Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 5, 2024, 3:18 p.m.	Aug. 5, 2024, 3:20 p.m.

Size	13.3MB
Type	7-zip archive data, version 0.4
MD5	`662ee89f76cfb8a8bddc6894b08203a6`
SHA256	`b2ec6531bba21cea054e9806d55db0b27ee65f08c2c3b2367f8369ea2534141b`
CRC32	`3DAE6883`
ssdeep	`393216:u0hxZ/dPwn3FQEThI+vHhijRs8WcvpiQQ/WWm6:9ZC3t3v2G3YiQWm6`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "acoJVfXfshwbxw" C:\Users\test22\AppData\Local\Temp\archive.7z
3064
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\archive.7z"
  2104

Name	Response	Post-Analysis Lookup
contile.services.mozilla.com	A 34.117.188.166	34.117.188.166
youtube-ui.l.google.com	A 142.250.76.142 A 142.251.42.206 A 142.250.207.110 A 142.250.206.238 A 142.250.206.206 A 172.217.25.174 A 172.217.161.206	172.217.161.206
prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209
www.gstatic.com	AAAA 2404:6800:400a:804::2003	142.250.206.227
shavar.prod.mozaws.net		44.239.110.200
twitter.com	A 104.244.42.129	104.244.42.129
prod.balrog.prod.cloudops.mozgcp.net	A 35.244.181.201	35.244.181.201
ipinfo.io	A 34.117.59.81	34.117.59.81
prod.detectportal.prod.cloudops.mozgcp.net	AAAA 2600:1901:0:38d7::	34.107.221.82
www.gstatic.com	A 142.250.206.227	142.250.206.227
accounts.google.com	AAAA 2404:6800:4008:c02::54	64.233.188.84
dyna.wikimedia.org	AAAA 2001:df2:e500:ed1a::1	103.102.166.224
www.facebook.com	CNAME star-mini.c10r.facebook.com A 157.240.215.35	157.240.215.35
prod.content-signature-chains.prod.webservices.mozgcp.net	A 34.160.144.191	34.160.144.191
152.134.208.175.in-addr.arpa
tracking-protection.prod.mozaws.net		34.120.158.37
play.google.com	AAAA 2404:6800:400a:813::200e	142.250.206.206
aus5.mozilla.org	A 35.244.181.201 CNAME balrog-aus5.r53-2.services.mozilla.com CNAME prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201
prod.content-signature-chains.prod.webservices.mozgcp.net	AAAA 2600:1901:0:92a9::	34.160.144.191
star-mini.c10r.facebook.com	A 157.240.215.35	157.240.215.35
benimmekansohbet.com	A 178.63.100.241	178.63.100.241
push.services.mozilla.com		34.107.243.93
www3.l.google.com	A 142.250.206.206	142.250.206.206
stan.pinefootsteps.com	A 104.21.32.226 A 172.67.156.80	104.21.32.226
prod.remote-settings.prod.webservices.mozgcp.net	A 34.149.100.209	34.149.100.209
reddit.map.fastly.net		151.101.1.140
shavar.prod.mozaws.net	A 44.239.110.200 A 35.155.86.205 A 35.165.99.161	44.239.110.200
www.wikipedia.org	CNAME dyna.wikimedia.org A 103.102.166.224	103.102.166.224
www.google.com	AAAA 2404:6800:400a:80e::2004	142.250.76.132
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	104.26.8.59
ipv4only.arpa	A 192.0.0.170 A 192.0.0.171	192.0.0.170
shavar.services.mozilla.com	CNAME shavar.prod.mozaws.net A 44.239.110.200 A 35.155.86.205 A 35.165.99.161	35.165.99.161
iplogger.org	A 104.21.4.208 A 172.67.132.113	104.21.4.208
fonts.gstatic.com	A 142.250.207.99	142.250.207.99
tracking-protection.cdn.mozilla.net	CNAME tracking-protection.prod.mozaws.net A 34.120.158.37	34.120.158.37
tracking-protection.prod.mozaws.net	A 34.120.158.37	34.120.158.37
contile.services.mozilla.com		34.117.188.166
play.google.com	A 142.250.206.206	142.250.206.206
firefox.settings.services.mozilla.com	CNAME prod.remote-settings.prod.webservices.mozgcp.net A 34.149.100.209	34.149.100.209
pool.hashvault.pro	A 131.153.76.130 A 125.253.92.50	142.202.242.43
www.reddit.com	CNAME reddit.map.fastly.net A 151.101.129.140 A 151.101.1.140 A 151.101.65.140 A 151.101.193.140	151.101.1.140
star-mini.c10r.facebook.com	AAAA 2a03:2880:f156:82:face:b00c:0:25de	157.240.215.35
www3.l.google.com	AAAA 2404:6800:400a:813::200e	142.250.206.206
push.services.mozilla.com	A 34.107.243.93	34.107.243.93
prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201
twitter.com		104.244.42.129
prod.detectportal.prod.cloudops.mozgcp.net	A 34.107.221.82	34.107.221.82
dyna.wikimedia.org	A 103.102.166.224	103.102.166.224
youtube-ui.l.google.com	AAAA 2404:6800:400a:805::200e AAAA 2404:6800:400a:80b::200e AAAA 2404:6800:400a:80a::200e AAAA 2404:6800:400a:804::200e	172.217.161.206
accounts.youtube.com	CNAME www3.l.google.com A 142.250.206.206	142.250.206.206
accounts.google.com	A 173.194.174.84 A 64.233.187.84 A 64.233.188.84	64.233.188.84
reddit.map.fastly.net	A 151.101.1.140 A 151.101.129.140 A 151.101.65.140 A 151.101.193.140	151.101.1.140
vanaheim.cn	A 213.226.112.95	213.226.112.95
www.google.com	A 142.250.76.132	142.250.76.132
steamcommunity.com	A 184.26.241.154	23.194.74.106
example.org	A 93.184.215.14	93.184.215.14
t.me	A 149.154.167.99	149.154.167.99
detectportal.firefox.com	CNAME prod.detectportal.prod.cloudops.mozgcp.net CNAME detectportal.prod.mozaws.net A 34.107.221.82	34.107.221.82
fonts.gstatic.com	AAAA 2404:6800:400a:805::2003	142.250.207.99
content-signature-2.cdn.mozilla.net	A 34.160.144.191 CNAME content-signature-chains.prod.autograph.services.mozaws.net CNAME prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.133.233
www.youtube.com	CNAME youtube-ui.l.google.com A 142.251.42.206 A 142.250.76.142 A 172.217.161.206 A 142.250.206.206 A 142.250.206.238 A 142.250.207.110 A 172.217.25.174	172.217.161.206

IP Address	Status	Action
104.21.32.226	Active	Moloch
104.26.8.59	Active	Moloch
125.253.92.50	Active	Moloch
142.250.206.206	Active	Moloch
142.250.206.227	Active	Moloch
142.250.207.99	Active	Moloch
142.250.76.132	Active	Moloch
147.45.44.104	Active	Moloch
149.154.167.99	Active	Moloch
162.159.135.233	Active	Moloch
164.124.101.2	Active	Moloch
168.119.176.241	Active	Moloch
172.67.132.113	Active	Moloch
176.111.174.109	Active	Moloch
176.111.174.92	Active	Moloch
176.113.115.135	Active	Moloch
176.113.115.136	Active	Moloch
176.113.115.84	Active	Moloch
178.63.100.241	Active	Moloch
184.26.241.154	Active	Moloch
185.215.113.16	Active	Moloch
185.215.113.19	Active	Moloch
185.215.113.24	Active	Moloch
185.225.200.214	Active	Moloch
193.143.1.5	Active	Moloch
194.58.114.223	Active	Moloch
213.226.112.95	Active	Moloch
34.107.221.82	Active	Moloch
34.107.243.93	Active	Moloch
34.117.188.166	Active	Moloch
34.117.59.81	Active	Moloch
34.120.158.37	Active	Moloch
34.149.100.209	Active	Moloch
34.160.144.191	Active	Moloch
35.244.181.201	Active	Moloch
44.239.110.200	Active	Moloch
45.143.201.238	Active	Moloch
62.122.184.58	Active	Moloch
64.233.187.84	Active	Moloch
77.105.164.24	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:62846 -> 164.124.101.2:53	2054168	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)	Device Retrieving External IP Address Detected
TCP 185.215.113.16:80 -> 192.168.56.102:49183	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.102:49185 -> 104.21.32.226:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.21.32.226:80 -> 192.168.56.102:49185	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 147.45.44.104:80 -> 192.168.56.102:49181	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
UDP 192.168.56.102:53778 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 192.168.56.102:49188 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49188 -> 162.159.135.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49188 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49177 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49177 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49177 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49177 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49189 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49189 -> 162.159.135.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49189 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49193 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49193 -> 162.159.135.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49193 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49176 -> 104.26.8.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49176 -> 104.26.8.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49192 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49192 -> 162.159.135.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49183 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49192 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49186 -> 178.63.100.241:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49186 -> 178.63.100.241:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49180 -> 147.45.44.104:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.111.174.109:80 -> 192.168.56.102:49184	2400029	ET DROP Spamhaus DROP Listed Traffic Inbound group 30	Misc Attack
TCP 194.58.114.223:80 -> 192.168.56.102:49182	2049228	ET HUNTING Redirect to Discord Attachment Download	Misc activity
TCP 192.168.56.102:49183 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49180 -> 147.45.44.104:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.102:49180	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49187 -> 104.21.32.226:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.21.32.226:80 -> 192.168.56.102:49187	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49199 -> 104.21.32.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49181 -> 147.45.44.104:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 104.21.32.226:80 -> 192.168.56.102:49196	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 147.45.44.104:80 -> 192.168.56.102:49180	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 147.45.44.104:80 -> 192.168.56.102:49180	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.102:49183	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.102:49183	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 176.111.174.109:80 -> 192.168.56.102:49184	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.111.174.109:80 -> 192.168.56.102:49184	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 176.111.174.109:80 -> 192.168.56.102:49184	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49197 -> 178.63.100.241:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49197 -> 178.63.100.241:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 147.45.44.104:80 -> 192.168.56.102:49181	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 147.45.44.104:80 -> 192.168.56.102:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49202 -> 178.63.100.241:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49202 -> 178.63.100.241:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49202 -> 178.63.100.241:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 178.63.100.241:443 -> 192.168.56.102:49202	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 178.63.100.241:443 -> 192.168.56.102:49202	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49200 -> 178.63.100.241:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49204 -> 178.63.100.241:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49204 -> 178.63.100.241:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 178.63.100.241:443 -> 192.168.56.102:49204	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 178.63.100.241:443 -> 192.168.56.102:49204	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49203 -> 178.63.100.241:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49203 -> 178.63.100.241:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49203 -> 178.63.100.241:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 178.63.100.241:443 -> 192.168.56.102:49203	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 178.63.100.241:443 -> 192.168.56.102:49203	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 185.215.113.19:80 -> 192.168.56.102:49220	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
UDP 192.168.56.102:65226 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49211 -> 184.26.241.154:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49221 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.102:49221	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49208 -> 172.67.132.113:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49208 -> 172.67.132.113:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.215.113.16:80 -> 192.168.56.102:49221	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.102:49221	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.102:49221	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49220 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.102:49216 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49216 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49216 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49217 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49217 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49217 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49222 -> 184.26.241.154:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49180 -> 147.45.44.104:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
UDP 192.168.56.102:51903 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
TCP 192.168.56.102:49220 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.102:49228 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49228 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49228 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 185.215.113.24:80 -> 192.168.56.102:49230	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 77.105.164.24:50505 -> 192.168.56.102:49207	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 192.168.56.102:49207 -> 77.105.164.24:50505	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49220 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.102:49207 -> 77.105.164.24:50505	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 168.119.176.241:443 -> 192.168.56.102:49226	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49229 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49229 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49229 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 185.215.113.24:80 -> 192.168.56.102:49230	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 185.215.113.24:80 -> 192.168.56.102:49230	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.24:80 -> 192.168.56.102:49230	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.24:80 -> 192.168.56.102:49230	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.102:49221	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49221 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.113.115.136:431 -> 192.168.56.102:49269	2400029	ET DROP Spamhaus DROP Listed Traffic Inbound group 30	Misc Attack
TCP 176.111.174.92:431 -> 192.168.56.102:49270	2400029	ET DROP Spamhaus DROP Listed Traffic Inbound group 30	Misc Attack
TCP 176.113.115.84:431 -> 192.168.56.102:49266	2400029	ET DROP Spamhaus DROP Listed Traffic Inbound group 30	Misc Attack
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 185.215.113.16:80 -> 192.168.56.102:49221	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49221 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 149.154.167.99:443 -> 192.168.56.102:49231	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 62.122.184.58:487 -> 192.168.56.102:49237	2400005	ET DROP Spamhaus DROP Listed Traffic Inbound group 6	Misc Attack
TCP 168.119.176.241:443 -> 192.168.56.102:49214	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.102:49218	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 176.113.115.135:431 -> 192.168.56.102:49268	2400029	ET DROP Spamhaus DROP Listed Traffic Inbound group 30	Misc Attack
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49230 -> 185.215.113.24:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 193.143.1.5:431 -> 192.168.56.102:49267	2400036	ET DROP Spamhaus DROP Listed Traffic Inbound group 37	Misc Attack
TCP 45.143.201.238:431 -> 192.168.56.102:49265	2400004	ET DROP Spamhaus DROP Listed Traffic Inbound group 5	Misc Attack
TCP 192.168.56.102:49217 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49177 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 194.58.114.223:80 -> 192.168.56.102:49182	2049228	ET HUNTING Redirect to Discord Attachment Download	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49176 104.26.8.59:443	C=US, O=Google Trust Services, CN=WR1	CN=myip.com	b3:80:cf:15:df:f5:53:6f:d4:e4:88:68:de:87:c0:e1:f8:3b:2c:02
TLSv1 192.168.56.102:49199 104.21.32.226:443	C=US, O=Google Trust Services, CN=WE1	CN=pinefootsteps.com	94:d4:d9:15:b2:17:0c:8c:cc:a8:86:9a:61:07:7c:ad:25:20:05:26
TLSv1 192.168.56.102:49211 184.26.241.154:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5
TLSv1 192.168.56.102:49208 172.67.132.113:443	C=US, O=Google Trust Services, CN=WE1	CN=iplogger.org	08:dd:39:df:d9:24:0d:d7:6f:12:c0:8e:bc:78:4a:76:c1:28:90:07
TLSv1 192.168.56.102:49222 184.26.241.154:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5
TLS 1.3 192.168.56.102:49244 34.117.188.166:443	None	None	None
TLS 1.2 192.168.56.102:49250 34.149.100.209:443	C=US, O=Let's Encrypt, CN=R10	CN=remote-settings.mozilla.org	f1:2b:12:34:f0:1c:73:d9:bb:9e:78:06:b4:44:db:f5:eb:ad:4b:29
TLS 1.3 192.168.56.102:49246 64.233.187.84:443	None	None	None
TLS 1.2 192.168.56.102:49247 44.239.110.200:443	C=US, O=Let's Encrypt, CN=R10	CN=*.services.mozilla.com	ed:8b:e0:ef:78:83:a1:95:a7:db:bf:4f:dd:5a:9a:5e:59:99:10:7f
TLS 1.3 192.168.56.102:49255 142.250.207.99:443	None	None	None
TLS 1.3 192.168.56.102:49249 34.149.100.209:443	None	None	None
TLS 1.3 192.168.56.102:49252 142.250.206.227:443	None	None	None
TLS 1.3 192.168.56.102:49257 34.120.158.37:443	None	None	None
TLS 1.3 192.168.56.102:49262 142.250.76.132:443	None	None	None
TLS 1.2 192.168.56.102:49279 35.244.181.201:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=California, L=San Francisco, O=Mozilla Corporation, CN=aus5.mozilla.org	4e:55:6c:d2:85:cd:87:bf:8a:91:21:6f:05:74:e4:6e:30:ba:2f:2e
TLS 1.3 192.168.56.102:49224 125.253.92.50:443	None	None	None
TLS 1.2 192.168.56.102:49245 34.160.144.191:443	C=US, O=Let's Encrypt, CN=R10	CN=content-signature-2.cdn.mozilla.net	75:83:22:ea:ae:d7:a3:f9:6e:ae:fd:c8:cd:f9:c9:a3:32:d1:e2:9d
TLS 1.2 192.168.56.102:49243 35.244.181.201:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=California, L=San Francisco, O=Mozilla Corporation, CN=aus5.mozilla.org	4e:55:6c:d2:85:cd:87:bf:8a:91:21:6f:05:74:e4:6e:30:ba:2f:2e
TLS 1.3 192.168.56.102:49254 34.120.158.37:443	None	None	None
TLS 1.3 192.168.56.102:49248 34.107.243.93:443	None	None	None
TLS 1.3 192.168.56.102:49258 142.250.206.206:443	None	None	None
TLS 1.3 192.168.56.102:49261 142.250.206.206:443	None	None	None
TLS 1.3 192.168.56.102:49251 34.120.158.37:443	None	None	None
TLS 1.3 192.168.56.102:49256 142.250.207.99:443	None	None	None
TLS 1.3 192.168.56.102:49260 142.250.206.206:443	None	None	None

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 5, 2024, 3:18 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 5, 2024, 3:18 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (31 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://185.225.200.214/api/crazyfish.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://185.225.200.214/api/twofish.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://147.45.44.104/lopsa/66af4e35e761b_doz.exe#mene
suspicious_features	Connection to IP address	suspicious_request	HEAD http://147.45.44.104/prog/66ade58a5e39e_tgertert.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.58.114.223/d/525403
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.16/nemo/herso.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://176.111.174.109/socker
suspicious_features	Connection to IP address	suspicious_request	GET http://176.111.174.109/socker
suspicious_features	Connection to IP address	suspicious_request	GET http://194.58.114.223/d/525403
suspicious_features	Connection to IP address	suspicious_request	HEAD http://147.45.44.104/prog/66af531b832ee_main.exe#space
suspicious_features	Connection to IP address	suspicious_request	HEAD http://147.45.44.104/prog/66af45d13a3cb_xincz.exe#xin
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.16/nemo/herso.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://147.45.44.104/prog/66af31c75d213_123p.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://147.45.44.104/lopsa/66af4e35e761b_doz.exe#mene
suspicious_features	Connection to IP address	suspicious_request	GET http://147.45.44.104/prog/66ade58a5e39e_tgertert.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://147.45.44.104/prog/66af531b832ee_main.exe#space
suspicious_features	Connection to IP address	suspicious_request	GET http://147.45.44.104/prog/66af45d13a3cb_xincz.exe#xin
suspicious_features	Connection to IP address	suspicious_request	GET http://147.45.44.104/prog/66af31c75d213_123p.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.19/Vi9leo/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/steam/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/well/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.24/e2b1563c6670f193.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.24/0d60be0de163924d/vcruntime140.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://steamcommunity.com/profiles/76561199747278259

Performs some HTTP requests (37 events)

request	GET http://185.225.200.214/api/crazyfish.php
request	POST http://185.225.200.214/api/twofish.php
request	HEAD http://147.45.44.104/lopsa/66af4e35e761b_doz.exe#mene
request	HEAD http://147.45.44.104/prog/66ade58a5e39e_tgertert.exe
request	HEAD http://194.58.114.223/d/525403
request	HEAD http://185.215.113.16/nemo/herso.exe
request	HEAD http://176.111.174.109/socker
request	GET http://176.111.174.109/socker
request	GET http://194.58.114.223/d/525403
request	HEAD http://147.45.44.104/prog/66af531b832ee_main.exe#space
request	HEAD http://147.45.44.104/prog/66af45d13a3cb_xincz.exe#xin
request	GET http://185.215.113.16/nemo/herso.exe
request	HEAD http://147.45.44.104/prog/66af31c75d213_123p.exe
request	GET http://147.45.44.104/lopsa/66af4e35e761b_doz.exe#mene
request	GET http://147.45.44.104/prog/66ade58a5e39e_tgertert.exe
request	GET http://147.45.44.104/prog/66af531b832ee_main.exe#space
request	GET http://147.45.44.104/prog/66af45d13a3cb_xincz.exe#xin
request	GET http://147.45.44.104/prog/66af31c75d213_123p.exe
request	POST http://185.215.113.19/Vi9leo/index.php
request	GET http://185.215.113.16/steam/random.exe
request	GET http://185.215.113.16/well/random.exe
request	GET http://185.215.113.24/
request	POST http://185.215.113.24/e2b1563c6670f193.php
request	GET http://185.215.113.24/0d60be0de163924d/sqlite3.dll
request	GET http://185.215.113.24/0d60be0de163924d/freebl3.dll
request	GET http://185.215.113.24/0d60be0de163924d/mozglue.dll
request	GET http://185.215.113.24/0d60be0de163924d/msvcp140.dll
request	GET http://185.215.113.24/0d60be0de163924d/nss3.dll
request	GET http://185.215.113.24/0d60be0de163924d/softokn3.dll
request	GET http://185.215.113.24/0d60be0de163924d/vcruntime140.dll
request	GET http://detectportal.firefox.com/canonical.html
request	GET http://detectportal.firefox.com/success.txt?ipv4
request	GET http://www.google.com/
request	GET https://api.myip.com/
request	GET https://stan.pinefootsteps.com/ssl/crt.exe
request	GET https://iplogger.org/1nhuM4.js
request	GET https://steamcommunity.com/profiles/76561199747278259

Sends data using the HTTP POST Method (3 events)

request	POST http://185.225.200.214/api/twofish.php
request	POST http://185.215.113.19/Vi9leo/index.php
request	POST http://185.215.113.24/e2b1563c6670f193.php

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 5, 2024, 3:18 p.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74002000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 5, 2024, 3:18 p.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737e3000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (31 events)

file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\updates\ILU.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Cache_Data\CbsCore.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\WsmSvc.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Cache_Data\AudioEng.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\updates\Uninstall\unins000.exe
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\System.AddIn.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Windows.Networking.Vpn.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\sppinst.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\res_mods\GdiPlus.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Cache_Data\clr.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Cache_Data\mfmp4srcsnk.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\System.Web.DynamicData.Design.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\ServiceModelPerformanceCounters.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\System.Transactions.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\msvcr90.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\Setup.exe
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\System.Speech.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\webengine.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\WindowsBase.resources.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\InstallUtilLib.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\PrimitiveTransformers.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\SettingsHandlers_OneDriveBackup.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\Aspnet_perf.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Cache_Data\Microsoft.Uev.AppAgent.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\wpfgfx_v0400.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\wsp_health.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\WMINet_Utils.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\PenIMC_v0400.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\dll\PresentationNative_v0400.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\Cache_Data\certmgr.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8386E054\updates\msxml6.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 5, 2024, 3:18 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW Aug. 5, 2024, 3:18 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (16 events)

host	147.45.44.104
host	168.119.176.241
host	176.111.174.109
host	176.111.174.92
host	176.113.115.135
host	176.113.115.136
host	176.113.115.84
host	185.215.113.16
host	185.215.113.19
host	185.215.113.24
host	185.225.200.214
host	193.143.1.5
host	194.58.114.223
host	45.143.201.238
host	62.122.184.58
host	77.105.164.24

Generates some ICMP traffic

archive.7z

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All