Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 27, 2023, 10:45 a.m.	March 27, 2023, 10:52 a.m.

Size	32.5MB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: {4CEC2908-5CE4-48F0-A717-8FC833D8017A}, Author: {4CEC2908-5CE4-48F0-A717-8FC833D8017A}, Keywords: Installer, Comments: This installer database contains the logic and data required to install {4CEC2908-5CE4-48F0-A717-8FC833D8017A}., Template: x64;1033, Revision Number: {DE69A329-ACDE-445D-90C7-B083DF6DCC17}, Create Time/Date: Sat Feb 25 06:58:58 2023, Last Saved Time/Date: Sat Feb 25 06:58:58 2023, Number of Pages: 405, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5	`a62037c1812df2774da6257f465d5b78`
SHA256	`dc97da11663e5a9041962e5457291bb888c974bc13c89af37403c32973814e8c`
CRC32	`11D87FAD`
ssdeep	`786432:syLPvc48WEw3PYHrqavl0ztWtjZanLHmUhg24yVs3:BLP048dwfYHhq2YnLFi2j`
Yara	Malicious_Library_Zero - Malicious_Library Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check CAB_file_format - CAB archive file Microsoft_Office_File_Zero - Microsoft Office File ASPack_Zero - ASPack packed file

msiexec.exe "C:\Windows\System32\msiexec.exe" /I C:\Users\test22\AppData\Local\Temp\t.msi
2556
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
www.teramind.co	A 104.22.19.138 A 104.22.18.138 A 172.67.26.154	104.22.19.138
ocsp.digicert.com	CNAME ocsp.edge.digicert.com CNAME fp2E7A.wpc.2BE4.phicdn.net CNAME fp2e7a.wpc.phicdn.net A 152.195.38.76	152.195.38.76
rt.teramind.co	A 132.226.193.252	132.226.193.252

IP Address	Status	Action
104.22.18.138	Active	Moloch
132.226.193.252	Active	Moloch
141.144.250.131	Active	Moloch
152.195.38.76	Active	Moloch
164.124.101.2	Active	Moloch
172.67.26.154	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49167 104.22.18.138:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49170 104.22.18.138:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49168 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49162 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49169 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49175 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49158 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49168 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49166 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49169 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49166 104.22.18.138:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49171 104.22.18.138:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49160 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49173 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49171 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49164 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49177 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6
TLS 1.2 192.168.56.101:49178 132.226.193.252:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.teramind.co	9b:5e:3b:90:71:6a:2a:ca:24:29:25:70:35:a4:61:ed:26:fc:6c:b6

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 27, 2023, 10:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 27, 2023, 10:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 27, 2023, 10:46 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 27, 2023, 10:45 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 27, 2023, 10:45 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (4 events)

request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAewQY2lHhSMMxu83rcTgyM%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTDZGCsCkDHH%2BXwJVKt4ohdOTWBUQQUy1yTroib%2FkNvVlBSAm14%2FKzhsVoCEA1e%2BQMDwigDd9%2FgTXTiCGE%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAP7r%2BFw4Evn1FZeRLt68uo%3D

Allocates read-write-execute memory (usually to unpack itself) (25 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ac4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b02000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72781000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72761000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x764b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75831000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72701000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72631000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72622000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72551000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:45 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75511000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2023, 10:46 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72101000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW March 27, 2023, 10:45 a.m.	total_number_of_free_bytes: 13289619456 free_bytes_available: 13289619456 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW March 27, 2023, 10:45 a.m.	number_of_free_clusters: 3244536 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW March 27, 2023, 10:45 a.m.	total_number_of_free_bytes: 13289619456 free_bytes_available: 13289619456 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW March 27, 2023, 10:45 a.m.	number_of_free_clusters: 3244536 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\MSIF397.tmp

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

ESET-NOD32	a variant of Win32/NetFilter.A potentially unsafe
Rising	PUF.NetFilter!8.1F0 (TFE:6:ZJJwIJgT9j)
McAfee-GW-Edition	Artemis!9D5915FDB756
Ikarus	PUA.RiskWare.Teramind
Xcitium	Malware@#2v55sd6wgpsq7
McAfee	Artemis!1BE54864AE1D
Fortinet	Riskware/NetFilter

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW March 27, 2023, 10:45 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

One or more of the buffers contains an embedded PE file (5 events)

buffer	Buffer with sha1: 0dc4583de426bc4a782d3351a0e89987d9511420
buffer	Buffer with sha1: 1d402b73d681cc8b203e595076ec59428827b726
buffer	Buffer with sha1: 4c1bcdb66e130c1ad1ef52e85b4cd1f2d7a9f5c4
buffer	Buffer with sha1: 73e0a81707960cc3ccb5dccef4cbb6cd51ee3710
buffer	Buffer with sha1: 495490531395940a70b977fa383866e157d67a30

Communicates with host for which no DNS query was performed (1 event)

host

141.144.250.131

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (9 events)

dead_host	192.168.56.101:49159
dead_host	192.168.56.101:49161
dead_host	172.67.26.154:443
dead_host	192.168.56.101:49179
dead_host	141.144.250.131:42760
dead_host	192.168.56.101:49174
dead_host	192.168.56.101:49176
dead_host	192.168.56.101:49172
dead_host	192.168.56.101:49163

t.msi

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All