e1:f1:43:da:57:49:64:a9:1c:b6:fe
TLS 1.2
192.168.56.102:49285
172.67.217.52:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=diplodoka.net 08:f2:0c:9e:cc:84:cd:91:24:54:d5:fe:5e:3f:a9:46:68:a2:58:33
TLSv1
192.168.56.102:49284
104.26.8.59:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1
192.168.56.102:49331
172.67.139.220:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=2ip.ua df:8e:38:7b:a5:b7:63:5f:01:77:75:f0:d6:4a:08:30:fa:63:46:8f
TLSv1
192.168.56.102:49329
95.142.206.3:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49330
95.142.206.1:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49332
104.26.12.31:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 53:56:0b:3a:91:49:7f:18:59:87:21:98:d3:7f:98:0b:b4:ae:cb:cc
TLSv1
192.168.56.102:49292
62.217.160.2:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.dzen.ru 6a:31:14:29:60:07:c9:c6:17:7b:d1:27:ad:53:57:ec:d8:c1:d8:d2
TLSv1
192.168.56.102:49312
104.26.5.15:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1
192.168.56.102:49340
142.251.130.13:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=accounts.google.com 86:7b:0f:9a:a8:81:46:14:e8:56:c2:45:8b:8e:ff:52:da:1c:f4:18
TLSv1
192.168.56.102:49327
87.240.129.133:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49345
142.250.204.35:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=*.gstatic.com be:d3:d2:0a:c4:57:fb:0b:d7:17:48:c8:ab:52:49:39:3e:e9:3c:60
TLSv1
192.168.56.102:49344
142.250.204.35:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=*.gstatic.com be:d3:d2:0a:c4:57:fb:0b:d7:17:48:c8:ab:52:49:39:3e:e9:3c:60
TLSv1
192.168.56.102:49341
142.251.130.13:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=accounts.google.com 86:7b:0f:9a:a8:81:46:14:e8:56:c2:45:8b:8e:ff:52:da:1c:f4:18
TLSv1
192.168.56.102:49348
172.67.75.163:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1
192.168.56.102:49359
87.240.132.78:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49360
104.21.65.24:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=2ip.ua df:8e:38:7b:a5:b7:63:5f:01:77:75:f0:d6:4a:08:30:fa:63:46:8f
TLSv1
192.168.56.102:49362
20.150.79.68:443 		C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 CN=*.blob.core.windows.net 6e:0d:1b:21:93:e6:c6:eb:18:68:57:6a:7e:85:c2:b6:90:ce:6b:9d
TLSv1
192.168.56.102:49382
104.21.21.189:443 		C=US, O=Let's Encrypt, CN=E1 CN=octocrabs.com 77:33:49:da:ac:e1:32:31:64:ad:8a:16:84:a3:aa:04:d0:fc:15:d7
TLSv1
192.168.56.102:49383
142.251.130.13:443 		None None None
TLSv1
192.168.56.102:49388
142.250.76.132:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=www.google.com 13:d2:e3:b0:25:78:80:d7:35:78:09:81:0d:21:ce:31:cb:ef:da:75
TLSv1
192.168.56.102:49387
142.250.76.132:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=www.google.com 13:d2:e3:b0:25:78:80:d7:35:78:09:81:0d:21:ce:31:cb:ef:da:75
TLSv1
192.168.56.102:49390
104.21.6.10:443 		C=US, O=Let's Encrypt, CN=E1 CN=neuralshit.net 48:34:be:08:a6:7d:1e:ee:b7:5d:2d:12:63:b2:18:02:6a:d9:0d:74
TLSv1
192.168.56.102:49396
87.240.132.78:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49381
172.67.167.220:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=experiment.pw 5a:18:d3:ef:77:26:3f:d9:ff:c0:14:03:82:bb:01:c7:6d:e8:c8:b2
TLSv1
192.168.56.102:49401
87.240.132.78:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49361
204.79.197.219:443 		C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=msdl.microsoft.com 38:41:7e:3d:62:ae:23:84:cc:0e:a0:df:1b:44:80:83:13:e5:3b:51
TLSv1
192.168.56.102:49412
87.240.132.78:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49364
20.150.70.36:443 		C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 CN=*.blob.core.windows.net 6e:0d:1b:21:93:e6:c6:eb:18:68:57:6a:7e:85:c2:b6:90:ce:6b:9d
TLSv1
192.168.56.102:49402
95.142.206.3:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49406
87.240.132.78:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49407
95.142.206.2:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLS 1.3
192.168.56.102:49427
185.82.216.96:443 		None None None
TLS 1.2
192.168.56.102:49432
104.16.128.120:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=nakedcph.com 05:dd:c6:10:c2:f8:3c:09:9d:37:1a:a2:db:d4:5f:c4:8d:02:6d:c2
TLS 1.2
192.168.56.102:49435
104.20.68.143:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2
192.168.56.102:49436
172.67.216.81:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=flyawayaero.net 34:8b:a3:9d:94:c4:8d:02:5c:e1:f1:43:da:57:49:64:a9:1c:b6:fe
TLS 1.2
192.168.56.102:49438
104.21.32.208:443 		C=US, O=Let's Encrypt, CN=E1 CN=lycheepanel.info fa:2e:ff:d8:31:ff:34:7b:0d:ed:0c:88:91:99:bd:b3:72:10:92:93
TLSv1
192.168.56.102:49413
95.142.206.2:443 		None None None
TLS 1.3
192.168.56.102:49428
162.159.135.233:443 		None None None
TLS 1.3
192.168.56.102:49431
185.82.216.96:443 		None None None
TLS 1.2
192.168.56.102:49440
104.21.79.77:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=yip.su b6:2b:8b:a8:8c:60:65:fb:9d:d6:9b:25:cf:96:b2:78:7a:29:76:6b
TLS 1.3
192.168.56.102:49429
104.21.23.184:443 		None None None
TLS 1.3
192.168.56.102:49434
185.82.216.96:443 		None None None
TLS 1.2
192.168.56.102:49446
104.21.78.56:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=diplodoka.net 08:f2:0c:9e:cc:84:cd:91:24:54:d5:fe:5e:3f:a9:46:68:a2:58:33
TLS 1.2
192.168.56.102:49457
104.16.222.69:443 		C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1 C=DE, ST=Nordrhein-Westfalen, L=Essen, O=Deichmann SE, CN=snipes.com ad:5e:87:18:4a:ff:6e:f4:2d:af:8d:3c:bc:9e:3a:1f:3a:70:0a:1b
TLS 1.2
192.168.56.102:49447
107.167.110.211:443 		C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 C=NO, ST=Oslo, L=Oslo, O=Opera Norway AS, CN=net.geo.opera.com 8b:1e:84:38:9c:97:8c:be:f7:e1:0e:28:14:15:bb:08:cc:fb:ad:af
TLS 1.2
192.168.56.102:49441
104.21.90.82:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=*.grabyourpizza.com 19:34:3f:f1:b2:75:20:7f:8a:58:d1:fd:26:b2:74:e2:ea:f8:76:e6
TLS 1.2
192.168.56.102:49445
104.21.35.235:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=potatogoose.com 0f:a9:ea:9d:3e:af:d2:24:68:a0:8f:b7:58:00:c9:0b:f0:7f:31:37
TLS 1.3
192.168.56.102:49451
131.153.76.130:80 		None None None
TLSv1
192.168.56.102:49453
104.75.41.21:443 		C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5
TLS 1.2
192.168.56.102:49463
104.18.233.222:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 2e:a1:6f:50:53:b9:d3:35:8a:81:e8:da:d6:e6:92:6a:7c:17:f8:eb

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features Connection to IP address suspicious_request GET http://193.42.32.118/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://193.42.32.118/api/firegate.php
suspicious_features Connection to IP address suspicious_request HEAD http://171.22.28.226/download/Services.exe
suspicious_features Connection to IP address suspicious_request HEAD http://109.107.182.2/race/bus50.exe
suspicious_features Connection to IP address suspicious_request HEAD http://171.22.28.221/files/Random.exe
suspicious_features Connection to IP address suspicious_request GET http://171.22.28.226/download/Services.exe
suspicious_features Connection to IP address suspicious_request GET http://171.22.28.221/files/Random.exe
suspicious_features Connection to IP address suspicious_request GET http://109.107.182.2/race/bus50.exe
suspicious_features Connection to IP address suspicious_request GET http://176.113.115.84:8080/4.php
suspicious_features Connection to IP address suspicious_request GET http://45.15.156.229/api/tracemap.php
suspicious_features GET method with no useragent header suspicious_request GET http://galandskiyher5.com/downloads/toolspub1.exe
suspicious_features GET method with no useragent header suspicious_request GET http://gons3fc.top/build.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://85.217.144.143/files/townpublishing.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://85.217.144.143/files/My2.exe
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://45.15.156.229/api/firegate.php
suspicious_features GET method with no useragent header suspicious_request GET http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://193.42.32.118/api/firecom.php
suspicious_features Connection to IP address suspicious_request HEAD http://185.172.128.69/newumma.exe
suspicious_features Connection to IP address suspicious_request GET http://185.172.128.69/newumma.exe
suspicious_features Connection to IP address suspicious_request HEAD http://171.22.28.226/download/WWW14_64.exe
suspicious_features Connection to IP address suspicious_request GET http://171.22.28.226/download/WWW14_64.exe
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://193.233.255.73/loghub/master
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://77.91.124.1/theme/index.php
suspicious_features Connection to IP address suspicious_request GET http://94.142.138.113/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://94.142.138.113/api/firegate.php
suspicious_features Connection to IP address suspicious_request HEAD http://171.22.28.213/3.exe
suspicious_features Connection to IP address suspicious_request HEAD http://171.22.28.221/files/Ads.exe
suspicious_features Connection to IP address suspicious_request HEAD http://194.169.175.233/setup.exe
suspicious_features Connection to IP address suspicious_request GET http://171.22.28.221/files/Ads.exe
suspicious_features Connection to IP address suspicious_request GET http://171.22.28.213/3.exe
suspicious_features Connection to IP address suspicious_request GET http://194.169.175.233/setup.exe
suspicious_features Connection to IP address suspicious_request GET http://49.12.116.189/58f391d2f33b9f5a2ddb51a3516986eb
suspicious_features GET method with no useragent header suspicious_request GET http://gobo04fc.top/build.exe
suspicious_features Connection to IP address suspicious_request GET http://49.12.116.189/upload.zip
suspicious_features GET method with no useragent header suspicious_request GET https://yip.su/RNWPd.exe
suspicious_features GET method with no useragent header suspicious_request GET https://pastebin.com/raw/HPj0MzD6
suspicious_features GET method with no useragent header suspicious_request GET https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
suspicious_features GET method with no useragent header suspicious_request GET https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe
suspicious_features GET method with no useragent header suspicious_request GET https://potatogoose.com/976b26ee384bf2dcf27abfc3b8d028eb/baf14778c246e15550645e30ba78ce1c.exe
suspicious_features GET method with no useragent header suspicious_request GET https://diplodoka.net/976b26ee384bf2dcf27abfc3b8d028eb/7a54bdb20779c4359694feaa1398dd25.exe
suspicious_features GET method with no useragent header suspicious_request GET https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
suspicious_features GET method with no useragent header suspicious_request GET https://api.ip.sb/ip
suspicious_features GET method with no useragent header suspicious_request GET https://pastebin.com/raw/xYhKBupz
request GET http://193.42.32.118/api/tracemap.php
request POST http://193.42.32.118/api/firegate.php
request HEAD http://171.22.28.226/download/Services.exe
request HEAD http://109.107.182.2/race/bus50.exe
request HEAD http://171.22.28.221/files/Random.exe
request GET http://171.22.28.226/download/Services.exe
request GET http://171.22.28.221/files/Random.exe
request GET http://109.107.182.2/race/bus50.exe
request GET http://176.113.115.84:8080/4.php
request GET http://45.15.156.229/api/tracemap.php
request GET http://galandskiyher5.com/downloads/toolspub1.exe
request GET http://gons3fc.top/build.exe
request GET http://85.217.144.143/files/townpublishing.exe
request GET http://85.217.144.143/files/My2.exe
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request POST http://45.15.156.229/api/firegate.php
request GET http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
request POST http://193.42.32.118/api/firecom.php
request GET http://www.maxmind.com/geoip/v2.1/city/me
request HEAD http://185.172.128.69/newumma.exe
request GET http://185.172.128.69/newumma.exe
request HEAD http://171.22.28.226/download/WWW14_64.exe
request GET http://171.22.28.226/download/WWW14_64.exe
request POST http://193.233.255.73/loghub/master
request POST http://77.91.124.1/theme/index.php
request GET http://94.142.138.113/api/tracemap.php
request POST http://94.142.138.113/api/firegate.php
request GET http://colisumy.com/dl/build2.exe
request GET http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
request HEAD http://171.22.28.213/3.exe
request HEAD http://171.22.28.221/files/Ads.exe
request HEAD http://194.169.175.233/setup.exe
request HEAD http://lakuiksong.known.co.ke/netTimer.exe
request GET http://171.22.28.221/files/Ads.exe
request GET http://171.22.28.213/3.exe
request GET http://194.169.175.233/setup.exe
request GET http://lakuiksong.known.co.ke/netTimer.exe
request GET http://zexeq.com/files/1/build3.exe
request GET http://www.google.com/
request GET http://49.12.116.189/58f391d2f33b9f5a2ddb51a3516986eb
request GET http://gobo04fc.top/build.exe
request GET http://49.12.116.189/upload.zip
request GET https://api.myip.com/
request GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request GET https://experiment.pw/setup294.exe
request GET https://vk.com/doc52355237_667339795?hash=Vr6hZn5xlDzZsz30TpnTzHAO4DHKke3DmD4kGhoeqoH&dl=6fzaZ8xtsOzOd75auvzL1Z7h0auXHva7GD7UyQqxDDo&api=1&no_preview=1
request GET https://sun6-22.userapi.com/c909328/u52355237/docs/d36/94e70066ac80/PL_Client.bmp?extra=GYu9pTC-Wl1Sg_fchSUawzC7SOJQ5mf6X2A3Lm8ZE1bmn4F7iqzq_0_-pgTnEnf4Z8ETAumkli_vcaYV1Z_ULFP_mNBGwhECBvqkXysXuH9Sz8e5J6_7zGC5Vyj2-tcbfXz3qBeXxZZmpG6k
request GET https://vk.com/doc52355237_667363057?hash=EFGn7JDa1yL3d80vbqsB9WZH2w3XpT5V6LPR4VEBzc4&dl=QJPdu5Tzl9CEda3jy8BmjsTGIU8RaodEGQVRlC2jmdD&api=1&no_preview=1#all
request GET https://sun6-22.userapi.com/c909328/u52355237/docs/d39/fea02e6516ef/all.bmp?extra=1jLtQoDZlkXee5oo1ICc_9GEajaJa4WgEW2aW76jh1X4r0G8nBKsO1fC-UITCjUotA9USMbQHx2E534DFNgrHG_ven327gh2BTuXaBkk_4hLBUxns9Tv5eHEyBEemy9O9cRIt33iy9__px79
request GET https://vk.com/doc52355237_667323207?hash=ZkIwTTYNTwNDXLt5Gs5EEchtp6n7cf7VmKRYfvfVcZc&dl=ZTGusJZiietYLrS13VtWmnhjrFLGcXrZJST1wXSwTtP&api=1&no_preview=1
request POST http://193.42.32.118/api/firegate.php
request POST http://45.15.156.229/api/firegate.php
request POST http://193.42.32.118/api/firecom.php
request POST http://193.233.255.73/loghub/master
request POST http://77.91.124.1/theme/index.php
request POST http://94.142.138.113/api/firegate.php
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
ip 171.22.28.236
ip 176.113.115.84
ip 185.225.75.171
ip 91.103.252.189
ip 77.91.124.86
ip 5.42.65.101
ip 74.125.197.127
domain server13.thestatsfiles.ru description Russian Federation domain TLD
domain a8b8fc1f-3586-4658-b72f-0e583b0d00e8.uuid.thestatsfiles.ru description Russian Federation domain TLD
domain jamesjordan.top description Generic top level domain TLD
domain gobo04fc.top description Generic top level domain TLD
domain gons3fc.top description Generic top level domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74002000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73913000
process_handle: 0xffffffff
1 0 0
domain ipinfo.io
file C:\Users\test22\AppData\Local\Temp\7zE498428E1\File.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeSecurityPrivilege
1 1 0
description Escalate priviledges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Run a KeyLogger rule KeyLogger
domain stun2.l.google.com
domain a8b8fc1f-3586-4658-b72f-0e583b0d00e8.uuid.thestatsfiles.ru
host 109.107.182.2
host 171.22.28.213
host 171.22.28.221
host 171.22.28.226
host 171.22.28.236
host 176.113.115.135
host 176.113.115.136
host 176.113.115.84
host 185.172.128.69
host 185.225.75.171
host 193.233.255.73
host 193.42.32.118
host 194.169.175.128
host 45.15.156.229
host 77.232.38.234
host 85.217.144.143
host 91.103.252.189
host 194.169.175.233
host 208.67.104.60
host 77.91.124.1
host 77.91.124.86
host 80.66.75.77
host 94.142.138.113
host 45.143.201.238
host 5.42.65.101
host 62.122.184.92
host 80.66.75.4
host 83.97.73.44
host 49.12.116.189
dead_host 192.168.56.102:49186
dead_host 194.169.175.128:50500
dead_host 176.113.115.84:80