Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 28, 2024, 9:33 a.m.	May 28, 2024, 9:35 a.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`af18d6dfe58e07bb76c7701a2c320ce7`
SHA256	`7cf5057c51e7188b96ce56a9231a72f9ac8428001df77e18d4a84d7d54127e4b`
CRC32	`47C66E48`
ssdeep	`49152:mCFgvKNPulGyVPbdw6cRsFd/Lqm76Ccgj:mC4KNPCqu376C3`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

rtx.exe "C:\Users\test22\AppData\Local\Temp\rtx.exe"
2560
- rtx.exe "C:\Users\test22\AppData\Local\Temp\rtx.exe"
  2668

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.149.139.42	Active	Moloch
116.12.180.237	Active	Moloch
128.31.0.39	Active	Moloch
131.188.40.189	Active	Moloch
154.35.175.225	Active	Moloch
176.123.3.222	Active	Moloch
185.97.32.34	Active	Moloch
192.121.44.26	Active	Moloch
192.46.225.58	Active	Moloch
193.23.244.244	Active	Moloch
199.58.81.140	Active	Moloch
86.59.21.38	Active	Moloch
87.151.147.113	Active	Moloch
89.163.164.202	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.121.44.26:9001 -> 192.168.56.101:49174	2522277	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 278	Misc Attack
TCP 128.31.0.39:9101 -> 192.168.56.101:49177	2522143	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 144	Misc Attack
TCP 199.58.81.140:443 -> 192.168.56.101:49175	2522306	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 307	Misc Attack
TCP 192.121.44.26:9001 -> 192.168.56.101:49174	2018789	ET POLICY TLS possible TOR SSL traffic	Misc activity
TCP 193.23.244.244:443 -> 192.168.56.101:49178	2522286	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 287	Misc Attack
TCP 131.188.40.189:443 -> 192.168.56.101:49182	2522148	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 149	Misc Attack
TCP 116.12.180.237:443 -> 192.168.56.101:49179	2522138	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 139	Misc Attack
TCP 89.163.164.202:443 -> 192.168.56.101:49181	2522740	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 741	Misc Attack

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49174 192.121.44.26:9001	CN=www.kmsevoanps.com	CN=www.zkcn7rgvovblj52r6lef.net	6b:e5:ac:76:50:79:2e:03:e9:94:13:e0:a6:8d:09:a5:03:9a:d5:f3
TLS 1.2 192.168.56.101:49175 199.58.81.140:443	CN=www.gnmd2gvjeipnopwemui3.com	CN=www.rvkj3a73jvrcd5.net	5e:47:22:34:cf:3e:63:ab:5a:73:3f:70:de:89:5b:e0:01:e3:88:a7
TLS 1.2 192.168.56.101:49178 193.23.244.244:443	CN=www.nc4fiighnz.com	CN=www.krdkrcttf37.net	85:ee:dc:f6:23:f9:c0:67:af:06:45:53:0b:f5:58:d7:0f:45:c9:ff
TLS 1.2 192.168.56.101:49182 131.188.40.189:443	CN=www.uhlqmuy6t3oe3hhf.com	CN=www.amm5v4wst.net	db:7a:ee:da:d0:fc:d2:72:2a:b4:1c:b3:7d:b8:26:58:df:50:ea:ef
TLS 1.2 192.168.56.101:49179 116.12.180.237:443	CN=www.pd2obsqq62wrucno.com	CN=www.kokyf72j2oxz.net	69:7f:19:51:5d:d8:67:50:be:0b:90:f2:b4:b6:9e:bb:76:17:49:dc
TLS 1.2 192.168.56.101:49181 89.163.164.202:443	CN=www.ujmqkjo45qb.com	CN=www.x2sipc6jkict7z2.net	49:f9:cb:b5:9b:f9:4a:ad:41:ef:72:d2:0d:9d:83:3b:ef:24:9f:98

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 26, 2024, 8:51 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 26, 2024, 8:51 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 26, 2024, 8:51 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AFX_DIALOG_LAYOUT

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (5 events)

Time & API	Arguments	Status	Return
bind May 26, 2024, 8:51 p.m.	ip_address: 127.0.0.1 socket: 604 port: 0	1	0
listen May 26, 2024, 8:51 p.m.	socket: 604 backlog: 1	1	0
accept May 26, 2024, 8:51 p.m.	ip_address: 127.0.0.1 socket: 604 port: 49166	1	596
bind May 26, 2024, 8:51 p.m.	ip_address: 127.0.0.1 socket: 604 port: 49808	1	0
listen May 26, 2024, 8:51 p.m.	socket: 604 backlog: 2147483647	1	0

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 26, 2024, 8:51 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 1802240 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04900000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2024, 8:51 p.m.	process_identifier: 2560 region_size: 1798144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2024, 8:51 p.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (11 events)

name

RT_ICON

language

LANG_JAPANESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02a34ec0

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02a34ec0

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02a34ec0

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02a34ec0

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02a34ec0

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02a34ec0

size

0x00000468

name

RT_ICON

language

LANG_JAPANESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x02a34ec0

size

0x00000468

name

RT_STRING

language

LANG_JAPANESE

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x02a38258

size

0x0000028a

name

RT_STRING

language

LANG_JAPANESE

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x02a38258

size

0x0000028a

name

RT_STRING

language

LANG_JAPANESE

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x02a38258

size

0x0000028a

name

RT_GROUP_ICON

language

LANG_JAPANESE

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x02a35328

size

0x00000068

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\Drivers\csrss.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (38 events)

Time & API	Arguments	Status	Return
Process32FirstW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: [System Process] process_identifier: 0	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: System process_identifier: 4	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: smss.exe process_identifier: 224	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: csrss.exe process_identifier: 304	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: wininit.exe process_identifier: 352	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: csrss.exe process_identifier: 360	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: services.exe process_identifier: 444	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: lsass.exe process_identifier: 460	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: lsm.exe process_identifier: 468	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: svchost.exe process_identifier: 572	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: svchost.exe process_identifier: 652	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: svchost.exe process_identifier: 724	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: svchost.exe process_identifier: 784	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: svchost.exe process_identifier: 832	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: svchost.exe process_identifier: 992	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: svchost.exe process_identifier: 292	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: pw.exe process_identifier: 988	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: mobsync.exe process_identifier: 2276	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: pw.exe process_identifier: 2320	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: taskhost.exe process_identifier: 2372	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: rtx.exe process_identifier: 2668	1	1
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x0000019c process_name: process_identifier: 35901728		0
Process32NextW May 26, 2024, 8:51 p.m.	snapshot_handle: 0x000002b0 process_name: 핐畱 process_identifier: 35848192		0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 26, 2024, 8:51 p.m.	flags: 14 family: 2	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x001baa00', u'virtual_address': u'0x00018000', u'entropy': 7.994785189056425, u'name': u'.data', u'virtual_size': u'0x02a16380'}

entropy

7.99478518906

description

A section with a high entropy has been found

entropy

0.934794086589

description

Overall entropy of this PE file is high

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: d28efb268620185702b8d301d25e4dd45dcf4414

Communicates with host for which no DNS query was performed (14 events)

host	104.149.139.42
host	116.12.180.237
host	128.31.0.39
host	131.188.40.189
host	154.35.175.225
host	176.123.3.222
host	185.97.32.34
host	192.121.44.26
host	192.46.225.58
host	193.23.244.244
host	199.58.81.140
host	86.59.21.38
host	87.151.147.113
host	89.163.164.202

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 26, 2024, 8:51 p.m.	process_identifier: 2668 region_size: 4489216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS

reg_value

"C:\ProgramData\Drivers\csrss.exe"

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 26, 2024, 8:51 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2668 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 called NtSetContextThread to modify thread in remote process 2668
NtSetContextThread May 26, 2024, 8:51 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 8673008 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2668	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 resumed a thread in remote process 2668
NtResumeThread May 26, 2024, 8:51 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2668	1	0	0

Installs Tor on the machine (1 event)

file	C:\Users\test22\AppData\Roaming\tor\geoip

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (9 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 26, 2024, 8:51 p.m.	thread_identifier: 2672 thread_handle: 0x0000007c process_identifier: 2668 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\rtx.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\rtx.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\rtx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread May 26, 2024, 8:51 p.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection May 26, 2024, 8:51 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2668 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory May 26, 2024, 8:51 p.m.	process_identifier: 2668 region_size: 4489216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory May 26, 2024, 8:51 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2668 process_handle: 0x00000080	1	1
NtSetContextThread May 26, 2024, 8:51 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 8673008 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2668	1	0
NtResumeThread May 26, 2024, 8:51 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2668	1	0
NtResumeThread May 26, 2024, 8:51 p.m.	thread_handle: 0x00000178 suspend_count: 1 process_identifier: 2668	1	0
NtResumeThread May 26, 2024, 8:51 p.m.	thread_handle: 0x000001d8 suspend_count: 1 process_identifier: 2668	1	0

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.Y!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	TrojanSpy.Zbot
Skyhigh	BehavesLike.Win32.Lockbit.tc
ALYac	Trojan.GenericKD.72867421
Cylance	unsafe
VIPRE	Trojan.GenericKD.72867421
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00516fdf1 )
BitDefender	Trojan.GenericKD.72867421
K7GW	Trojan ( 00516fdf1 )
Arcabit	Trojan.Generic.D457DE5D
VirIT	Trojan.Win32.Tepfer.AD
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Kryptik.HXDH
APEX	Malicious
McAfee	Artemis!AF18D6DFE58E
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Packer.pkr_ce1a-9980177-0
Kaspersky	HEUR:Backdoor.Win32.Agent.gen
Alibaba	Backdoor:Win32/Kryptik.d730afba
NANO-Antivirus	Trojan.Win32.CMSBrute.knlvjk
MicroWorld-eScan	Trojan.GenericKD.72867421
Rising	Trojan.SmokeLoader!1.F6B2 (CLASSIC)
Emsisoft	Trojan.GenericKD.72867421 (B)
F-Secure	Trojan.TR/AD.MalwareCrypter.knmoj
DrWeb	Trojan.CMSBrute.1
TrendMicro	Trojan.Win32.SMOKELOADER.YXEEXZ
McAfeeD	Real Protect-LS!AF18D6DFE58E
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.af18d6dfe58e07bb
Sophos	Troj/Krypt-VK
Ikarus	Trojan.Win32.Crypt
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/AD.MalwareCrypter.knmoj
MAX	malware (ai score=87)
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win32.Kryptik.ca
Xcitium	Malware@#1aw7ld6v5zf2c
Microsoft	Trojan:Win32/Azorult
ZoneAlarm	HEUR:Backdoor.Win32.Agent.gen
GData	Trojan.GenericKD.72867421
Varist	W32/Kryptik.LVP.gen!Eldorado
AhnLab-V3	Trojan/Win.Azorult.C5626407
BitDefenderTheta	Gen:NN.ZexaF.36804.2r0@aGdzb8kG
DeepInstinct	MALICIOUS

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (10 events)

dead_host	192.46.225.58:9001
dead_host	192.168.56.101:49180
dead_host	185.97.32.34:9001
dead_host	128.31.0.39:9101
dead_host	104.149.139.42:8080
dead_host	154.35.175.225:443
dead_host	176.123.3.222:9001
dead_host	192.168.56.101:49177
dead_host	87.151.147.113:9001
dead_host	86.59.21.38:443

rtx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All