Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 7, 2023, 10:36 a.m.	Nov. 7, 2023, 10:39 a.m.

Size	29.2MB
Type	RAR archive data, v5
MD5	`f990fd3d664b4a2cd89a21cb6e2a9911`
SHA256	`7d358ab572af48ef13265ae285337d6c096a2528ba432fa0a41c3b927b0d2405`
CRC32	`71EBABB9`
ssdeep	`786432:GdXED1CiOhju1QULmJ+DpKRit33DlvHhl:GyxCiwjCLYmJv7`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "OLKUCbSQKaanzdX" C:\Users\test22\AppData\Local\Temp\File.rar
3052
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\File.rar"
  2192

Name	Response	Post-Analysis Lookup
medfioytrkdkcodlskeej.net	A 91.215.85.209	91.215.85.209
zexeq.com	A 14.33.209.147 A 211.40.39.251 A 196.188.169.138 A 211.171.233.126 A 95.86.30.3 A 211.168.53.110 A 186.48.29.68 A 185.12.79.25 A 211.119.84.112 A 123.213.233.131	201.110.235.204
api.db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15
yandex.ru	A 5.255.255.77 A 77.88.55.88 A 77.88.55.60 A 5.255.255.70	5.255.255.77
twitter.com	A 104.244.42.1	104.244.42.1
ipinfo.io	A 34.117.59.81	34.117.59.81
learn.microsoft.com	CNAME e13636.dscb.akamaiedge.net A 23.40.45.69 CNAME learn-public.trafficmanager.net CNAME learn.microsoft.com.edgekey.net CNAME learn.microsoft.com.edgekey.net.globalredir.akadns.net	23.36.221.172
sso.passport.yandex.ru	A 213.180.204.24 CNAME passport.yandex.ru	213.180.204.24
telegram.org	A 149.154.167.99	149.154.167.99
jaimemcgee.top	A 193.106.175.190	193.106.175.190
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.13.31
sun6-21.userapi.com	A 95.142.206.1	95.142.206.1
gons09fc.top	A 212.113.122.87	212.113.122.87
sun6-22.userapi.com	A 95.142.206.2	95.142.206.2
apps.identrust.com	A 23.67.53.27 A 23.67.53.17 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.9 A 121.254.136.18	23.67.53.17
walkinglate.com	A 104.21.23.184 A 172.67.212.188	172.67.212.188
dzen.ru	A 62.217.160.2	62.217.160.2
stim.graspalace.com	A 104.21.20.155 A 172.67.193.43	104.21.20.155
vsblobprodscussu5shard58.blob.core.windows.net	CNAME blob.SAT09PrdStrz08A.trafficmanager.net CNAME blob.sat09prdstrz08a.store.core.windows.net A 20.150.79.68 A 20.150.38.228 A 20.150.70.36	20.150.79.68
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	172.67.75.163
iplogger.com	A 104.21.12.138 A 172.67.194.188	172.67.194.188
stun3.l.google.com	A 172.253.117.127	142.251.2.127
msdl.microsoft.com	CNAME msdl.microsoft.akadns.net CNAME msdl-microsoft-com.a-0016.a-msedge.net CNAME a-0016.a-msedge.net A 204.79.197.219	204.79.197.219
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.78 A 87.240.137.164 A 93.186.225.194 A 87.240.132.67	87.240.129.133
iplogger.org	A 148.251.234.83	148.251.234.83
sun6-20.userapi.com	A 95.142.206.0	95.142.206.0
bd178ff8-29e6-47f2-a804-23d45a4bfa60.uuid.localstats.org		185.82.216.111
www.maxmind.com	A 104.18.145.235 A 104.18.146.235	104.18.145.235
fdjbgkhjrpfvsdf.online	A 104.21.87.5 A 172.67.139.27	104.21.87.5
api.2ip.ua	A 104.21.65.24 A 172.67.139.220	104.21.65.24
www.download.windowsupdate.com	A 23.33.32.64 A 23.33.32.67 CNAME download.windowsupdate.com.edgesuite.net CNAME wu-fg-shim.trafficmanager.net CNAME a767.dspw65.akamai.net	23.199.34.11
server3.localstats.org	A 185.82.216.111	185.82.216.111
ironhost.io	A 104.21.57.237 A 172.67.193.129	172.67.193.129
vanaheim.cn	A 158.160.73.47	158.160.73.47
steamcommunity.com	A 104.76.78.101	104.76.78.101
t.me	A 149.154.167.99	149.154.167.99
iplis.ru	A 104.21.63.150 A 172.67.147.32	172.67.147.32
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.5.15
vsblobprodscussu5shard10.blob.core.windows.net	CNAME blob.SAT09PrdStrz08A.trafficmanager.net CNAME blob.sat09prdstrz08a.store.core.windows.net A 20.150.79.68 A 20.150.38.228 A 20.150.70.36	20.150.79.68
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233

IP Address	Status	Action
104.18.145.235	Active	Moloch
104.21.12.138	Active	Moloch
104.21.23.184	Active	Moloch
104.21.57.237	Active	Moloch
104.21.65.24	Active	Moloch
104.21.87.5	Active	Moloch
104.244.42.1	Active	Moloch
104.26.13.31	Active	Moloch
104.26.4.15	Active	Moloch
104.26.5.15	Active	Moloch
104.26.9.59	Active	Moloch
104.76.78.101	Active	Moloch
121.254.136.9	Active	Moloch
14.33.209.147	Active	Moloch
148.251.234.83	Active	Moloch
149.154.167.99	Active	Moloch
157.90.152.131	Active	Moloch
158.160.73.47	Active	Moloch
162.159.133.233	Active	Moloch
164.124.101.2	Active	Moloch
172.253.117.127	Active	Moloch
172.67.147.32	Active	Moloch
172.67.193.43	Active	Moloch
176.113.115.84	Active	Moloch
185.172.128.69	Active	Moloch
185.173.38.57	Active	Moloch
185.82.216.111	Active	Moloch
193.106.175.190	Active	Moloch
194.169.175.118	Active	Moloch
194.169.175.128	Active	Moloch
194.33.191.60	Active	Moloch
194.49.94.41	Active	Moloch
194.49.94.48	Active	Moloch
194.49.94.97	Active	Moloch
212.113.122.87	Active	Moloch
213.180.204.24	Active	Moloch
23.33.32.64	Active	Moloch
23.67.53.17	Active	Moloch
34.117.59.81	Active	Moloch
45.129.14.83	Active	Moloch
45.15.156.229	Active	Moloch
5.255.255.70	Active	Moloch
62.217.160.2	Active	Moloch
85.209.11.85	Active	Moloch
91.215.85.209	Active	Moloch
91.92.243.151	Active	Moloch
93.186.225.194	Active	Moloch
94.142.138.131	Active	Moloch
95.142.206.0	Active	Moloch
95.142.206.1	Active	Moloch
95.142.206.2	Active	Moloch
20.150.38.228	Active	Moloch
204.79.197.219	Active	Moloch
23.40.45.69	Active	Moloch
80.66.75.77	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49177 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49177 -> 104.26.9.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49181 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49181 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49176 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49184 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49186 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 176.113.115.84:80 -> 192.168.56.102:49191	2400018	ET DROP Spamhaus DROP Listed Traffic Inbound group 19	Misc Attack
UDP 192.168.56.102:65226 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49183 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49183 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49205 -> 104.21.87.5:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49190 -> 194.49.94.48:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 194.49.94.48:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49198 -> 104.21.87.5:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.21.87.5:80 -> 192.168.56.102:49198	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 194.49.94.48:80 -> 192.168.56.102:49190	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49194 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49194 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49201 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49201 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49207 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49207 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.215.85.209:80 -> 192.168.56.102:49211	2400006	ET DROP Spamhaus DROP Listed Traffic Inbound group 7	Misc Attack
TCP 192.168.56.102:49203 -> 212.113.122.87:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.102:49203 -> 212.113.122.87:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 194.49.94.48:80 -> 192.168.56.102:49190	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.49.94.48:80 -> 192.168.56.102:49190	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 212.113.122.87:80 -> 192.168.56.102:49203	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 212.113.122.87:80 -> 192.168.56.102:49203	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.102:49178 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49178 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49178 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49178 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49188 -> 194.49.94.97:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49197 -> 212.113.122.87:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 104.21.87.5:80 -> 192.168.56.102:49200	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49188 -> 194.49.94.97:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49188 -> 194.49.94.97:80	2016698	ET HUNTING Suspicious services.exe in URI	Potentially Bad Traffic
TCP 194.49.94.97:80 -> 192.168.56.102:49188	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.49.94.97:80 -> 192.168.56.102:49188	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49206 -> 91.215.85.209:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49213 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 93.186.225.194:80 -> 192.168.56.102:49213	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49214 -> 91.215.85.209:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49196 -> 104.21.87.5:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.21.87.5:80 -> 192.168.56.102:49196	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49193 -> 45.129.14.83:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 45.129.14.83:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.102:49195 -> 91.215.85.209:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49195 -> 91.215.85.209:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49192 -> 194.169.175.118:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49189 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49193 -> 45.129.14.83:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 45.129.14.83:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 45.129.14.83:80 -> 192.168.56.102:49193	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49192 -> 194.169.175.118:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 194.169.175.118:80 -> 192.168.56.102:49192	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49199 -> 91.215.85.209:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49199 -> 91.215.85.209:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49202 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49202 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.129.14.83:80 -> 192.168.56.102:49193	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.129.14.83:80 -> 192.168.56.102:49193	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 45.129.14.83:80 -> 192.168.56.102:49193	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 194.169.175.118:80 -> 192.168.56.102:49192	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.169.175.118:80 -> 192.168.56.102:49192	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 194.169.175.118:80 -> 192.168.56.102:49192	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.102:49208 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 93.186.225.194:80 -> 192.168.56.102:49208	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49217 -> 91.215.85.209:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49216 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 91.215.85.209:443 -> 192.168.56.102:49220	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49225 -> 95.142.206.0:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 176.113.115.84:8080 -> 192.168.56.102:49210	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.84:8080 -> 192.168.56.102:49210	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 176.113.115.84:8080 -> 192.168.56.102:49210	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49212 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49221 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49221 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49226 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49232 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49234 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49218 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49223 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49223 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49224 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49229 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49229 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49240 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49241 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49231 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49231 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49233 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49243 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49244 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49245 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49245 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49239 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 93.186.225.194:80 -> 192.168.56.102:49239	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49246 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49228 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49230 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49230 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49251 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49251 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49253 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49253 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49254 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49236 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49236 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49249 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49249 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49256 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49257 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49257 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49258 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49258 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49259 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49259 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49247 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49247 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49248 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49250 -> 95.142.206.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49252 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49261 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49264 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49265 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49267 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49268 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.49.94.41:50500 -> 192.168.56.102:49269	2046266	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)	Malware Command and Control Activity Detected
TCP 194.49.94.41:50500 -> 192.168.56.102:49269	2046267	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49269 -> 194.49.94.41:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)	Malware Command and Control Activity Detected
TCP 194.169.175.128:50505 -> 192.168.56.102:49270	2046266	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49270 -> 194.169.175.128:50505	2046269	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)	Malware Command and Control Activity Detected
TCP 149.154.167.99:443 -> 192.168.56.102:49278	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49277 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49280 -> 104.244.42.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49274 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49274 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49274 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49274 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49282 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49282 -> 104.26.9.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49283 -> 5.255.255.70:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49279 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49284 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49284 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49284 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49272 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49273 -> 45.15.156.229:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49290 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49290 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49290 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49293 -> 172.67.147.32:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49287 -> 172.67.147.32:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49292 -> 62.217.160.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49286 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49295 -> 213.180.204.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49286 -> 104.26.9.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49289 -> 172.67.147.32:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49269 -> 194.49.94.41:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49294 -> 172.67.147.32:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49296 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49296 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49296 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49296 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49301 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49309 -> 104.21.57.237:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.83:443 -> 192.168.56.102:49297	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49260 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49300 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 93.186.225.194:80 -> 192.168.56.102:49300	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.102:49317 -> 85.209.11.85:41140	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49317 -> 85.209.11.85:41140	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.102:49317 -> 85.209.11.85:41140	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.102:49299 -> 91.92.243.151:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49312 -> 185.172.128.69:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49313 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49313 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.173.38.57:80 -> 192.168.56.102:49316	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49317 -> 85.209.11.85:41140	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.102:49312 -> 185.172.128.69:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49302 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49302 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49304 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49304 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49302 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49304 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 185.172.128.69:80 -> 192.168.56.102:49312	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.69:80 -> 192.168.56.102:49312	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49305 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.173.38.57:80 -> 192.168.56.102:49316	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49318 -> 194.33.191.60:44675	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.102:49321 -> 93.186.225.194:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49318 -> 194.33.191.60:44675	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.102:49318 -> 194.33.191.60:44675	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 192.168.56.102:49318 -> 194.33.191.60:44675	2046105	ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)	A Network Trojan was detected
TCP 194.33.191.60:44675 -> 192.168.56.102:49318	2046056	ET MALWARE Redline Stealer Activity (Response)	A Network Trojan was detected
TCP 192.168.56.102:49310 -> 157.90.152.131:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
UDP 192.168.56.102:65168 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49298 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49298 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.102:49306	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49308 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49314 -> 93.186.225.194:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49314 -> 93.186.225.194:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49326 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49326 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49326 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49326 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
UDP 192.168.56.102:62197 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.102:60983 -> 164.124.101.2:53	2047719	ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49336 -> 193.106.175.190:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49336 -> 193.106.175.190:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 193.106.175.190:80 -> 192.168.56.102:49336	2044245	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config	Malware Command and Control Activity Detected
TCP 192.168.56.102:49328 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 93.186.225.194:80 -> 192.168.56.102:49319	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49329 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49323 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49331 -> 104.26.13.31:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49341 -> 193.106.175.190:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 193.106.175.190:80 -> 192.168.56.102:49341	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.106.175.190:80 -> 192.168.56.102:49341	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 193.106.175.190:80 -> 192.168.56.102:49341	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.102:49338 -> 193.106.175.190:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 193.106.175.190:80 -> 192.168.56.102:49338	2044247	ET MALWARE Win32/Stealc Active C2 Responding with plugins Config	Malware Command and Control Activity Detected
TCP 192.168.56.102:49339 -> 193.106.175.190:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 193.106.175.190:80 -> 192.168.56.102:49344	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.106.175.190:80 -> 192.168.56.102:49344	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 193.106.175.190:80 -> 192.168.56.102:49344	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
UDP 192.168.56.102:51010 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49349 -> 104.21.65.24:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49349 -> 104.21.65.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49347 -> 193.106.175.190:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49359 -> 23.40.45.69:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49361 -> 23.40.45.69:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.106.175.190:80 -> 192.168.56.102:49347	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.106.175.190:80 -> 192.168.56.102:49347	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 193.106.175.190:80 -> 192.168.56.102:49347	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.102:49353 -> 193.106.175.190:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 193.106.175.190:80 -> 192.168.56.102:49353	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.106.175.190:80 -> 192.168.56.102:49353	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 193.106.175.190:80 -> 192.168.56.102:49353	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.102:49374 -> 204.79.197.219:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49350 -> 193.106.175.190:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 193.106.175.190:80 -> 192.168.56.102:49350	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.106.175.190:80 -> 192.168.56.102:49350	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 193.106.175.190:80 -> 192.168.56.102:49350	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
UDP 192.168.56.102:49431 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 192.168.56.102:49380 -> 162.159.133.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49354 -> 14.33.209.147:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.102:49354 -> 14.33.209.147:80	2036334	ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key	A Network Trojan was detected
TCP 14.33.209.147:80 -> 192.168.56.102:49354	2036335	ET MALWARE Win32/Filecoder.STOP Variant Public Key Download	A Network Trojan was detected
UDP 192.168.56.102:54117 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49333 -> 104.21.65.24:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.102:49333 -> 104.21.65.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49375 -> 20.150.38.228:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49316 -> 185.173.38.57:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49335 -> 193.106.175.190:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.102:49337 -> 104.21.12.138:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49337 -> 104.21.12.138:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49360 -> 23.40.45.69:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 23.40.45.69:443 -> 192.168.56.102:49363	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49362 -> 23.40.45.69:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49376 -> 20.150.38.228:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 172.67.193.43:80 -> 192.168.56.102:49340	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 172.67.193.43:80 -> 192.168.56.102:49340	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 172.67.193.43:80 -> 192.168.56.102:49340	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49342 -> 193.106.175.190:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 193.106.175.190:80 -> 192.168.56.102:49342	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.106.175.190:80 -> 192.168.56.102:49342	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 193.106.175.190:80 -> 192.168.56.102:49342	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.102:49343 -> 193.106.175.190:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 193.106.175.190:80 -> 192.168.56.102:49343	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.106.175.190:80 -> 192.168.56.102:49343	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 193.106.175.190:80 -> 192.168.56.102:49343	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
UDP 192.168.56.102:49432 -> 172.253.117.127:19302	2033078	ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)	Misc activity
TCP 192.168.56.102:49274 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49296 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49326 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49302 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49178 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49177 104.26.9.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49186 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49205 104.21.87.5:443	C=US, O=Let's Encrypt, CN=E1	CN=fdjbgkhjrpfvsdf.online	5d:a5:57:bd:11:fb:b3:4d:13:f7:4a:c5:f4:35:35:9c:e3:02:fa:11
TLSv1 192.168.56.102:49225 95.142.206.0:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49218 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49240 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49233 95.142.206.1:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49243 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49244 95.142.206.1:443	None	None	None
TLSv1 192.168.56.102:49246 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49228 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49254 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49256 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49250 95.142.206.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49252 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49265 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49267 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49268 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49277 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49282 104.26.9.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49283 5.255.255.70:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=*.xn--d1acpjx3f.xn--p1ai	e4:ba:b2:7f:bf:93:b8:22:10:26:70:37:9c:03:1a:9d:fb:23:17:24
TLSv1 192.168.56.102:49293 172.67.147.32:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=iplis.ru	04:2b:ef:ab:43:60:60:33:69:03:f3:51:37:11:c8:29:26:89:a4:93
TLSv1 192.168.56.102:49287 172.67.147.32:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=iplis.ru	04:2b:ef:ab:43:60:60:33:69:03:f3:51:37:11:c8:29:26:89:a4:93
TLSv1 192.168.56.102:49292 62.217.160.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.dzen.ru	6a:31:14:29:60:07:c9:c6:17:7b:d1:27:ad:53:57:ec:d8:c1:d8:d2
TLSv1 192.168.56.102:49286 104.26.9.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49289 172.67.147.32:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=iplis.ru	04:2b:ef:ab:43:60:60:33:69:03:f3:51:37:11:c8:29:26:89:a4:93
TLSv1 192.168.56.102:49295 213.180.204.24:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018	C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=sso.passport.yandex.ru	3a:82:43:a9:43:9c:c8:90:01:04:4f:74:1b:6c:cd:4b:9b:19:7d:93
TLSv1 192.168.56.102:49294 172.67.147.32:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=iplis.ru	04:2b:ef:ab:43:60:60:33:69:03:f3:51:37:11:c8:29:26:89:a4:93
TLSv1 192.168.56.102:49309 104.21.57.237:443	C=US, O=Let's Encrypt, CN=E1	CN=ironhost.io	bf:96:55:fe:92:31:2c:3b:86:d9:a5:21:ac:2a:4c:b7:56:b7:9e:19
TLSv1 192.168.56.102:49305 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49321 93.186.225.194:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49308 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5
TLSv1 192.168.56.102:49328 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49329 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49331 104.26.13.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	53:56:0b:3a:91:49:7f:18:59:87:21:98:d3:7f:98:0b:b4:ae:cb:cc
TLSv1 192.168.56.102:49349 104.21.65.24:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=2ip.ua	df:8e:38:7b:a5:b7:63:5f:01:77:75:f0:d6:4a:08:30:fa:63:46:8f
TLSv1 192.168.56.102:49374 204.79.197.219:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 04	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=msdl.microsoft.com	1e:ad:90:78:48:f7:11:32:f5:23:1c:08:ec:53:07:87:4a:98:82:8e
TLS 1.3 192.168.56.102:49382 104.21.23.184:443	None	None	None
TLS 1.3 192.168.56.102:49380 162.159.133.233:443	None	None	None
TLSv1 192.168.56.102:49333 104.21.65.24:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=2ip.ua	df:8e:38:7b:a5:b7:63:5f:01:77:75:f0:d6:4a:08:30:fa:63:46:8f
TLSv1 192.168.56.102:49375 20.150.38.228:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=*.blob.core.windows.net	6e:0d:1b:21:93:e6:c6:eb:18:68:57:6a:7e:85:c2:b6:90:ce:6b:9d
TLS 1.2 192.168.56.102:49337 104.21.12.138:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=iplogger.com	c1:91:92:9b:9a:80:29:75:dc:65:9b:a4:c0:11:8c:ac:72:d6:77:58
TLSv1 192.168.56.102:49376 20.150.38.228:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=*.blob.core.windows.net	6e:0d:1b:21:93:e6:c6:eb:18:68:57:6a:7e:85:c2:b6:90:ce:6b:9d
TLS 1.3 192.168.56.102:49381 185.82.216.111:443	None	None	None

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 7, 2023, 10:36 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 7, 2023, 10:36 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (31 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://94.142.138.131/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.131/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.49.94.97/download/Services.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.49.94.48/timeSync.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.169.175.118/xinchao.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://45.129.14.83/ch.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.129.14.83/ch.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://194.49.94.48/timeSync.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://194.169.175.118/xinchao.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://194.49.94.97/download/Services.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://176.113.115.84:8080/4.php
suspicious_features	Connection to IP address	suspicious_request	GET http://45.15.156.229/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://45.15.156.229/api/firegate.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://91.92.243.151/api/tracemap.php
suspicious_features	Connection to IP address	suspicious_request	GET http://157.90.152.131/9ea41fac0af12ade12ae478b6c25112b
suspicious_features	Connection to IP address	suspicious_request	GET http://157.90.152.131/getfiles.zip
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.172.128.69/latestumma.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.172.128.69/latestumma.exe
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.131/api/firecom.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://157.90.152.131/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://jaimemcgee.top/40d570f44e84a454.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://stim.graspalace.com/order/tuc19.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/sqlite3.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/freebl3.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/mozglue.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/msvcp140.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/nss3.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/softokn3.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/vcruntime140.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://api.ip.sb/ip
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.com/2lhi52

Performs some HTTP requests (50 out of 79 events)

request	GET http://94.142.138.131/api/tracemap.php
request	POST http://94.142.138.131/api/firegate.php
request	HEAD http://194.49.94.97/download/Services.exe
request	HEAD http://194.49.94.48/timeSync.exe
request	HEAD http://194.169.175.118/xinchao.exe
request	HEAD http://45.129.14.83/ch.exe
request	HEAD http://gons09fc.top/build.exe
request	GET http://45.129.14.83/ch.exe
request	GET http://194.49.94.48/timeSync.exe
request	GET http://194.169.175.118/xinchao.exe
request	GET http://194.49.94.97/download/Services.exe
request	GET http://gons09fc.top/build.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://176.113.115.84:8080/4.php
request	GET http://45.15.156.229/api/tracemap.php
request	POST http://45.15.156.229/api/firegate.php
request	GET http://91.92.243.151/api/tracemap.php
request	GET http://157.90.152.131/9ea41fac0af12ade12ae478b6c25112b
request	GET http://157.90.152.131/getfiles.zip
request	HEAD http://185.172.128.69/latestumma.exe
request	GET http://185.172.128.69/latestumma.exe
request	GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request	POST http://94.142.138.131/api/firecom.php
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	POST http://157.90.152.131/
request	POST http://jaimemcgee.top/40d570f44e84a454.php
request	GET http://stim.graspalace.com/order/tuc19.exe
request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/sqlite3.dll
request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/freebl3.dll
request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/mozglue.dll
request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/msvcp140.dll
request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/nss3.dll
request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/softokn3.dll
request	GET http://jaimemcgee.top/2a7743b8bbd7e4a7/vcruntime140.dll
request	GET http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
request	GET http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=7mQSCiCXPXX6dRJCYyN_6SMF.exe&platform=0009&osver=5&isServer=0
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://fdjbgkhjrpfvsdf.online/setup294.exe
request	GET https://vk.com/doc26060933_667364987?hash=BHX3WK0Px3UZYC6KUcanvJ8pCPk0aSa1CJ1a0crl1aL&dl=Y5COLZGRCC7rDCjMPJPVPA4Y0k1NZaZCa4v1PlcGmn8&api=1&no_preview=1
request	GET https://sun6-20.userapi.com/c237031/u26060933/docs/d15/cc14cf618ad2/32ssh7832haf.bmp?extra=fwty-u7t3kuVDKn2Ab1i7boHK4AyOko_2OhckURSgZjMwMr1LMRzcDeu6ldvQCwfDuTH4EEUK6o17LKRsfTQtZt7FslDGR2y6GbdZCCcOp_WNzQ6CUda5D8--pR4RgBxlwovfJ0hDyZTvl6g
request	GET https://vk.com/doc26060933_667234651?hash=Rv3y1hZYldejZNTzjJxgzdYVgzKs0azR7LT5gowzNJT&dl=fEH5j2bjnO3mwDbqODuUYTgMkVbKBYVrBOOWxCsJzJ0&api=1&no_preview=1
request	GET https://sun6-21.userapi.com/c235031/u26060933/docs/d60/17553397c370/BotClients.bmp?extra=-v4zcNPz1jW9QCJnnz9JVzDnTCKGRuMlTveecae_unmKfC9kkvBIvc2-te4xySL_yWe5nnd_YxV37ErLEFEIq7sRTyCvImhVEvmEOPxoun1R7sPoot0d8T6T-hCuuHgaJPUBO994jw7jL9uK
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request	GET https://vk.com/doc26060933_667223635?hash=qzxpj41H7aJKGYAkotcS9kwFdHSU9KQawZjeS9cVst4&dl=iEliVZrkZcesylYAmZs8zvhVjQpPOUAfyAIZcvJVbPH&api=1&no_preview=1#ww11
request	GET https://sun6-21.userapi.com/c235031/u26060933/docs/d17/db2aaaddfe32/WWW11_32.bmp?extra=LvgMZ5BcJibniVvg_xQUErj_9kLnqOtcusmOUyUjOIXbjkKeGQ7pW-CoV7IrznBP2wJiu4NzODsIVN7qO0IUK8lgpYQX9G5kXyxutFPWFhIaYYMu_JdxGjVFCbYekkWVqM3_yu14LtRG8yAR
request	GET https://vk.com/doc26060933_667265534?hash=QrZOxyJfddotURGFHUaHcRtzBrPYFYi92QMrQaABFRL&dl=YGWXjzH1s6k62LlpR6zC3pzzD02Frvfpv4JhBLkPKVH&api=1&no_preview=1
request	GET https://sun6-22.userapi.com/c909218/u26060933/docs/d39/2b5c05ade136/PL_Client.bmp?extra=da599MOTGK0smGFDrYCbIOwnAESK93Bdw8XDZy_0vK13817g4Qsr6AWGWEf5TNMs8D67QVgYFb6fgHXsdA6lLB0kHdsNHYl2LuiA4Cchiwv-echVwulM9pvREF7eyP8R_tYUW-AEg4HMRDmJ
request	GET https://vk.com/doc26060933_667359908?hash=yQKoVWnfjFhzr903ZjYqRdETfhHRvOA3tdbWxY3zKzD&dl=zw8EgRqlD4zpJ6OqofPR0yVWnKxxgpXEHD0enFFWN4c&api=1&no_preview=1#risepro
request	GET https://sun6-21.userapi.com/c235031/u26060933/docs/d9/bc2848036729/RisePro.bmp?extra=SP1QdjCI8oU_xuYoIIuZttGFNgWH7AbE6JwtZ38DSR0pO-h7FoRCvnKkufqlmQ46-FAtSfPZhinV1S-bj-wfjvlOR9IAT1ozrONeI06QH8DZwg9_d29MnpwcitMyaiN5iQdqTV0kMpewNZlg

Sends data using the HTTP POST Method (6 events)

request	POST http://94.142.138.131/api/firegate.php
request	POST http://45.15.156.229/api/firegate.php
request	POST http://94.142.138.131/api/firecom.php
request	POST http://157.90.152.131/
request	POST http://jaimemcgee.top/40d570f44e84a454.php
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (5 events)

ip	176.113.115.84
ip	194.33.191.60
ip	194.49.94.41
ip	85.209.11.85
ip	172.253.117.127

Resolves a suspicious Top Level Domain (TLD) (2 events)

domain	gons09fc.top				description	Generic top level domain TLD
domain	jaimemcgee.top				description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 7, 2023, 10:36 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74062000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 7, 2023, 10:36 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x721c3000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (22 events)

file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\PROPAMAT\gettext.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\aadtb.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\RenoirCore.WindowsDesktop — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\RenoirCore.WindowsDesktop.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Setup.exe
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\ResIL — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\dbghelp.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\vivoxsdk.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\PROPAMAT\dbghelp.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\lgc_api.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\PROPAMAT\lgc_api.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\ResIL.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\concrt140.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\lgc_api — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\vivoxsdk — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\PROPAMAT\libEGL.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\PROPAMAT\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\libEGL.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\PROPAMAT\concrt140.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\dbghelp — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE0980529A\Templates\gettext.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 7, 2023, 10:36 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW Nov. 7, 2023, 10:36 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Performs a TXT record DNS lookup potentially for command and control or covert channel (1 event)

domain

bd178ff8-29e6-47f2-a804-23d45a4bfa60.uuid.localstats.org

Communicates with host for which no DNS query was performed (16 events)

host	157.90.152.131
host	176.113.115.84
host	185.172.128.69
host	185.173.38.57
host	194.169.175.118
host	194.169.175.128
host	194.33.191.60
host	194.49.94.41
host	194.49.94.48
host	194.49.94.97
host	45.129.14.83
host	45.15.156.229
host	85.209.11.85
host	91.92.243.151
host	94.142.138.131
host	80.66.75.77

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.102:49191
dead_host	176.113.115.84:80
dead_host	194.169.175.128:50500

File.rar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All