Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
9001	2023-10-28 12:54	HTMLIEbrowserhistory.vbs a32dfa1497c07d6c81f1c0ca839cbf03 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key	4 Keyword trend analysis	5	2		9.6	M	5	ZeroCERT

9002	2023-10-28 12:58	GSW.txt.exe 584252105f5f7f2ab0bad8d1cc9a1bd4 Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed		2	4		5.2		48	ZeroCERT

9003	2023-10-28 12:58	HDV.txt.exe cb9088db397e3a4cc261a65902056464 Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Telegram suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed		4	6 Info ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) ET HUNTING Telegram API Domain in DNS Lookup		5.2		42	ZeroCERT

9004	2023-10-28 13:00	KLV.txt.exe ad0080738beb0f1c978ebd471e918ffe Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed		2	4		5.2		42	ZeroCERT

9005	2023-10-28 18:50	HTMLIEbrowserHistoryClean.doc 5ad1dfb31daa5015f4fdc8af08b50ae9 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash Tofsee Exploit crashed		2	3		2.4	M	30	ZeroCERT

9006	2023-10-28 18:53	HTMLDesginBrowserInternet.dOC c6f17e9d8c72950b1100f1ab9c3ab77d MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash Tofsee Exploit crashed		2	3		2.2	M	26	ZeroCERT

9007	2023-10-28 18:57	HTMLIEBrowserhistory.doc f7b8200be0d768ab8fdc7ef3203267e8 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash Tofsee Exploit DNS crashed	4 Keyword trend analysis	6	3	1	3.6	M	29	ZeroCERT

9008	2023-10-28 19:04	ngfor.vbs 974b499ef10e95adc829e98ec09d6565 VirusTotal Malware buffers extracted wscript.exe payload download Tofsee	1 Keyword trend analysis	2	2		3.0		8	ZeroCERT

9009	2023-10-28 19:04	cincocicnnc.vbs 13f5fea2cf9c8eab90170dfda8194c09 VirusTotal Malware buffers extracted wscript.exe payload download Tofsee	1 Keyword trend analysis	2	2		3.0		8	ZeroCERT

9010	2023-10-28 19:08	xlaexpoittt.vbs 08c5dddd1b41a03887c72314ea20d249 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key	4 Keyword trend analysis	5	2		9.6		7	ZeroCERT

9011	2023-10-30 07:52	123.exe e374462a741bd8b228f22b33bb62f83f Emotet Gen1 Generic Malware NSIS Malicious Library UPX Malicious Packer Antivirus Admin Tool (Sysinternals etc ...) Anti_VM AntiDebug AntiVM PE File PE64 OS Processor Check PNG Format PE32 DLL MZP Format ZIP Format JPEG Format DllRegisterServer dll BMP Malware download Cryptocurrency Miner Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk suspicious TLD WriteConsoleW VM Disk Size Check Tofsee Ransomware Windows ComputerName DNS crashed Downloader CoinMiner	9 Keyword trend analysis Info http://85.217.144.143/files/My2.exe - rule_id: 34643 http://dl2-broomcleaner.online/InstallSetup6.exe http://pic.himanfast.com/order/tuc15.exe http://galandskiyher5.com/downloads/toolspub1.exe - rule_id: 37396 http://apps.identrust.com/roots/dstrootcax3.p7c http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 https://pastebin.com/raw/E0rY26ni https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 https://yip.su/RNWPd.exe - rule_id: 37623	29 Info 632432.space(171.22.28.204) iplogger.com(148.251.234.93) - mailcious insuport.com(69.90.162.0) gobs2or.top() foryourbar.org(104.21.22.166) laubenstein.space() - mailcious dl2-broomcleaner.online(37.139.129.88) pastebin.com(172.67.34.170) - mailcious yip.su(104.21.79.77) - mailcious net.geo.opera.com(107.167.110.216) galandskiyher5.com(95.214.26.28) - malware pic.himanfast.com(104.21.6.189) lycheepanel.info(104.21.32.208) - malware pool.hashvault.pro(131.153.76.130) - mailcious 104.21.6.189 107.167.110.211 104.21.22.166 - mailcious 74.119.239.234 - mailcious 37.139.129.88 - mailcious 95.214.26.28 172.67.187.122 - malware 148.251.234.93 - mailcious 104.20.68.143 - mailcious 85.217.144.143 - malware 171.22.28.204 121.254.136.9 172.67.169.89 69.90.162.0 131.153.76.130 - mailcious	15 Info ET DNS Query to a *.top domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DNS Query for .su TLD (Soviet Union) Often Malware Related ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO TLS Handshake Failure ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE - Served Attached HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	3	19.4	M		ZeroCERT

9012	2023-10-30 09:53	File.7z af9d7f78e54912ec053e221309ce9288 PrivateLoader Stealc Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Malware c&c Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser RisePro Trojan DNS Downloader	57 Keyword trend analysis Info http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907 http://gobo06fc.top/build.exe http://109.107.182.2/race/bus50.exe - rule_id: 37496 http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911 http://85.217.144.143/files/My2.exe - rule_id: 34643 http://apps.identrust.com/roots/dstrootcax3.p7c http://185.172.128.69/newumma.exe - rule_id: 37499 http://45.15.156.229/api/firegate.php - rule_id: 36052 http://194.169.175.233/setup.exe - rule_id: 37614 http://171.22.28.221/files/Ads.exe - rule_id: 37468 http://94.142.138.113/api/tracemap.php - rule_id: 28877 http://193.42.32.118/api/firegate.php - rule_id: 36458 http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=N8ipci53dhrAtaIs0Z9qUQyn.exe&platform=0009&osver=5&isServer=0 http://171.22.28.226/download/Services.exe - rule_id: 37064 http://howardwood.top/e9c345fc99a4e67e.php - rule_id: 37562 http://pic.himanfast.com/order/tuc15.exe http://galandskiyher5.com/downloads/toolspub1.exe - rule_id: 37396 http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://77.91.124.1/theme/index.php - rule_id: 37040 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://193.233.255.73/loghub/master - rule_id: 37500 http://94.142.138.113/api/firegate.php - rule_id: 36152 http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358 http://193.42.32.118/api/firecom.php - rule_id: 36700 http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 http://www.maxmind.com/geoip/v2.1/city/me http://171.22.28.213/3.exe - rule_id: 37068 https://vk.com/doc493219498_672749745?hash=vAQNipawtX2M4kWLArPas0dqtYNjH5RFCiVEd2pEIu4&dl=zs8nRnVXgwetD0qYQFA8MtFtd4cvDsVE0LU7wM7ccnc&api=1&no_preview=1#2nc https://sun6-22.userapi.com/c237331/u493219498/docs/d49/b66400c9570a/2ncbjsgb.bmp?extra=p2I3_ac90QTyfY6tbGK3zTRsl8m01Mz5djnbH0Ck0s4rGpSkCVCS7E6ustd-k9k2DFGN53ueucr7M4QfOa63zoJ2ZD_KMLnUwsW4_sqVLCJy-JNcMyNXNYbofQd9M3HyKPO58VhCujni2lOB3g https://experiment.pw/setup294.exe - rule_id: 37436 https://vk.com/doc493219498_672788896?hash=qnDUhqn6hBDJzFWRnaSA0Z01GHFgFVba0yvHW6T79g0&dl=z7JZ3UTuMeYJqYgthVY47dZ7u7lnpTKYGCV9OgRhcJk&api=1&no_preview=1#ww11 https://sun6-23.userapi.com/c909518/u52355237/docs/d59/a7848d68c935/d432j89adg.bmp?extra=DOXVoEGDlhZ3qZpcWGZKTe_UaEJzSsHgQykmKEMHGAGyIwckz27zGXQn5e3tFqhKgAR5VwnJ7-mFCcKTAreATgHzptPdOONZ7bj5sYWy5TncTuLhz72Y4EkRR9-tgpmWSr316irJ85QgRDn2 https://api.myip.com/ https://vk.com/doc493219498_672804512?hash=k6gVocJtWMIGa4eR2u3BEQexXtjJzptcjPX2TpQvyHP&dl=RdWtWX0NOjUuv5jSqHuHLHgdyH9LhrvA8lQtBVZeJGP&api=1&no_preview=1#test22 https://pastebin.com/raw/xYhKBupz - rule_id: 36780 https://sun6-22.userapi.com/c237331/u493219498/docs/d54/558531b87f51/tmvwr.bmp?extra=H9R0hZa8Qk6cfwzu-uVl0xdtbNwDJ_qVhAKxlWQvT7ZL7P0K9If8jRa1oF86go-dE3dA08rsIQveSpHe-iiv1ThMDn3G4QIaLwGnvIAV4Ph6fiw5h0YEo-GD94rsUiKYsaf82cfzGyrdCn4tPA https://vk.com/doc493219498_672768541?hash=tpdx8YXg91Y3FlT5s0RAbnPmPS1Zzyo9eLqcOzyWZYc&dl=WDy5pNA0ek7levBiA9WZCVFsr80DioWsqEq14iAXX84&api=1&no_preview=1 https://yip.su/RNWPd.exe - rule_id: 37623 https://sun6-22.userapi.com/c909328/u825067038/docs/d10/dbd8180ea057/red.bmp?extra=1JmdCVOFWNFJ4b0PUaHk6aYVa-GAdpx4zCub1qMiqMDHFtHWM6rVmhZlRPJIQoo9YC7rLCtbjS-B_Ifo79si4vee5Y0mjPAb6f5isYmV2i-Zkew_BPBG9xDPvdfknsmAM5HCGCNmC6fq1Zz_5Q https://neuralshit.net/d90081187817a6ae1976603702b44d57/7725eaa6592c80f8124e769b4e8a07f7.exe https://sun6-22.userapi.com/c909518/u493219498/docs/d15/cb31b59ccd86/crypted.bmp?extra=4kM18eBBAFBYEBmT5K7ny9mwreXTxNP8Pc37HIDLBK5ek10xCo2u4vHn3EGEVScsV_bwEm_dCfHZHlPo00U0xxggi6bYqXDx-w-CAA82GXgAYpeBC2H64fDflmGqWK4BrgxVFxzdUb3hNKsJwA https://dzen.ru/?yredirect=true https://potatogoose.com/d90081187817a6ae1976603702b44d57/baf14778c246e15550645e30ba78ce1c.exe https://sso.passport.yandex.ru/push?uuid=edf1cf2f-872e-44da-a11f-d65d4aa510cb&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue https://vk.com/doc493219498_672808934?hash=3h4ko75BxWR7bDzmYDEVeLjJ3bMDZMmqJwpesGGRjEk&dl=3LiOPpNlxlxNezlWVYBcUr4wZeMfTqteUGyDAC5FvTH&api=1&no_preview=1#risepro https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 https://sun6-21.userapi.com/c237031/u493219498/docs/d9/f44badf38306/file291023.bmp?extra=7GE1C-EwQJy_8FKCjjzYwfovOf4Pj0g-Cl_UrB7R49OFcoW7unCyKfxTxR_7WcIlEFwgS1BpZkRO6_IxFUMs9s1dkCAxEl2iW6ipYPPcF8YpO894lNyZj98WPNuVnpJRwiX5zkQEf0sM6bBO6w https://api.2ip.ua/geo.json https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783 https://sun6-20.userapi.com/c237331/u825067038/docs/d49/62f94930727d/PL_Client.bmp?extra=WKl12ZsgAl5B4caqcSa25bxYZG3KBVnP2hYZwJDXWNs_yGCBkyjXZTNurElPkE9In2UcIRR-dFstveJcJExDb_UzJWORx7bCJ8KJ7BEJIg3Q36N2Ph-OCyoWZvJ8c1crDANitolP42kcuubVrA https://vk.com/doc493219498_672795139?hash=7g3rgnU3d1p1j83fiPQfRd7uuNjdLnKy3K6hXX8CtxX&dl=MA21iZj9gcnP18Dr8zFAZlCUyOz91OUA5qwGoDcp2x8&api=1&no_preview=1#1 https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://vk.com/doc493219498_672789104?hash=wRQw6qpepE0sgtYf8bKOdwqZHHaauqkqH01POIsTcu0&dl=sxCzUpMz5PwDpI7atdJZ9Qxm6xZkLHmABBIpqrCKNNz&api=1&no_preview=1 https://sun6-21.userapi.com/c909418/u493219498/docs/d37/87bca5c0f023/WWW11_32.bmp?extra=n16gKuSgFdbzbUndRH-3kdNwVpz2zKmV3LlQchJqLUsE-c9iUv7t_p_pR0w79iXmFpT0lWfj7boucWuSJsujP5mwBohC4ZZWZ_T1e-fFJr_bwekVyE48EtEJJWgTD5KaXmtFbI1JiwT0CNI8iw https://sun6-23.userapi.com/c909228/u493219498/docs/d37/c664a593c9eb/RisePro.bmp?extra=UvO5MwYWbFe33V5P002LfJF3-ELPApRSrucm2DXQv0XU-cC5kXzn71n2lGd9PIPpkmCr04vYXMlGRFZVyUNF7HTCzkx3_PsxIozMLvqZivMASXprmQ-K5cEk-WFG4lVzUVpkFY8cnnOkVLkUxA https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716	105 Info neuralshit.net(172.67.134.35) - malware gobo06fc.top(176.57.208.22) db-ip.com(104.26.4.15) www.paypal.com(151.101.193.21) ipinfo.io(34.117.59.81) accounts.google.com(142.250.206.205) sun6-23.userapi.com(95.142.206.3) - mailcious galandskiyher5.com(95.214.26.28) - malware potatogoose.com(104.21.35.235) - malware dzen.ru(62.217.160.2) medfioytrkdkcodlskeej.net(91.215.85.209) - malware learn.microsoft.com(23.52.33.172) api.2ip.ua(172.67.139.220) iplogger.org(148.251.234.83) - mailcious laubenstein.space() - mailcious twitter.com(104.244.42.193) telegram.org(149.154.167.99) yip.su(172.67.169.89) - mailcious sun6-20.userapi.com(95.142.206.0) - mailcious octocrabs.com(104.21.21.189) - mailcious pic.himanfast.com(172.67.135.47) sun6-21.userapi.com(95.142.206.1) - mailcious sso.passport.yandex.ru(213.180.204.24) lakuiksong.known.co.ke(146.59.70.14) - malware experiment.pw(172.67.167.220) - malware www.youtube.com(142.250.206.206) - mailcious net.geo.opera.com(107.167.110.211) dl1-broomcleaner.online() iplogger.com(148.251.234.93) - mailcious zexeq.com(190.224.203.37) - malware api.db-ip.com(172.67.75.166) albertwashington.icu(37.139.129.88) - malware 632432.space(171.22.28.204) yandex.ru(77.88.55.88) api.myip.com(104.26.8.59) sun6-22.userapi.com(95.142.206.2) - mailcious howardwood.top(37.139.129.88) - mailcious pastebin.com(104.20.67.143) - mailcious flyawayaero.net(104.21.93.225) - malware www.maxmind.com(104.18.145.235) vk.com(87.240.129.133) - mailcious iplis.ru(148.251.234.93) - mailcious lycheepanel.info(172.67.187.122) - malware 148.251.234.93 - mailcious 194.169.175.128 - mailcious 142.250.66.110 104.18.146.235 172.67.187.122 - malware 77.91.124.1 - malware 194.169.175.220 62.217.160.2 104.244.42.1 - suspicious 193.233.255.73 - mailcious 85.217.144.143 - malware 208.67.104.60 - mailcious 172.67.169.89 104.20.67.143 - mailcious 104.21.6.189 193.42.32.118 - mailcious 104.21.34.37 - phishing 142.251.130.13 91.215.85.209 - mailcious 95.214.26.28 121.254.136.18 190.187.52.42 171.22.28.226 - malware 87.240.132.78 - mailcious 171.22.28.221 - malware 34.117.59.81 171.22.28.204 172.67.200.10 - mailcious 176.57.208.22 104.21.35.235 - malware 77.88.55.60 148.251.234.83 185.225.75.171 - mailcious 74.119.239.234 - mailcious 37.139.129.88 - mailcious 172.67.134.35 - malware 213.180.204.24 77.91.124.86 185.172.128.69 - malware 172.67.75.166 194.169.175.233 - malware 94.142.138.131 - mailcious 149.154.167.99 - mailcious 192.229.232.89 121.254.136.9 107.167.110.211 45.15.156.229 - mailcious 104.26.9.59 104.26.4.15 87.240.137.164 - mailcious 95.142.206.3 - mailcious 95.142.206.2 - mailcious 172.67.139.220 95.142.206.0 - mailcious 104.21.93.225 - phishing 146.59.70.14 - malware 194.169.175.234 - mailcious 94.142.138.113 - mailcious 23.52.33.172 109.107.182.2 - malware 95.142.206.1 - mailcious 171.22.28.213 - malware	48 Info ET DROP Spamhaus DROP Listed Traffic Inbound group 7 SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET HUNTING Suspicious services.exe in URI ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET DNS Query to a .pw domain - Likely Hostile ET INFO DNS Query for Suspicious .icu Domain ET HUNTING Possible EXE Download From Suspicious TLD ET INFO TLS Handshake Failure ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET DNS Query to a .top domain - Likely Hostile ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET INFO HTTP Request to a *.top domain ET MALWARE Redline Stealer Activity (Response) ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Packed Executable Download ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET HUNTING Request to .TOP Domain with Minimal Headers ET INFO EXE - Served Attached HTTP ET DNS Query for .su TLD (Soviet Union) Often Malware Related SURICATA HTTP unable to match response to request	27 Info http://171.22.28.226/download/WWW14_64.exe http://109.107.182.2/race/bus50.exe http://zexeq.com/test2/get.php http://85.217.144.143/files/My2.exe http://185.172.128.69/newumma.exe http://45.15.156.229/api/firegate.php http://194.169.175.233/setup.exe http://171.22.28.221/files/Ads.exe http://94.142.138.113/api/tracemap.php http://193.42.32.118/api/firegate.php http://171.22.28.226/download/Services.exe http://howardwood.top/e9c345fc99a4e67e.php http://galandskiyher5.com/downloads/toolspub1.exe http://94.142.138.131/api/tracemap.php http://193.42.32.118/api/tracemap.php http://77.91.124.1/theme/index.php http://45.15.156.229/api/tracemap.php http://193.233.255.73/loghub/master http://94.142.138.113/api/firegate.php http://lakuiksong.known.co.ke/netTimer.exe http://193.42.32.118/api/firecom.php http://171.22.28.213/3.exe https://experiment.pw/setup294.exe https://pastebin.com/raw/xYhKBupz https://yip.su/RNWPd.exe https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe	7.0	M		ZeroCERT

9013	2023-10-30 17:40	HTMLIEsearchHistory.vbs c3331ba028e5bac96943a698e5147891 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key	3 Keyword trend analysis	4	2		9.0	M	5	ZeroCERT

9014	2023-10-30 17:40	HTMLhistoryClearner.dOC ab5d39905d80955d987393bd55dc63af MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Tofsee Exploit crashed		2	3		2.6	M	29	ZeroCERT

9015	2023-10-30 17:41	HTMLIEcontentHistory.vbs 329ec572360f8e6cdddd1d7304e77001 VirusTotal Malware wscript.exe payload download Tofsee	1 Keyword trend analysis	2	2		2.0	M	5	ZeroCERT