Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page


UNCENSORED PAGE



04 May 2008

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap] [Behavioral Clusters] [Binary Digest Log]

[See Country Codes]

Columns (one infection record per entry below, in this order):
Time | Victim | OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace
00:12:00 WinXP 59.121.118.160 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW.
n/a  
CZ:217.170.244.2:443
CZ:82.114.64.251:443
445 pcap raw alerts
ruleset
shell
ftp
17 lines
Yeah : 1.3
profile
none summary
tarball
25 of 28 7fdfe363d5
[Firefox:2587 hits: 12-31 to 05-07]
10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns
trace
T:01:46:00 WinXP 216.77.195.180 (BELLSOUTH.NET):
BELLSOUTH.NET INC,
NEW ORLEANS, LOUISIANA, US.
n/a   445 pcap raw alerts
ruleset
shell
3 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
02:15:00 Win2K-f 61.224.91.182 (HINET.NET):
DATA COMMUNICATION BUSINESS GROUP CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW.
n/a  
CZ:217.170.244.2:443
CZ:82.114.64.251:443
445 pcap raw alerts
ruleset
shell
shell
ftp
18 lines
Yeah : 1.3
profile
none summary
tarball
25 of 28 7fdfe363d5
[Firefox:2587 hits: 12-31 to 05-07]
10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns
trace
02:23:00 WinXP 119.17.107.81 (-):
.
n/a DE:proxim.ircgalaxy.pl
UA:citi-bank.ru
DE:85.114.137.60:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
30 of 32 3f5ec58a6b
[Firefox: 9 hits: 04-24 to 05-05]
4a77430a59 [0] ASM:Graph
PolyEnE| lines=70 trace
T:02:26:00 Win2K-f 84.51.88.205 (IPAPER.COM):
BLOCK FOR PI ASSIGNMENTS,
UK.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
27 of 31 4538decef7
NEW
none[4] none:none
none|none none trace
02:29:00 Win2K-f 85.77.251.193 (SAUNALAHTI.FI):
SAUNALAHTI GROUP OYJ,
ESPOO, ETELA-SUOMEN LAANI, FI. (DSL)
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
02:39:00 WinXP 212.16.219.196 (516.RU):
INFORMATION SERVICE 516 LTD,
RU.
n/a   445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
02:48:00 WinXP 4.228.162.53 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
OMAHA, NEBRASKA, US. (DIAL)
n/a   445 pcap raw alerts
ruleset
shell
ftp
17 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
02:49:00 Win2K-f 77.76.129.170 (-):
OPTILINK,
BG.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
02:53:00 Win2K-f 59.103.12.98 (-):
.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
15 lines
Yeah : 0.8
profile
none summary
tarball
13 of 32 285af12d33
[Firefox: 3 hits: 04-28 to 05-05]
none[4] none:none
none|none none trace
T:03:06:00 WinXP 219.164.189.180 (PLALA.OR.JP):
PLALA NETWORKS INC,
JP.
211.96.97.44:7000 CN:hail.dns2go.com 445 pcap raw alerts
ruleset
ftp
irc
21 lines
Yeah : 1.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
03:23:00 Win2K-f 92.10.100.150 (-):
CARPHONE WAREHOUSE BROADBAND SERVICES,
UK.
211.96.97.44:7000 DE:proxim.ircgalaxy.pl
CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
DE:85.114.137.60:80
445 pcap raw alerts
ruleset
ftp
irc
22 lines
Yeah : 1.3
profile
none summary
tarball
28 of 31 d4aceeab99
NEW
none[4] none:none
none|none none trace
T:03:29:00 Win2K-f 190.224.88.184 (-):
.
211.96.97.44:7000 CN:hail.dns2go.com 445 pcap raw alerts
ruleset
ftp
irc
22 lines
Yeah : 1.8
profile
none summary
tarball
21 of 31 ea54317f5d
[Firefox: 3 hits: 04-29 to 05-07]
none[4] none:none
none|none none trace
03:36:00 WinXP 92.36.240.209 (IKBCC.COM):
EU-ZZ,
UK.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
03:42:00 WinXP 117.194.0.169 (-):
.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
03:45:00 Win2K-f 82.200.153.124 (DIALUP.ITTE.KZ):
INTERNATIONAL AND TRUNK TELEPHONE EXCHANGE,
ALMATY, ALMATY, KZ.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
T:03:57:00 WinXP 60.48.248.8 (TM.NET.MY):
TELEKOM MALAYSIA BERHAD,
KUALA LUMPUR, WILAYAH PERSEKUTUAN, MY. (DSL)
211.96.97.44:7000 CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
irc
22 lines
Yeah : 1.3
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
03:59:00 WinXP 89.40.246.133 (CLAX.RO):
ISP,
BAIA MARE, MARAMURES, RO.
n/a DE:proxim.ircgalaxy.pl
CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
DE:85.114.137.60:65520
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
28 of 32 fc5ab11b1f
NEW
none[4] none:none
none|none none trace
T:04:10:00 WinXP 122.30.153.13 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
JP.
n/a   445 pcap raw alerts
ruleset
shell
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
31 of 32 741e3b03b3
[Firefox:25 hits: 09-28 to 05-07]
e0197e8a64 [0] ASM:Graph
none|none lines=62 trace
04:18:00 WinXP 81.245.180.52 (ISP.BELGACOM.BE):
SKYNET-ADSL,
DENDERMONDE, OOST-VLAANDEREN, BE. (DSL)
211.96.97.44:7000 CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
irc
21 lines
Yeah : 1.3
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
04:29:00 WinXP 213.197.10.57 (CONCEPTS.NL):
WESTBRABANT NET,
AMSTERDAM, NOORD-HOLLAND, NL. (DSL)
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
04:35:00 WinXP 89.43.237.33 (SMANET.RO):
JUMP NETWORK SERVICES S.R.L,
RO.
211.96.97.44:7000 DE:proxim.ircgalaxy.pl
CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
DE:85.114.137.60:65520
445 pcap raw alerts
ruleset
ftp
irc
21 lines
Yeah : 1.3
profile
none summary
tarball
28 of 32 78f157c5ad
NEW
none[4] none:none
StarForce| none trace
T:04:35:00 Win2K-f 194.106.171.226 (-):
BIS INFORMATIKA,
CS.
n/a   445 pcap raw alerts
ruleset
other
0 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
04:39:00 Win2K-f 89.230.188.15 (MM.PL):
SZEL-SAT,
PL.
n/a CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
19 of 30 93282471f7
[Firefox: 9 hits: 04-28 to 05-07]
95951dee58 [0] ASM:Graph
ASProtect| lines=0 trace
T:04:50:00 Win2K-f 79.185.107.190 (TPNET.PL):
TPSA,
PL.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
04:52:00 WinXP 92.47.131.102 (IKBCC.COM):
EU-ZZ,
UK.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
04:53:00 Win2K-f 78.96.14.60 (-):
ASTRAL BUZAU DOCSIS,
BUZAU, BUZAU, RO.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
05:10:00 Win2K-f 87.9.168.242 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A. TIN EASY LITE,
NOVARA, PIEMONTE, IT.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
T:05:11:00 WinXP 92.12.107.51 (-):
CARPHONE WAREHOUSE BROADBAND SERVICES,
UK.
211.96.97.44:7000 CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
irc
25 lines
Yeah : 1.3
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
T:05:21:00 Win2K-f 77.28.75.246 (APEXCOVANTAGE.COM):
EU-ZZ,
UK.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
05:28:00 Win2K-f 194.212.33.48 (CONTACTEL.NET):
GTS NOVERA A.S,
CZ.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
T:05:29:00 Win2K-f 87.5.50.80 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA S.P.A. TIN EASY LITE,
IT.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
05:29:00 Win2K-f 92.60.228.172 (IKBCC.COM):
EU-ZZ,
UK.
211.96.97.44:7000 CN:hail.dns2go.com 445 pcap raw alerts
ruleset
ftp
20 lines
Yeah : 1.3
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
05:50:00 Win2K-f 81.84.233.97 (CPE.NETCABO.PT):
TVCABO-PORTUGAL CABLE MODEM NETWORK,
LISBON, LISBOA, PT.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
17 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
T:05:54:00 WinXP 78.176.51.243 (SMYTHECRAMER.COM):
TELEKOM,
TR.
n/a CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
20 of 31 af98fe0c94
[Firefox:47 hits: 04-27 to 05-07]
480d076a0a [0] ASM:Graph
ASProtect| lines=422
embedded dns
trace
06:00:00 Win2K-f 212.96.200.178 (WSNET.RU):
JOINT STOCK COMMERCIAL BANK AKKOBANK,
SURGUT, KHANTY-MANSIYSKIY AVTONOMNYY OKRUG, RU.
n/a CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
20 of 31 cb89ccfe52
[Firefox: 3 hits: 04-29 to 05-04]
881f6fa4b7 [0] ASM:Graph
TXT2COM| lines=406
embedded dns
trace
06:13:00 Win2K-f 87.105.214.115 (NET.PL):
DIALOG,
PL.
n/a CA:russia.blacktiehsbdcs.com
CA:jiets.soidudrf.com
CA:bti.jeiahsdod.net
CA:abc.ihshsd8.com
CA:72.10.172.218:3240
CA:72.10.172.218:7575
CA:72.10.172.218:8492
CA:72.10.172.218:9283
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
28 of 32 39b81ab576
[Firefox: 3 hits: 05-02 to 05-06]
7b8b096e8e [0] ASM:Graph
EXECrypto| line=1 trace
T:06:17:00 WinXP 24.210.118.243 (RR.COM):
ROAD RUNNER HOLDCO LLC,
FAIRMONT, WEST VIRGINIA, US.
n/a DE:siliconfireware.ru
DE:ebookfinaltrash.ru
:wpad
DE:217.11.54.126:80
EU:78.47.200.154:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
29 of 29 a12cab51ef
[Firefox:1008 hits: 05-01 to 05-07]
40f7f463c4 [0] ASM:Graph
ASPack| lines=281
embedded dns
trace
06:21:00 Win2K-f 80.117.95.164 (POOL80117.INTERBUSINESS.IT):
TELECOM ITALIA S.P.A. TIN EASY LITE,
TRIESTE, FRIULI-VENEZIA GIULIA, IT.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
T:06:33:00 Win2K-f 85.182.65.70 (ALICEDSL.DE):
HANSENET-ADSL,
HAMBURG, HAMBURG, DE. (DSL)
n/a DE:proxim.ircgalaxy.pl
CZ:217.170.244.2:443
CZ:82.114.64.251:443
DE:85.114.137.60:65520
445 pcap raw alerts
ruleset
shell
ftp
17 lines
Yeah : 1.3
profile
none summary
tarball
28 of 32 ab473a4fee
NEW
none[3] none:none
FSG| none trace
06:36:00 WinXP 89.232.225.175 (ISURGUT.RU):
JSC INTERNET-TV RUSSIA WEST SIBERIA UGORSK,
RU. (DIAL)
211.96.97.44:7000 CN:scorti1.dns2go.com 445 pcap raw alerts
ruleset
ftp
irc
25 lines
Yeah : 1.3
profile
none summary
tarball
22 of 31 9b0c5ed538
[Firefox: 3 hits: 05-02 to 05-04]
none[4] none:none
none|none none trace
06:45:00 Win2K-f 79.72.201.106 (AS9105.COM):
TELINCO,
UK.
211.96.97.44:7000 CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
irc
24 lines
Yeah : 1.3
profile
none summary
tarball
12 of 30 76b4ab852e
[Firefox:29 hits: 04-29 to 05-07]
none[4] none:none
none|none none trace
06:46:00 Win2K-f 124.82.17.155 (TM.NET.MY):
TM ADSL SERVICE PROVIDER MALAYSIA,
SHAH ALAM, SELANGOR, MY. (DSL)
211.96.97.44:7000 CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
irc
20 lines
Yeah : 1.3
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
T:06:47:00 WinXP 91.64.133.188 (SUPERKABEL.DE):
KABEL-DEUTSCHLAND-CUSTOMER-SERVICES,
DE.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
27 of 31 73be8e511b
NEW
none[4] none:none
StarForce| none trace
06:52:00 Win2K-f 125.162.97.248 (-):
TLKM_D1_BB_SPEEDY_PG,
PALEMBANG, SUMATERA SELATAN, ID.
n/a   445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
26 of 31 44bc18e093
NEW
none[4] none:none
none|none none trace
T:06:59:00 Win2K-f 81.246.144.6 (ISP.BELGACOM.BE):
SKYNET-ADSL,
DENDERMONDE, OOST-VLAANDEREN, BE. (DSL)
217.170.244.2:443 DE:proxim.ircgalaxy.pl
CZ:217.170.244.2:443
DE:85.114.137.60:65520
445 pcap raw alerts
ruleset
irc
10 lines
Yeah : 1.8
profile
none summary
tarball
none none none none none none none
T:07:00:00 Win2K-f 216.10.168.135 (WISPNET.NET):
WISPNET LLC,
WILSON, NORTH CAROLINA, US.
n/a   445 pcap raw alerts
ruleset
shell
shell
4 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
07:09:00 WinXP 91.124.87.74 (UKRTEL.NET):
UKRTELECOM,
UA.
n/a CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
18 lines
Yeah : 0.8
profile
none summary
tarball
20 of 32 fd0bf48a75
[Firefox: 7 hits: 04-28 to 05-07]
none[3] none:none
ASProtect| none trace
T:07:15:00 WinXP 66.50.23.220 (PRTC.NET):
PRTC RAS,
SAN JUAN, PUERTO RICO, PR.
n/a UA:citi-bank.ru 445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
31 of 32 cf7bb33fb2
[Firefox: 7 hits: 03-11 to 05-04]
3040889c26 [0] ASM:Graph
PolyEnE| lines=68 trace
07:18:00 Win2K-f 88.160.219.44 (PROXAD.NET):
PROXAD / FREE SAS,
FR.
211.96.97.44:7000 CN:hail.dns2go.com 445 pcap raw alerts
ruleset
ftp
irc
25 lines
Yeah : 1.3
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
07:23:00 WinXP 190.30.133.46 (NET.AR):
APOLO -GOLD-TELECOM-PER,
BUENOS AIRES, BUENOS AIRES, AR.
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
07:44:00 Win2K-f 4.235.78.186 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
OCALA, FLORIDA, US. (DIAL)
n/a   445 pcap raw alerts
ruleset
shell
ftp
16 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:07:45:00 Win2K-f 212.30.188.60 (MTU.RU):
ZAO MTU-INTEL,
MOSCOW, MOSKVA, RU.
n/a CN:scorti1.dns2go.com 445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
20 of 31 cb89ccfe52
[Firefox: 3 hits: 04-29 to 05-04]
881f6fa4b7 [0] ASM:Graph
TXT2COM| lines=406
embedded dns
trace
08:06:00 Win2K-f 201.212.179.217 (NET.AR):
PRIMA S.A,
BUENOS AIRES, BUENOS AIRES, AR. (DSL)
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
CN:218.93.14.236:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
08:23:00 WinXP 212.120.242.22 (GIBCONNECT.COM):
GIBRALTAR NYNEX COMMUNICATIONS,
GI.
n/a CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
14 of 32 8f367186c3
[Firefox:61 hits: 12-27 to 05-05]
01a06977c4 [0] ASM:Graph
TXT2COM| lines=0 trace
08:33:00 WinXP 194.65.179.179 (DIAL-B1-178-10.TELEPAC.PT):
TELEPAC - COMUNICACOES INTERACTIVAS SA,
PORTO, PORTO, PT. (DIAL)
n/a   445 pcap raw alerts
ruleset
shell
ftp
13 lines
Yeah : 1.3
profile
none summary
tarball
29 of 29 1a2c0e6130
[Firefox:372 hits: 12-31 to 05-07]
048df78048 [0] ASM:Graph
none|none lines=61 trace
08:40:00 Win2K-f 85.26.34.85 (217-117-34-10.TELEDISNET.BE):
TELEDISNET ISP,
BE.
n/a   445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
28 of 31 e1e2bddf79
NEW
none[4] none:none
none|none none trace
09:03:00 Win2K-f 118.169.35.151 (-):
.
217.170.244.2:443 DE:proxim.ircgalaxy.pl
CZ:217.170.244.2:443
CZ:82.114.64.251:443
DE:85.114.137.60:65520
445 pcap raw alerts
ruleset
shell
ftp
irc
29 lines
Yeah : 1.8
profile
none summary
tarball
28 of 31 0b8d225034
[Firefox: 2 hits: 05-04 to 05-05]
d602884c66 [0] ASM:Graph
FSG| lines=1993
embedded dns
trace
T:09:10:00 WinXP 41.214.137.57 (-):
.
n/a UA:citi-bank.ru
UA:194.54.90.246:80
445 pcap raw alerts
ruleset
http
2 lines
Yeah : 1.3
profile
none summary
tarball
31 of 32 d370fa2826
[Firefox: 4 hits: 04-24 to 05-04]
d4427d3b1e [0] ASM:Graph
PolyEnE| lines=68 trace
09:12:00 WinXP 84.170.95.156 (T-DIALIN.NET):
DEUTSCHE TELEKOM AG,
ASCHAFFENBURG, BAYERN, DE. (DIAL)
n/a   445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
28 of 32 32b7295760
[Firefox: 2 hits: 05-04 to 05-07]
443ee2d2f0 [0] ASM:Graph
TXT2COM| lines=11 trace
T:09:35:00 WinXP 69.146.211.149 (BRESNAN.NET):
BRESNAN COMMUNICATIONS LLC,
GRAND JUNCTION, COLORADO, US.
n/a   445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
09:56:00 WinXP 83.97.193.10 (CM-83-97-128-10.TELECABLE.ES):
TELECABLE,
GIJON, ASTURIAS, ES. (DSL)
n/a UA:citi-bank.ru
UA:194.54.90.246:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
26 of 28 7d99b0e910
[Firefox:2956 hits: 12-31 to 05-07]
7a70e1b592 [0] ASM:Graph
PolyEnE| lines=68 trace
T:10:15:00 Win2K-f 4.88.64.30 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
MYRTLE BEACH, SOUTH CAROLINA, US. (DIAL)
n/a   135 pcap raw alerts
ruleset
other
5 lines
Argh : 0.3
profile
none summary
tarball
none none none none none none none
10:18:00 WinXP 190.17.130.17 (COM.AR):
CABLEVISION S.A,
BUENOS AIRES, BUENOS AIRES, AR.
n/a UA:citi-bank.ru
UA:194.54.90.246:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
26 of 28 7d99b0e910
[Firefox:2956 hits: 12-31 to 05-07]
7a70e1b592 [0] ASM:Graph
PolyEnE| lines=68 trace
11:01:00 Win2K-f 79.12.111.212 (RETAIL.TELECOMITALIA.IT):
TELECOM ITALIA NET,
ROME, LAZIO, IT.
n/a  
CZ:217.170.244.2:443
CZ:82.114.64.251:443
445 pcap raw alerts
ruleset
shell
ftp
17 lines
Yeah : 1.3
profile
none summary
tarball
25 of 28 7fdfe363d5
[Firefox:2587 hits: 12-31 to 05-07]
10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns
trace
T:11:06:00 WinXP 83.188.224.179 (SWIP.NET):
SWIPNET,
SE.
n/a DE:proxim.ircgalaxy.pl
UA:citi-bank.ru
UA:194.54.90.246:80
DE:85.114.137.60:65520
445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
31 of 31 e3f8ba0845
NEW
cec20f9127 [0] ASM:Graph
PolyEnE| lines=129 trace
11:29:00 Win2K-f 81.246.144.6 (ISP.BELGACOM.BE):
SKYNET-ADSL,
DENDERMONDE, OOST-VLAANDEREN, BE. (DSL)
n/a CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
CN:218.93.14.236:7000
445 pcap raw alerts
ruleset
ftp
16 lines
Yeah : 0.8
profile
none summary
tarball
21 of 32 5f78ff609d
[Firefox:825 hits: 04-27 to 05-07]
d4a06bdc3a [0] ASM:Graph
none|none lines=4 trace
11:57:00 WinXP 79.138.128.2 (APEXCOVANTAGE.COM):
EU-ZZ,
UK.
n/a UA:citi-bank.ru
UA:194.54.90.246:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
30 of 32 6a7149c49f
NEW
8ac4992704 [0] ASM:Graph
PolyEnE| lines=54 trace
12:52:00 WinXP 92.13.17.201 (-):
CARPHONE WAREHOUSE BROADBAND SERVICES,
UK.
n/a DE:proxim.ircgalaxy.pl
CN:hail.dns2go.com
CN:scorti1.dns2go.com
CN:211.96.97.44:7000
CN:218.93.14.236:7000
DE:85.114.137.60:80
445 pcap raw alerts
ruleset
ftp
14 lines
Yeah : 0.8
profile
none summary
tarball
28 of 31 89193031d2
[Firefox: 4 hits: 05-04 to 05-06]
none[4] none:none
none|none none trace
13:45:00 WinXP 72.251.13.29 (1DIAL.COM):
AD-BASE SYSTEMS INC. (DBA GLOBALPOPS),
PITTSBURGH, PENNSYLVANIA, US. (DIAL)
n/a EU:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:landdev1.lap.internal
GB:welcome3.smile.co.uk
:wpad
GB:195.92.84.198:80
DE:217.11.54.126:80
EU:78.47.200.154:80
445 pcap raw alerts
ruleset
http
http
http
11 lines
Yeah : 1.3
profile
none summary
tarball
29 of 29 a12cab51ef
[Firefox:1008 hits: 05-01 to 05-07]
40f7f463c4 [0] ASM:Graph
ASPack| lines=281
embedded dns
trace
14:03:00 WinXP 79.115.86.246 (RDSNET.RO):
RDS,
BUCHAREST, BUCURESTI, RO.
n/a DE:proxim.ircgalaxy.pl
RU:moscow-advokat.ru
DE:85.114.137.60:65520
445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
30 of 31 62258fc1b9
[Firefox: 3 hits: 05-04 to 05-06]
673798df40 [0] ASM:Graph
PolyEnE| lines=154
embedded dns
trace
14:15:00 WinXP 66.232.255.85 (TVCCONNECT.NET):
THAMES VALLEY COMMUNICATIONS INC,
RUSSELLVILLE, ARKANSAS, US.
n/a DE:siliconfireware.ru
RU:www.bbin.ru
:wpad
RU:195.200.213.52:80
DE:212.227.111.29:80
DE:217.11.54.126:80
EU:78.47.200.154:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 0.8
profile
none summary
tarball
29 of 29 a12cab51ef
[Firefox:1008 hits: 05-01 to 05-07]
40f7f463c4 [0] ASM:Graph
ASPack| lines=281
embedded dns
trace
T:14:21:00 WinXP 4.228.192.172 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
FARGO, NORTH DAKOTA, US. (DIAL)
n/a RU:moscow-advokat.ru 445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
25 of 25 7f60162c2c
[Firefox:1274 hits: 12-31 to 05-07]
1aad8e4632 [0] ASM:Graph
PolyEnE| lines=93
embedded dns
trace
14:52:00 WinXP 189.28.194.192 (BRASILTELECOM.NET.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
BR.
n/a UA:citi-bank.ru
UA:194.54.90.246:80
445 pcap raw alerts
ruleset
http
2 lines
Yeah : 1.3
profile
none summary
tarball
26 of 28 7d99b0e910
[Firefox:2956 hits: 12-31 to 05-07]
7a70e1b592 [0] ASM:Graph
PolyEnE| lines=68 trace
15:04:00 WinXP 216.77.195.180 (BELLSOUTH.NET):
BELLSOUTH.NET INC,
NEW ORLEANS, LOUISIANA, US.
n/a   445 pcap raw alerts
ruleset
shell
3 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
15:08:00 WinXP 202.221.174.230 (BMOBILE.NE.JP):
JAPAN COMMUNICATION INC,
TOKYO, TOKYO, JP.
n/a UA:citi-bank.ru
UA:194.54.90.246:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
29 of 29 3ae357d17b
[Firefox:697 hits: 05-01 to 05-07]
462a7be171 [0] ASM:Graph
PolyEnE| lines=73 trace
15:12:00 WinXP 4.244.84.234 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
STILLWATER, OKLAHOMA, US. (DIAL)
n/a   445 pcap raw alerts
ruleset
shell
ftp
17 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
15:35:00 WinXP 123.48.73.96 (R-123-48-0-10.COMMUFA.JP):
CHUBU TELECOMMUNICATIONS CO. INC,
JP.
n/a   445 pcap raw alerts
ruleset
shell
ftp
14 lines
Yeah : 1.3
profile
none summary
tarball
29 of 29 831f4ee0a7
[Firefox:576 hits: 07-11 to 05-06]
eb7546c600 [0] ASM:Graph
none|none lines=61 trace
16:06:00 WinXP 92.40.201.183 (IKBCC.COM):
EU-ZZ,
UK.
85.114.137.60:80 DE:proxim.ircgalaxy.pl
DE:85.114.137.60:80
445 pcap raw alerts
ruleset
http
irc
50 lines
Yeah : 1.3
profile
none summary
tarball
29 of 32 1ab4d3d7b6
[Firefox: 6 hits: 04-10 to 05-04]
cc366b3f6c [0] ASM:Graph
none|none lines=287
embedded dns
trace
16:47:00 WinXP 202.224.83.200 (ENJOY.NE.JP):
DEODEO INTERNET SERVICE(DEODEO CORPORATION),
JP.
n/a DE:siliconfireware.ru
:wpad
US:searchportal.information.com
DE:212.227.111.29:80
DE:217.11.54.126:80
EU:78.47.200.154:80
445 pcap raw alerts
ruleset
http
http
6 lines
Yeah : 0.8
profile
none summary
tarball
29 of 29 df17a625ee
[Firefox:438 hits: 05-04 to 05-06]
none[3] none:none
ASPack| none trace
17:42:00 WinXP 4.158.198.67 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
CHICAGO, ILLINOIS, US. (DIAL)
217.170.244.2:443  
CZ:217.170.244.2:443
445 pcap raw alerts
ruleset
shell
ftp
irc
27 lines
Yeah : 1.8
profile
none summary
tarball
25 of 28 7fdfe363d5
[Firefox:2587 hits: 12-31 to 05-07]
10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns
trace
T:17:48:00 WinXP 65.184.40.235 (RR.COM):
ROAD RUNNER HOLDCO LLC,
WILMINGTON, NORTH CAROLINA, US.
n/a UA:citi-bank.ru
UA:194.54.90.246:80
445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
26 of 28 7d99b0e910
[Firefox:2956 hits: 12-31 to 05-07]
7a70e1b592 [0] ASM:Graph
PolyEnE| lines=68 trace
17:48:00 WinXP 65.184.40.235 (RR.COM):
ROAD RUNNER HOLDCO LLC,
WILMINGTON, NORTH CAROLINA, US.
n/a UA:citi-bank.ru 445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
26 of 28 7d99b0e910
[Firefox:2956 hits: 12-31 to 05-07]
7a70e1b592 [0] ASM:Graph
PolyEnE| lines=68 trace
18:27:00 Win2K-f 207.193.34.21 (DURACOM.NET):
DURANT COMPUTER INC,
OKLAHOMA CITY, OKLAHOMA, US.
n/a   445 pcap raw alerts
ruleset
shell
ftp
20 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:18:43:00 WinXP 218.168.126.85 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW.
n/a  
CZ:217.170.244.2:443
CZ:82.114.64.251:443
445 pcap raw alerts
ruleset
shell
ftp
17 lines
Yeah : 1.3
profile
none summary
tarball
25 of 28 7fdfe363d5
[Firefox:2587 hits: 12-31 to 05-07]
10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns
trace
T:19:37:00 WinXP 97.89.11.89 (-):
.
n/a UA:citi-bank.ru 445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
27 of 32 f190da6fbe
[Firefox:27 hits: 12-15 to 05-04]
d8dc6af14c [0] ASM:Graph
PolyEnE| lines=68 trace
20:18:00 WinXP 4.229.192.226 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
THREE RIVERS, MICHIGAN, US. (DIAL)
n/a RU:moscow-advokat.ru 445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
25 of 25 7f60162c2c
[Firefox:1274 hits: 12-31 to 05-07]
1aad8e4632 [0] ASM:Graph
PolyEnE| lines=93
embedded dns
trace
T:20:19:00 WinXP 4.229.192.226 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
THREE RIVERS, MICHIGAN, US. (DIAL)
n/a RU:moscow-advokat.ru
RU:194.6.222.11:6667
445 pcap raw alerts
ruleset
http
1 line
Yeah : 1.3
profile
none summary
tarball
25 of 25 7f60162c2c
[Firefox:1274 hits: 12-31 to 05-07]
1aad8e4632 [0] ASM:Graph
PolyEnE| lines=93
embedded dns
trace
20:24:00 WinXP 71.121.100.237 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
SAN ANGELO, TEXAS, US.
n/a   445 pcap raw alerts
ruleset
other
0 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
T:20:25:00 WinXP 71.121.100.237 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
SAN ANGELO, TEXAS, US.
n/a   445 pcap raw alerts
ruleset
other
0 lines
Yeah : 0.8
profile
none summary
tarball
none none none none none none none
21:33:00 WinXP 118.168.191.96 (-):
.
217.170.244.2:443   445 pcap raw alerts
ruleset
shell
ftp
irc
27 lines
Yeah : 1.8
profile
none summary
tarball
25 of 28 7fdfe363d5
[Firefox:2587 hits: 12-31 to 05-07]
10862ea8b8 [0] ASM:Graph
FSG| lines=1933
embedded dns
trace
23:51:00 WinXP 89.218.14.21 (-):
ALMATYTELECOM,
KZ.
211.96.97.44:7000 CN:scorti1.dns2go.com
CN:211.96.97.44:7000
445 pcap raw alerts
ruleset
ftp
irc
20 lines
Yeah : 1.8
profile
none summary
tarball
20 of 31 af98fe0c94
[Firefox:47 hits: 04-27 to 05-07]
480d076a0a [0] ASM:Graph
ASProtect| lines=422
embedded dns
trace