Analysis

Category Package Started Completed Duration
PCAP 2020-04-20 22:31:40 2020-04-20 22:31:40 0 seconds

Signatures

Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Fake Firefox Font Update
signature: ET JA3 Hash - [Abuse.ch] Possible Dridex
signature: SURICATA Applayer Detect protocol only one direction
signature: ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
signature: ET CURRENT_EVENTS WinHttpRequest Downloading EXE
signature: ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non-exe extension

Hosts

Direct IP Country Name
Y 91.211.88.122 [VT] unknown
N 72.21.81.200 [VT] United States
N 49.51.172.56 [VT] China
N 40.126.5.35 [VT] United States
N 23.54.20.139 [VT] United States
N 204.79.197.254 [VT] United States
N 204.79.197.222 [VT] United States
N 13.107.4.254 [VT] United States
N 13.107.3.254 [VT] United States
Y 13.107.246.10 [VT] United States

DNS

Name Response Post-Analysis Lookup
_ldap._tcp.dc._msdcs.one-hot-mess.com [VT]
One-Hot-Mess-DC.one-hot-mess.com [VT] A 172.17.8.8 [VT]
_ldap._tcp.dc._msdcs.localdomain.one-hot-mess.com [VT] NXDOMAIN
wpad.one-hot-mess.com [VT]
wpad.localdomain [VT]
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.one-hot-mess.com [VT]
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.one-hot-mess.com [VT]
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.one-hot-mess.com [VT]
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.one-hot-mess.com [VT]
_ldap._tcp.Default-First-Site-Name._sites.one-hot-mess.com [VT]
DESKTOP-TZMKHKC.one-hot-mess.com [VT]
one-hot-mess.com [VT] CNAME DESKTOP-TZMKHKC.one-hot-mess.com [VT]
CNAME DESKTOP-TZMKHKC.one-hot-mess.com [VT]
ONE-HOT-MESS.NET [VT]
s-ring.msedge.net [VT] CNAME s-9999.s-msedge.net [VT]
CNAME s-ring.s-9999.s-msedge.net [VT]
A 13.107.3.254 [VT]
13.107.3.254 [VT]
ow1.res.office365.com [VT] CNAME ow1.res.office365.com.edgekey.net [VT]
A 23.54.20.139 [VT]
CNAME e1875.g.akamaiedge.net [VT]
184.27.136.81 [VT]
c-ring.msedge.net [VT] CNAME c-ring.c-9999.c-msedge.net [VT]
CNAME c-9999.c-msedge.net [VT]
A 13.107.4.254 [VT]
13.107.4.254 [VT]
login.microsoftonline.com [VT] A 40.126.5.37 [VT]
A 20.190.133.66 [VT]
CNAME www.tm.a.prd.aadg.akadns.net [VT]
A 20.190.133.75 [VT]
A 40.126.5.35 [VT]
A 40.126.5.98 [VT]
CNAME prda.aadg.msidentity.com [VT]
A 40.126.5.99 [VT]
A 20.190.133.76 [VT]
A 40.126.5.100 [VT]
40.126.0.70 [VT]
_gc._tcp.Default-First-Site-Name._sites.one-hot-mess.com [VT]
blueflag.xyz [VT] A 49.51.172.56 [VT]
fp.msedge.net [VT] CNAME 1.perf.msedge.net [VT]
CNAME a-0019.a-msedge.net [VT]
A 204.79.197.222 [VT]
204.79.197.222 [VT]
fp-vp.azureedge.net [VT] CNAME cs9.wpc.v0cdn.net [VT]
CNAME fp-vp.ec.azureedge.net [VT]
A 72.21.81.200 [VT]
72.21.81.200 [VT]
a-ring.msedge.net [VT] CNAME a-9999.a-msedge.net [VT]
CNAME a-ring.a-9999.a-msedge.net [VT]
A 204.79.197.254 [VT]
204.79.197.254 [VT]

TCP

Source Source Port Destination Destination Port

UDP

Source Source Port Destination Destination Port

HTTP Requests

URI Data
http://blueflag.xyz/nCvQOQHCBjZFfiJvyVGA/yrkbdmt.bin
GET /nCvQOQHCBjZFfiJvyVGA/yrkbdmt.bin HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: blueflag.xyz

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-02-21 00:53:52.386 172.17.8.8 [VT] 88 172.17.8.174 [VT] 49675 TCP 1 2260002 1 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode 3
2020-02-21 00:53:52.388 172.17.8.8 [VT] 88 172.17.8.174 [VT] 49676 TCP 1 2260002 1 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode 3
2020-02-21 00:53:52.398 172.17.8.8 [VT] 88 172.17.8.174 [VT] 49678 TCP 1 2260002 1 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode 3
2020-02-21 00:53:55.853 172.17.8.174 [VT] 62362 172.17.8.8 [VT] 53 UDP 1 2009702 5 ET POLICY DNS Update From External net Potential Corporate Privacy Violation 1
2020-02-21 00:54:01.628 172.17.8.8 [VT] 88 172.17.8.174 [VT] 49702 TCP 1 2260002 1 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode 3
2020-02-21 00:54:03.445 172.17.8.174 [VT] 49705 52.114.132.22 [VT] 443 TCP 1 2028371 2 ET JA3 Hash - Possible Malware - Fake Firefox Font Update Unknown Traffic 3
2020-02-21 00:54:12.086 172.17.8.8 [VT] 88 172.17.8.174 [VT] 49706 TCP 1 2260002 1 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode 3
2020-02-21 00:54:12.195 172.17.8.8 [VT] 88 172.17.8.174 [VT] 49711 TCP 1 2260002 1 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode 3
2020-02-21 00:55:07.624 49.51.172.56 [VT] 80 172.17.8.174 [VT] 49731 TCP 1 2018959 4 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation 1
2020-02-21 00:55:07.624 49.51.172.56 [VT] 80 172.17.8.174 [VT] 49731 TCP 1 2019822 7 ET CURRENT_EVENTS WinHttpRequest Downloading EXE A Network Trojan was detected 1
2020-02-21 00:55:07.624 49.51.172.56 [VT] 80 172.17.8.174 [VT] 49731 TCP 1 2022653 2 ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non-exe extension A Network Trojan was detected 1
2020-02-21 00:59:23.563 172.17.8.174 [VT] 49743 52.114.132.22 [VT] 443 TCP 1 2028371 2 ET JA3 Hash - Possible Malware - Fake Firefox Font Update Unknown Traffic 3
2020-02-21 01:08:50.056 172.17.8.174 [VT] 62976 172.17.8.8 [VT] 53 UDP 1 2009702 5 ET POLICY DNS Update From External net Potential Corporate Privacy Violation 1
2020-02-21 01:09:15.007 172.17.8.174 [VT] 49753 52.109.2.55 [VT] 443 TCP 1 2028371 2 ET JA3 Hash - Possible Malware - Fake Firefox Font Update Unknown Traffic 3
2020-02-21 01:09:16.106 172.17.8.174 [VT] 49754 23.54.20.119 [VT] 443 TCP 1 2028371 2 ET JA3 Hash - Possible Malware - Fake Firefox Font Update Unknown Traffic 3
2020-02-21 01:09:17.869 172.17.8.174 [VT] 49755 13.107.3.128 [VT] 443 TCP 1 2028371 2 ET JA3 Hash - Possible Malware - Fake Firefox Font Update Unknown Traffic 3
2020-02-21 01:09:18.124 172.17.8.174 [VT] 49758 13.107.3.128 [VT] 443 TCP 1 2028371 2 ET JA3 Hash - Possible Malware - Fake Firefox Font Update Unknown Traffic 3
2020-02-21 01:09:18.126 172.17.8.174 [VT] 49759 13.107.3.128 [VT] 443 TCP 1 2028371 2 ET JA3 Hash - Possible Malware - Fake Firefox Font Update Unknown Traffic 3
2020-02-21 01:09:18.127 172.17.8.174 [VT] 49756 13.107.3.128 [VT] 443 TCP 1 2028371 2 ET JA3 Hash - Possible Malware - Fake Firefox Font Update Unknown Traffic 3
2020-02-21 01:09:18.129 172.17.8.174 [VT] 49757 13.107.3.128 [VT] 443 TCP 1 2028371 2 ET JA3 Hash - Possible Malware - Fake Firefox Font Update Unknown Traffic 3
2020-02-21 01:11:48.890 172.17.8.174 [VT] 49760 91.211.88.122 [VT] 443 TCP 1 2028765 2 ET JA3 Hash - [Abuse.ch] Possible Dridex Unknown Traffic 3
2020-02-21 01:11:48.934 91.211.88.122 [VT] 443 172.17.8.174 [VT] 49760 TCP 1 2023476 5 ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) A Network Trojan was detected 1
2020-02-21 01:11:51.961 172.17.8.174 [VT] 49763 91.211.88.122 [VT] 443 TCP 1 2028765 2 ET JA3 Hash - [Abuse.ch] Possible Dridex Unknown Traffic 3
2020-02-21 01:11:51.965 91.211.88.122 [VT] 443 172.17.8.174 [VT] 49763 TCP 1 2023476 5 ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) A Network Trojan was detected 1
2020-02-21 01:11:56.672 172.17.8.174 [VT] 49767 91.211.88.122 [VT] 443 TCP 1 2028765 2 ET JA3 Hash - [Abuse.ch] Possible Dridex Unknown Traffic 3
2020-02-21 01:11:56.676 91.211.88.122 [VT] 443 172.17.8.174 [VT] 49767 TCP 1 2023476 5 ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) A Network Trojan was detected 1
2020-02-21 01:12:03.447 172.17.8.174 [VT] 49770 91.211.88.122 [VT] 443 TCP 1 2028765 2 ET JA3 Hash - [Abuse.ch] Possible Dridex Unknown Traffic 3
2020-02-21 01:12:03.451 91.211.88.122 [VT] 443 172.17.8.174 [VT] 49770 TCP 1 2023476 5 ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) A Network Trojan was detected 1

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-02-21 00:54:03.445 172.17.8.174 [VT] 49705 52.114.132.22 [VT] 443 CN=*.events.data.microsoft.com 33:b3:b7:e9:da:25:f5:a0:04:e9:63:87:b6:fb:54:77:db:ed:27:eb TLS 1.2
2020-02-21 00:54:18.016 172.17.8.174 [VT] 49718 204.79.197.200 [VT] 443 CN=www.bing.com 62:91:45:76:dc:0a:fa:c8:3c:48:04:bc:c2:c1:b7:00:a6:11:39:fe TLS 1.2
2020-02-21 00:54:18.021 172.17.8.174 [VT] 49720 13.107.4.254 [VT] 443 CN=*.clo.footprintdns.com e9:46:fa:5d:7c:f8:13:56:ce:18:88:60:74:fd:36:35:ba:55:84:2b TLS 1.2
2020-02-21 00:54:18.026 172.17.8.174 [VT] 49717 204.79.197.200 [VT] 443 CN=www.bing.com 62:91:45:76:dc:0a:fa:c8:3c:48:04:bc:c2:c1:b7:00:a6:11:39:fe TLS 1.2
2020-02-21 00:54:18.134 172.17.8.174 [VT] 49719 23.54.20.139 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=*.res.outlook.com 65:0f:a4:ee:5f:63:db:e0:2b:49:8d:e9:4c:32:f2:6a:16:b1:f5:1a TLS 1.2
2020-02-21 00:54:21.148 172.17.8.174 [VT] 49721 13.107.3.254 [VT] 443 CN=*.msedge.net fa:81:e0:d1:e5:51:62:0c:6f:dc:ca:ef:7e:bf:06:44:0d:cd:0a:97 TLS 1.2
2020-02-21 00:54:22.370 172.17.8.174 [VT] 49722 204.79.197.200 [VT] 443 CN=www.bing.com 62:91:45:76:dc:0a:fa:c8:3c:48:04:bc:c2:c1:b7:00:a6:11:39:fe TLS 1.2
2020-02-21 00:54:24.898 172.17.8.174 [VT] 49727 40.126.5.35 [VT] 443 CN=stamp2.login.microsoftonline.com ec:9c:a6:e0:e6:45:aa:b2:4f:8a:d8:90:df:75:a4:48:82:4d:2c:37 TLS 1.2
2020-02-21 00:54:34.391 172.17.8.174 [VT] 49729 52.114.128.9 [VT] 443 CN=*.events.data.microsoft.com 33:b3:b7:e9:da:25:f5:a0:04:e9:63:87:b6:fb:54:77:db:ed:27:eb TLS 1.2
2020-02-21 00:55:13.309 172.17.8.174 [VT] 49732 52.114.76.34 [VT] 443 CN=*.events.data.microsoft.com 33:b3:b7:e9:da:25:f5:a0:04:e9:63:87:b6:fb:54:77:db:ed:27:eb TLS 1.2
2020-02-21 00:56:00.870 172.17.8.174 [VT] 49737 204.79.197.200 [VT] 443 CN=www.bing.com 62:91:45:76:dc:0a:fa:c8:3c:48:04:bc:c2:c1:b7:00:a6:11:39:fe TLS 1.2
2020-02-21 00:56:25.494 172.17.8.174 [VT] 49738 52.109.124.20 [VT] 443 CN=nexusrules.officeapps.live.com 5e:e9:3e:18:94:43:67:b2:17:d9:7b:d9:5c:e8:4b:ec:72:5d:bc:1f TLS 1.2
2020-02-21 00:59:23.574 172.17.8.174 [VT] 49743 52.114.132.22 [VT] 443 CN=*.events.data.microsoft.com 33:b3:b7:e9:da:25:f5:a0:04:e9:63:87:b6:fb:54:77:db:ed:27:eb TLS 1.2
2020-02-21 01:01:09.510 172.17.8.174 [VT] 49744 52.114.76.34 [VT] 443 CN=*.events.data.microsoft.com 33:b3:b7:e9:da:25:f5:a0:04:e9:63:87:b6:fb:54:77:db:ed:27:eb TLS 1.2
2020-02-21 01:02:51.693 172.17.8.174 [VT] 49745 13.107.246.10 [VT] 443 CN=pti.store.microsoft.com c9:bf:98:32:3d:b5:28:f2:75:64:dc:3c:ae:7a:ec:ab:3a:b6:4b:f4 TLS 1.2
2020-02-21 01:02:51.871 172.17.8.174 [VT] 49746 52.230.222.68 [VT] 443 CN=*.wns.windows.com dd:e1:a1:45:90:6b:17:05:92:29:57:75:e1:21:eb:52:52:1b:95:86 TLS 1.2
2020-02-21 01:03:52.764 172.17.8.174 [VT] 49747 52.230.222.68 [VT] 443 CN=*.wns.windows.com dd:e1:a1:45:90:6b:17:05:92:29:57:75:e1:21:eb:52:52:1b:95:86 TLS 1.2
2020-02-21 01:03:55.181 172.17.8.174 [VT] 49748 40.91.116.226 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft, OU=DSP, CN=fe2cr.update.microsoft.com 69:38:3c:72:34:e4:20:dc:a8:a3:01:50:aa:31:e6:fe:77:40:31:50 TLS 1.2
2020-02-21 01:03:57.284 172.17.8.174 [VT] 49749 64.4.54.18 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft, OU=DSP, CN=fe3cr.delivery.mp.microsoft.com 68:ce:7f:8e:e2:13:a6:04:c8:44:73:13:37:83:33:b2:a0:e3:8a:c7 TLS 1.2
2020-02-21 01:06:23.461 172.17.8.174 [VT] 49750 52.114.76.34 [VT] 443 CN=*.events.data.microsoft.com 33:b3:b7:e9:da:25:f5:a0:04:e9:63:87:b6:fb:54:77:db:ed:27:eb TLS 1.2
2020-02-21 01:08:54.464 172.17.8.174 [VT] 49752 64.4.54.18 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft, OU=DSP, CN=fe3cr.delivery.mp.microsoft.com 68:ce:7f:8e:e2:13:a6:04:c8:44:73:13:37:83:33:b2:a0:e3:8a:c7 TLS 1.2
2020-02-21 01:09:15.007 172.17.8.174 [VT] 49753 52.109.2.55 [VT] 443 CN=mrodevicemgr.officeapps.live.com 3f:7d:9a:10:7a:71:ed:9f:7f:22:db:3b:db:c2:6f:f7:6f:0b:0f:02 TLS 1.2
2020-02-21 01:09:16.106 172.17.8.174 [VT] 49754 23.54.20.119 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=officecdn.microsoft.com 61:74:54:f9:a8:9f:0c:a5:e1:bb:37:97:9f:4a:fe:47:e5:36:dc:60 TLS 1.2
2020-02-21 01:09:17.869 172.17.8.174 [VT] 49755 13.107.3.128 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-02-21 01:09:18.125 172.17.8.174 [VT] 49758 13.107.3.128 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-02-21 01:09:18.127 172.17.8.174 [VT] 49759 13.107.3.128 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-02-21 01:09:18.127 172.17.8.174 [VT] 49756 13.107.3.128 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-02-21 01:09:18.130 172.17.8.174 [VT] 49757 13.107.3.128 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2
2020-02-21 01:11:48.890 172.17.8.174 [VT] 49760 91.211.88.122 [VT] 443 C=AT, ST=Anofotr, L=Vienna, O=Fovemaud Ptesiswss Ultd., CN=7Meconepear.Oofwororgupssd.tm c2:ed:ce:d5:5b:f0:fd:a9:e7:ee:fe:99:66:6c:81:07:a3:7b:c3:9d TLS 1.2
2020-02-21 01:11:50.021 172.17.8.174 [VT] 49761 204.79.197.222 [VT] 443 CN=*.msedge.net fa:81:e0:d1:e5:51:62:0c:6f:dc:ca:ef:7e:bf:06:44:0d:cd:0a:97 TLS 1.2
2020-02-21 01:11:50.550 172.17.8.174 [VT] 49762 204.79.197.200 [VT] 443 CN=www.bing.com 62:91:45:76:dc:0a:fa:c8:3c:48:04:bc:c2:c1:b7:00:a6:11:39:fe TLS 1.2
2020-02-21 01:11:51.961 172.17.8.174 [VT] 49763 91.211.88.122 [VT] 443 C=AT, ST=Anofotr, L=Vienna, O=Fovemaud Ptesiswss Ultd., CN=7Meconepear.Oofwororgupssd.tm c2:ed:ce:d5:5b:f0:fd:a9:e7:ee:fe:99:66:6c:81:07:a3:7b:c3:9d TLS 1.2
2020-02-21 01:11:52.464 172.17.8.174 [VT] 49764 13.107.3.254 [VT] 443 CN=*.msedge.net fa:81:e0:d1:e5:51:62:0c:6f:dc:ca:ef:7e:bf:06:44:0d:cd:0a:97 TLS 1.2
2020-02-21 01:11:53.262 172.17.8.174 [VT] 49765 72.21.81.200 [VT] 443 CN=*.vo.msecnd.net fc:37:b4:dc:07:95:dd:19:de:56:ee:38:3a:6f:ff:c7:41:09:c4:45 TLS 1.2
2020-02-21 01:11:54.038 172.17.8.174 [VT] 49766 204.79.197.254 [VT] 443 CN=*.msedge.net fa:81:e0:d1:e5:51:62:0c:6f:dc:ca:ef:7e:bf:06:44:0d:cd:0a:97 TLS 1.2
2020-02-21 01:11:56.672 172.17.8.174 [VT] 49767 91.211.88.122 [VT] 443 C=AT, ST=Anofotr, L=Vienna, O=Fovemaud Ptesiswss Ultd., CN=7Meconepear.Oofwororgupssd.tm c2:ed:ce:d5:5b:f0:fd:a9:e7:ee:fe:99:66:6c:81:07:a3:7b:c3:9d TLS 1.2
2020-02-21 01:12:03.447 172.17.8.174 [VT] 49770 91.211.88.122 [VT] 443 C=AT, ST=Anofotr, L=Vienna, O=Fovemaud Ptesiswss Ultd., CN=7Meconepear.Oofwororgupssd.tm c2:ed:ce:d5:5b:f0:fd:a9:e7:ee:fe:99:66:6c:81:07:a3:7b:c3:9d TLS 1.2
2020-02-21 01:14:02.259 172.17.8.174 [VT] 49771 52.159.17.76 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft, OU=DSP, CN=tsfe.trafficshaping.dsp.mp.microsoft.com a4:83:4d:7a:9e:84:c4:5b:1c:96:e5:f7:80:89:c6:92:82:87:4d:7e TLS 1.2
2020-02-21 01:14:03.015 172.17.8.174 [VT] 49772 52.159.17.76 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft, OU=DSP, CN=tsfe.trafficshaping.dsp.mp.microsoft.com a4:83:4d:7a:9e:84:c4:5b:1c:96:e5:f7:80:89:c6:92:82:87:4d:7e TLS 1.2
2020-02-21 01:14:03.830 172.17.8.174 [VT] 49773 52.159.17.76 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft, OU=DSP, CN=tsfe.trafficshaping.dsp.mp.microsoft.com a4:83:4d:7a:9e:84:c4:5b:1c:96:e5:f7:80:89:c6:92:82:87:4d:7e TLS 1.2
2020-02-21 01:14:05.082 172.17.8.174 [VT] 49774 40.69.216.73 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft, OU=DSP, CN=*.prod.do.dsp.mp.microsoft.com 96:da:8a:f2:d5:d0:ce:8b:3a:a2:b6:d2:d2:ab:16:92:72:54:c5:57 TLS 1.2
2020-02-21 01:14:06.176 172.17.8.174 [VT] 49775 104.77.69.193 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=cp601-prod.do.dsp.mp.microsoft.com 08:fb:d6:0f:87:01:9d:df:6d:01:0f:5d:11:07:af:38:61:01:7f:d6 TLS 1.2
2020-02-21 01:14:06.856 172.17.8.174 [VT] 49776 104.77.69.193 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=cp601-prod.do.dsp.mp.microsoft.com 08:fb:d6:0f:87:01:9d:df:6d:01:0f:5d:11:07:af:38:61:01:7f:d6 TLS 1.2
2020-02-21 01:14:07.085 172.17.8.174 [VT] 49777 64.4.54.18 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft, OU=DSP, CN=fe3cr.delivery.mp.microsoft.com 68:ce:7f:8e:e2:13:a6:04:c8:44:73:13:37:83:33:b2:a0:e3:8a:c7 TLS 1.2
2020-02-21 01:14:07.383 172.17.8.174 [VT] 49778 104.77.69.193 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=cp601-prod.do.dsp.mp.microsoft.com 08:fb:d6:0f:87:01:9d:df:6d:01:0f:5d:11:07:af:38:61:01:7f:d6 TLS 1.2
2020-02-21 01:14:08.288 172.17.8.174 [VT] 49786 64.4.54.18 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft, OU=DSP, CN=fe3cr.delivery.mp.microsoft.com 68:ce:7f:8e:e2:13:a6:04:c8:44:73:13:37:83:33:b2:a0:e3:8a:c7 TLS 1.2
2020-02-21 01:14:09.036 172.17.8.174 [VT] 49791 104.77.69.193 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=cp601-prod.do.dsp.mp.microsoft.com 08:fb:d6:0f:87:01:9d:df:6d:01:0f:5d:11:07:af:38:61:01:7f:d6 TLS 1.2
2020-02-21 01:14:09.565 172.17.8.174 [VT] 49793 104.77.69.193 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=cp601-prod.do.dsp.mp.microsoft.com 08:fb:d6:0f:87:01:9d:df:6d:01:0f:5d:11:07:af:38:61:01:7f:d6 TLS 1.2
2020-02-21 01:14:10.939 172.17.8.174 [VT] 49799 104.77.69.193 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=cp601-prod.do.dsp.mp.microsoft.com 08:fb:d6:0f:87:01:9d:df:6d:01:0f:5d:11:07:af:38:61:01:7f:d6 TLS 1.2
2020-02-21 01:14:11.990 172.17.8.174 [VT] 49808 64.4.54.18 [VT] 443 C=US, ST=WA, L=Redmond, O=Microsoft, OU=DSP, CN=fe3cr.delivery.mp.microsoft.com 68:ce:7f:8e:e2:13:a6:04:c8:44:73:13:37:83:33:b2:a0:e3:8a:c7 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-02-21 00:53:52.245 172.17.8.174 [VT] 49801 205.185.216.42 [VT] 80 None tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/9ed29ecb-8df0-4d34-83a5-a3fdd56a2aaf?P1=1582248747&P2=402&P3=2&P4=TAzJjyxXFI27ORkb4DNfuNA%2b9JMn92MahjGqaWxsTi7fJbQdQB4qsf32Czn6AStBUsxhKoRrB8s7zcmbNTo9vg%3d%3d None Microsoft-Delivery-Optimization/10.0 None 0
2020-02-21 00:53:52.245 172.17.8.174 [VT] 49807 205.185.216.42 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/9ed29ecb-8df0-4d34-83a5-a3fdd56a2aaf?P1=1582248747&P2=402&P3=2&P4=TAzJjyxXFI27ORkb4DNfuNA%2b9JMn92MahjGqaWxsTi7fJbQdQB4qsf32Czn6AStBUsxhKoRrB8s7zcmbNTo9vg%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 490876
2020-02-21 00:53:52.245 172.17.8.174 [VT] 49806 23.1.236.92 [VT] 80 206 2.tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/ae6344f1-6475-4365-b7bd-43e79abac1fb?P1=1582248267&P2=402&P3=2&P4=X16ZdLJ5vV9c6XJIjdHBVzqyQCDdZLY0XQG0gTzaQebQOvWdznZdEHwJ5VGSjaQYMvA6THNqvtvf45ZlGQuHkw%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 173375
2020-02-21 00:55:08.624 172.17.8.174 [VT] 49731 49.51.172.56 [VT] 80 200 blueflag.xyz [VT] /nCvQOQHCBjZFfiJvyVGA/yrkbdmt.bin application/octet-stream Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) None 208896
2020-02-21 01:14:07.579 172.17.8.174 [VT] 49779 13.107.4.50 [VT] 80 200 dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/001eb2ac-b2c2-4a55-a78d-85def1f04de3/pieceshash application/octet-stream Microsoft-Delivery-Optimization/10.0 None 293
2020-02-21 01:14:07.896 172.17.8.174 [VT] 49784 205.185.216.42 [VT] 80 403 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/0092fb1c-d27f-429c-acdd-29b392ed3d33?P1=1580335569&P2=402&P3=2&P4=mABV5ffFfCEQA8rkWFvC1CL3DDKuapd6HyRMLFxQjWmV72eklsHfgpppXIda1%2bRuNGLixGGxcRUiVi7ZBcMAew%3d%3d None Microsoft-Delivery-Optimization/10.0 None 0
2020-02-21 01:14:07.896 172.17.8.174 [VT] 49785 205.185.216.10 [VT] 80 403 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/0092fb1c-d27f-429c-acdd-29b392ed3d33?P1=1580335569&P2=402&P3=2&P4=mABV5ffFfCEQA8rkWFvC1CL3DDKuapd6HyRMLFxQjWmV72eklsHfgpppXIda1%2bRuNGLixGGxcRUiVi7ZBcMAew%3d%3d None Microsoft-Delivery-Optimization/10.0 None 0
2020-02-21 01:14:07.896 172.17.8.174 [VT] 49782 205.185.216.42 [VT] 80 403 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/001eb2ac-b2c2-4a55-a78d-85def1f04de3?P1=1580335569&P2=402&P3=2&P4=NFqvAzoi8KK%2blIuW%2bABh0rnEWK2NH4vlr6zhdN4Sz%2bNlRhD0tiaLUAY46FJc4MDFnb9tPRqfgd6ZsqedUt2Rkg%3d%3d None Microsoft-Delivery-Optimization/10.0 None 0
2020-02-21 01:14:07.902 172.17.8.174 [VT] 49783 205.185.216.10 [VT] 80 403 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/001eb2ac-b2c2-4a55-a78d-85def1f04de3?P1=1580335569&P2=402&P3=2&P4=NFqvAzoi8KK%2blIuW%2bABh0rnEWK2NH4vlr6zhdN4Sz%2bNlRhD0tiaLUAY46FJc4MDFnb9tPRqfgd6ZsqedUt2Rkg%3d%3d None Microsoft-Delivery-Optimization/10.0 None 0
2020-02-21 01:14:08.964 172.17.8.174 [VT] 49790 205.185.216.10 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/001eb2ac-b2c2-4a55-a78d-85def1f04de3?P1=1582248309&P2=402&P3=2&P4=OYTOMAM70Q%2fd4derugeBOPD04WTCco6vqlRyNC88eIAsg1VNhSoG17x8uiLzMbHy2dVKNG0nn3I27FhkzBDDdA%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 2
2020-02-21 01:14:08.974 172.17.8.174 [VT] 49787 205.185.216.42 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/0092fb1c-d27f-429c-acdd-29b392ed3d33?P1=1582248309&P2=402&P3=2&P4=VuCE7u3Zf5IiBceaCNrkpClSEVPiLmM%2fpC6%2fdew0ptQMkTG%2bP3ouy1xjONnUVdgjBchgeLOocenO5tPhl2jcBg%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 2
2020-02-21 01:14:09.023 172.17.8.174 [VT] 49789 205.185.216.42 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/001eb2ac-b2c2-4a55-a78d-85def1f04de3?P1=1582248309&P2=402&P3=2&P4=OYTOMAM70Q%2fd4derugeBOPD04WTCco6vqlRyNC88eIAsg1VNhSoG17x8uiLzMbHy2dVKNG0nn3I27FhkzBDDdA%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 2
2020-02-21 01:14:09.023 172.17.8.174 [VT] 49788 205.185.216.10 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/0092fb1c-d27f-429c-acdd-29b392ed3d33?P1=1582248309&P2=402&P3=2&P4=VuCE7u3Zf5IiBceaCNrkpClSEVPiLmM%2fpC6%2fdew0ptQMkTG%2bP3ouy1xjONnUVdgjBchgeLOocenO5tPhl2jcBg%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 2
2020-02-21 01:14:09.464 172.17.8.174 [VT] 49787 205.185.216.42 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/0092fb1c-d27f-429c-acdd-29b392ed3d33?P1=1582248309&P2=402&P3=2&P4=VuCE7u3Zf5IiBceaCNrkpClSEVPiLmM%2fpC6%2fdew0ptQMkTG%2bP3ouy1xjONnUVdgjBchgeLOocenO5tPhl2jcBg%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 519620
2020-02-21 01:14:09.675 172.17.8.174 [VT] 49792 13.107.4.50 [VT] 80 200 dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/ae6344f1-6475-4365-b7bd-43e79abac1fb/pieceshash application/octet-stream Microsoft-Delivery-Optimization/10.0 None 198
2020-02-21 01:14:09.805 172.17.8.174 [VT] 49790 205.185.216.10 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/001eb2ac-b2c2-4a55-a78d-85def1f04de3?P1=1582248309&P2=402&P3=2&P4=OYTOMAM70Q%2fd4derugeBOPD04WTCco6vqlRyNC88eIAsg1VNhSoG17x8uiLzMbHy2dVKNG0nn3I27FhkzBDDdA%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 791389
2020-02-21 01:14:09.844 172.17.8.174 [VT] 49795 205.185.216.42 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/ae6344f1-6475-4365-b7bd-43e79abac1fb?P1=1582248267&P2=402&P3=2&P4=X16ZdLJ5vV9c6XJIjdHBVzqyQCDdZLY0XQG0gTzaQebQOvWdznZdEHwJ5VGSjaQYMvA6THNqvtvf45ZlGQuHkw%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 2
2020-02-21 01:14:09.851 172.17.8.174 [VT] 49794 205.185.216.10 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/ae6344f1-6475-4365-b7bd-43e79abac1fb?P1=1582248267&P2=402&P3=2&P4=X16ZdLJ5vV9c6XJIjdHBVzqyQCDdZLY0XQG0gTzaQebQOvWdznZdEHwJ5VGSjaQYMvA6THNqvtvf45ZlGQuHkw%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 2
2020-02-21 01:14:10.051 172.17.8.174 [VT] 49796 13.107.4.50 [VT] 80 200 dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/9ed29ecb-8df0-4d34-83a5-a3fdd56a2aaf/pieceshash application/octet-stream Microsoft-Delivery-Optimization/10.0 None 1328
2020-02-21 01:14:10.353 172.17.8.174 [VT] 49798 205.185.216.42 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/9ed29ecb-8df0-4d34-83a5-a3fdd56a2aaf?P1=1582248747&P2=402&P3=2&P4=TAzJjyxXFI27ORkb4DNfuNA%2b9JMn92MahjGqaWxsTi7fJbQdQB4qsf32Czn6AStBUsxhKoRrB8s7zcmbNTo9vg%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 2
2020-02-21 01:14:10.409 172.17.8.174 [VT] 49795 205.185.216.42 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/ae6344f1-6475-4365-b7bd-43e79abac1fb?P1=1582248267&P2=402&P3=2&P4=X16ZdLJ5vV9c6XJIjdHBVzqyQCDdZLY0XQG0gTzaQebQOvWdznZdEHwJ5VGSjaQYMvA6THNqvtvf45ZlGQuHkw%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 629753
2020-02-21 01:14:10.429 172.17.8.174 [VT] 49797 205.185.216.10 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/9ed29ecb-8df0-4d34-83a5-a3fdd56a2aaf?P1=1582248747&P2=402&P3=2&P4=TAzJjyxXFI27ORkb4DNfuNA%2b9JMn92MahjGqaWxsTi7fJbQdQB4qsf32Czn6AStBUsxhKoRrB8s7zcmbNTo9vg%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 2
2020-02-21 01:14:11.003 172.17.8.174 [VT] 49798 205.185.216.42 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/9ed29ecb-8df0-4d34-83a5-a3fdd56a2aaf?P1=1582248747&P2=402&P3=2&P4=TAzJjyxXFI27ORkb4DNfuNA%2b9JMn92MahjGqaWxsTi7fJbQdQB4qsf32Czn6AStBUsxhKoRrB8s7zcmbNTo9vg%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 659511
2020-02-21 01:14:11.440 172.17.8.174 [VT] 49800 13.107.4.50 [VT] 80 200 dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/669bf2c3-676c-4886-abcb-369234eb0428/pieceshash application/octet-stream Microsoft-Delivery-Optimization/10.0 None 1140
2020-02-21 01:14:11.632 172.17.8.174 [VT] 49802 205.185.216.10 [VT] 80 206 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/9ed29ecb-8df0-4d34-83a5-a3fdd56a2aaf?P1=1582248747&P2=402&P3=2&P4=TAzJjyxXFI27ORkb4DNfuNA%2b9JMn92MahjGqaWxsTi7fJbQdQB4qsf32Czn6AStBUsxhKoRrB8s7zcmbNTo9vg%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 2
2020-02-21 01:14:11.637 172.17.8.174 [VT] 49804 205.185.216.42 [VT] 80 403 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/669bf2c3-676c-4886-abcb-369234eb0428?P1=1580334556&P2=402&P3=2&P4=ZPf97M7klbXT%2fiRNSu6Eqg8BMn0rc6JjOeqYP1khMmQ7nX%2fMt1he6JVA49UcPJuKKM2fjYEVwvUXSDZdJnj67w%3d%3d None Microsoft-Delivery-Optimization/10.0 None 0
2020-02-21 01:14:11.637 172.17.8.174 [VT] 49803 205.185.216.10 [VT] 80 403 tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/669bf2c3-676c-4886-abcb-369234eb0428?P1=1580334556&P2=402&P3=2&P4=ZPf97M7klbXT%2fiRNSu6Eqg8BMn0rc6JjOeqYP1khMmQ7nX%2fMt1he6JVA49UcPJuKKM2fjYEVwvUXSDZdJnj67w%3d%3d None Microsoft-Delivery-Optimization/10.0 None 0
2020-02-21 01:14:11.737 172.17.8.174 [VT] 49806 23.1.236.92 [VT] 80 206 2.tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/ae6344f1-6475-4365-b7bd-43e79abac1fb?P1=1582248267&P2=402&P3=2&P4=X16ZdLJ5vV9c6XJIjdHBVzqyQCDdZLY0XQG0gTzaQebQOvWdznZdEHwJ5VGSjaQYMvA6THNqvtvf45ZlGQuHkw%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 2
2020-02-21 01:14:11.773 172.17.8.174 [VT] 49805 23.1.236.114 [VT] 80 206 2.tlu.dl.delivery.mp.microsoft.com [VT] /filestreamingservice/files/ae6344f1-6475-4365-b7bd-43e79abac1fb?P1=1582248267&P2=402&P3=2&P4=X16ZdLJ5vV9c6XJIjdHBVzqyQCDdZLY0XQG0gTzaQebQOvWdznZdEHwJ5VGSjaQYMvA6THNqvtvf45ZlGQuHkw%3d%3d application/octet-stream Microsoft-Delivery-Optimization/10.0 None 2
Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
172.17.8.174 49775 104.77.69.193 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49776 104.77.69.193 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49778 104.77.69.193 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49791 104.77.69.193 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49793 104.77.69.193 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49799 104.77.69.193 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49745 13.107.246.10 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49755 13.107.3.128 443 a0e9f5d64349fb13191bc781f81f42e1 unknown
172.17.8.174 49756 13.107.3.128 443 a0e9f5d64349fb13191bc781f81f42e1 unknown
172.17.8.174 49757 13.107.3.128 443 a0e9f5d64349fb13191bc781f81f42e1 unknown
172.17.8.174 49758 13.107.3.128 443 a0e9f5d64349fb13191bc781f81f42e1 unknown
172.17.8.174 49759 13.107.3.128 443 a0e9f5d64349fb13191bc781f81f42e1 unknown
172.17.8.174 49721 13.107.3.254 s-ring.msedge.net 443 9e10692f1b7f78228b2d4e424db3a98c unknown
172.17.8.174 49764 13.107.3.254 s-ring.msedge.net 443 9e10692f1b7f78228b2d4e424db3a98c unknown
172.17.8.174 49720 13.107.4.254 c-ring.msedge.net 443 9e10692f1b7f78228b2d4e424db3a98c unknown
172.17.8.174 49717 204.79.197.200 443 9e10692f1b7f78228b2d4e424db3a98c unknown
172.17.8.174 49718 204.79.197.200 443 9e10692f1b7f78228b2d4e424db3a98c unknown
172.17.8.174 49722 204.79.197.200 443 9e10692f1b7f78228b2d4e424db3a98c unknown
172.17.8.174 49737 204.79.197.200 443 9e10692f1b7f78228b2d4e424db3a98c unknown
172.17.8.174 49762 204.79.197.200 443 9e10692f1b7f78228b2d4e424db3a98c unknown
172.17.8.174 49761 204.79.197.222 fp.msedge.net 443 9e10692f1b7f78228b2d4e424db3a98c unknown
172.17.8.174 49766 204.79.197.254 a-ring.msedge.net 443 9e10692f1b7f78228b2d4e424db3a98c unknown
172.17.8.174 49754 23.54.20.119 443 a0e9f5d64349fb13191bc781f81f42e1 unknown
172.17.8.174 49719 23.54.20.139 ow1.res.office365.com 443 9e10692f1b7f78228b2d4e424db3a98c unknown
172.17.8.174 49727 40.126.5.35 login.microsoftonline.com 443 9e10692f1b7f78228b2d4e424db3a98c unknown
172.17.8.174 49774 40.69.216.73 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49748 40.91.116.226 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49738 52.109.124.20 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49753 52.109.2.55 443 a0e9f5d64349fb13191bc781f81f42e1 unknown
172.17.8.174 49729 52.114.128.9 443 37f463bf4616ecd445d4a1937da06e19 unknown
172.17.8.174 49705 52.114.132.22 443 a0e9f5d64349fb13191bc781f81f42e1 unknown
172.17.8.174 49743 52.114.132.22 443 a0e9f5d64349fb13191bc781f81f42e1 unknown
172.17.8.174 49732 52.114.76.34 443 37f463bf4616ecd445d4a1937da06e19 unknown
172.17.8.174 49744 52.114.76.34 443 37f463bf4616ecd445d4a1937da06e19 unknown
172.17.8.174 49750 52.114.76.34 443 37f463bf4616ecd445d4a1937da06e19 unknown
172.17.8.174 49771 52.159.17.76 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49772 52.159.17.76 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49773 52.159.17.76 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49746 52.230.222.68 443 3b5074b1b5d032e5620f69f9f700ff0e unknown
172.17.8.174 49747 52.230.222.68 443 3b5074b1b5d032e5620f69f9f700ff0e unknown
172.17.8.174 49749 64.4.54.18 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49752 64.4.54.18 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49777 64.4.54.18 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49786 64.4.54.18 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49808 64.4.54.18 443 28a2c9bd18a11de089ef85a160da29e4 unknown
172.17.8.174 49765 72.21.81.200 fp-vp.azureedge.net 443 9e10692f1b7f78228b2d4e424db3a98c unknown
172.17.8.174 49760 91.211.88.122 443 51c64c77e60f3980eea90869b68c58a8 unknown
172.17.8.174 49763 91.211.88.122 443 51c64c77e60f3980eea90869b68c58a8 unknown
172.17.8.174 49767 91.211.88.122 443 51c64c77e60f3980eea90869b68c58a8 unknown
172.17.8.174 49770 91.211.88.122 443 51c64c77e60f3980eea90869b68c58a8 unknown
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 31.294 seconds )

  • 25.15 NetworkAnalysis
  • 5.456 Suricata
  • 0.616 CAPE
  • 0.067 AnalysisInfo
  • 0.005 Debug

Signatures ( 0.059 seconds )

  • 0.01 ransomware_files
  • 0.006 antiav_detectreg
  • 0.006 recon_checkip
  • 0.005 network_torgateway
  • 0.005 ransomware_extensions
  • 0.004 antiav_detectfile
  • 0.003 persistence_autorun
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_ftp
  • 0.002 infostealer_im
  • 0.001 kibex_behavior
  • 0.001 tinba_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 network_doh
  • 0.001 revil_mutexes

Reporting ( 0.872 seconds )

  • 0.872 PCAP2CERT