Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 27, 2022, 9:24 a.m.	Jan. 27, 2022, 9:26 a.m.

Size	581.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Kulo, Template: Normal, Last Saved By: Kulo, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 25 11:36:00 2022, Last Saved Time/Date: Tue Jan 25 11:36:00 2022, Number of Pages: 2, Number of Words: 0, Number of Characters: 5, Security: 0
MD5	`2ff7a82ce2cfd50823844a57baae4669`
SHA256	`49b36e28d00ebf1a1963c0bb8b34689b34e07ed0c686751b2c9d75434700ee09`
CRC32	`8531D939`
ssdeep	`12288:mzYq7bqwG51uUzYq7bqwG51umzYq7bqwG51uozYq7bqwG51uu:0v7urXuWv7urXu0v7urXu6v7urXuu`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\U2232o1226.doc
2340
- MSOSYNC.EXE "C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe"
  2588

Name	Response	Post-Analysis Lookup
tropitron5.ru	A 5.188.88.97	5.188.88.97

IP Address	Status	Action
164.124.101.2	Active	Moloch
5.188.88.97	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Jan. 27, 2022, 9:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 27, 2022, 9:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 27, 2022, 9:24 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Registration\{91150000-0011-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 27, 2022, 9:24 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 54 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a5ed000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a1fe000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b4c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b4c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b4c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b4c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b4c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b4c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x699a6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x698a4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69861000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x697d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69461000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a51000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2588 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f8bf000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2588 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x355a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x355a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75599000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x355a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2588 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6acd4000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$232o1226.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Jan. 27, 2022, 9:24 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004b0 filepath: C:\Users\test22\AppData\Local\Temp\~$232o1226.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$232o1226.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Word document hooks document open

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 27, 2022, 9:24 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE

Zeus P2P (Banking Trojan) (24 events)

mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{E89326C2-4839-459D-A6FC-8BADBCCDAD20}:TID{F85AF7C9-265C-434D-ACAE-E783DFE17053}
mutex	Local\Microsoft_Office_15CSI_WDW:{99E4DC0A-5D53-4ACA-AA74-E1D2D2CAA4F3}
mutex	Local\Microsoft_Office_15CSI_WDW:{1C911EFB-6FE5-4A6A-AF5B-D44CC5AD1AA9}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{E89326C2-4839-459D-A6FC-8BADBCCDAD20}:TID{5585BD79-2A2B-4359-8F93-404ED6147369}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{E89326C2-4839-459D-A6FC-8BADBCCDAD20}:TID{7A3B9BC8-95AF-498B-A58A-AB578703D72A}
mutex	Local\Microsoft_Office_15CSI_WDW:{B661CBE0-6421-457B-A41F-7E7E361FDE2B}
mutex	Local\Microsoft_Office_15CSI_OMTX:{1C911EFB-6FE5-4A6A-AF5B-D44CC5AD1AA9}
mutex	Local\Microsoft_Office_15CSI_WDW:{5879075E-4842-45AA-B5D2-781258659315}
mutex	Global\Microsoft_Office_15Csi:GC:C:/Users/test22/AppData/Local/Microsoft/Office/15.0/OfficeFileCache/LocalCacheFileEditManager/FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
mutex	Local\Microsoft_Office_15CSI_OMTX:{E491E693-892D-46FD-AFB7-65947BBE8F99}
mutex	Local\Microsoft_Office_15CSI_WDW:{8087E21A-C7A7-42EB-9A9F-CC2EE70BD934}
mutex	Local\Microsoft_Office_15Csi_TableRuntimeBucketsLock:{B661CBE0-6421-457B-A41F-7E7E361FDE2B}
mutex	Local\Microsoft_Office_15CSI_OMTX:{F5E6A74A-086E-469B-9233-76B7519163F8}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{E89326C2-4839-459D-A6FC-8BADBCCDAD20}:TID{BFCEF68A-3F40-481B-B237-FD551CEC6C8A}
mutex	Local\Microsoft_Office_15CSI_WDW:{1AA4DE55-59F1-4B64-A55D-6176B7D4A980}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{E89326C2-4839-459D-A6FC-8BADBCCDAD20}:TID{4A6D6FD4-6B5E-4B91-B650-BF1EC9669D4C}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{E89326C2-4839-459D-A6FC-8BADBCCDAD20}:TID{16284F64-D1CB-4015-ACFA-9E3944D6B6DD}
mutex	Local\Microsoft_Office_15CSI_WDW:{F5E6A74A-086E-469B-9233-76B7519163F8}
mutex	Local\Microsoft_Office_15CSI_WDW:{5DE27851-521D-4412-9C2D-1192CC57DBC3}
mutex	Local\Microsoft_Office_15CSI_WDW:{E491E693-892D-46FD-AFB7-65947BBE8F99}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{E89326C2-4839-459D-A6FC-8BADBCCDAD20}:TID{48DEC616-56E4-4F30-8030-C51111C102A9}
mutex	Local\Microsoft_Office_15Csi_CTTxnTableLock:{E89326C2-4839-459D-A6FC-8BADBCCDAD20}:TID{D0A49606-3BBC-45A0-A810-6E7F9720E394}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 16488, u'time': 3.950995922088623, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 24864, u'time': 93.57790303230286, u'dport': 1900, u'sport': 60121}

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

5.188.88.97:80

U2232o1226.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All