Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 10, 2023, 9:44 a.m.	April 10, 2023, 9:47 a.m.

Size	1.2KB
Type	HTML document, ASCII text, with CRLF line terminators
MD5	`291c18d77096065aec86457b63eeb140`
SHA256	`165ca8bfaf93d58c24d501abe22b1a1846a8f47f802d2698e7d14e7f93248bf2`
CRC32	`30C52C49`
ssdeep	`24:IrWR34MvXdbbNCmR7Jju6AyCQbls5nINMilzwrMgxxsqkUUdhL5tJLj+7M4:BRo+XtnP3PplynIJRtzhNtJ334`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\ts.wsf
3040
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Internet Explorer에서 웹 페이지를 표시할 수 없습니다. Internet Explorer에서 웹 페이지를 표시할 수 없습니다. 가능한 해결 방법: 연결 문제 진단 추가 정보<ID id="moreInformation">추가 정보</ID> 이 문제는 다음과 같은 여러 가지 원인이 있을 수 있습니다. 인터넷 연결이 끊어졌습니다. 웹 사이트를 일시적으로 사용할 수 없습니다. DNS(도메인 이름 서버)에 연결할 수 없습니다. DNS(도메인 이름 서버)에 웹 사이트의 도메인에 대한 목록이 없습니다. 주소에 오타가 있을 수 있습니다. HTTPS(보안) 주소인 경우 [도구], [인터넷 옵션], [고급]을 차례로 클릭한 다음 보안 섹션에서 SSL/TLS 프로토콜이 사용되도록 설정되었는지 확인하십시오. 오프라인 사용자용 가입한 피드 및 최근에 열어본 일부 웹 페이지를 볼 수 있습니다. 가입한 피드를 보려면: 즐겨찾기 단추 를 클릭하고 피드를 클릭한 다음 보려는 피드를 클릭하십시오. 최근에 열어본 웹 페이지를 보려면(모든 페이지에서 가능하지 않을 수도 있음): Alt 키를 누르고 파일을 클릭한 다음 오프라인으로 작업을 클릭하십시오. 즐겨찾기 단추 를 클릭하고 열어본 페이지 목록을 클릭한 다음 보려는 페이지를 클릭하십시오.
  2516
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" move-item 'C:\Users\test22\AppData\Local\Temp\ts.wsf' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
  1192

Name	Response	Post-Analysis Lookup
ultimatescamrecovery.com	A 104.219.248.27	104.219.248.27

IP Address	Status	Action
104.219.248.27	Active	Moloch
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49164 -> 104.219.248.27:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49181 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49165 -> 104.219.248.27:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49179 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49180 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.219.248.27:443 -> 192.168.56.102:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49178 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.219.248.27:80 -> 192.168.56.102:49163	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 10, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 10, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 10, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 10, 2023, 9:44 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 10, 2023, 9:44 a.m.			0	0
IsDebuggerPresent April 10, 2023, 9:44 a.m.			0	0

Command line console output was observed (50 out of 153 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: The term 'Internet' is not recognized as the name of a cmdlet, function, script console_handle: 0x00000023	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: file, or operable program. Check the spelling of the name, or if a path was in console_handle: 0x0000002f	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: cluded, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: At line:1 char:9 console_handle: 0x00000047	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + Internet <<<< Explorer에서 웹 페이지를 표시할 수 없습니다. console_handle: 0x00000053	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Internet:String) [], CommandNot console_handle: 0x0000005f	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: FoundException console_handle: 0x0000006b	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: The term 'Internet' is not recognized as the name of a cmdlet, function, script console_handle: 0x00000097	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: file, or operable program. Check the spelling of the name, or if a path was in console_handle: 0x000000a3	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: cluded, verify that the path is correct and try again. console_handle: 0x000000af	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: At line:7 char:9 console_handle: 0x000000bb	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + Internet <<<< Explorer에서 웹 페이지를 표시할 수 없습니다. console_handle: 0x000000c7	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Internet:String) [], CommandNot console_handle: 0x000000d3	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: FoundException console_handle: 0x000000df	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000eb	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: The term '가능한' is not recognized as the name of a cmdlet, function, script file console_handle: 0x0000001b	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: , or operable program. Check the spelling of the name, or if a path was include console_handle: 0x00000027	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: d, verify that the path is correct and try again. console_handle: 0x00000037	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: At line:18 char:4 console_handle: 0x00000043	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + 가능한 <<<< 해결 방법: console_handle: 0x0000004f	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + CategoryInfo : ObjectNotFound: (가능한:String) [], CommandNotFound console_handle: 0x0000005b	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: Exception console_handle: 0x00000067	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000073	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: The term '연결' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x00000097	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: or operable program. Check the spelling of the name, or if a path was included console_handle: 0x000000a3	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: , verify that the path is correct and try again. console_handle: 0x000000af	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: At line:30 char:3 console_handle: 0x000000bb	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + 연결 <<<< 문제 진단 console_handle: 0x000000c7	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + CategoryInfo : ObjectNotFound: (연결:String) [], CommandNotFoundE console_handle: 0x000000d3	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: xception console_handle: 0x000000df	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000eb	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: The term '추가' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x0000010b	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: or operable program. Check the spelling of the name, or if a path was included console_handle: 0x00000117	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: , verify that the path is correct and try again. console_handle: 0x00000123	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: At line:43 char:3 console_handle: 0x0000012f	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + 추가 <<<< 정보<ID id=moreInformation>추가 정보</ID> console_handle: 0x0000013b	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + CategoryInfo : ObjectNotFound: (추가:String) [], CommandNotFoundE console_handle: 0x00000147	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: xception console_handle: 0x00000153	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000015f	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: The term '이' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x0000017f	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: or operable program. Check the spelling of the name, or if a path was included, console_handle: 0x0000018b	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: verify that the path is correct and try again. console_handle: 0x00000197	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: At line:47 char:2 console_handle: 0x000001a3	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + 이 <<<< 문제는 다음과 같은 여러 가지 원인이 있을 수 있습니다. console_handle: 0x000001af	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + CategoryInfo : ObjectNotFound: (이:String) [], CommandNotFoundEx console_handle: 0x000001bb	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: ception console_handle: 0x000001c7	1	1
WriteConsoleW April 10, 2023, 9:44 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000001d3	1	1
WriteConsoleW April 10, 2023, 9:45 a.m.	buffer: The term '인터넷' is not recognized as the name of a cmdlet, function, script file console_handle: 0x000001f3	1	1
WriteConsoleW April 10, 2023, 9:45 a.m.	buffer: , or operable program. Check the spelling of the name, or if a path was include console_handle: 0x000001ff	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 88 events)

Time & API	Arguments	Status	Return
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d24e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d24e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d24e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1f68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1f68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1f68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d23e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d23e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d23e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d23e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d23e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d23e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d23e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d23e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00644b90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006448d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006448d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2023, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006448d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 10, 2023, 9:44 a.m.		1	1	0

Performs some HTTP requests (2 events)

request	GET http://ultimatescamrecovery.com/r/tk.txt
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

Allocates read-write-execute memory (usually to unpack itself) (50 out of 266 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 3040 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f6e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0274a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f6e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02742000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02753000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0274b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02755000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02756000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ceb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ced000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2023, 9:44 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	Powershell Internet Explorer에서 웹 페이지를 표시할 수 없습니다. Internet Explorer에서 웹 페이지를 표시할 수 없습니다. 가능한 해결 방법: 연결 문제 진단 추가 정보<ID id="moreInformation">추가 정보</ID> 이 문제는 다음과 같은 여러 가지 원인이 있을 수 있습니다. 인터넷 연결이 끊어졌습니다. 웹 사이트를 일시적으로 사용할 수 없습니다. DNS(도메인 이름 서버)에 연결할 수 없습니다. DNS(도메인 이름 서버)에 웹 사이트의 도메인에 대한 목록이 없습니다. 주소에 오타가 있을 수 있습니다. HTTPS(보안) 주소인 경우 [도구], [인터넷 옵션], [고급]을 차례로 클릭한 다음 보안 섹션에서 SSL/TLS 프로토콜이 사용되도록 설정되었는지 확인하십시오. 오프라인 사용자용 가입한 피드 및 최근에 열어본 일부 웹 페이지를 볼 수 있습니다. 가입한 피드를 보려면: 즐겨찾기 단추 를 클릭하고 피드를 클릭한 다음 보려는 피드를 클릭하십시오. 최근에 열어본 웹 페이지를 보려면(모든 페이지에서 가능하지 않을 수도 있음): Alt 키를 누르고 파일을 클릭한 다음 오프라인으로 작업을 클릭하십시오. 즐겨찾기 단추 를 클릭하고 열어본 페이지 목록을 클릭한 다음 보려는 페이지를 클릭하십시오.
cmdline	Powershell move-item 'C:\Users\test22\AppData\Local\Temp\ts.wsf' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" move-item 'C:\Users\test22\AppData\Local\Temp\ts.wsf' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Internet Explorer에서 웹 페이지를 표시할 수 없습니다. Internet Explorer에서 웹 페이지를 표시할 수 없습니다. 가능한 해결 방법: 연결 문제 진단 추가 정보<ID id="moreInformation">추가 정보</ID> 이 문제는 다음과 같은 여러 가지 원인이 있을 수 있습니다. 인터넷 연결이 끊어졌습니다. 웹 사이트를 일시적으로 사용할 수 없습니다. DNS(도메인 이름 서버)에 연결할 수 없습니다. DNS(도메인 이름 서버)에 웹 사이트의 도메인에 대한 목록이 없습니다. 주소에 오타가 있을 수 있습니다. HTTPS(보안) 주소인 경우 [도구], [인터넷 옵션], [고급]을 차례로 클릭한 다음 보안 섹션에서 SSL/TLS 프로토콜이 사용되도록 설정되었는지 확인하십시오. 오프라인 사용자용 가입한 피드 및 최근에 열어본 일부 웹 페이지를 볼 수 있습니다. 가입한 피드를 보려면: 즐겨찾기 단추 를 클릭하고 피드를 클릭한 다음 보려는 피드를 클릭하십시오. 최근에 열어본 웹 페이지를 보려면(모든 페이지에서 가능하지 않을 수도 있음): Alt 키를 누르고 파일을 클릭한 다음 오프라인으로 작업을 클릭하십시오. 즐겨찾기 단추 를 클릭하고 열어본 페이지 목록을 클릭한 다음 보려는 페이지를 클릭하십시오.

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 10, 2023, 9:44 a.m.	show_type: 0 filepath_r: Powershell parameters: Internet Explorer에서 웹 페이지를 표시할 수 없습니다. Internet Explorer에서 웹 페이지를 표시할 수 없습니다. 가능한 해결 방법: 연결 문제 진단 추가 정보<ID id="moreInformation">추가 정보</ID> 이 문제는 다음과 같은 여러 가지 원인이 있을 수 있습니다. 인터넷 연결이 끊어졌습니다. 웹 사이트를 일시적으로 사용할 수 없습니다. DNS(도메인 이름 서버)에 연결할 수 없습니다. DNS(도메인 이름 서버)에 웹 사이트의 도메인에 대한 목록이 없습니다. 주소에 오타가 있을 수 있습니다. HTTPS(보안) 주소인 경우 [도구], [인터넷 옵션], [고급]을 차례로 클릭한 다음 보안 섹션에서 SSL/TLS 프로토콜이 사용되도록 설정되었는지 확인하십시오. 오프라인 사용자용 가입한 피드 및 최근에 열어본 일부 웹 페이지를 볼 수 있습니다. 가입한 피드를 보려면: 즐겨찾기 단추 를 클릭하고 피드를 클릭한 다음 보려는 피드를 클릭하십시오. 최근에 열어본 웹 페이지를 보려면(모든 페이지에서 가능하지 않을 수도 있음): Alt 키를 누르고 파일을 클릭한 다음 오프라인으로 작업을 클릭하십시오. 즐겨찾기 단추 를 클릭하고 열어본 페이지 목록을 클릭한 다음 보려는 페이지를 클릭하십시오. filepath: Powershell	1	1	0
ShellExecuteExW April 10, 2023, 9:44 a.m.	show_type: 0 filepath_r: Powershell parameters: move-item 'C:\Users\test22\AppData\Local\Temp\ts.wsf' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' filepath: Powershell	1	1	0

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW April 10, 2023, 9:44 a.m.	newfilepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ts.wsf flags: 2 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\ts.wsf newfilepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ts.wsf oldfilepath: C:\Users\test22\AppData\Local\Temp\ts.wsf	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 10, 2023, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 10, 2023, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

Powershell Internet Explorer에서 웹 페이지를 표시할 수 없습니다. Internet Explorer에서 웹 페이지를 표시할 수 없습니다. 가능한 해결 방법: 연결 문제 진단 추가 정보<ID id="moreInformation">추가 정보</ID> 이 문제는 다음과 같은 여러 가지 원인이 있을 수 있습니다. 인터넷 연결이 끊어졌습니다. 웹 사이트를 일시적으로 사용할 수 없습니다. DNS(도메인 이름 서버)에 연결할 수 없습니다. DNS(도메인 이름 서버)에 웹 사이트의 도메인에 대한 목록이 없습니다. 주소에 오타가 있을 수 있습니다. HTTPS(보안) 주소인 경우 [도구], [인터넷 옵션], [고급]을 차례로 클릭한 다음 보안 섹션에서 SSL/TLS 프로토콜이 사용되도록 설정되었는지 확인하십시오. 오프라인 사용자용 가입한 피드 및 최근에 열어본 일부 웹 페이지를 볼 수 있습니다. 가입한 피드를 보려면: 즐겨찾기 단추 를 클릭하고 피드를 클릭한 다음 보려는 피드를 클릭하십시오. 최근에 열어본 웹 페이지를 보려면(모든 페이지에서 가능하지 않을 수도 있음): Alt 키를 누르고 파일을 클릭한 다음 오프라인으로 작업을 클릭하십시오. 즐겨찾기 단추 를 클릭하고 열어본 페이지 목록을 클릭한 다음 보려는 페이지를 클릭하십시오.

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Internet Explorer에서 웹 페이지를 표시할 수 없습니다. Internet Explorer에서 웹 페이지를 표시할 수 없습니다. 가능한 해결 방법: 연결 문제 진단 추가 정보<ID id="moreInformation">추가 정보</ID> 이 문제는 다음과 같은 여러 가지 원인이 있을 수 있습니다. 인터넷 연결이 끊어졌습니다. 웹 사이트를 일시적으로 사용할 수 없습니다. DNS(도메인 이름 서버)에 연결할 수 없습니다. DNS(도메인 이름 서버)에 웹 사이트의 도메인에 대한 목록이 없습니다. 주소에 오타가 있을 수 있습니다. HTTPS(보안) 주소인 경우 [도구], [인터넷 옵션], [고급]을 차례로 클릭한 다음 보안 섹션에서 SSL/TLS 프로토콜이 사용되도록 설정되었는지 확인하십시오. 오프라인 사용자용 가입한 피드 및 최근에 열어본 일부 웹 페이지를 볼 수 있습니다. 가입한 피드를 보려면: 즐겨찾기 단추 를 클릭하고 피드를 클릭한 다음 보려는 피드를 클릭하십시오. 최근에 열어본 웹 페이지를 보려면(모든 페이지에서 가능하지 않을 수도 있음): Alt 키를 누르고 파일을 클릭한 다음 오프라인으로 작업을 클릭하십시오. 즐겨찾기 단추 를 클릭하고 열어본 페이지 목록을 클릭한 다음 보려는 페이지를 클릭하십시오.

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	Powershell Internet Explorer에서 웹 페이지를 표시할 수 없습니다. Internet Explorer에서 웹 페이지를 표시할 수 없습니다. 가능한 해결 방법: 연결 문제 진단 추가 정보<ID id="moreInformation">추가 정보</ID> 이 문제는 다음과 같은 여러 가지 원인이 있을 수 있습니다. 인터넷 연결이 끊어졌습니다. 웹 사이트를 일시적으로 사용할 수 없습니다. DNS(도메인 이름 서버)에 연결할 수 없습니다. DNS(도메인 이름 서버)에 웹 사이트의 도메인에 대한 목록이 없습니다. 주소에 오타가 있을 수 있습니다. HTTPS(보안) 주소인 경우 [도구], [인터넷 옵션], [고급]을 차례로 클릭한 다음 보안 섹션에서 SSL/TLS 프로토콜이 사용되도록 설정되었는지 확인하십시오. 오프라인 사용자용 가입한 피드 및 최근에 열어본 일부 웹 페이지를 볼 수 있습니다. 가입한 피드를 보려면: 즐겨찾기 단추 를 클릭하고 피드를 클릭한 다음 보려는 피드를 클릭하십시오. 최근에 열어본 웹 페이지를 보려면(모든 페이지에서 가능하지 않을 수도 있음): Alt 키를 누르고 파일을 클릭한 다음 오프라인으로 작업을 클릭하십시오. 즐겨찾기 단추 를 클릭하고 열어본 페이지 목록을 클릭한 다음 보려는 페이지를 클릭하십시오.
parent_process	wscript.exe	martian_process	Powershell move-item 'C:\Users\test22\AppData\Local\Temp\ts.wsf' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" move-item 'C:\Users\test22\AppData\Local\Temp\ts.wsf' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Internet Explorer에서 웹 페이지를 표시할 수 없습니다. Internet Explorer에서 웹 페이지를 표시할 수 없습니다. 가능한 해결 방법: 연결 문제 진단 추가 정보<ID id="moreInformation">추가 정보</ID> 이 문제는 다음과 같은 여러 가지 원인이 있을 수 있습니다. 인터넷 연결이 끊어졌습니다. 웹 사이트를 일시적으로 사용할 수 없습니다. DNS(도메인 이름 서버)에 연결할 수 없습니다. DNS(도메인 이름 서버)에 웹 사이트의 도메인에 대한 목록이 없습니다. 주소에 오타가 있을 수 있습니다. HTTPS(보안) 주소인 경우 [도구], [인터넷 옵션], [고급]을 차례로 클릭한 다음 보안 섹션에서 SSL/TLS 프로토콜이 사용되도록 설정되었는지 확인하십시오. 오프라인 사용자용 가입한 피드 및 최근에 열어본 일부 웹 페이지를 볼 수 있습니다. 가입한 피드를 보려면: 즐겨찾기 단추 를 클릭하고 피드를 클릭한 다음 보려는 피드를 클릭하십시오. 최근에 열어본 웹 페이지를 보려면(모든 페이지에서 가능하지 않을 수도 있음): Alt 키를 누르고 파일을 클릭한 다음 오프라인으로 작업을 클릭하십시오. 즐겨찾기 단추 를 클릭하고 열어본 페이지 목록을 클릭한 다음 보려는 페이지를 클릭하십시오.

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3040 resumed a thread in remote process 2516
Process injection	Process 3040 resumed a thread in remote process 1192
NtResumeThread April 10, 2023, 9:44 a.m.	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 2516	1	0	0
NtResumeThread April 10, 2023, 9:44 a.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 1192	1	0	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

ts.wsf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All