Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | Nov. 16, 2023, 6:54 p.m. | Nov. 16, 2023, 6:56 p.m. |
-
wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\NOV_INQUIRY.js
3024
Name | Response | Post-Analysis Lookup |
---|---|---|
apps.identrust.com |
CNAME
a1952.dscq.akamai.net
CNAME
identrust.edgesuite.net
|
23.67.53.17 |
wtools.io | 104.21.6.247 | |
pastebin.com | 104.20.68.143 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49161 -> 172.67.34.170:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49163 -> 104.21.6.247:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
UDP 192.168.56.102:62846 -> 164.124.101.2:53 | 2034938 | ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io) | Potential Corporate Privacy Violation |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49161 172.67.34.170:443 |
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | c7:af:cc:81:4d:27:d1:4c:7c:f4:bf:5d:55:9d:80:50:3b:6f:6c:cd |
TLSv1 192.168.56.102:49163 104.21.6.247:443 |
C=US, O=Let's Encrypt, CN=E1 | CN=wtools.io | 3a:58:36:cd:4b:ef:eb:18:c3:bf:78:bd:93:e9:a1:d0:70:e3:b8:13 |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
request | GET https://pastebin.com/raw/NVAgzFRR |