Permission issue or partial installation.
rule Csinativeimagegen_suspected
{
    meta:
        description = "Detect suspicious Csinativeimagegen.exe variants"
        author = "SOC"
    strings:
        $fn = "Csinativeimagegen.exe"
        $s1 = "http" nocase
        // API names in PE import tables are ASCII, so match both encodings
        $s2 = "CreateRemoteThread" ascii wide
    condition:
        filesize < 50MB and $fn and ($s1 or $s2)
}
It pre-compiles CSI software—such as ETABS, SAP2000, SAFE, and CSiBridge—into a "native image" that is cached on your system.